System administration concepts

System administration consists of the tasks needed to set up an FTM SWIFT system after the resource files that resulted from customization definition were deployed to the runtime systems. System administration tasks fall into one of the following categories:
Configuration administration
This entails creating and maintaining the entities within FTM SWIFT that correspond to the resources used by your applications, that is, configuration object types (CTs) and their attributes, organizational units (OUs), configuration objects (COs) and their attribute values, and configuration object sets (COSs). Such entities are called configuration-related entities.
A configuration administrator determines which resources are available within an instance, and the attributes of these resources. A configuration administrator does this by:
  • Defining CTs and the attributes that COs that are based on these CTs can have
  • Defining COSs
  • Adding COs to and removing COs from OUs
  • Specifying or modifying the values of CO attributes
The scope of a configuration administrator can be either an entire instance or a specific OU:
  • A system configuration administrator (SA) can administer all the CTs, OUs, COs, and COSs of an instance. An SA has the role DniSA assigned to their user ID for SYSOU.
  • An OU configuration administrator (OSA) can administer certain COs of a particular OU. Which COs an OSA can administer is determined by roles assigned to them by a UA or OUA. An OSA has, assigned to their user ID for a particular business OU, a role containing at least one CT that corresponds to a command. An OSA can issue only those commands for which they have a role that contains the corresponding CTs.
Security administration
This entails creating and maintaining the entities that FTM SWIFT uses to control access to physical resources, that is, roles, role assignments, role groups, role group assignments, and users. Such entities are called security-related entities.
A security administrator controls access to resources by managing the assignment of roles and role groups to user IDs. A security administrator can also create new roles and role groups. The scope of a security administrator can be either system wide or OU specific:
  • A system security administrator (UA) has the role DniUA assigned for SYSOU. A UA can:
    • Create a new system security administrator (UA) by assigning the security administrator role (DniUA) to a user for SYSOU
    • Create an OU security administrator (OUA) by assigning the security administrator role (DniUA) to a user for the corresponding business OU
    • Create a new SA by assigning the system configuration administrator role (DniSA) to a user for SYSOU
    • Assign any role to a user for SYSOU
    • Assign any role group to a user for SYSOU
    • Revoke any of the aforementioned assignments by removing the corresponding role-OU pair or role group-OU pair from a user
    A UA cannot administer users for an OU other than SYSOU, unless the UA was explicitly granted the authority to do so by an OU security administrator (OUA).
  • An OU security administrator (OUA) has the role DniUA assigned to their user ID for a particular business OU. An OUA can assign a role or role group to (or remove a role or role group from) any user for the OU.

For example, if a UA wants to see users of all OUs in the FTM SWIFT system, this administrator needs to ask each OUA for access. The OUA can provide this access by assigning a new role. This role, perhaps called "displayer", would allow the user to display all users of a particular OU. Each OUA would need to complete this step.
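The scoping rules above can be checked with a small model. The following Python sketch is an added example, not FTM SWIFT code or its command interface: it treats every assignment as a role-OU pair on a user. The class and function names, the user IDs, and the OU names OU_A and OU_B are constructed, and it assumes that holding DniUA for an OU includes displaying that OU's users.

```python
# Constructed model of the role-OU scoping described above; not FTM SWIFT code.
SYSOU, UA_ROLE, SA_ROLE = "SYSOU", "DniUA", "DniSA"   # names from the page
DISPLAYER = "displayer"   # hypothetical role name from the page's example


class Assignments:
    """Role-OU pairs per user, changed only through scope-checked calls."""

    def __init__(self, first_ua):
        # Assumption: one UA exists after installation.
        self.pairs = {first_ua: {(UA_ROLE, SYSOU)}}   # user -> {(role, ou)}

    def holds(self, user, role, ou):
        return (role, ou) in self.pairs.get(user, set())

    def may_assign(self, actor, role, ou):
        # An administrator holding DniUA for an OU manages assignments there.
        if self.holds(actor, UA_ROLE, ou):
            return True
        # A UA may additionally create an OUA: DniUA for a business OU.
        return role == UA_ROLE and self.holds(actor, UA_ROLE, SYSOU)

    def assign(self, actor, user, role, ou):
        if not self.may_assign(actor, role, ou):
            raise PermissionError(f"{actor} may not assign {role} for {ou}")
        self.pairs.setdefault(user, set()).add((role, ou))

    def revoke(self, actor, user, role, ou):
        # Revoking removes the role-OU pair, under the same scope check.
        if not self.may_assign(actor, role, ou):
            raise PermissionError(f"{actor} may not revoke {role} for {ou}")
        self.pairs.get(user, set()).discard((role, ou))

    def can_display_users(self, actor, ou):
        # Assumption: DniUA for an OU implies seeing that OU's users.
        return self.holds(actor, UA_ROLE, ou) or self.holds(actor, DISPLAYER, ou)

    def visibility_gaps(self, actor, ous):
        """OUs whose users `actor` cannot display yet."""
        return sorted(ou for ou in ous if not self.can_display_users(actor, ou))


def demo():
    a = Assignments("ua1")
    a.assign("ua1", "oua_a", UA_ROLE, "OU_A")      # UA creates an OUA
    a.assign("ua1", "oua_b", UA_ROLE, "OU_B")
    before = a.visibility_gaps("ua1", [SYSOU, "OU_A", "OU_B"])
    a.assign("oua_a", "ua1", DISPLAYER, "OU_A")    # only OU_A's OUA has acted
    return before, a.visibility_gaps("ua1", [SYSOU, "OU_A", "OU_B"])
```

In this model the UA can create both OUAs but still sees no business OU users until each OUA assigns the displayer role for its own OU.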