In any financial environment, security of information is of paramount importance. Access to information must be made available in a carefully monitored manner. Controlling and maintaining these aspects also includes management of the people (or users) who will process this information on a day to day basis. Therefore, an efficient Security Management System is an important factor that will determine the strength and stability of a financial system.
This chapter takes you through the Security Maintenance features of the Oracle FLEXCUBE system. You will learn how to use the security features in the system to suit your requirements and customize them for your environment.
This chapter is intended for the following persons in your bank or AMC:
Person |
Operation |
Oracle FLEXCUBE Implementers |
To set up the initial start-up parameters in the individual client workstations. To set up security management parameters for the AMC or AMC branch. |
SMS Administrator for the Bank/ AMC |
To set the SMS AMC or AMC branch parameters. To identify the Branch level SMS Administrators. |
SMS Administrator for the Branch |
To create User and Role profiles for the branches of your AMC. Will also grant access to the various functions to the Users. |
A Oracle FLEXCUBE user |
Any user of Oracle FLEXCUBE whose activities are traced by the Security Management System. |
This chapter contains the following sections:
In Oracle FLEXCUBE, you can ensure security management at all levels in any kind of environment. This is due to a combination of the following features:
Simply translated, this means that a person within your environment can:
Before you operate the security management system of your Oracle FLEXCUBE installation, you must understand some important terms that you will encounter during the process.
Typically, at the time of installation, two users are created by default in the system database. These two users are the system administrators. The system administrators subsequently create all users and user roles in the system,
The system administrator user profiles would be typically created to enable the security managers in your bank or AMC, to log in to the system.
A function is any operation related to business maintenance or processing in the system. Most typically, each menu item appearing in the main menu could be thought of as a function. For a user, you can control access to different functions in the system.
Any functions related to the Fund Manager component can be thought of as back office functions, and any functions related to the Agency Branch could be thought of as front office components.
The functions are made available by the Oracle FLEXCUBE implementers, at the time of installation.
Each user who will use the system is given a unique profile in the database. This profile is known as a user profile.
The profile of a user contains the User ID, the password and the functions to which the user has access. A user can be assigned access to either back office (Fund Manager) functions, or front office (Agency Branch) functions, depending upon the tasks that the user must perform in your organization.
It is likely that users working in the same department at the same level of hierarchy need to have similar user profiles. In such cases, you can define a Role Profile, which includes access rights to the functions that are common to a group of users. A user can be linked to a Role Profile by which you give the user access rights to all the functions in the Role Profile.
A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.
This section contains the following topics:
You can define the maximum number of unsuccessful attempts after which a User ID should be disabled. The password of a user can be made applicable only for a fixed period. This forces the user to change the password at regular intervals thus reducing security risks. Further, you can define passwords that could be commonly used by a user as Restrictive Passwords at the user, user role and bank level. A user cannot use any password that is listed as a Restrictive Password at any of these levels.
You can indicate the branches from where a user can operate. Click on the User Branch Restrictions button in the User Profile Definition screen to define the branches from where a user can operate.
For mutual fund account customers, you can indicate the branches of the AMC from where a user can operate. Click on the Module button in the User Profile Definition screen to define the branches of the AMC from where a user can be allowed to operate.
Extensive log is kept of all the activities on the system. You can generate reports on the usage of the system anytime. These reports give details of unsuccessful attempts at accessing the system along with the nature of these attempts. It could be an unauthorized user attempting to use the system, an authorized user trying to run a function without proper access rights, and so forth.
This section contains the following topics:
Role profiles are defined in the Role Definition screen. You can invoke the ‘Role Definition’ screen by typing ‘SMDROLDF’ in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button.
Role Identification
Alphanumeric, 15 Characters; Mandatory
Specify a unique identifier for the role profile.
Description
Alphanumeric, 35 Characters; Optional
Specify the key text which describes and qualifies the role profile, and is indicative of its characteristics.
