3. Ensuring Security for Agency Branch

In any financial environment, security of information is of paramount importance. Access to information must be made available in a carefully monitored manner. Controlling and maintaining these aspects also includes management of the people (or users) who will process this information on a day to day basis. Therefore, an efficient Security Management System is an important factor that will determine the strength and stability of a financial system.

This chapter takes you through the Security Maintenance features of the Oracle FLEXCUBE system. You will learn how to use the security features in the system to suit your requirements and customize them for your environment.

This chapter is intended for the following persons in your bank or AMC:

| Person | Operation |
| --- | --- |
| Oracle FLEXCUBE Implementers | To set up the initial start-up parameters in the individual client workstations. To set up security management parameters for the AMC or AMC branch. |
| SMS Administrator for the Bank/AMC | To set the SMS AMC or AMC branch parameters. To identify the Branch level SMS Administrators. |
| SMS Administrator for the Branch | To create User and Role profiles for the branches of your AMC. Will also grant access to the various functions to the Users. |
| An Oracle FLEXCUBE user | Any user of Oracle FLEXCUBE whose activities are traced by the Security Management System. |

This chapter contains the following sections:

3.1 Security Management

In Oracle FLEXCUBE, you can ensure security management at all levels in any kind of environment. This is due to a combination of the following features:

Simply translated, this means that a person within your environment can:

3.2 Some Important Terms

Before you operate the security management system of your Oracle FLEXCUBE installation, you must understand some important terms that you will encounter during the process.

System Administrators

Typically, at the time of installation, two users are created by default in the system database. These two users are the system administrators.

The system administrators subsequently create all users and user roles in the system, enabled by the logging in of the control clerks.

The system administrator user profiles would be typically created to enable the security managers in your bank or AMC, to log in to the system.

Functions

A function is any operation related to business maintenance or processing in the system. Most typically, each menu item appearing in the main menu could be thought of as a function. For a user, you can control access to different functions in the system.

Any functions related to the Fund Manager component can be thought of as back office functions, and any functions related to the Agency Branch could be thought of as front office components.

The functions are made available by the Oracle FLEXCUBE implementers, at the time of installation.

User Profile

Each user who will use the system is given a unique profile in the database. This profile is known as a user profile.

The profile of a user contains the User ID, the password and the functions to which the user has access. A user can be assigned access to either back office (Fund Manager) functions, or front office (Agency Branch) functions, depending upon the tasks that the user must perform in your organization.

Roles

It is likely that users working in the same department at the same level of hierarchy need to have similar user profiles. In such cases, you can define a Role Profile, which includes access rights to the functions that are common to a group of users. A user can be linked to a Role Profile by which you give the user access rights to all the functions in the Role Profile.

A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.

3.3 Other Features of Security Management System

This section contains the following topics:

3.3.1 Restricted Number of Unsuccessful Attempts

You can define the maximum number of unsuccessful attempts after which a User ID should be disabled. When a User ID has been disabled, the system administrators can enable it. The password of a user can be made applicable only for a fixed period. This forces the user to change the password at regular intervals thus reducing security risks. Further, you can define passwords that could be commonly used by a user as Restrictive Passwords at the user, user role and bank level. A user cannot use any password that is listed as a Restrictive Password at any of these levels.

3.3.2 Restricted Access to Branches

You can indicate the branches from where a user can operate. Click on the User Branch Restrictions button in the User Profile Definition screen to define the branches from where a user can operate.

3.3.3 Restricted Access to AMC Branches

For mutual fund account customers, you can indicate the branches of the AMC from where a user can operate. Click on the AMC button in the User Profile Definition screen to define the branches of the AMC from where a user can be allowed to operate.

3.3.4 Restricted Access to Unit Holder Information

In FCIS, you can view all details related to any unit holder (UH) account or CIF customer account at any point of time using the Consolidated Inquiry query. It is therefore necessary to ensure that users’ (agents) access is restricted only to data they require. This is possible by defining groups and mapping users to these groups so as to make certain the users view data pertaining only to the groups and agency branches they are mapped to.

Assume the following:

Agency Branches: HK (Hong Kong), TA (Taiwan) and LUX (Luxembourg)

Users: PB, JC and JY

Existing Groups in the agency branches: IS (Intermediary Sales) & DS (Direct Sales)

Let us consider the following examples to see the data available to a user, based on his group and agency branch mappings, when he queries a unit holder in the Consolidated Inquiry screen:

Case 1

Assume a user ‘PB’ is mapped to the agency branch ‘HK’ and the groups ‘DS’ and ‘IS’. In such a case, the user ‘PB’ is restricted to accessing details of only ‘DS’ and ‘IS’ unit holders maintained in the ‘HK’ agency branch (i.e. HK-DS and HK-IS). He cannot access unit holder details maintained in ‘LUX’ or ‘TA’ agency branches.

Case 2

Assume a user ‘JC’ is mapped only to the agency branch TA and to the groups ‘IS’ and ‘DS’. He can access all details of unit holders belonging to the two groups (TA-DS and TA-IS). However, he cannot access unit holder details maintained in ‘LUX’ or ‘HK’ agency branches.

Case 3

Assume a user ‘JY’ is mapped to the agency branches ‘HK’ and ‘TA’ and to the groups ‘IS’ and ‘DS’. This user can access unit holder details for the two groups in both the agency branches (i.e. HK-IS, HK-DS, TA-IS, TA-DS). However, he cannot access unit holder details maintained in the ‘LUX’ agency branch.

In the case of a UH, the system assigns the group of the UH’s default intermediary agent as the group of the UH. Therefore, when a user queries a UH in the Consolidated Inquiry screen, information is made available only if:

For instance, if the default intermediary agent of a unit holder UH1 in the ‘HK’ agency branch is ‘CITI’ and ‘CITI’ belongs to the group ‘IS’, the user ‘PB’ (specified earlier) would have access to details regarding UH1.

But in both the following cases the user ‘PB’ would not be able to access the details for UH1:

The process of such data segregation (creating restrictions on data access for different users) is explained below:
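The access rule shown by Cases 1 to 3 and the UH1 instance above can be modelled as follows. This is an added sketch, not Oracle FLEXCUBE code and not the product's own setup procedure; the user mappings and CITI/UH1 come from the page, while AGENT_D1, AGENT_X, UH2 to UH4, the function names and the fail-closed handling of an agent without a group are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserMapping:
    branches: frozenset   # agency branches the user is mapped to
    groups: frozenset     # groups the user is mapped to


@dataclass(frozen=True)
class UnitHolder:
    uh_id: str
    branch: str           # agency branch where the UH is maintained
    default_agent: str    # default intermediary agent of the UH


# User mappings from Cases 1 to 3 on this page.
USERS = {
    "PB": UserMapping(frozenset({"HK"}), frozenset({"DS", "IS"})),
    "JC": UserMapping(frozenset({"TA"}), frozenset({"IS", "DS"})),
    "JY": UserMapping(frozenset({"HK", "TA"}), frozenset({"IS", "DS"})),
}

# Agent-to-group mapping. CITI -> IS is from the page; AGENT_D1 is constructed.
AGENT_GROUP = {"CITI": "IS", "AGENT_D1": "DS"}

# UH1 is the page's example; the other unit holders are constructed sample data.
UNIT_HOLDERS = [
    UnitHolder("UH1", "HK", "CITI"),
    UnitHolder("UH2", "TA", "AGENT_D1"),
    UnitHolder("UH3", "LUX", "CITI"),
    UnitHolder("UH4", "HK", "AGENT_X"),   # agent with no group on record
]


def decide(user_id, uh, users=USERS, agent_group=AGENT_GROUP):
    """Return (allowed, reason) for one Consolidated Inquiry lookup."""
    mapping = users.get(user_id)
    if mapping is None:
        return False, "unknown user"
    # The UH takes the group of its default intermediary agent.
    group = agent_group.get(uh.default_agent)
    if group is None:
        # Assumption: a UH whose group cannot be derived is hidden (fail closed).
        return False, "unit holder has no group"
    if uh.branch not in mapping.branches:
        return False, f"agency branch {uh.branch} not mapped"
    if group not in mapping.groups:
        return False, f"group {group} not mapped"
    return True, f"{uh.branch}-{group}"


def visible(user_id, unit_holders=UNIT_HOLDERS):
    """IDs of the unit holders this user may see."""
    return [uh.uh_id for uh in unit_holders if decide(user_id, uh)[0]]


def scope(user_id, users=USERS):
    """Branch-group pairs a user may query, e.g. HK-DS and HK-IS for PB."""
    m = users[user_id]
    return sorted(f"{b}-{g}" for b in m.branches for g in m.groups)


if __name__ == "__main__":
    for uid in USERS:
        print(uid, scope(uid), visible(uid))
```

Returning a reason alongside the decision lets the denied lookups be written to the activity log with enough detail to review a user's mappings.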

3.3.5 All Activities Tracked

An extensive log is kept of all the activities on the system. You can generate reports on the usage of the system anytime. These reports give details of unsuccessful attempts at accessing the system along with the nature of these attempts. It could be an unauthorized user attempting to use the system, an authorized user trying to run a function without proper access rights, etc.

3.4 User Role

This section contains the following topics:

3.4.1 Procedure for Defining Role Profiles

To recall, a Role Profile includes access rights to the functions that are common to a group of users.

After you have defined a Role Profile, you can link any user to it, thereby giving the linked user access rights to all the functions included in the Role Profile.

Role profiles are defined in the Role Definition screen. You can access the Role Definition screen by typing ‘SMDROLDF’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow.

Role Identification

Alphanumeric, Mandatory

Specify a unique identifier for the role profile.

Description

Alphanumeric, Mandatory

Key in some text that describes and qualifies the role profile, and is indicative of its characteristics.

Customer Specific

Optional

Check this box to indicate that the role profile has been set up for a specific customer of your AMC or AMC branch who might access the system from a remote terminal to inquire about their transactions or investor accounts.

Module

Optional

Select the default module for users linked to the role profile.

In this screen, you define a role profile as follows:

  1. Click the Add button in the topmost row of buttons in the Role Definition screen. The screen is now in readiness for you to enter a new record.
  2. Assign a unique identifier (ID) for the role, and a description.
  3. You can then indicate that the role is to be deemed as specific to a customer, by checking the Customer Specific box.
  4. You can also link it to a module in the system, either the Corporate Module or the Investment Module.
  5. Then, you must indicate the functions that the role profile has access to.

You can allow any of the following operations at record level for the role profile in any function:

3.4.1.1 Static Tables

3.4.1.2 Contracts And On-Line Transaction Processing

3.4.1.3 Reports

To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box at the extreme right end of the row.

To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box at the extreme right end of the row.

3.4.2 Classifying Role Profile

By default, a Role Profile you define will be for the users who are employees of your AMC or AMC branch. You can indicate that the profile is for customers who might login from remote terminals to inquire on their transactions and balances.

3.4.3 Copying Role Profile

Often, you may have to create a Role Profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.

Choose the Copy button from the row of buttons at the topmost row of the screen. A list of existing role profiles will be displayed. Click on the one you want to copy. All the details of the profile except the Role ID will be copied and displayed. Enter a unique Role ID. You can change any of the details of the profile before saving it.

If you have retrieved an existing role profile and you want to copy it to a new role profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the Role ID and Description for the new role profile.

You can invoke the ‘Role Definition’ screen by typing ‘SMDROLDF’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow.

All the details of the existing profile are copied onto the new role profile. Again, you can change any of the details of the profile before saving it.

3.4.4 Deleting Role Profile

A Role Profile should be deleted only if there are no users linked to it. Thus, before deleting a role profile, you should modify each user profile attached to it and delete the link to the role.

To delete an existing role profile, retrieve the record of the role profile so that it is displayed in the main portion of the Role Definition screen. Then select the Delete button from the topmost row of buttons in the screen. If the role is linked to any user, a warning message will be displayed. This message will bring your attention to the fact that the user profile to which the role is linked will not be the same if the role profile is deleted.

You will be prompted to confirm the deletion. The Role Profile will be deleted only if you confirm the deletion.

3.4.5 Authorizing Role Profile

Before you link any users to a role, a user other than the one that defined it must authorize it. To authorize a role profile,

  1. Retrieve the role profile record so that it is displayed in the Role Definition screen.
  2. Click the Auth button from the topmost row of buttons in the screen. The Maintenance Authorization Details screen is displayed. The details of each modification that was made to the record are shown in this screen, in the sequence of occurrence. For each modification, the following details are displayed:
  3. You can authorize any of the modified records, or all of them. Check the box in the Authorize? field in the desired row, to mark it for authorization.

When you have marked the required modifications for authorization, click the OK button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the Role Definition screen.

3.4.6 Editing Role Profile

You can make changes to an authorized role profile as follows:

  1. Retrieve the role profile record so that it is displayed in the Role Definition screen.
  2. Click the Edit button from the topmost row of buttons in the screen. The record is now in readiness for modification.
  3. After making your changes, click the Save button from the topmost row of buttons in the screen to save your changes. The record is now an edited, unauthorized record. Another user must now authorize it for it to be effective again.

3.5 User Profile

This section contains the following topics:

3.5.1 Defining User Profile

A User Profile defines the activities that a user can carry out on the system. It also contains the user ID, the name through which the user will access the system and the password.

3.5.2 Maintaining User Admin Details

You can invoke the ‘User Admin’ screen by typing ‘SMDUSRDF’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow. The screen is displayed below:

Select 'New' from the Actions menu in the Application tool bar or click the New icon to enter the details in the User Admin screen.

Specify the following basic information for the user profile, in the User Details section in this screen.

User Details Section

User Identification

Enter the unique identifier for the user, in the User Identification field. The User ID must be at least six and at most 12 characters long.

External Identifier

Specify the External Identifier. The External Identifier is an alternative name for the user ID; no two users can have the same External Identifier.

Home Branch

Specify the default branch from which the user will log in to the system, in the Home Branch field.

LDAP DN

The LDAP details that have been maintained in the SSO screen have to be input here. Clicking the ‘Validate’ button validates the LDAP details entered in the Single Sign On. During authentication via SSO, the application verifies that only one user ID in FLEXCUBE Investor Service is mapped to the subject (DN).

Name

Specify the name of the user, in the Name field.

Language

Specify the default preferred language for the user, in the Language field.

Classification

Select the classification of the user, that is, whether ‘Staff’, ‘Customer’ or ‘Auto End of Day’ from the options.

Modules Section

Select whether the user is a corporate modules user or an investment modules user.

Home Module

When you log in to the system, you will be in the default module, known as the Home Module. You can later change the module according to your requirement.

User Status Module

Mandatory

The status of the user profile in the system is shown in this field. By default, every user profile is created as an enabled profile.

The status could be:

Status Changed On

Display Only

The most recent date on which the status of the user profile was changed is displayed here.

Time Level

Display Only

The most recent time at which the status of the user profile was changed is displayed here.

Last Signed On

Display Only

The most recent date on which the user logged in to the system is displayed here.

Password Section

Password

Alphanumeric, Mandatory

Specify the password with which the user will log in to the system. The static data parameter AUTO_GEN_PASS_REQ indicates whether auto generation of the password is required; its default value is ‘Y’.

Note

If the application-level parameter that indicates whether auto generation of the password is required is set to Y (Yes), this field is disabled and the system creates a random password in accordance with the parameters maintained at the level of the bank. The new password is sent to the respective user via mail.

At the time of setting up the Oracle FLEXCUBE Investor Servicing, the number of repeated successive parameters allowed in a password will be indicated.

For example, if the number of repeated successive parameters allowed in a password has been set as ‘2’, a character can repeat in succession only twice in the user password. With this setting, a user password like AAA777 will be invalid. A valid password would be AA77.

Password Changed On

Display Only

The most recent date on which the password was changed is displayed here. When you are entering a new record, this field is blank and locked.

Email

Optional

Specify a valid Email id at the time of user creation. All system generated passwords shall be communicated to the user via this mail id.

Start Date

Date format, Optional

Specify the date on and following which the password is valid.

End Date

Date Format, Optional

Specify the date up to which the password is valid.

Note

The system is also configured to disallow the use of a pre-set number of previous passwords. This pre-set number is assigned at the time of installation, as a system parameter; the number can be subsequently changed if required, by changing this system parameter.

Amounts Limit Section

Transaction Amount

Numeric, Mandatory

Specify the maximum amount value that the user can specify while entering a transaction request from an investor.

Auth Amount

Numeric, Mandatory

Specify the maximum amount value of an investor transaction that the user can authorize.

Override Amount

Numeric, Mandatory

Specify the maximum amount value that the user can override while entering a transaction request from an investor.

Auto Auth

Select one of the following from the drop-down to indicate if auto authorisation is required or not:

Amount Format

Enter the amount format.

Invalid Logins Section

Successive

Numeric, Optional

Specify the number of successive invalid login attempts (in a single session) after which the user ID will be disabled for this profile.

Cumulative

Numeric, Optional

Specify the number of successive invalid login attempts (spread across different sessions) after which the user ID will be disabled for this profile.

After you have entered these basic details, you can specify any of the following information for the user profile, depending upon the necessity.

Note

When authentication of credentials is unsuccessful due to an incorrect user ID, the user ID is not logged in the audit logs. If the user ID is correct and the password is wrong, the attempt is logged in the audit log and the successive and cumulative failure counts are incremented. When the user ID and password are correct, this is logged in the audit logs.
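The Successive and Cumulative limits and the audit behaviour in the note above, as an added sketch (not Oracle FLEXCUBE code). The class and event names are hypothetical, and three points are assumptions the page does not state: a successful login resets both counters, an attempt with an unknown user ID writes no audit entry at all, and re-enabling by an administrator clears the cumulative count.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    user_id: str
    successive_limit: Optional[int] = None   # "Successive" field (optional)
    cumulative_limit: Optional[int] = None   # "Cumulative" field (optional)
    enabled: bool = True
    cumulative_failures: int = 0             # persists across sessions


class LoginGuard:
    def __init__(self, profiles):
        self.profiles = {p.user_id: p for p in profiles}
        self.audit = []                      # (user_id, event) tuples

    def new_session(self):
        """Per-session store for the successive failure counters."""
        return {}

    def attempt(self, session, user_id, password_ok):
        """Record one login attempt; password_ok is the verifier's verdict."""
        profile = self.profiles.get(user_id)
        if profile is None:
            # Incorrect user ID: the ID is not written to the audit log.
            # Same outward result as a wrong password, so IDs cannot be probed.
            return "rejected"
        if not profile.enabled:
            self.audit.append((user_id, "LOGIN_REFUSED_DISABLED"))
            return "disabled"
        if password_ok:
            session.pop(user_id, None)       # assumption: success resets counters
            profile.cumulative_failures = 0
            self.audit.append((user_id, "LOGIN_OK"))
            return "ok"
        # Correct user ID, wrong password: log it and bump both counters.
        session[user_id] = session.get(user_id, 0) + 1
        profile.cumulative_failures += 1
        self.audit.append((user_id, "LOGIN_FAILED"))
        if self._limit_hit(session[user_id], profile):
            profile.enabled = False
            self.audit.append((user_id, "USER_DISABLED"))
            return "disabled"
        return "rejected"

    @staticmethod
    def _limit_hit(successive, profile):
        s, c = profile.successive_limit, profile.cumulative_limit
        return (s is not None and successive >= s) or (
            c is not None and profile.cumulative_failures >= c)

    def enable(self, user_id):
        """System administrator re-enables a disabled user ID."""
        profile = self.profiles[user_id]
        profile.enabled = True
        profile.cumulative_failures = 0      # assumption
        self.audit.append((user_id, "USER_ENABLED"))


if __name__ == "__main__":
    guard = LoginGuard([Profile("TELLER01", successive_limit=3, cumulative_limit=4)])
    first, second = guard.new_session(), guard.new_session()
    for sess in (first, first, second, second):
        print(guard.attempt(sess, "TELLER01", False))
    print(guard.audit)
```

With limits of 3 and 4, two failures in each of two sessions never reach the successive limit, but the fourth failure reaches the cumulative limit and disables the user ID.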

3.5.3 Classifying User

You can classify a user as belonging to one of the following categories:

Staff

A user of the system who is an employee of your bank or AMC. You can include any of the functions available in the system in the user profile. Ideally, you should not include functions that are part of End of Cycle or End of Day operations in the profile of a Staff user.

Customer

A customer who would want to log into the system from a remote terminal. You can include only those functions through which the customer can inquire into balances and transactions.

AEOD

A user at the bank or AMC who is responsible for running the automated End of Day operations. You can include any of the functions available in the system in the user profile. Ideally, you should include only functions that are part of End of Cycle operations in the profile of an AEOD user.

You can indicate this through the Classification field in the User Profile Definition screen.

3.5.4 Interfacing with External Systems for Authentication

An external system can be used for level authentications. When a user logs in to Oracle FLEXCUBE, the authentication details are authenticated with the Oracle FLEXCUBE database and also with the external system database.

For instance, if the LDAP server is used for level authentications, the authentication details entered while logging in to Oracle FLEXCUBE are authenticated with the Oracle FLEXCUBE database and also with the LDAP database.

If LDAP is enabled for your installation, a user can log in to FCIS using the ‘Alternate User ID’. However, the maker and checker IDs will display the FCIS user ID only.

Note

Alternate User Id is mandatory if your installation is LDAP enabled.

3.5.5 Allowing User to Operate from Different Branches

When you create a User Profile, it will be attached to the branch where it is created. This means that the user can execute the functions defined for the profile from this branch. For a user profile, you can indicate that the user can access other branches also. The kind of functions a user can perform in a branch other than the one where the user profile is created depends on the category of the user.

3.5.5.1 Allowing User to Operate from Different Branches of AMC

For mutual fund account customers, you can define a list of branches of the AMC from which the user would be allowed to operate. To define this list, click the AMC button in the User Profile Definition screen.

3.5.5.2 User Belonging to Staff Category

In each branch, you should create a user profile called the Guest. The functions defined for this branch will be applicable for a user of a different branch. Typically, this profile should have access to functions like inquiry into balances, etc. If this Guest profile is not created in a branch, a user not belonging to that branch will not be allowed to change branch to it.

The branch where the user profile is created is called the Home branch and the other branches are called Host branches.

3.5.5.3 User Belonging to AEOD Category

For such a user, the functions defined for the user profile in the branch where the profile is created (the Home branch) will be applicable in every branch (Host branch).

3.5.5.4 User Belonging to Customer Category

A user of this category can log on only to the branch where the profile is created.

3.5.6 Roles Button

Click ‘Roles’ button in the bottom of the ‘User Admin’ screen to attach the user profile you are defining to a role. The User Roles screen will be displayed.

You can attach a role to the user profile, to be operable at a specific branch. Select a branch from the Branch Code field option list. Then click the Role ID field option list in the same branch row, to select the required role profile. Click the option list icon for a list of role profiles that have been defined. To pick up a role from that list, double click on the role when it is highlighted.

To view the functions associated with the selected role, click the View button in the View Functions field. The User Role Functions view screen is displayed, with all the functions associated with the role.

A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.

When you have selected the required roles, click the OK button to save your changes.

3.5.7 Functions Button

In addition to attaching a user profile to a role, you can give rights to individual functions. For a user profile to which no role is attached, you can give access to specific functions. If you have:

  1. Attached one or more roles to a user profile, or
  2. You have given access to individual functions to a profile to which roles are attached.

A user profile could be given access to either back office (Fund Manager) functions or front office (Agency Branch) functions, depending upon the tasks that the user has to perform within your organization.

The rights for Function IDs that figure in both the role and user specific functions will be applied as explained in the following example.

Click ‘Functions’ button in the bottom of the ‘User Admin’ screen to give access to functions for the user profile you are defining. The User Functions screen will be displayed.

The various functions in the system come under five categories. These categories and the icon in the User Functions screen that lets you define the rights for these categories are as follows:

| Category | Description | Button Name |
| --- | --- | --- |
| Maintenance | Functions relating to the setting up of investor accounts and brokers. | Maintenance |
| Transactions Input | Functions relating to the entry of investor transactions. | |
| Batch | Functions relating to the automated operations like End of Day Processes. | Batch |
| Reports | Functions relating to the generation of reports in the various modules. | Reports |
| On-line | Functions relating to contract processing. | On-line |

When the functions in a selected menu are listed, select the row representing the function that you want to link to the user profile.

For each function, you can allow or disallow specific record-level operations. These operations are displayed as a horizontal list, alongside the Maintenance Functions label, with each operation spelled out vertically.

In the selected function row, check the box pertaining to each operation you want to allow for the user profile.

You can allow any of the following operations at record level for the user profile, in any function:

3.5.7.1 Static Screens

3.5.7.2 Contracts and On-Line Transaction Processing

3.5.7.3 Reports

To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box to the left of the Function ID field.

To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box to the left of the Delete field.

3.5.8 Branches Button

For Staff and End of Day users, you can specify the branches from which they can operate. Click ‘Branches’ button in the bottom of the ‘User Admin’ screen to define the branches in which the user should be allowed to operate.

To prepare a list of branches from which the user is disallowed, choose the Disallowed option.

Then, using the arrows, move any required branch found in the Available box to the Disallowed box, and click ‘Ok’ button.

Similarly, to prepare a list of branches from which the user is allowed to operate, choose the Allowed option.

Then, using the arrows, move any required branch found in the Available box to the Allowed box, and click ‘Ok’ button.

3.5.9 Restrictive Passwords Button

You can maintain a list of passwords that the user is most likely to use. For example, a user may tend to use the names of loved ones, the AMC or AMC branch, department, etc. as a password as they are easy to remember. This might be a security risk as it will be easy for another person to guess a password. To prevent this, you can maintain a list of passwords that the user should not use. This list of restrictive passwords will be checked before a password is accepted when the user is changing passwords. If the password entered by the user is listed, it will not be accepted.

Click ‘Restricted Passwords’ button in the bottom of the ‘User Admin’ screen, left margin of the screen. The Restrictive Passwords screen is opened, where you can define a list of such passwords.

The user for whom you are defining the restrictive passwords cannot use restrictive passwords defined in the Role Profile screen.
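The password checks described in this section and in the Password Section (the repeated successive characters limit with its AAA777 / AA77 example, restrictive passwords at user, role and bank level, and the pre-set number of previous passwords) can be combined as shown below. This is an added example, not Oracle FLEXCUBE code; the names, the sample word lists, case-insensitive matching of restrictive passwords and the PBKDF2 storage of the password history are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from itertools import groupby

PBKDF2_ROUNDS = 100_000  # sample work factor chosen for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest) so the history never holds clear-text passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def longest_run(password):
    """Length of the longest run of one character repeated in succession."""
    return max((len(list(run)) for _, run in groupby(password)), default=0)


@dataclass(frozen=True)
class Policy:
    max_repeat: int = 2                       # repeated successive characters allowed
    history_depth: int = 3                    # previous passwords that may not be reused
    bank_restricted: frozenset = frozenset()  # bank-level restrictive passwords


def check_new_password(candidate, policy, user_restricted=(),
                       role_restricted=(), history=()):
    """Return the list of violated rules; an empty list means accepted.

    history is an oldest-first sequence of (salt, digest) pairs.
    """
    problems = []
    if longest_run(candidate) > policy.max_repeat:
        problems.append("repeat")

    # A password listed at any of the three levels is refused.
    folded = candidate.casefold()  # assumption: match ignores case
    levels = (("user", user_restricted),
              ("role", role_restricted),
              ("bank", policy.bank_restricted))
    for level, words in levels:
        if folded in {w.casefold() for w in words}:
            problems.append(f"restricted:{level}")

    # Compare against the most recent history_depth previous passwords.
    recent = history[-policy.history_depth:] if policy.history_depth > 0 else ()
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("history")
            break
    return problems


if __name__ == "__main__":
    policy = Policy(bank_restricted=frozenset({"flexcube"}))  # constructed list
    for pw in ("AAA777", "AA77", "FlexCube"):
        print(pw, check_new_password(pw, policy))
```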

3.5.10 Module Button

You can restrict the user to operate only from certain AMCs, or certain branches of an AMC. To define such a restrictive list of AMCs or AMC branches, click ‘Module’ button in the ‘User Admin’ screen. The User AMC screen is opened.

To allow the user to operate the system from a certain AMC, select it in the Available box, and move it to the Allowed box using the arrows. When you have selected the required AMCs, click the OK button to save your changes.

3.5.11 Disallowed Functions Button

You can define a list of functions that the user is not allowed to operate, out of the functions list already associated with the user profile. To define such a restrictive list of functions, click ‘Disallowed Functions’ button in the bottom of the ‘User Admin’ screen.

The User Function Disallowed screen is opened. All the functions that are associated with the user profile are listed in the Available box.

To disallow a function, select it in the Available box and move it to the Disallowed box using the arrows. After selecting and moving all required functions in such a manner, click OK to save your changes.

3.5.12 Other Attributes for User Profile

Other than the attributes you have defined for a user profile, such as the role association, function access rights, restrictive passwords and branch restrictions, you can define any of the following attributes. Click on the appropriate button in the group of buttons displayed in the left margin of the screen:

3.5.13 Copying User Profile of Existing User

Often, you may have to create a user profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.

Choose the Copy button from the row of buttons at the topmost row of the screen. A list of existing user profiles will be displayed. Click on the one you want to copy. All the details of the profile except the User ID will be copied and displayed. Enter a unique User ID. You can change any of the details of the profile before saving it.

If you have retrieved an existing user profile and you want to copy it to a new user profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the User ID for the new user profile.

All the details of the existing profile are copied onto the new user profile. Again, you can change any of the details of the profile before saving it.

3.5.14 Deleting User Profile

A user profile can be deleted only if the user is currently not logged on to the system.

To delete an existing user profile, retrieve the record of the user profile so that it is displayed in the main portion of the User Profile Definition screen. Then select the Delete button from the topmost row of buttons in the screen. If the user is logged in to the system, a warning message will be displayed and you cannot delete the profile.

If the user is not logged in, you will be prompted to confirm the deletion. The user profile will be deleted only if you confirm the deletion.

3.5.15 Authorizing User Profile

Before you link any users to a user, a user other than the one that defined it must authorize it.

To authorize a user profile,

  1. Retrieve the user profile record so that it is displayed in the User Definition screen.
  2. Click the Auth button from the topmost row of buttons in the screen. The Maintenance Authorization Details screen is displayed. The details of each modification that was made to the record are shown in this screen, in the sequence of occurrence. For each modification, the following details are displayed:
  3. You can authorize any of the modified records, or all of them. Check the box in the Authorize? field in the desired row, to mark it for authorization.

When you have marked the required modifications for authorization, click the OK button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the User Definition screen.

3.5.16 Editing User Profile

You can make changes to an authorized user profile as follows:

  1. Retrieve the user profile record so that it is displayed in the User Profile Definition screen.
  2. Click the Edit button from the topmost row of buttons in the screen. The record is now ready for modification.
  3. After making your changes, click the Save button from the topmost row of buttons in the screen to save your changes. The record is now an edited, unauthorized record. Another user must now authorize it for it to be effective again.

Status Bar Information

In this section, the following details are displayed for any user profile record:

3.6 Clearing User

This section contains the following topics:

3.6.1 Clearing User That Has Exited

If a user exits the system abnormally, the administrative users can clear the logged-in user profile so that the user can log in normally again. To clear a logged-in user in this manner, the Control Clerks need not also log in.

To clear a user, log in to the system as an administrative user, type ‘SMDCLUSR’ in the field at the top right corner of the Application tool bar, and click the adjoining arrow. The Clear Users screen is displayed.

To clear a user, you need to unlock and save after entering the above mentioned details.

3.7 Auto Authorization

This section contains the following topics:

3.7.1 Auto-authorization Features in System

Most of the information that you enter into the system needs to be authorized to be effective. Except for the static information that you typically enter into the system only once, all other information must be authorized. Authorization is required for all maintenance as well as transactional information in the system.

When you enter information related to any of these events into the system, the record that is initially saved when you complete the data entry is retained in the system as unauthorized information, which must be subsequently authorized to become effective.

Usually, authorizing information in the system is an activity that follows a maker-checker concept, i.e., the user that enters the information must be necessarily different from the user that authorizes the information. Therefore, whereas one user group will have access to functions that involve entering information into the system, a different user group has access to the functions that involve information authorization, and there is no overlap of access privileges.

In some environments, the user that enters the information needs to be able to authorize it simultaneously. In such cases, the maker-checker concept leads to unnecessary delegation of activity, which is undesirable. This means that in such an environment, the user that enters the information must, on saving the entered record, be able to authorize the record. For such environments, the auto-authorization function is provided by the FC-IS system. When this function is used, the Save operation in any screen that involves data entry (apart from static information screens) will also invoke and perform the authorization for the records that have been entered.

It is possible to be selective about the business functions for which you need to use the auto-authorization feature. This means that you can enable the auto-authorization feature for the functions for which you require simultaneous authorization on saving the record, and you can keep it disabled for others, allowing them to go through the normal maker-checker process of authorization.

The following features comprise the auto-authorization facility in the system:

3.7.2 Using Auto-authorization Feature

To allow the auto-authorization feature for a user group and a certain set of menu items, you must map the user groups to the menu items or the tasks for which auto-authorization is applicable, using the ‘Auto Auth Maintenance’ screen. You can access this screen by clicking the Security Maintenance menu and selecting Auto Auth from the Browser.

3.7.3 Auto Auth Maintenance Screen

You can use this screen to map user groups to the tasks for which auto-authorization is applicable. If the user administrator or the module administrator users do not maintain the setup for each of the user groups in this screen, the auto-authorization is not enabled for that user group.

3.7.4 Enabling Or Disabling Auto-Authorization User Group

When you open the Auto Auth Maintenance screen, the auto authorization features that have been enabled for the module and the group to which the logged in user belongs are displayed.

You can invoke this screen by typing ‘SMDAUTAU’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow. The screen is displayed below:

Group ID

Mandatory

Select the Group ID from the option list.

Module ID

Mandatory

Select the Module ID from the option list.

Task Code

Mandatory

Select the Task Code from the option list.

New

Optional

You can select ‘Yes’ to indicate new.

Amend

Optional

You can select ‘Yes’ to amend.

Limit Currency

Optional

Select the limit currency from the option list.

Limit Amount

Optional

Enter the limit amount.

Additional Setup Details Section

Restricted Transaction

To amend the displayed list, select ‘Unlock’ from the Actions menu in the Application toolbar or click the unlock icon. The screen is displayed in Amend mode, where you can make your changes. The changes you make will apply to all users and roles in the Group ID to which the logged in user belongs, for the logged in Module.

You can make changes as follows:

When you have finished making your auto-authorization specifications for each user group in this screen, and saved your changes, the auto-authorization feature is enabled, and when the user invokes the Save operation in any of the applicable task screens, the entered records are saved as authorized records.

To enable auto authorization for a user group other than the logged in user group, click the save icon in the Auto Auth Maintenance screen.

The system displays the message “Are you sure you want to close the current record?”.

Click the ‘Ok’ button. The auto authorization record of the logged in user group, which was on display, is closed, and the Auto Auth Maintenance screen is opened in New mode.

Select the user group for which you want to enable or disable the auto authorization rights, in the Group ID field. Select the corresponding module in the Module ID field, and click OK.

Subsequently, proceed to set up the auto authorization rights in the same manner as described above, for the amend operation.

How Auto Authorization Privileges Are Applied

The examples given below explain how auto authorization privileges could be granted, and how they are applied in the system:

3.7.5 Operations on Auto Authorization Records

After you have set up auto authorization for a user group, you must have another user authorize it so that it would be effective in the system.

Before the setup is authorized, you can edit its details as many times as necessary. You can also delete it before it is authorized.

After authorization, you can only make changes to any of the details through an amendment.

The Auto Auth Maintenance screen can be used for the following operations on auto authorization setups:

To perform these operations, click on the appropriate buttons in the horizontal array of buttons in the Auto Auth Maintenance screen.
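The following sketch is an added illustration, not Oracle FLEXCUBE code. It models how an auto authorization setup scopes the exception to maker-checker, using the field names from the Auto Auth Maintenance screen. It assumes that a limit covers only amounts stated in the limit currency and that a record outside the limit falls back to normal authorization; all group, module, task and user names are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass
class AutoAuthSetup:
    """One row of the Auto Auth Maintenance screen (field names from the page)."""
    group_id: str
    module_id: str
    task_code: str
    new: bool = False                      # 'Yes' in the New field
    amend: bool = False                    # 'Yes' in the Amend field
    limit_currency: Optional[str] = None
    limit_amount: Optional[Decimal] = None
    maker: str = ""                        # user who saved the setup
    checker: Optional[str] = None          # user who authorized the setup

    def authorize(self, user: str) -> None:
        # The setup is itself maker-checker controlled: another user must authorize it.
        if user == self.maker:
            raise PermissionError("the user who defined the setup cannot authorize it")
        self.checker = user

def status_on_save(setups, group_id, module_id, task_code, operation,
                   currency=None, amount=None) -> str:
    """Return 'AUTHORIZED' if Save also authorizes the record, else 'UNAUTHORIZED'."""
    if operation not in ("new", "amend"):
        raise ValueError("operation must be 'new' or 'amend'")
    for s in setups:
        if (s.group_id, s.module_id, s.task_code) != (group_id, module_id, task_code):
            continue
        if s.checker is None or not getattr(s, operation):
            continue  # setup not yet effective, or operation not enabled
        if s.limit_amount is not None and (
                amount is None or currency != s.limit_currency
                or amount > s.limit_amount):
            continue  # assumption: over-limit or other-currency records fail closed
        return "AUTHORIZED"
    return "UNAUTHORIZED"  # default path: a different user must authorize

def demo():
    # Constructed sample values, not taken from any real installation.
    s = AutoAuthSetup("GRP_TELLER", "MOD_A", "TASK_01", new=True,
                      limit_currency="USD", limit_amount=Decimal("1000"),
                      maker="alice")
    args = ("GRP_TELLER", "MOD_A", "TASK_01", "new", "USD")
    before = status_on_save([s], *args, Decimal("500"))
    s.authorize("bob")
    return before, status_on_save([s], *args, Decimal("500")), \
        status_on_save([s], *args, Decimal("1500"))
```

Running `status_on_save` over an export of the setups for every group, module and task shows which saves bypass the second pair of eyes, which is the list an access review should examine first.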