In any financial environment, security of information is of paramount importance. Access to information must be made available in a carefully monitored manner. Controlling and maintaining these aspects also includes management of the people (or users) who will process this information on a day to day basis. Therefore, an efficient Security Management System is an important factor that will determine the strength and stability of a financial system.
This chapter takes you through the Security Maintenance features of the Oracle FLEXCUBE system. You will learn how to use the security features in the system to suit your requirements and customize them for your environment.
This chapter is intended for the following persons in your bank or AMC:
Person |
Operation |
Oracle FLEXCUBE Implementers |
To set up the initial start-up parameters in the individual client workstations. To set up security management parameters for the AMC or AMC branch. |
SMS Administrator for the Bank/ AMC |
To set the SMS AMC or AMC branch parameters. To identify the Branch level SMS Administrators. |
SMS Administrator for the Branch |
To create User and Role profiles for the branches of your AMC. Will also grant access to the various functions to the Users. |
A Oracle FLEXCUBE user |
Any user of Oracle FLEXCUBE whose activities are traced by the Security Management System. |
This chapter contains the following sections:
In Oracle FLEXCUBE, you can ensure security management at all levels in any kind of environment. This is due to a combination of the following features:
Simply translated, this means that a person within your environment can:
Before you operate the security management system of your Oracle FLEXCUBE installation, you must understand some important terms that you will encounter during the process.
Typically, at the time of installation, two users are created by default in the system database. These two users are the system administrators.
The system administrators subsequently create all users and user roles in the system, enabled by the logging in of the control clerks.
The system administrator user profiles would be typically created to enable the security managers in your bank or AMC, to log in to the system.
A function is any operation related to business maintenance or processing in the system. Most typically, each menu item appearing in the main menu could be thought of as a function. For a user, you can control access to different functions in the system.
Any functions related to the Fund Manager component can be thought of as back office functions, and any functions related to the Agency Branch could be thought of as front office components.
The functions are made available by the Oracle FLEXCUBE implementers, at the time of installation.
Each user who will use the system is given a unique profile in the database. This profile is known as a user profile.
The profile of a user contains the User ID, the password and the functions to which the user has access. A user can be assigned access to either back office (Fund Manager) functions, or front office (Agency Branch) functions, depending upon the tasks that the user must perform in your organization.
It is likely that users working in the same department at the same level of hierarchy need to have similar user profiles. In such cases, you can define a Role Profile, which includes access rights to the functions that are common to a group of users. A user can be linked to a Role Profile by which you give the user access rights to all the functions in the Role Profile.
A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.
This section contains the following topics:
You can define the maximum number of unsuccessful attempts after which a User ID should be disabled. When a User ID has been disabled, the system administrators can enable it. The password of a user can be made applicable only for a fixed period. This forces the user to change the password at regular intervals thus reducing security risks. Further, you can define passwords that could be commonly used by a user as Restrictive Passwords at the user, user role and bank level. A user cannot use any password that is listed as a Restrictive Password at any of these levels.
You can indicate the branches from where a user can operate. Click on the User Branch Restrictions button in the User Profile Definition screen to define the branches from where a user can operate.
For mutual fund account customers, you can indicate the branches of the AMC from where a user can operate. Click on the AMC button in the User Profile Definition screen to define the branches of the AMC from where a user can be allowed to operate.
In FCIS, you can view all details related to any unit holder (UH) account or CIF customer account at any point of time using the Consolidated Inquiry query. It is therefore necessary to ensure that users’ (agents) access is restricted only to data they require. This is possible by defining groups and mapping users to these groups so as to make certain the users view data pertaining only to the groups and agency branches they are mapped to.
Assume the following:
Agency Branches |
HK (Hong Kong), TA (Taiwan) and LUX (Luxembourg) |
Users |
PB, JC and JY |
Existing Groups in the agency branches |
IS (Intermediary Sales) & DS (Direct Sales) |
Let us consider the following examples to see the data available to a user, based on his group and agency branch mappings, when he queries a unit holder in the Consolidated Inquiry screen:
Case 1
Assume a user ‘PB’ is mapped to the agency branch ‘HK’ and the groups ‘DS’ and ‘IS’. In such a case, the user ‘PB’ is restricted to accessing details of only ‘DS’ and ‘IS’ unit holders maintained in the ‘HK’ agency branch (i.e. HK-DS and HK-IS). He cannot access unit holder details maintained in’ LUX’ or ‘TA’ agency branches.