Customer Specific
Optional
Check this box to indicate that the role profile has been set up for a specific customer of your AMC or AMC branch who might access the system from a remote terminal to inquire about their transactions or investor accounts.
Module
Optional
Select the default module for users linked to the role profile mfrom the drop-down list. The list displays the following values:
After you have defined the basic attributes of a role profile (the Role ID, Description, Module and whether it is customer- specific) you should define the functions to which the role profile has access. The various functions in the system fall under five categories, corresponding to the menu options in the Agency Branch main menu.
A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.
Role Function
Alphanumeric; 8 Characters; Mandatory
Select the function that you want to link to the role profile.
For each function, you can allow or disallow specific record-level operations. These operations are displayed as a horizontal list, alongside the Maintenance Functions label, with each operation spelled out vertically.
In the selected function row, check the box pertaining to each operation you want to allow for the role profile.
You can allow any of the following operations at record level for the role profile in any function:
To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box at the extreme right end of the row.
To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box at the extreme right end of the row.
By default, a Role Profile you define will be for the users who are employees of your AMC or AMC branch. You can indicate that the profile is for customers who might login from remote terminals to inquire on their transactions and balances.
Often, you may have to create a Role Profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.
To copy a role, you need to retrieve the record whose attributes you wish to copy. This is done as follows:
All the details related to the particular Role Id are displayed by the system. Choose the Copy button from the row of buttons at the topmost row of the screen All the details of the profile except the Role ID will be copied and displayed. Enter a unique Role ID. You can change any of the details of the profile before saving it.
If you have retrieved an existing role profile and you want to copy it to a new role profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the Role ID and Description for the new role profile.
All the details of the existing profile are copied onto the new role profile. Again, you can change any of the details of the profile before saving it.
A Role Profile should be deleted only if there are no users linked to it. Thus, before deleting a role profile, you should modify each user profile attached to it and delete the link to the role.
To delete an existing role profile, you have to retrieve the record that you wish to delete. This is done as follows:
All the details related to the particular Role Id are displayed by the system. Then select the Delete button from the topmost row of buttons in the screen. If the role is linked to any user, a warning message will be displayed. This message will bring your attention to the fact that the user profile to which the role is linked will not be the same if the role profile is deleted.
You will be prompted to confirm the deletion. The Role Profile will be deleted only if you confirm the deletion.
To retrieve a role profile that you have previously set up in the Role Definition screen, choose the ‘Query’ button from the topmost row of buttons in the screen. The Query screen is opened.
All the details related to the particular Role ID are displayed by the system.
Before you link any users to a role, a user other than the one that defined it must authorize it. To authorize a role profile,
When you have marked the required modifications for authorization, click the OK button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the Role Definition screen.
You can make changes to an authorized role profile as follows:
This section contains the following topics:
A User Profile defines the activities that a user can carry out on the system. It also contains the user ID, the name through which the user will access the system and the password.
You can invoke the ‘User Admin’ screen by typing ‘SMDUSRDF’ in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button.
Specify the following basic information for the user profile, in the User Details section in this screen:
User Identification
Alphanumeric; 12 Characters; Mandatory
Specify a unique identifier for the user.
Name
Alphanumeric; 35 Characters; Mandatory
Specify the name of the user.
External Identifier
Alphanumeric; 20 Characters; Optional
Specify the External Identifier. External user is an alternative name for user id where two users cannot have same External identifier.
LDAP DN
Alphanumeric; 500 Characters; Optional
Specify LDAP DN details that is maintained in SSO screen.
The application will verify if only one user ID in FLEXCUBE Investor Service is mapped to the subject (DN) while authentication via SSO.
MFA Applicable
Optional
Select if Multi Factor Authorization (MFA) is applicable or not from the drop-down list. The list displays the following values:
MFA ID
Alphanumeric; 50 Characters; Optional
Specify the multi factor authorization ID.
If ‘MFA Applicable’ field is selected as ‘Yes’, then ‘MFA ID’ is mandatory.
