Users not involved in installation, customization, and configuration

The users described here use, operate, and administer FTM SWIFT after it was installed, customized, and configured.

Table 1. Users not involved in installation, customization, or configuration
User Description Authorization
Accounting administrator This user employs the accounting administration service to administer (for example, list and delete) accounting data. This user requires the role DniAccAdmin for the OU to which the data applies.
Application programmer This user creates and maintains application programs that use FTM SWIFT services. (none)
ASP administrator This user administers application service profile (ASP) data. This user requires the role DnfAspAdmin for the OU to which the RM data applies.
Auditor This user views or queries audit data on behalf of a business OU. This user requires:
  • For message audit data, authorization to select data from the message audit table. For example, to grant this right to user3 when the owner of the underlying table is udb2adm1 and the name of the business OU is BANKA, the database administrator enters the following command:
    GRANT SELECT ON UDB2ADM1.DNI_A_MSG_BANKA
      TO USER3
  • For user audit data, authorization to select the data of certain audit views and table. For example, to grant this right to user4 when the owner of the underlying views and table is udb2adm1 and the name of the business OU is BANKA, the database administrator enters the following commands:
    GRANT SELECT ON UDB2ADM1.DNI_A_USR_BANKA
      TO USER4
    GRANT SELECT ON UDB2ADM1.DNI_VW_OU_BANKA
      TO USER4
    GRANT SELECT ON UDB2ADM1.DNI_VW_URO_BANKA
      TO USER4
    GRANT SELECT ON UDB2ADM1.DNI_VW_URG_BANKA
      TO USER4
Data integrity administrator This user administers the data integrity framework, that is:
  • Creates the required vault by issuing the vault utility command create as described in step 2.a in Activating the data integrity framework
  • Initializes the data integrity framework by issuing the data integrity checker command init
  • Changes the framework's password by issuing the data integrity checker command changepw
On the runtime system on which the database is located, this user requires:
  • Membership in user group dnilpp
  • Membership in user group specified by placeholder DNIvDAGRP
  • Write permission for the directory that is specified by parameter -dir when issuing the vault utility command create
  • Write permission for the vault that is specified by parameter -keystore when issuing the data integrity checker command init
Data integrity operator This user builds and repairs the data integrity control information by issuing the data integrity checker command build. This user can also run the data integrity checker command check. On the runtime system on which the database is located, this user requires:
  • Membership in user group dnilpp
  • Membership in user group specified by placeholder DNIvDBGRP
  • Read permission for the vault that was specified by parameter -keystore when the data integrity administrator issued the init command
Data integrity validator This user checks the FTM SWIFT database tables for integrity by issuing the data integrity checker command check. On the runtime system on which the database is located, this user requires:
  • Membership in user group dnilpp
  • Membership in user group specified by placeholder DNIvDCGRP
  • Read permission for the vault that was specified by parameter -keystore when the data integrity administrator issued the init command
Data integrity disposer This user disposes of manipulated FTM SWIFT database entries by issuing the data integrity checker command dispose. On the runtime system on which the database is located, this user requires:
  • Membership in user group dnilpp
  • Membership in user group specified by placeholder DNIvDDGRP
  • Read permission for the vault that was specified by parameter -keystore when the data integrity administrator issued the init command
Event administrator This user employs the event service to administer (for example, to list or delete) events. This user requires the role DniEventAdmin for the OU to which the events apply.
FMT FIN remote sender This user employs the FMT FIN service to send FIN messages from a remote instance. This user requires the role DnfFmtFinRemoteSender for the OU for which the FMT service runs. The receiving instance must assign this role to a user with a user ID that is identical to the user ID of the started task of the sending broker.
FMT FIN sender This user employs the FMT FIN service to send FIN messages from a local instance. This user requires the role DnfFmtFinSender for the OU for which the FMT service runs.
FMT operator This user operates the FMT FIN service. For more information, refer to Operating FMT FIN processing. This user requires the role DnfFmtOperator for the OU for which the FMT service runs.
Management information system (MIS) user This user analyzes the contents of the FTM SWIFT Message Warehouse and message audit on behalf of a business OU.
This user requires the right to select data in the message warehouse and message audit tables. For example, to grant this right to user2 when the owner of the underlying table is udb2adm1 and the name of the business OU is BANKA, the database administrator enters the following commands:
GRANT SELECT ON UDB2ADM1.DNI_MWH_BANKA
  TO USER2
GRANT SELECT ON UDB2ADM1.DNI_A_MSG_BANKA
  TO USER2
MER message administrator This user employs the MER Facility to administer (for example, view, delete, move, unlock, redirect, and retry routing of) messages, and to monitor redirect and backout queues. This user requires the role DnqERMsgAdmin (or an equivalent role) for the OU for which the MER Facility runs.
MER message editor This user employs the MER Facility to edit (for example, create, edit, authorize, retype, and view the history of) messages. This user requires the role DnqERMsgEditor (or an equivalent role) for the OU for which the MER Facility runs.
MER queue administrator This user employs the MER message administration utility to dispose of outdated messages in MER queues. This user requires:
  • For the file system, permission to write to:
    • The log directory and to any existing log files to which output is to be appended
    • The trace directory
  • For the runtime database:
    • CONNECT privilege for the runtime database
    • SELECT privilege for the table DNQE_MESSAGES
    • DELETE privilege for the tables DNQE_MESSAGES, DNQE_ME_DNIFIN, DNQE_ME_DNIFUNDS, DNQE_ME_DNIENI, and DNQE_MSGDESC
    • SELECT and UPDATE privileges for the view DNIV_MWH_ou for each OU for which the message warehouse is to be updated
  • In IBM® MQ, put access to queue instance.ou.DNI_R_EVENT.
MER template administrator This user employs the MER Facility to create and maintain MER message templates. This user requires the role DnqERTemplateAdmin (or an equivalent role) for the OU for which the MER Facility runs.
Message print administrator This user can do everything that a message print operator can do, plus start and stop print queues, restart print processing after it stops due to an error, and delete messages or orders from a print queue. This user requires the role DnqPrintAdmin for the OU for which the Message Print Service runs.
Message print operator This user can display print queue status, confirm and release print orders, and resubmit failed print orders. This user requires the role DnqPrintOp for the OU for which the Message Print Service runs.
Monitor This user registers and deregisters subscriptions to receive events. This user requires the role DniMonitor.
MSIF administrator This user administers the MSIF transfer service, that is, lists, cancels, and recovers MSIF scenarios, and deletes information for a particular finished scenario from the MSIF database tables. This user requires the role DnfEfaAdministrator for the OU for which the MSIF service runs.
MSIF operator This user operates the MSIF transfer service, that is, starts, stops, and queries the MSIF transfer service for a particular OU, restarts the MSIF transfer service after it stops due to an error, and deletes obsolete information from the MSIF database tables. This user requires the role DnfEfaOperator for the OU for which the MSIF service runs.
MSIF SWIFT administrator This user creates and deletes SnF input or output channels. This user requires the role DnfEfaSwiftAdministrator for the OU for which the MSIF service runs.
MSIF SWIFT operator This user operates SnF channel sessions and subscribes to FileAct-related events from all SAGs. This user requires the role DnfEfaSwiftOperator for the OU for which the MSIF service runs.
MSIF user This user employs the MSIF transfer service to send and receive business messages, to send and download files, and to provide files for counterparts to download. See Configuring the MSIF services for more information. This user requires the role DnfEfaApplication for the OU for which the MSIF service runs.
Reference data administrator This user employs the reference data utility to load and maintain reference data, for example, BIC codes, currency codes, and country codes. This user requires:
  • Membership in the group specified for the placeholder DNIvRGRP
  • Membership in group dnilpp
Relationship administrator This user exports, imports, and queries RM data, deletes stale RMA authorisations, and breaks user locks on authorisations. This user requires the role DnfRmAdmin for the OU to which the RM data applies.
Relationship manager This user works with RMA authorisations and conversations, that is, views, creates, accepts, changes, and resends RMA authorisations, and processes and deletes RMA queries. This user requires the role DnfRmRelMgr for the OU to which the RM data applies.
Relationship approver This user approves the actions of a relationship manager. This user requires the role DnfRmApprover for the OU to which the RM data applies.
SAG administrator This user employs the SAG configuration service to administer SAGs. See Administering and operating components, sessions, and services for more information. This user requires the role SagAdmin for DNFSYSOU.
This user also requires the role DnfDNSec for a business OU in order to issue the following SNL configuration commands for that OU:
  • addMessagePartner
  • updateMessagePartner
SAG configuration administrator This user employs the SAG configuration service to approve and deploy SAG configuration data. See Approving and deploying SAG configuration data for more information. This user requires the role SagCfgAdmin for DNFSYSOU.
This user also requires the role DnfDNSec for a business OU in order to issue the following SNL configuration commands for that OU:
  • disableSwiftNetUser
  • grantRole
  • listRoles
  • listSwiftNetUser
  • registerSwiftNetUser
  • revokeSwiftNetUser
  • setupUserForCert
  • setupUserForRecovery
  • ungrantRole
SAG configuration PKI administrator This user employs the SAG configuration service to configure SWIFTNet user and security information. See Managing SWIFTNet users and SWIFTNet security for more information. This user requires the role SagCfgPKIAdmin for DNFSYSOU.
SAG operator This user employs the SAG operation service to operate SAGs. See Administering and operating components, sessions, and services for more information. This user requires the role SagOperator for DNFSYSOU.
SDF operator This user employs the SDF to import or export messages from and into files or data sets. This user requires:
  • The role DnqSdf
  • Membership in group dnilpp
  • Membership in the group specified by the placeholder DNIvYGRP
  • Membership in the group specified by the placeholder DNIvOGRP
Software integrity administrator This user supervises the integrity of the FTM SWIFT software by running the software integrity checker command. This user requires the following:
  • Membership in the following user group:
    • dniadmin if the command is issued on the customization system
    • dnilpp if the command is issued on the installation or runtime system
  • Read permission on the file system(s) to be checked (specified by parameter -check)
  • The following IBM MQ permissions if event option parameters are specified:
    • Permission to connect to the queue manager specified by parameter -qmgr
    • Put permission for alias queue instance.SYSOU.DNI_R_EVENT (where instance is the instance specified by the instance parameter)
SWIFTNet FIN operator This user issues SIPN FIN LT operation commands. See Administering and operating components, sessions, and services and Monitoring resources for more information. This user requires the role SWIFTNetFINOperator for the OU to which the LT sessions apply.
SWIFTNet FIN sender This user employs the SIPN FIN service to send FIN messages. See Configuring SIPN FIN services for more information. This user requires the role SWIFTNetFINSender for the OU to which the FIN messages apply.
System operator This user operates the controlled input node (CIN) of MSIF transfer, RM transfer, message printing, and RM import services. This user requires the role DniSystemOperator.
Verification administrator This user employs the signature verification service to reverify messages for which verification previously failed. This user requires the role DnfVerifAdmin for the OU to which the messages apply.
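
The GRANT examples in the Auditor and Management information system (MIS) user rows can be checked against the privileges the database has actually recorded. The following query is an added example, not part of the FTM SWIFT documentation; it assumes Db2 for Linux, UNIX, and Windows, where table and view privileges are listed in the catalog view SYSCAT.TABAUTH, and it reuses the sample names from Table 1 (owner UDB2ADM1, business OU BANKA, users USER2 to USER4).

```sql
-- Added example. Assumption: Db2 for Linux, UNIX, and Windows (SYSCAT.TABAUTH).
-- EXPECTED holds exactly the grants shown in the Auditor and MIS user rows.
WITH EXPECTED (GRANTEE, TABNAME) AS (
  VALUES ('USER3', 'DNI_A_MSG_BANKA'),   -- auditor, message audit data
         ('USER4', 'DNI_A_USR_BANKA'),   -- auditor, user audit data
         ('USER4', 'DNI_VW_OU_BANKA'),
         ('USER4', 'DNI_VW_URO_BANKA'),
         ('USER4', 'DNI_VW_URG_BANKA'),
         ('USER2', 'DNI_MWH_BANKA'),     -- MIS user, message warehouse
         ('USER2', 'DNI_A_MSG_BANKA')    -- MIS user, message audit data
)
SELECT A.GRANTEE,
       A.GRANTEETYPE,                    -- U = user, G = group, R = role
       A.TABNAME,
       CASE
         WHEN E.GRANTEE IS NULL     THEN 'GRANTEE NOT EXPECTED'
         WHEN A.SELECTAUTH = 'G'    THEN 'SELECT IS GRANTABLE'
         ELSE                            'MORE THAN SELECT'
       END AS FINDING
FROM SYSCAT.TABAUTH A
LEFT JOIN EXPECTED E
       ON E.GRANTEE = A.GRANTEE
      AND E.TABNAME = A.TABNAME
WHERE A.TABSCHEMA = 'UDB2ADM1'
  AND A.TABNAME IN ('DNI_A_MSG_BANKA', 'DNI_A_USR_BANKA', 'DNI_VW_OU_BANKA',
                    'DNI_VW_URO_BANKA', 'DNI_VW_URG_BANKA', 'DNI_MWH_BANKA')
  AND A.GRANTEE <> 'UDB2ADM1'            -- skip the owner of the objects
  AND (   E.GRANTEE IS NULL              -- holder that Table 1 does not name
       OR A.SELECTAUTH  = 'G'            -- can pass the read right on to others
       OR A.CONTROLAUTH <> 'N'           -- any privilege beyond read access
       OR A.ALTERAUTH   <> 'N'
       OR A.DELETEAUTH  <> 'N'
       OR A.INDEXAUTH   <> 'N'
       OR A.INSERTAUTH  <> 'N'
       OR A.REFAUTH     <> 'N'
       OR A.UPDATEAUTH  <> 'N')
ORDER BY A.TABNAME, A.GRANTEE;
```

Each row returned is a deviation from the read-only grants shown in Table 1; an empty result means only the expected users hold SELECT, without the right to grant it further. Privileges that a user holds indirectly through a group or role appear under that group or role name, so a PUBLIC or group grantee in the result deserves a closer look.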