Case 2
Assume a user ‘JC’ is mapped only to the agency branch TA and to the groups ‘IS’ and ‘DS’. He can access all details of unit holders belonging to the two groups (TA-DS and TA-IS). However, he cannot access unit holder details maintained in ‘LUX’ or ‘HK’ agency branches.
Case 3
Assume a user ‘JY’ is mapped to the agency branches ‘HK’ and ‘TA’ and to the groups ‘IS’ and ‘DS’. This user can access unit holder details for the two groups in both the agency branches (i.e. HK-IS, HK-DS, TA-IS, TA-DS). However, he cannot access unit holder details maintained in the ‘LUX’ agency branch.
In the case of a UH, the system assigns the group of the UH’s default intermediary agent as the group of the UH. Therefore, when a user queries a UH in the Consolidated Inquiry screen, information is made available only if:
For instance, if the default intermediary agent of a unit holder UH1 in the ‘HK’ agency branch is ‘CITI’ and ‘CITI’ belongs to the group ‘IS’, the user ‘PB’ (specified earlier) would have access to details regarding UH1.
But in both the following cases the user ‘PB’ would not be able to access the details for UH1:
The process of such data segregation (creating restrictions on data access for different users) is explained below:
An extensive log is kept of all the activities on the system. You can generate reports on the usage of the system anytime. These reports give details of unsuccessful attempts at accessing the system along with the nature of these attempts. It could be an unauthorized user attempting to use the system, an authorized user trying to run a function without proper access rights, etc.
This section contains the following topics:
To recall, a Role Profile includes access rights to the functions that are common to a group of users.
After you have a defined a Role Profile, you can link any user to it, thereby giving the linked user access rights to all the functions included in the Role Profile.
Role profiles are defined in the Role Definition screen. You can access the Role Definition screen by typing ‘SMDROLDF’ in the field at the top right corner of the Application tool bar and click the adjoining arrow.
Role Identification
Alphanumeric, Mandatory
Specify a unique identifier for the role profile.
Description
Alphanumeric, Mandatory
Key in some text that describes and qualifies the role profile, and is indicative of its characteristics.
Customer Specific
Optional
Check this box to indicate that the role profile has been set up for a specific customer of your AMC or AMC branch who might access the system from a remote terminal to inquire about their transactions or investor accounts.
Module
Optional
Select the default module for users linked to the role profile.
In this screen, you define a role profile as follows:
You can allow any of the following operations at record level for the role profile in any function:
To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box at the extreme right end of the row.
To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box at the extreme right end of the row.
By default, a Role Profile you define will be for the users who are employees of your AMC or AMC branch. You can indicate that the profile is for customers who might login from remote terminals to inquire on their transactions and balances.
Often, you may have to create a Role Profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.
Choose the Copy button from the row of buttons at the topmost row of the screen. A list of existing role profiles will be displayed. Click on the one you want to copy. All the details of the profile except the Role ID will be copied and displayed. Enter a unique Role ID. You can change any of the details of the profile before saving it.
If you have retrieved an existing role profile and you want to copy it to a new role profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the Role ID and Description for the new role profile.
You can invoke ‘Role Definition’ screen by typing ‘SMDROLDF’ in the field at the top right corner of the Application tool bar and click the adjoining arrow.
All the details of the existing profile are copied onto the new role profile. Again, you can change any of the details of the profile before saving it.
A Role Profile should be deleted only if there are no users linked to it. Thus, before deleting a role profile, you should modify each user profile attached to it and delete the link to the role.
To delete an existing role profile, retrieve the record of the role profile so that it is displayed in the main portion of the Role Definition screen. Then select the Delete button from the topmost row of buttons in the screen. If the role is linked to any user, a warning message will be displayed. This message will bring your attention to the fact that the user profile to which the role is linked will not be the same if the role profile is deleted.
You will be prompted to confirm the deletion. The Role Profile will be deleted only if you confirm the deletion.
