disableSwiftNetUser
Purpose
Use this command to permanently remove a user certificate from the SWIFT directory, because the user no longer needs access. You cannot recover or recertify a disabled user.
The authoriser DN you specify for this command must have one of the following SWIFT roles:
- CertificateAdministration
  Issue the command without a four-eyes token. The command is processed.
- CertificateAdministration4eyes
  Issue the command without a four-eyes token. The command returns a four-eyes token. Another user with a similar role must then reissue this command with that four-eyes token.
Note: This command can take a few minutes to process. To ensure that you receive the result, use the .set command to set the timeout interval to a higher value. For example, to set the timeout interval to 300 seconds (=300 000 milliseconds), enter:
INST1.DNFSYSOU.DNFSAGCFG>.set -to 300000
For more information about setting the timeout interval, see Setting environment variables for the CLI.
Format
Parameters
- -sag sag
  Name of the SAG.
- -ou ou
  Name of the business OU defined for FTM SWIFT. FTM SWIFT checks if the user who invokes the command is authorized to use the distinguished names (DN) specified in this command, for example, if the FTM SWIFT user is authorized to act on behalf of the specified DNs. The user must have the role DnfDNSec. The -ou parameter is only used by FTM SWIFT for access checking and is not attached to the command sent to SWIFTNet (see Configuring DNs and access to them).
- -user user
  User ID.
- -foureyestoken token
  Specify the four-eyes token that was returned after another user with the SWIFTNet role CertificateAdministration4eyes entered this command.
- -authDn authoriserDN
  Distinguished name (DN) of the authoriser of this command. FTM SWIFT attaches the DN to the command and sends it to the SIPN. The SIPN checks if the DN is authorized to invoke this command. The specified DN must be certified and have the necessary roles assigned. You can use the DN of your local SWIFT security officer. See Configuring DNs and access to them.
- -reqDn requestorDN
  Distinguished name (DN) of the requestor of this command. FTM SWIFT attaches the DN to the command to specify the sender of the command and sends it to the SIPN. You can use the DN of your local SWIFT security officer. See Configuring DNs and access to them.
- -signDn signerDN
  Distinguished name (DN) of the signer of this command. FTM SWIFT attaches the DN to the command and sends it to the SIPN. The SIPN uses this DN for auditing purposes. The specified DN must be certified. You can use the DN of your local SWIFT security officer. See Configuring DNs and access to them.
Examples
The following command, entered on a single line, disables the SWIFTNet user john-smith and removes his certificate from the SAG SAG1:
INST1.DNFSYSOU.DNFSAGCFG>disnu -sag SAG1
-ou BANKA
-user cn=john-smith,o=xxxxdeff,o=swift
-foureyestoken AB-CD
-authDn cn=ia-authoriser,o=xxxxdeff,o=swift
-reqDn cn=ia-requestor,o=xxxxdeff,o=swift
-signDn cn=ia-signer,o=xxxxdeff,o=swift
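
The four-eyes sequence described under Purpose can be prepared and checked before anything is typed into the CLI. The following Python sketch is an added example, not part of the product or its documentation: it builds the first command (no token) and the reissued command (with the returned token) from the parameters listed above. The names DisableRequest and second_approval, the DN shape check, the rule that the second authoriser DN must differ from the first, and the second authoriser DN itself are assumptions of this example.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# DN shape taken from the page's example (cn=...,o=...,o=swift); this check
# is an assumption of the sketch, not a SWIFT or FTM SWIFT validation rule.
DN_RE = re.compile(r"^(?:[a-z]+=[^,=\s]+,)+o=swift$", re.IGNORECASE)

@dataclass(frozen=True)
class DisableRequest:  # hypothetical helper type
    sag: str
    ou: str
    user: str
    auth_dn: str
    req_dn: str
    sign_dn: str
    token: Optional[str] = None

    def command(self) -> str:
        """Return the single-line disnu command, using only flags from the page."""
        for dn in (self.auth_dn, self.req_dn, self.sign_dn):
            if not DN_RE.match(dn):
                raise ValueError(f"not a well-formed DN: {dn!r}")
        parts = ["disnu", "-sag", self.sag, "-ou", self.ou, "-user", self.user]
        if self.token:
            parts += ["-foureyestoken", self.token]
        parts += ["-authDn", self.auth_dn, "-reqDn", self.req_dn,
                  "-signDn", self.sign_dn]
        return " ".join(parts)

def second_approval(first: DisableRequest, token: str, auth_dn: str) -> DisableRequest:
    """Build the reissued command for the second CertificateAdministration4eyes holder."""
    if first.token is not None:
        raise ValueError("the first request is issued without a four-eyes token")
    if not token:
        raise ValueError("the token returned by the first request is required")
    if auth_dn.lower() == first.auth_dn.lower():
        raise ValueError("the second authoriser must be a different DN")
    # Same SAG, OU and target user: only the token and the authoriser change.
    return replace(first, token=token, auth_dn=auth_dn)

if __name__ == "__main__":
    # Values from the page's example; the second authoriser DN is constructed.
    first = DisableRequest("SAG1", "BANKA", "cn=john-smith,o=xxxxdeff,o=swift",
                           "cn=ia-authoriser,o=xxxxdeff,o=swift",
                           "cn=ia-requestor,o=xxxxdeff,o=swift",
                           "cn=ia-signer,o=xxxxdeff,o=swift")
    print(first.command())
    print(second_approval(first, "AB-CD",
                          "cn=ia-authoriser2,o=xxxxdeff,o=swift").command())
```

Because a disabled user cannot be recovered or recertified, keeping both generated command lines with the change record gives reviewers the exact target and authoriser DNs that were approved.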