Language
Alphanumeric; 3 Characters; Mandatory
Specify the preferred language for the user profile. Alternatively, you can also select language from the option list. The list displays all valid language code maintained in the system.
Home Branch
Alphanumeric; 3 Characters; Mandatory
Specify the home branch details.
Home Module
Alphanumeric; 30 Characters; Mandatory
Specify the default module from which the user profile will operate.
Debug Window Enabled
Optional
Check this box to enable debug window.
Show Dashboard
Optional
Check this box to show dashboard.
Classification
Optional
Select one of the classification options:
You can classify a user as belonging to one of the following categories:
User |
Description |
Staff |
A user of the system who is an employee of your AMC. You can include any of the functions available in the system in the user profile. Ideally, you should not include functions that are part of End of Cycle or End of Day operations in the profile of a Staff user. |
Customer |
A customer who would want to log into the system from a remote terminal. You can include only those functions through which the customer can inquire into balances and transactions. |
AEOD |
A user at the AMC who is responsible for running the automated End of Day operations. You can include any of the functions available in the system in the user profile. Ideally, you should include only functions that are part of End of Cycle operations in the profile of a AEOD user. |
You can indicate this through the Classification field in the User Profile Definition screen.
Access To Classified Information
Optional
Select if access to classified information is allowed or not from the drop-down list. The list displays the following values:
View PII
Optional
Select if Personal Identifiable Information has to be viewed or not from the drop-down list. The list displays the following values:
By default, ‘View PII’ field is set to ‘Yes’.
If you select ‘No’, then you need to amend user roles with View only Roles to all ‘Personal Identifiable Information’ related screens. This is usually applicable to a user with only back-office role.
Investments
Optional
Check this box if the user is investment module user.
Corporate
Optional
Check this box if the user is corporate module user.
User Status
Optional
Check one of the user status by checking the appropriate radio button:
Time Level
Numeric; 1 Character; Mandatory
Specify the time level.
Status Changed On
Display
The system displays the most recent date of status change of user profile.
Last Signed On
Display
The system displays the last logged in details
Cumulative
Display
The system displays the number of successive invalid login attempts (in a single session) after which the user ID will be disabled for this profile.
Successive
Display
The system displays the number of successive invalid login attempts (spread across different sessions) after which the user ID will be disabled for this profile.
After you have entered these basic details, you can specify any of the following information for the user profile, depending upon the necessity.
Note
When authentication of credentials is unsuccessful due to an incorrect user ID, then the user ID will not be logged in the audit logs. In case the user ID is correct and the password is wrong, the attempt is logged in the audit log and the successive and cumulative failure count is incremented. When the user ID and password are correct, this is logged into the audit logs.
Password
Alphanumeric; 32 Characters; Optional
Specify the user password to login. The static data AUTO_GEN_PASS_REQ is provided. The defaulted value ‘Y’ indicates whether the auto generation of the password is required or not.
Note
If the application level parameter which indicates the auto generation of the password is required or not is set to Y (Yes), then this field will be disabled and the system will create a random password in accordance with the parameters maintained at the level of the bank. The new password will be send to the respective user via mail.
At the time of setting up the Oracle FLEXCUBE Investor Servicing, the number of repeated successive parameters allowed in a password will be indicated.
For instance, if the number of repeated successive parameters allowed in a password has been set as ‘2’, then the user password can have a character repeating only twice. Suppose, if the number of repeated successive parameters has been specified as 2, a user password like AAA777 will be invalid. A valid password would be AA77.
Password Changed On
Display
The system displays the date when the password was last changed.
Alphanumeric; 50 Characters; Optional
Specify the e-mail ID of the user.
Start Date
Date Format; Mandatory
Select the start date for the user password from the adjoining calendar.
End Date
Date Format; Optional
Select the end date for the user password from the adjoining calendar.
Note
The System is also configured to disallow the use of a pre-set number of previous passwords. This pre-set number is assigned at the time of installation, as a system parameter; the number can be subsequently changed if required, by changing this system parameter.