Before you link any users to a role, a user other than the one that defined it must authorize it. To authorize a role profile,
When you have marked the required modifications for authorization, click the OK button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the Role Definition screen.
You can make changes to an authorized role profile as follows:
This section contains the following topics:
A User Profile defines the activities that a user can carry out on the system. It also contains the user ID, the name through which the user will access the system and the password.
You can invoke ‘User Admin’ screen by typing ‘SMDUSRDF’ in the field at the top right corner of the Application tool bar and click the adjoining arrow. The screen is displayed below:
Select 'New' from the Actions menu in the Application tool bar or click new icon to enter the details of the User Admin screen.
Specify the following basic information for the user profile, in the User Details section in this screen.
User Identification
Enter the unique identifier for the user, in the User Identification field. The minimum length of User Id must be six and the maximum number can be 12 characters.
External Identifier
Specify the External Identifier. External user is an alternative name for user id where two users can not have same External identifier.
Home Branch
The default branch that the user will login to the system from, in the Home Branch field
LDAP DN
The LDAP Details that have been maintained in the SSO screen have to be input here. Clicking on the ‘Validate’ button validates the LDAP details entered in the Single Sign On. The application will verify if only one user ID in FLEXCUBE Investor Service is mapped to the subject (DN) while authentication via SSO.
Name
The name of the user, in the Name field
Language
The default preferred language for the user, in the Language field
Classification
Select the classification of the user, that is, whether ‘Staff’, ‘Customer’ or ‘Auto End of Day’ from the options.
Select whether the user is a corporate modules user or an investment modules user.
Home Module
When you log into the system, you will be in the default module known as Home Module. Later you change the module according to your requirement.
Mandatory
The status of the user profile in the system is shown in this field. By default, every user profile is created as an enabled profile.
The status could be:
Status Changed On
Display Only
The most recent date on which the status of the user profile was changed is displayed here.
Time Level
Display Only
The most recent time at which the status of the user profile was changed is displayed here.
Last Signed On
Display Only
The most recent date on which the user logged in to the system is displayed here.
Password
Alphanumeric, Mandatory
Specify the password using which the user will log in to the system. The static data AUTO_GEN_PASS_REQ is provided. The defaulted value ‘Y’ indicates whether the auto generation of the password is required or not.
Note
If the application level parameter which indicates the auto generation of the password is required or not is set to Y (Yes), then this field will be disabled and the system will create a random password in accordance with the parameters maintained at the level of the bank. The new password will be send to the respective user via mail.
At the time of setting up the Oracle FLEXCUBE Investor Servicing, the number of repeated successive parameters allowed in a password will be indicated.
For example, if the number of repeated successive parameters allowed in a password has been set as ‘2’, then the user password can have a character repeating only twice. Suppose, if the number of repeated successive parameters has been specified as 2, a user password like AAA777 will be invalid. A valid password would be AA77.
Password Changed On
Display Only
The most recent date on which the password was changed is displayed here. When you are entering a new record, this field is blank and locked.
Optional
Specify a valid Email id at the time of user creation. All system generated passwords shall be communicated to the user via this mail id.
Start Date
Date format, Optional
Specify the date on and following which the password is valid.
End Date
Date Format, Optional
Specify the date up to which the password is valid.
Note
The System is also configured to disallow the use of a pre-set number of previous passwords. This pre-set number is assigned at the time of installation, as a system parameter; the number can be subsequently changed if required, by changing this system parameter.
Transaction Amount
Numeric, Mandatory
Specify the maximum amount value that the user can specify while entering a transaction request from an investor.
Auth Amount
Numeric, Mandatory
Specify the maximum amount value of an investor transaction that the user can authorize.
Override Amount
Numeric, Mandatory
Specify the maximum amount value that the user can override while entering a transaction request from an investor.
Auto Auth
Select one of the following from the drop-down to indicate if auto authorisation is required or not:
Amount Format
Enter the amount format.
Successive
Numeric, Optional
Specify the number of successive invalid login attempts (in a single session) after which the user ID will be disabled for this profile.
Cumulative
Numeric, Optional
Specify the number of successive invalid login attempts (spread across different sessions) after which the user ID will be disabled for this profile.
After you have entered these basic details, you can specify any of the following information for the user profile, depending upon the necessity.
