Users involved in installation, customization, and configuration

The users described here are involved in planning, installing, customizing, and configuring FTM SWIFT.

Table 1. Users involved in installation, customization, and configuration

User: Planner
Description: This user determines:
  • The number and names of instances, OUs, broker servers, application servers, and SAG servers
  • Which services are to be assigned to each OU-server combination
  • Which type of SAG clustering is to be used, and the composition of each SAG cluster
  • Resource requirements such as storage requirements
  • Who is to carry out all installation and customization tasks
Authorization: (none)

User: Installer
Description: This user:
  • Handles the distribution media
  • Installs and uninstalls FTM SWIFT
Authorization: User ID: root

User: Customizer
Description: This user employs the CDP to manage instances, servers, and OUs, and transfers deployment data to runtime systems.
Authorization: Recommended user ID: ucust1
  On the customization system, this user requires:
  • Membership in a primary group that has the rights specified for the group dnicusgr
  • Membership in group dniadmin

User: Database administrator
Description: This user configures and maintains database resources, including those that are needed by FTM SWIFT, and carries out the following tasks:
  • Prepares and runs database configuration jobs
  • Creates the FTM SWIFT database
  • Creates tables and indices for FTM SWIFT
  • Installs routines
  • Creates, grants, and revokes database roles
  • Grants and revokes database privileges
  • Creates or drops procedures
  • Loads initial data into the runtime database
  • Binds plans and packages
  • Carries out housekeeping tasks such as backing up and archiving data
  • Starts and stops the database
Authorization: Recommended user ID: udb2adm1
  On the runtime system on which the database is located, this user requires:
  • Membership in the database group
  • Membership in group dnicusgr
  • Membership in group dnilpp

User: Db2® fenced user ID
Description: This user manages database programs such as stored procedures and user-defined functions.
Authorization: Recommended user ID: db2fenc1
  On the runtime system on which the database is located, this user requires:
  • Membership in the database group
  • Membership in group dnilpp
  • Read permission for the vault that is created by the data integrity administrator when issuing the vault utility command create, as described in step 2.a in Activating the data integrity framework

User: IBM MQ administrator
Description: This user configures and maintains IBM MQ queues and queue managers, including those that are needed by FTM SWIFT.
Authorization: Recommended user ID: uwmqadm1
  On the runtime systems, this user requires:
  • Membership in group mqm
  • Membership in group dnicusgr
  If queue manager security is activated, this user must also have the right to define queues and channels.

User: Message broker application developer
Description: This user:
  • Copies projects and plug-ins to a message broker toolkit workstation
  • Installs plug-ins, imports sample projects, and creates message flows
  • Creates and deploys BAR files in a test environment
Authorization: Recommended user ID: uwmbad1
  On the runtime system where the message broker for test purposes runs, this user requires:
  • Membership in group dniadmin

User: Message broker administrator
Description: This user:
  • Configures the brokers used by FTM SWIFT
  • Issues broker commands, for example, to activate broker statistics and accounting
  • Starts and stops brokers and queue managers
  • Runs the Broker Administration Program (BAP) to deploy and customize the BAR files
  This is also the user ID under which the broker program runs.
Authorization: Recommended user ID: uwmba1
  On the runtime system on which the broker runs, this user requires:
  • Membership in group mqm
  • Membership in group mqbrkrs
  • Membership in group dnicusgr
  • Membership in group dnilpp
  • Membership in the group specified by the placeholder DNIvSGRP
  • Assignment of the database role DNI_SERVER
  • Read permission for the vault that is created by the data integrity administrator when issuing the vault utility command create, as described in step 2.a in Activating the data integrity framework

User: WebSphere® Application Server administrator
Description: This user authorizes the installation of the FTM SWIFT enterprise applications, and uses the administrative console to:
  • Configure application servers
  • Start, stop, and configure enterprise applications
  • In network deployment environments (not single-server environments), start and stop application servers
Authorization: Recommended user ID: uwasa1
  This user must be part of the configured external user registry (for example, LDAP) of the WebSphere Application Server environment and must have the administration and security roles in that environment. This user does not need to be defined in the local operating system.

User: WebSphere Application Server operator
Description: This user:
  • Starts and stops application servers
  • Installs the FTM SWIFT enterprise applications
Authorization: Recommended user ID: root
  On the runtime system on which the application server runs, this user requires:
  • Membership in group dnilpp
  • Read and write access to the installation directory of the application server
  On the customization system, this user requires:
  • Membership in group dnicusgr
  On the runtime system on which the queue manager of the application server runs, this user requires permission to connect to that queue manager.
  In bindings mode, this user also requires the same permissions as described for the web-application queue accessor (uwebqa1).

User: Runtime data accessor
Description: In an application-server authentication alias for JDBC data sources, this user is used to authenticate the connection between an FTM SWIFT enterprise application and the runtime database.
Authorization: Recommended user ID: urunda1
  On the runtime system on which the database is located, this user requires:
  • Permission to connect to the runtime database of the instance by means of JDBC
  • Read and write access to the database tables by having been assigned the database role DNI_APP_SERVER

User: Reference data accessor
Description: This user is used in an application-server authentication alias for JDBC data sources to authenticate the connection between the Reference Data component of an FTM SWIFT enterprise application and the runtime database that contains the reference data tables. Reference data tables can be shared among several instances, and the runtime database in which they are located can be different from the runtime database of the instance in which the enterprise application is deployed.
Authorization: Recommended user ID: urefda1
  On the runtime system on which the database that contains the reference data tables is located, this user requires:
  • Permission to connect, by means of JDBC, to the runtime database
  • Read access to the reference data tables by having been assigned the database role DNI_REFDATA_USE

User: Web-application queue accessor
Description: An FTM SWIFT enterprise application uses the user ID of this user to obtain configuration and security data. The user ID of this user is specified as the environment entry during configuration of the application server.
Authorization: Recommended user ID: uwebqa1
  This user requires:
  • The role DnfRmCfg for SYSOU, DNFSYSOU, and each business OU for which the RMA Facility is to manage relationships
  • The role DnpAoCfg for SYSOU
  • The role DnqERCfg for SYSOU, and each business OU for which the MER Facility is to process messages

User: First FTM SWIFT system configuration administrator
Description: This user:
  • Creates, commits, approves, and deploys FTM SWIFT configuration entities
  • Can switch off dual authorization for the system administration and security administration services
Authorization: Recommended user ID: sa1
  On the runtime system where the broker runs, this user requires:
  • The role DniSA for the SYSOU
  • Membership in group dnilpp
  • Membership in group dnicusgr
  • Membership in the group specified by the placeholder DNIvYGRP
  • Membership in the group specified by the placeholder DNIvOGRP
  • The right to connect to the queue manager used by the FTM SWIFT CLI

User: Second FTM SWIFT system configuration administrator
Description: This user:
  • If dual authorization is active, approves FTM SWIFT configuration entities that were committed by the first FTM SWIFT system configuration administrator (sa1)
  • Approves the switching off of dual authorization for the system administration and security administration services
Authorization: Recommended user ID: sa2
  Note: The user ID of this user must be different from that of the first FTM SWIFT system configuration administrator.
  Otherwise, the requirements are the same as for the first FTM SWIFT system configuration administrator.

User: First FTM SWIFT security administrator
Description: This user creates and commits the FTM SWIFT roles and relationships that are required to work with OUs and COs, and that determine the access rights of each user.
Authorization: Recommended user ID: ua1
  On the runtime system where the broker runs, this user requires:
  • The role DniUA for the SYSOU
  • Membership in group dnilpp
  • Membership in group dnicusgr
  • Membership in the group specified by the placeholder DNIvYGRP
  • Membership in the group specified by the placeholder DNIvOGRP
  • The right to connect to the queue manager used by the FTM SWIFT CLI

User: Second FTM SWIFT security administrator
Description: If dual authorization is not active, this user is not needed. If dual authorization is active, this user approves the FTM SWIFT roles and relationships committed by the first FTM SWIFT security administrator (ua1).
Authorization: Recommended user ID: ua2
  Note: The user ID of this user must be different from that of the first FTM SWIFT security administrator.
  Otherwise, the requirements are the same as for the first FTM SWIFT security administrator.

User: SAG Add-On Installer
Description: The SAG Add-On must be installed on the SAG workstation by the root user (AIX® and RHEL x86) or by a user having administrative rights (Windows).

User: RA owner
Description: During installation of the SAG Add-On, the root user must specify the user ID of the RA owner, because only the RA owner has authorization to access the SAG remote API, and the SAG Add-On uses that API to communicate with SAG. This user ID must be used to customize the SAG Add-On configuration profile as described in Setting the SAG operator password.
Authorization: This user ID must also be defined on the broker runtime system, and must have access to the remote event service and the queues used by the SAG Add-On.
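The group memberships in the table are a least-privilege specification, so a practical check after provisioning is to confirm that each recommended runtime user ID holds the groups the table requires and nothing more from the privileged groups (mqm, mqbrkrs, dniadmin). The following POSIX shell script is an added example and is not part of the FTM SWIFT documentation or product; the required memberships are copied from the table, while the database group and the placeholders DNIvSGRP, DNIvYGRP and DNIvOGRP are site-specific, so the values db2iadm1, dnisgrp, dniygrp and dniogrp used below are assumed stand-ins. Actual memberships are read with `id -nG` on the runtime system, or can be passed in as a list, which the sample calls at the end do with constructed data.

```shell
#!/bin/sh
# Added example: audit OS group memberships of the FTM SWIFT runtime user IDs
# against Table 1. Not from the FTM SWIFT documentation.

DB_GROUP="db2iadm1"   # assumption: the Db2 instance group of this site
DNIvSGRP="dnisgrp"    # assumption: value chosen for placeholder DNIvSGRP
DNIvYGRP="dniygrp"    # assumption: value chosen for placeholder DNIvYGRP
DNIvOGRP="dniogrp"    # assumption: value chosen for placeholder DNIvOGRP

# required_groups USER: print the groups Table 1 requires for USER on the
# runtime system, space separated; prints nothing for unknown users.
required_groups() {
    case "$1" in
        udb2adm1) echo "$DB_GROUP dnicusgr dnilpp" ;;
        db2fenc1) echo "$DB_GROUP dnilpp" ;;
        uwmqadm1) echo "mqm dnicusgr" ;;
        uwmbad1)  echo "dniadmin" ;;
        uwmba1)   echo "mqm mqbrkrs dnicusgr dnilpp $DNIvSGRP" ;;
        sa1|sa2|ua1|ua2) echo "dnilpp dnicusgr $DNIvYGRP $DNIvOGRP" ;;
        *)        echo "" ;;
    esac
}

# has_group GROUP "GROUP LIST": succeed if GROUP appears in the list.
has_group() {
    for hg in $2; do
        [ "$hg" = "$1" ] && return 0
    done
    return 1
}

# missing_groups USER "ACTUAL GROUPS": print required groups USER lacks.
missing_groups() {
    out=""
    for g in $(required_groups "$1"); do
        has_group "$g" "$2" || out="$out $g"
    done
    echo "${out# }"
}

# unexpected_privileged USER "ACTUAL GROUPS": print privileged groups that
# USER holds although Table 1 does not require them (least-privilege check).
unexpected_privileged() {
    out=""
    req=$(required_groups "$1")
    for g in mqm mqbrkrs dniadmin; do
        if has_group "$g" "$2" && ! has_group "$g" "$req"; then
            out="$out $g"
        fi
    done
    echo "${out# }"
}

# audit_user USER [ACTUAL GROUPS]: print a one-line verdict. When no list is
# given, the memberships are read from the running system with id -nG.
audit_user() {
    user="$1"
    if [ $# -ge 2 ]; then
        groups="$2"
    else
        groups=$(id -nG "$user" 2>/dev/null)
    fi
    m=$(missing_groups "$user" "$groups")
    x=$(unexpected_privileged "$user" "$groups")
    if [ -z "$m" ] && [ -z "$x" ]; then
        echo "$user: OK"
    else
        [ -n "$m" ] && echo "$user: missing groups: $m"
        [ -n "$x" ] && echo "$user: unexpected privileged groups: $x"
    fi
    return 0
}

# Constructed sample memberships in the form that id -nG prints them.
audit_user uwmba1   "uwmba1 mqm mqbrkrs dnicusgr dnilpp dnisgrp"   # OK
audit_user db2fenc1 "db2fenc1 dnilpp mqm"   # missing db2iadm1, unexpected mqm
audit_user sa1      "sa1 dnilpp"            # missing dnicusgr dniygrp dniogrp
```

Run it as `sh audit_groups.sh` on each runtime system after replacing the assumed group values with the site's own; a non-empty "missing groups" line means the user will fail at runtime, and a non-empty "unexpected privileged groups" line means a user holds IBM MQ, broker or dniadmin rights the table does not call for.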