Permissions in the RES_PERM database table

The RES_PERM table contains permissions. Each permission is specific to the type of resource to which it applies.

Permissions for resource type graphical user interface

The Operations and Administration Console (OAC) comprises many different pages whose access is restricted if security is enabled. The following table lists the pages by functional area and shows which values in the RES_PERM database table are used to define the appropriate resource and permissions.
Table 1. Valid OAC resources and permissions

| Functional page area | Resource name in the RESOURCE column | Possible values in the PERMISSIONS column |
|---|---|---|
| Alerts | all_alerts | view |
| Authorizations | security | view |
| Batches | batch | view |
| Calendar Entries | calendar_entry | create, edit, delete, view |
| Calendar Groups | calendar_group | create, edit, delete, view |
| Channels | channel | create, edit, delete, view |
| Classifications | classification | create, edit, delete, view |
| Configuration Values | value | create, edit, delete, view, val_cat |
| Database Query (Support) | dev-ibm | dev-ibm |
| Events | event | view |
| Event XML data | cbe_xml | view |
| Extended Value Entries | obj_value | view |
| Formats | format | create, edit, delete, view |
| Fragments | fragment | view |
| ISF data | isf | view |
| Mappers | mapper | create, edit, delete, view |
| Parties | involved_party | create, edit, delete, view |
| Payment Transactions | txn_payment | view |
| Physical Transmissions | transmission | view |
| Raw data | raw_data | view |
| Resolution Actions | resolution_action | view, execute |
| Schedule Entries | schedule_entry | create, edit, delete, view |
| Scheduler Tasks | scheduler_task | create, edit, delete, view |
| Securities Transactions | txn_securities | view |
| Services | service | create, edit, delete, view |
| Service Participants | service_participant | create, edit, delete, view |
| Transaction | transaction | view |

The following table shows the valid permission entries.
Table 2. Valid permissions

| Permission | Meaning |
|---|---|
| create | Allows creation |
| delete | Allows deletion |
| edit | Allows editing |
| execute | Allows execution |
| view | Allows viewing |
| val_cat | Restrict by value category. |

Permissions for resource type DATA_PARTY

Operational data within the Financial Transaction Manager (FTM) database can be assigned to an owner (related to a party table entry) to support restricted viewing of operational data. It is this mechanism that is used to enable FTM for multibank applications. For more information, see Multibanking.

The DATA_PARTY permission entries can be used to apply a fine-grained view of operational data:
DATA_PARTY
Authorizes users to view operational data that belongs to the party specified by RESOURCE.
DATA_PARTY_ALL
Authorizes users to view data that belongs to all parties. This value does not require a valid Party ID in its RESOURCE attribute.
DATA_PARTY_TREE
Authorizes users to view data that belongs to the party specified in RESOURCE, or of any party that descends from that party.
Note: If WebSphere® Application Server application security is enabled, FTM requires that all users that access the OAC have a valid set of DATA_PARTY permission entries. At a minimum, these permissions need to be a mapping to a DATA_PARTY_ALL entry, which allows a user to see all operational data.

However, if WebSphere Application Server application security is disabled, FTM requires that no DATA_PARTY permission entries exist in the database. This requirement means that enabling or disabling WebSphere Application Server security also requires changes to authorization data in the database. This behavior is deliberate and is intended to guard against accidental changes in the OAC security environment that allow users to view data they should not.
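
The following sketch is an added example, not FTM code. It resolves the set of parties that a user's DATA_PARTY entries cover and checks the enabled/disabled rule described above. The `(kind, resource)` entry shape, the `parent_of` party hierarchy, the user names and the party IDs are all constructed assumptions; the page does not say how entries are mapped to users.

```python
ALL = "*"  # constructed marker meaning "every party"

def visible_parties(entries, parent_of):
    """Party IDs a user may view, or ALL. entries: (kind, resource) pairs."""
    visible = set()
    for kind, resource in entries:
        if kind == "DATA_PARTY_ALL":
            return ALL  # no Party ID is needed in RESOURCE for this kind
        if kind not in ("DATA_PARTY", "DATA_PARTY_TREE"):
            raise ValueError(f"unknown DATA_PARTY entry kind: {kind}")
        visible.add(resource)  # both kinds cover the named party itself
        if kind == "DATA_PARTY_TREE":
            for party in parent_of:  # add parties whose ancestors include resource
                node, seen = party, set()
                while node is not None and node not in seen:  # 'seen' stops cycles
                    if node == resource:
                        visible.add(party)
                        break
                    seen.add(node)
                    node = parent_of.get(node)
    return visible

def check_consistency(security_enabled, oac_users, entries_by_user):
    """Findings where DATA_PARTY entries contradict the security setting."""
    findings = []
    if security_enabled:
        for user in sorted(oac_users):
            if not entries_by_user.get(user):
                findings.append(f"{user}: no DATA_PARTY entries while security is enabled")
    else:
        for user in sorted(entries_by_user):
            if entries_by_user[user]:
                findings.append(f"{user}: DATA_PARTY entries exist while security is disabled")
    return findings

# Constructed sample data (hypothetical party IDs and users)
PARENT_OF = {"BANK_A": None, "BRANCH_A1": "BANK_A",
             "DESK_A1X": "BRANCH_A1", "BANK_B": None}
ENTRIES = {
    "alice": [("DATA_PARTY_ALL", "")],
    "bob": [("DATA_PARTY_TREE", "BANK_A")],
    "carol": [("DATA_PARTY", "BANK_B")],
}

if __name__ == "__main__":
    for user, entries in ENTRIES.items():
        print(user, visible_parties(entries, PARENT_OF))
    print(check_consistency(True, {"alice", "bob", "carol", "dave"}, ENTRIES))
```

Running the consistency check before and after toggling application security shows which authorization rows must be added or removed as part of the same change.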

Permissions for resource type VAL_CAT

The VAL_CAT permission entries can be used to restrict a user's create, delete, view, or edit permissions to specific categories of configuration value entries. Use of these types of RES_PERM entries is enabled and disabled by a RES_PERM entry of resource type GUI for the configuration value resource with permission val_cat. An example is shown in the following table.

| Resource name in the TYPE column | Resource name in the RESOURCE column | Value in the PERMISSIONS column |
|---|---|---|
| GUI | value | val_cat |

When a VAL_CAT resource permission is defined, the resource must be set to the value category for which the permission is needed, and the permission must be set to create, delete, edit, or view as shown in the following table.

| Resource name in the TYPE column | Resource name in the RESOURCE column | Value in the PERMISSIONS column |
|---|---|---|
| VAL_CAT | value category | create, delete, edit, view |

Permissions for resource type RES_ACT

The RES_ACT permission entries can be used to restrict a user to run only specific resolution actions. Resolution actions can be made available to the user when an object is either in an alert state or in another state that the FSM model considers resolvable. Like other resources, user access to the resolution action pages can be controlled by GUI permission entries. An example is shown in the following table.

| Functional page area | Resource name in the RESOURCE column | Valid values in the PERMISSIONS column |
|---|---|---|
| Resolution Actions | resolution_action | view, execute |

A user who is mapped to a resolution_action execute permission is granted global execute permission on all resolution actions. However, a user who is mapped to only a resolution_action view permission can be granted execute permission to specific resolution actions. When a RES_ACT resource permission is defined, the resource must be set to the name of the FSM state that is associated with the resolution action, and the permission must be set to the name of the resolution action for which permission is to be granted. An example is shown in the following table.

| Resource name in column TYPE | Resource name in the RESOURCE column | Value in the PERMISSIONS column |
|---|---|---|
| RES_ACT | FSM object state | resolution action name |
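
The following added example (not FTM code) models the decision described above and flags rows worth a least-privilege review. It assumes one permission per `(TYPE, RESOURCE, PERMISSIONS)` row already resolved per user, and it treats RES_ACT rows without the resolution_action view permission as unusable, which is this example's interpretation; the user names, FSM state `S_InAlert` and action names are constructed.

```python
GLOBAL_EXEC = ("GUI", "resolution_action", "execute")
VIEW = ("GUI", "resolution_action", "view")

def can_execute(rows, fsm_state, action):
    """True if these rows allow running `action` on an object in `fsm_state`."""
    rows = set(rows)
    if GLOBAL_EXEC in rows:
        return True  # global execute covers every resolution action
    # Otherwise a specific RES_ACT row is needed: RESOURCE is the FSM state,
    # PERMISSIONS is the resolution action name.
    return VIEW in rows and ("RES_ACT", fsm_state, action) in rows

def review(rows_by_user):
    """Map each user to review notes; users with nothing to report are omitted."""
    findings = {}
    for user, rows in rows_by_user.items():
        rows = set(rows)
        res_act = [r for r in rows if r[0] == "RES_ACT"]
        notes = []
        if GLOBAL_EXEC in rows:
            notes.append("global execute on all resolution actions")
            if res_act:
                notes.append(f"{len(res_act)} RES_ACT row(s) redundant under global execute")
        elif res_act and VIEW not in rows:
            notes.append("RES_ACT rows without resolution_action view")
        if notes:
            findings[user] = notes
    return findings

# Constructed sample rows (hypothetical users, state and action names)
ROWS = {
    "ops_lead": [VIEW, GLOBAL_EXEC, ("RES_ACT", "S_InAlert", "Cancel")],
    "operator": [VIEW, ("RES_ACT", "S_InAlert", "Resubmit")],
    "auditor": [VIEW],
    "orphan": [("RES_ACT", "S_InAlert", "Cancel")],
}

if __name__ == "__main__":
    print(can_execute(ROWS["operator"], "S_InAlert", "Resubmit"))
    print(can_execute(ROWS["operator"], "S_InAlert", "Cancel"))
    for user, notes in review(ROWS).items():
        print(user, notes)
```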