Note
When authentication of credentials is unsuccessful due to an incorrect user ID, then the user id will not be logged in the audit logs. In case the user id is correct and the password is wrong, the attempt is logged in the audit log and the successive and cumulative failure count is incremented. When the user id and password are correct, this is logged into the audit logs.
You can classify a user as belonging to one of the following categories:
Staff |
A user of the system who is an employee of your bank or AMC. You can include any of the functions available in the system in the user profile. Ideally, you should not include functions that are part of End of Cycle or End of Day operations in the profile of a Staff user. |
Customer |
A customer who would want to log into the system from a remote terminal. You can include only those functions through which the customer can inquire into balances and transactions. |
AEOD |
A user at the bank or AMC who is responsible for running the automated End of Day operations. You can include any of the functions available in the system in the user profile. Ideally, you should include only functions that are part of End of Cycle operations in the profile of an AEOD user. |
You can indicate this through the Classification field in the User Profile Definition screen.
An external system can be used for level authentications. While logging into Oracle FLEXCUBE the authentication details are authenticated with the Oracle FLEXCUBE database and also with the external system database.
For instance, if the LDAP server is used level authentications, while logging into Oracle FLEXCUBE the authentication details are authenticated with the Oracle FLEXCUBE database and also with the LDAP database.
If LDAP is enabled for your installation, a user can log-in to FCIS using the ‘Alternate User ID’. However, the maker and checked IDs will display the FCIS user ID only.
Note
Alternate User Id is mandatory if your installation is LDAP enabled.
When you create a User Profile, it will be attached to the branch where it is created. This means that the user can execute the functions defined for the profile from this branch. For a user profile, you can indicate that the user can access other branches also. The kind of functions a user can perform in a branch other than the one where the user profile is created depends on the category of the user.
For mutual fund account customers, you can define a list of branches of the AMC from which the user would be allowed to operate. To define this list, click the AMC button in the User Profile Definition screen.
In each branch, you should create a user profile called the Guest. The functions defined for this branch will be applicable for a user of a different branch. Typically, this profile should have access to functions like inquiry into balances, etc. If this Guest profile is not created in a branch, a user not belonging to that branch will not be allowed to change branch to it.
The branch where the user profile is created is called the Home branch and the other branches are called Host branches.
For such a user, the functions defined for the user profile where the profile created (the Home branch) will be applicable in every branch (Host branch).
A user of this category can log on only to the branch where the profile is created.
Click ‘Roles’ button in the bottom of the ‘User Admin’ screen to attach the user profile you are defining to a role. The User Roles screen will be displayed.
You can attach a role to the user profile, to be operable at a specific branch. Select a branch from the Branch Code field option list. Then click the Role ID field option list in the same branch row, to select the required rule profile. Click the option list icon for a list of role profiles that have been defined. To pick up a role from that list, double click on the role when it is highlighted.
To view the functions associated with the selected role, click the View button in the View Functions field. The User Role Functions view screen is displayed, with all the functions associated with the role.
A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.
When you have selected the required roles, click the OK button to save your changes.
In addition to attaching a user profile to a role, you can give rights to individual functions. For a user profile to which no role is attached, you can give access to specific functions. If you have:
A user profile could be given access to either back office (Fund Manager) functions or front office (Agency Branch) functions, depending upon the tasks that the user has to perform within your organization.
The rights for Function IDs that figure in both the role and user specific functions will be applied as explained in the following example.
Click ‘Functions’ button in the bottom of the ‘User Admin’ screen to give access to functions for the user profile you are defining. The User Functions screen will be displayed.
The various functions in the system come under five categories. These categories and the icon in the User Functions screen that lets you define the rights for these categories are as follows:
Category |
Description |
Button Name |
Maintenance |
Functions relating to the setting up of investor accounts and brokers. |
Maintenance |
Transactions Input |
Functions relating to the entry of investor transactions. |
|
Batch |
Functions relating to the automated operations like End of Day Processes. |
Batch |
Reports |
Functions relating to the generation of reports in the various modules. |
Reports |
On-line |
Functions relating to contract processing. |
On-line |
When the functions in a selected menu are listed, select the row representing the function that you want to link to the user profile.
