The RES_PERM table contains permissions. Each permission is specific to the type of resource to which it
applies.
Permissions for resource type graphical user interface
The Operations and Administration Console (OAC) comprises many different pages whose access is restricted if security is enabled. The following table lists the pages by functional area and shows which values in the RES_PERM database table are used to define the appropriate resource and permissions.
Table 1. Valid OAC resources and permissions
Functional page area | Resource name in the RESOURCE column | Possible values in the PERMISSIONS column
Alerts | all_alerts | view
Authorizations | security | view
Batches | batch | view
Calendar Entries | calendar_entry | create, edit, delete, view
Calendar Groups | calendar_group | create, edit, delete, view
Channels | channel | create, edit, delete, view
Classifications | classification | create, edit, delete, view
Configuration Values | value | create, edit, delete, view, val_cat
Database Query (Support) | dev-ibm | dev-ibm
Events | event | view
Event XML data | cbe_xml | view
Extended Value Entries | obj_value | view
Formats | format | create, edit, delete, view
Fragments | fragment | view
ISF data | isf | view
Mappers | mapper | create, edit, delete, view
Parties | involved_party | create, edit, delete, view
Payment Transactions | txn_payment | view
Physical Transmissions | transmission | view
Raw data | raw_data | view
Resolution Actions | resolution_action | view, execute
Schedule Entries | schedule_entry | create, edit, delete, view
Scheduler Tasks | scheduler_task | create, edit, delete, view
Securities Transactions | txn_securities | view
Services | service | create, edit, delete, view
Service Participants | service_participant | create, edit, delete, view
Transaction | transaction | view
The following table shows the valid permission entries.
Table 2. Valid permissions
Permission | Meaning
create | Allows creation
delete | Allows deletion
edit | Allows editing
execute | Allows execution
view | Allows viewing
val_cat | Restrict by value category
Permissions for resource type DATA_PARTY
Operational data within the Financial Transaction Manager (FTM) database can be assigned to an owner (related to a party table entry) to support restricted viewing of operational data. This mechanism is what enables FTM for multibank applications. For more information, see Multibanking.
The DATA_PARTY permission entries can be used to apply a fine-grained view of operational data:
- DATA_PARTY: Authorizes users to view operational data that belongs to the party specified by RESOURCE.
- DATA_PARTY_ALL: Authorizes users to view data that belongs to all parties; this value does not require a valid Party ID in its RESOURCE attribute.
- DATA_PARTY_TREE: Authorizes users to view data that belongs to the party specified in RESOURCE, or to any party that descends from that party.
Note: If WebSphere® Application Server application security is enabled, FTM requires that all users who access the OAC have a valid set of DATA_PARTY permission entries. At a minimum, this can be a mapping to a DATA_PARTY_ALL entry, which allows a user to see all operational data.
However, if WebSphere Application Server application security is disabled, FTM requires that no DATA_PARTY permission entries exist in the database. This requirement means that enabling or disabling WebSphere Application Server security also requires changes to the authorization data in the database. This behavior is deliberate: it guards against accidental changes in the OAC security environment that would allow users to view data they should not.
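The three DATA_PARTY entry types and the enabled/disabled consistency rule above are easier to reason about as code. The following is an added example written for this page, not FTM's own authorization implementation: it keeps the TYPE and RESOURCE columns named on the page, omits PERMISSIONS because the page does not say what that column holds for these entry types, and adds an assumed `subject` field for the principal a row is mapped to (the real mapping column is not shown here). The party hierarchy, user names and Party IDs are constructed sample data.

```python
"""Illustrative model of the DATA_PARTY, DATA_PARTY_ALL and DATA_PARTY_TREE checks.

Example code written for this page, not FTM's own implementation. Rows keep
the TYPE and RESOURCE columns named on the page; the PERMISSIONS column is
omitted because the page does not state what it holds for these entry types.
The ``subject`` field and the party hierarchy are assumptions for the example.
"""
from typing import Dict, Iterable, List, NamedTuple, Optional

DATA_PARTY_TYPES = {"DATA_PARTY", "DATA_PARTY_ALL", "DATA_PARTY_TREE"}


class DataPartyPerm(NamedTuple):
    subject: str    # assumed: principal the row is mapped to
    type: str       # TYPE column: one of DATA_PARTY_TYPES
    resource: str   # RESOURCE column: Party ID, or "" for DATA_PARTY_ALL


# Constructed party hierarchy: child party -> parent party (None = root).
PARTY_PARENT: Dict[str, Optional[str]] = {
    "bank_group": None,
    "bank_a": "bank_group",
    "branch_a1": "bank_a",
    "bank_b": "bank_group",
}

# Constructed sample rows.
SAMPLE_ROWS = [
    DataPartyPerm("auditor", "DATA_PARTY_ALL", ""),
    DataPartyPerm("bank_a_ops", "DATA_PARTY_TREE", "bank_a"),
    DataPartyPerm("branch_clerk", "DATA_PARTY", "branch_a1"),
]


def is_same_or_descendant(party: str, ancestor: str,
                          parents: Dict[str, Optional[str]] = PARTY_PARENT) -> bool:
    """Walk up from `party`; True if `ancestor` is reached (the party itself counts)."""
    seen = set()
    current: Optional[str] = party
    while current is not None and current not in seen:   # `seen` guards against cycles in bad data
        if current == ancestor:
            return True
        seen.add(current)
        current = parents.get(current)
    return False


def can_view_party_data(rows: Iterable[DataPartyPerm], subject: str,
                        owner_party: str) -> bool:
    """Can `subject` view operational data owned by `owner_party`?"""
    for r in rows:
        if r.subject != subject:
            continue
        if r.type == "DATA_PARTY_ALL":
            return True
        if r.type == "DATA_PARTY" and r.resource == owner_party:
            return True
        if r.type == "DATA_PARTY_TREE" and is_same_or_descendant(owner_party, r.resource):
            return True
    return False


def data_party_consistency_problems(rows: Iterable[DataPartyPerm],
                                    oac_users: Iterable[str],
                                    app_security_enabled: bool) -> List[str]:
    """Check the enabled/disabled rule for DATA_PARTY entries.

    Security enabled: every OAC user needs at least one DATA_PARTY-type row.
    Security disabled: no DATA_PARTY-type rows may exist at all.
    Returns one message per violation (empty list means consistent).
    """
    rows = list(rows)
    problems: List[str] = []
    if app_security_enabled:
        for user in oac_users:
            if not any(r.subject == user and r.type in DATA_PARTY_TYPES for r in rows):
                problems.append(f"{user}: no DATA_PARTY permission entry")
    else:
        for r in rows:
            if r.type in DATA_PARTY_TYPES:
                problems.append(f"{r.subject}: {r.type} entry for '{r.resource}' "
                                "must be removed while application security is disabled")
    return problems


if __name__ == "__main__":
    users = ["auditor", "bank_a_ops", "branch_clerk", "new_hire"]
    print("bank_a_ops sees branch_a1:", can_view_party_data(SAMPLE_ROWS, "bank_a_ops", "branch_a1"))
    print("bank_a_ops sees bank_b:", can_view_party_data(SAMPLE_ROWS, "bank_a_ops", "bank_b"))
    for problem in data_party_consistency_problems(SAMPLE_ROWS, users, app_security_enabled=True):
        print("problem:", problem)
```

Running `data_party_consistency_problems` with the current list of OAC users before and after toggling WebSphere application security is the check that catches the mismatch the note warns about: a user with no DATA_PARTY row when security is on, or leftover rows when it is off.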
Permissions for resource type VAL_CAT
The VAL_CAT permission entries can be used to restrict a user to create, delete, view, or edit only specific categories of configuration value entries. Use of these types of RES_PERM entries is enabled and disabled by a RES_PERM entry of resource type GUI for the configuration value resource with permission val_cat. An example is shown in the following table.
Resource type in the TYPE column | Resource name in the RESOURCE column | Value in the PERMISSIONS column
GUI | value | val_cat
When a VAL_CAT resource permission is defined, the resource must be set to the value category for which the permission is needed, and the permission must be set to create, delete, edit, or view, as shown in the following table.
Resource type in the TYPE column | Resource name in the RESOURCE column | Value in the PERMISSIONS column
VAL_CAT | value category | create, delete, edit, view
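The interaction between the GUI permissions from Table 1 and the VAL_CAT entries above (the GUI val_cat row switches the category filter on; without it a GUI grant on the value resource covers every category) is shown in the following added example. It is written for this page and is not FTM's own code: it keeps the TYPE, RESOURCE and PERMISSIONS columns named on the page, adds an assumed `subject` field for the principal a row is mapped to, stores one permission value per row (an assumption), and uses constructed user and value-category names.

```python
"""Illustrative model of how GUI and VAL_CAT RES_PERM entries combine.

Example code written for this page, not FTM's own authorization
implementation. The TYPE, RESOURCE and PERMISSIONS columns are the ones named
on the page; ``subject`` (the principal a row is mapped to) and one permission
value per row are assumptions made for the example.
"""
from typing import Iterable, NamedTuple, Set


class ResPerm(NamedTuple):
    subject: str      # assumed: principal the row is mapped to
    type: str         # TYPE column, e.g. GUI or VAL_CAT
    resource: str     # RESOURCE column, e.g. "value" or a value category
    permission: str   # a single PERMISSIONS value (create, delete, edit, view, val_cat)


# Constructed sample rows; the category names "routing" and "limits" are made up.
SAMPLE_RES_PERM = [
    ResPerm("ops_user", "GUI", "value", "view"),
    ResPerm("ops_user", "GUI", "value", "edit"),
    ResPerm("ops_user", "GUI", "value", "val_cat"),    # switches on VAL_CAT filtering
    ResPerm("ops_user", "VAL_CAT", "routing", "view"),
    ResPerm("ops_user", "VAL_CAT", "routing", "edit"),
    ResPerm("ops_user", "VAL_CAT", "limits", "view"),
    ResPerm("admin_user", "GUI", "value", "view"),
    ResPerm("admin_user", "GUI", "value", "edit"),
    ResPerm("admin_user", "GUI", "value", "delete"),
    # admin_user has no val_cat row, so no category restriction applies.
]


def has_gui_permission(rows: Iterable[ResPerm], subject: str,
                       resource: str, permission: str) -> bool:
    """True if a GUI row grants `permission` on `resource` to `subject`."""
    return any(r.subject == subject and r.type == "GUI"
               and r.resource == resource and r.permission == permission
               for r in rows)


def can_access_config_value(rows: Iterable[ResPerm], subject: str,
                            permission: str, category: str) -> bool:
    """Decide a configuration-value action for one value category.

    1. The GUI permission on the "value" resource is always required.
    2. Without a GUI val_cat row the grant covers every category.
    3. With a GUI val_cat row, a VAL_CAT row for that category carrying the
       same permission is also required.
    """
    rows = list(rows)
    if not has_gui_permission(rows, subject, "value", permission):
        return False
    if not has_gui_permission(rows, subject, "value", "val_cat"):
        return True
    return any(r.subject == subject and r.type == "VAL_CAT"
               and r.resource == category and r.permission == permission
               for r in rows)


def unrestricted_subjects(rows: Iterable[ResPerm]) -> Set[str]:
    """Subjects that can edit or delete configuration values in every category.

    A review query: anyone listed here is not limited by VAL_CAT entries.
    """
    rows = list(rows)
    return {s for s in {r.subject for r in rows}
            if not has_gui_permission(rows, s, "value", "val_cat")
            and (has_gui_permission(rows, s, "value", "edit")
                 or has_gui_permission(rows, s, "value", "delete"))}


if __name__ == "__main__":
    for subj, perm, cat in [("ops_user", "edit", "routing"),
                            ("ops_user", "edit", "limits"),
                            ("admin_user", "delete", "limits")]:
        print(subj, perm, cat, can_access_config_value(SAMPLE_RES_PERM, subj, perm, cat))
    print("unrestricted:", sorted(unrestricted_subjects(SAMPLE_RES_PERM)))
```

Note that a VAL_CAT row on its own grants nothing: ops_user has no GUI delete row, so a VAL_CAT delete row would not let that user delete anything. Conversely, `unrestricted_subjects` lists the principals whose GUI edit or delete grant applies to all categories because the val_cat switch is absent.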
Permissions for resource type RES_ACT
The RES_ACT permission entries can be used to restrict a user to running only specific resolution actions. Resolution actions are the actions that can be made available to the user when an object is either in an alert state or in another state that the FSM model considers resolvable. As for other resources, user access to the resolution action pages can be controlled by GUI permission entries. An example is shown in the following table.
Functional page area | Resource name in the RESOURCE column | Valid values in the PERMISSIONS column
Resolution Actions | resolution_action | view, execute
A user who is mapped to a resolution_action execute permission is granted global execute permission on all resolution actions. However, a user who is mapped to only a resolution_action view permission can be granted execute permission on specific resolution actions. When a RES_ACT resource permission is defined, the resource must be set to the name of the FSM state that is associated with the resolution action, and the permission must be set to the name of the resolution action for which permission is to be granted. An example is shown in the following table.
Resource type in the TYPE column | Resource name in the RESOURCE column | Value in the PERMISSIONS column
RES_ACT | FSM object state | resolution action name
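The precedence described above (a GUI execute grant is global; a GUI view grant plus RES_ACT rows keyed by FSM state and action name grants execute selectively) is shown in the following added example. It is written for this page and is not FTM's own code: it keeps the TYPE, RESOURCE and PERMISSIONS columns named on the page, adds an assumed `subject` field for the mapped principal, treats the GUI view permission as the prerequisite for reaching the resolution action pages at all (an assumption, since the page only says view users "can be granted" specific execute rights), and uses constructed FSM state and action names.

```python
"""Illustrative model of resolution-action authorization (GUI vs RES_ACT rows).

Example code written for this page, not FTM's own implementation. Rows keep
the TYPE, RESOURCE and PERMISSIONS columns named on the page plus an assumed
``subject`` field. FSM state and action names below are constructed.
"""
from typing import Iterable, List, NamedTuple, Set


class ResPerm(NamedTuple):
    subject: str     # assumed: principal the row is mapped to
    type: str        # TYPE column: GUI or RES_ACT
    resource: str    # GUI rows: "resolution_action"; RES_ACT rows: FSM object state
    permission: str  # GUI rows: view or execute; RES_ACT rows: resolution action name


# Constructed sample rows.
SAMPLE_RES_PERM = [
    ResPerm("resolver_global", "GUI", "resolution_action", "view"),
    ResPerm("resolver_global", "GUI", "resolution_action", "execute"),
    ResPerm("resolver_limited", "GUI", "resolution_action", "view"),
    ResPerm("resolver_limited", "RES_ACT", "payment_rejected", "retry_payment"),
    ResPerm("resolver_limited", "RES_ACT", "payment_rejected", "cancel_payment"),
    ResPerm("viewer", "GUI", "resolution_action", "view"),
]


def can_execute_resolution_action(rows: Iterable[ResPerm], subject: str,
                                  fsm_state: str, action: str) -> bool:
    """Decide whether `subject` may run `action` on an object in `fsm_state`."""
    mine = [r for r in rows if r.subject == subject]
    gui = {r.permission for r in mine
           if r.type == "GUI" and r.resource == "resolution_action"}
    if "execute" in gui:
        return True      # global execute covers every resolution action
    if "view" not in gui:
        return False     # assumption: without view the pages are not reachable
    # Selective grant: RES_ACT row whose RESOURCE is the FSM state and whose
    # PERMISSIONS value is the action name.
    return any(r.type == "RES_ACT" and r.resource == fsm_state and r.permission == action
               for r in mine)


def allowed_actions(rows: Iterable[ResPerm], subject: str, fsm_state: str,
                    available_actions: Iterable[str]) -> List[str]:
    """Filter the actions the FSM model offers in `fsm_state` down to those the user may run."""
    rows = list(rows)
    return [a for a in available_actions
            if can_execute_resolution_action(rows, subject, fsm_state, a)]


def global_executors(rows: Iterable[ResPerm]) -> Set[str]:
    """Subjects holding the global resolution_action execute grant (worth reviewing first)."""
    return {r.subject for r in rows
            if r.type == "GUI" and r.resource == "resolution_action" and r.permission == "execute"}


if __name__ == "__main__":
    offered = ["retry_payment", "cancel_payment", "write_off"]
    for subj in ("resolver_global", "resolver_limited", "viewer"):
        print(subj, allowed_actions(SAMPLE_RES_PERM, subj, "payment_rejected", offered))
    print("global executors:", sorted(global_executors(SAMPLE_RES_PERM)))
```

Because RES_ACT rows are keyed by FSM state, the same action name in a different state is not covered by an existing grant; `allowed_actions` makes that visible per state, and `global_executors` lists the principals for whom the per-state rows are irrelevant.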