For each function, you can allow or disallow specific record-level operations. These operations are displayed as a horizontal list, alongside the Maintenance Functions label, with each operation spelled out vertically.
In the selected function row, check the box pertaining to each operation you want to allow for the user profile.
You can allow any of the following operations at record level for the user profile, in any function:
To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box to the left of the Function ID field.
To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box to the left of the Delete field.
For Staff and End of Day users, you can specify the branches from which they can operate. Click ‘Branches’ button in the bottom of the ‘User Admin’ screen to define the branches in which the user should be allowed to operate.
To prepare a list of branches from which the user is disallowed, choose the Disallowed option.
Then, using the arrows, move any required branch found in the Available box to the Disallowed box, and click ‘Ok’ button.
Similarly, to prepare a list of branches from which the user is allowed to operate, choose the Allowed option.
Then, using the arrows, move any required branch found in the Available box to the Allowed box, and click ‘Ok’ button.
You can maintain a list of passwords that the user is most likely to use. For example, a user may tend to use the names of loved ones, the AMC or AMC branch, department, etc. as a password as they are easy to remember. This might be a security risk as it will be easy for another person to guess a password. To prevent this, you can maintain a list of passwords that the user should not use. This list of restrictive passwords will be checked before a password is accepted when the user is changing passwords. If the password entered by the user is listed, it will not be accepted.
Click ‘Restricted Passwords’ button in the bottom of the ‘User Admin’ screen, left margin of the screen. The Restrictive Passwords screen is opened, where you can define a list of such passwords.
The user for whom you are defining the restrictive passwords cannot use restrictive passwords defined in the Role Profile screen.
You can restrict the user to operate only from certain AMCs, or certain branches of an AMC. To define such a restrictive list of AMCs or AMC branches, click ‘Module’ button in the ‘User Admin’ screen.The User AMC screen is opened.
To allow the user to operate the system from a certain AMC, select it in the Available box, and move it to the Allowed box using the arrows. When you have selected the required AMCs, click the OK button to save your changes.
You can define a list of functions that the user is not allowed to operate, out of the functions list already associated with the user profile. To define such a restrictive list of functions, click ‘Disallowed Functions’ button in the bottom of the ‘User Admin’ screen.
The User Function Disallowed screen is opened. All the functions that are associated with the user profile are listed in the Available box.
To disallow a function, select it in the Available box and move it to the Disallowed box using the arrows. After selecting and moving all required functions in such a manner, click OK to save your changes.
Other than the attributes you have defined for a user profile, such as the role association, function access rights, restrictive passwords and branch restrictions, you can define any of the following attributes. Click on the appropriate button in the group of buttons displayed in the left margin of the screen:
Often, you may have to create a user profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.
Choose the Copy button from the row of buttons at the topmost row of the screen. A list of existing user profiles will be displayed. Click on the one you want to copy. All the details of the profile except the User ID will be copied and displayed. Enter a unique User ID. You can change any of the details of the profile before saving it.
If you have retrieved an existing user profile and you want to copy it to a new user profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the User ID for the new user profile.
All the details of the existing profile are copied onto the new user profile. Again, you can change any of the details of the profile before saving it.
A user profile can be deleted only if the user is currently not logged on to the system.
To delete an existing user profile, retrieve the record of the user profile so that it is displayed in the main portion of the User Profile Definition screen. Then select the Delete button from the topmost row of buttons in the screen. If the user is logged in to the system, a warning message will be displayed and you cannot delete the profile.
If the user is not logged in, you will be prompted to confirm the deletion. The user profile will be deleted only if you confirm the deletion.
Before you link any users to a user, a user other than the one that defined it must authorize it.
To authorize a user profile,
When you have marked the required modifications for authorization, click the OK button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the User Definition screen.
You can make changes to an authorized user profile as follows:
Status Bar Information
In this section, the following details are displayed for any user profile record:
This section contains the following topics:
If a user exits the system abnormally, the administrative users can clear the logged in user profile so that the user can log in normally again. To clear a logged-in user in this manner, the Control Clerks need not login also.
To clear a user, log in to the system as an administrative user, and typing ‘SMDCLUSR’ in the field at the top right corner of the Application tool bar and click the adjoining arrow. The Clear Users screen is displayed.
To clear a user, you need to unlock and save after entering the above mentioned details.
This section contains the following topics:
Most of the information that you enter in to the system needs to be authorized to be effective. Except for the static information that you typically enter in to the system only once, all other information must be authorized. Authorization is required for all maintenance as well as transactional information in the system
When you enter information related to any of these events into the system, the record that is initially saved when you complete the data entry is retained in the system as unauthorized information, which must be subsequently authorized to become effective.
Usually, authorizing information in the system is an activity that follows a maker-checker concept, i.e., the user that enters the information must be necessarily different from the user that authorizes the information. Therefore, whereas one user group will have access to functions that involve entering information into the system, a different user group has access to the functions that involve information authorization, and there is no overlap of access privileges.
In some environments, the user that enters the information needs to be able to authorize it simultaneously. In such cases, the maker-checker concept leads to unnecessary delegation of activity, which is undesirable. This means that in such an environment, the user that enters the information must, on saving the entered record, be able to authorize the record. For such environments, the auto-authorization function is provided by the FC-IS system. When this function is used, the Save operation in any screen that involves data entry (apart from static information screens) will also invoke and perform the authorization for the records that have been entered.
It is possible to be selective about the business functions for which you need to use the auto-authorization feature. This means that you can enable the auto-authorization feature for the functions for which you require simultaneous authorization on saving the record, and you can keep it disabled for others, allowing them to go through the normal maker-checker process of authorization.
The following features comprise the auto-authorization facility in the system:
To allow the auto-authorization feature for a user group and a certain set of menu items, you must map the user groups to the menu items or the task for which auto-authorization is applicable, using the ‘Auto Auth Maintenance’ screen. You can access this screen by clicking Security Maintenance menu and selecting Auto Auth from the Browser.
You can use this screen to map user groups to the tasks for which auto-authorization is applicable. If the user administrator or the module administrator users do not maintain the setup for each of the user groups in this screen, the auto-authorization is not enabled for that user group.
When you open the Auto Auth Maintenance screen, the auto authorization features that have been enabled for the module and the group to which the logged in user belongs, are displayed.
You can invoke this screen by typing ‘SMDAUTAU’ in the field at the top right corner of the Application tool bar and click the adjoining arrow. The screen is displayed below:
Group ID
Mandatory
Select the Group ID from the option list.
Module ID
Mandatory
Select the Module ID from the option list.
Task Code
Mandatory
Select the Task Code from the option list.
New
Optional
You can select ‘Yes’ to indicate new.
Amend
Optional
You can select ‘Yes’ to amend.
Limit Currency
Optional
Select the limit currency from the option list.
Limit Amount
Optional
Enter the limit amount.
Restricted Transaction
To amend the displayed list, select ‘Unlock’ from the Actions menu in the Application toolbar or click unlock icon. The screen is displayed in Amend mode, where you can make your changes. The changes you make will apply to all users and roles in the Group ID to which the logged in user belongs, for the logged in Module.
You can make changes as follows:
When you have finished making your auto-authorization specifications for each user group in this screen, and saved your changes, the auto-authorization feature is enabled, and when the user invokes the Save operation in any of the applicable task screens, the entered records are saved as authorized records.
To enable auto authorization for a user group other than the logged in user group, click save icon in the Auto Auth Maintenance screen.
The system displays the message as “Are you sure you want to close the current record?”.
Click ‘Ok’ button. The auto authorization record of the logged in user group, which was on display, is closed, and the Auto Auth Maintenance screen is opened in New mode.
Select the user group for which you want to enable or disable the auto authorization rights, in the Group ID field. Select the corresponding module in the Module ID field, and click OK.
Subsequently, proceed to set up the auto authorization rights in the same manner as described above, for the amend operation.
The examples given below explain how auto authorization privileges could be granted, and how they are applied in the system:
After you have set up auto authorization for a user group, you must have another user authorize it so that it would be effective in the system.
Before the setup is authorized, you can edit its details as many times as necessary. You can also delete it before it is authorized.
After authorization, you can only make changes to any of the details through an amendment.
The Auto Auth Maintenance screen can be used for the following operations on auto authorization setups:
To perform these operations, click on the appropriate buttons in the horizontal array of buttons in the Auto Auth Maintenance screen.