Access Control
Optional
Select the access control from the drop-down list. The list displays the following values:
The system is configured to disallow the use of a pre-set number of previous passwords. This pre-set number is assigned at the time of installation. As a system parameter; the number can be subsequently changed if required by changing this system parameter.
Limit Currency
Alphanumeric; 3 Characters; Mandatory
Specify the currency to be mapped for transaction amount and auth amount.
Transaction Amount
Numeric; 18 Characters; Mandatory
Specify the maximum amount value that the user can specify while entering a transaction request from an investor.
Auth Amount
Numeric; 18 Characters; Mandatory
Specify the maximum amount value of an investor transaction that the user can authorize.
Date Format
Optional
Select the date format from the drop-down list. The list displays the following values:
Auto Auth
Optional
Select auto authorization status from the drop-down list. The list displays the following values:
Amount Format
Optional
Select the amount format from the drop-down list. The list displays the following values:
Number Format
Optional
Select one of the number format options to be used:
You can maintain a list of passwords that the user is most likely to use. For example, a user may tend to use the names of loved ones, the AMC or AMC branch, department, etc. as a password as they are easy to remember. This might be a security risk as it will be easy for another person to guess a password. To prevent this, you can maintain a list of passwords that the user should not use. This list of restrictive passwords will be checked before a password is accepted when the user is changing passwords. If the password entered by the user is listed, it will not be accepted.
Click ‘Restricted Passwords’ button in the User Profile Definition screen, left margin of the screen. The Restricted Passwords screen is opened, where you can define a list of such passwords.
Password
Alphanumeric; 12 Characters; Mandatory
Specify the restricted password.
The user for whom you are defining the restrictive passwords cannot use the restrictive passwords defined in this screen.
Click ‘Roles’ button to attach the user profile you are defining to a role. The User Roles screen will be displayed.
Branch Code
Alphanumeric; 3 Characters; Mandatory
You can attach a role to the user profile, to be operable at a specific branch. Specify the branch code. Alternatively, you can select branch code from the option list. The list displays all valid branch code maintained in the system.
Role
Alphanumeric; 15 Characters; Mandatory
Specify the role defined to the user.
Description
Display
The system displays the description for the selected role.
A role profile could contain either back office (Fund Manager) functions or front office (Agency Branch) functions.
When you have selected the required roles, click the OK button to save your changes.
In addition to attaching a user profile to a role, you can give rights to individual functions. For a user profile to which no role is attached, you can give access to specific functions. If you have one of the following:
A user profile could be given access to either back office (Fund Manager) functions or front office (Agency Branch) functions, depending upon the tasks that the user has to perform within your organization.
The rights for Function IDs that figure in both the role and user specific functions will be applied as explained in the following example.
Click ‘Functions’ button in the User Profile Definition screen to give access to functions for the user profile you are defining. The User Functions screen will be displayed.
Branch Code
Alphanumeric; 3 Characters; Mandatory
Specify the branch code from the option list.
Function
Alphanumeric; 3 Characters; Mandatory
Specify the branch code from the option list.
You can allow any of the following operations at record level for the user profile, in any function:
To delete the access rights you have specified for a function, select the required Function ID row and check the Delete box to the left of the Function ID field.
To edit the access rights you have specified for a function, select the required Function ID row and check the Edit box to the left of the Delete field.
For Staff and End of Day users, you can specify the branches from which they can operate. Click ‘Branches’ button in the User Profile Definition screen to define the branches in which the user should be allowed to operate.
Branches
Optional
Select one of the options from the following list:
To prepare a list of branches from which the user is disallowed, choose the Disallowed option. Specify the branches that are disallowed for a user.
Similarly, to prepare a list of branches from which the user is allowed to operate, choose the Allowed option.
Branch
Alphanumeric; 3 Characters; Optional
Specify the branch code.
Branch Name
Display
The system displays the name of the branch for the selected branch code.
When you create a User Profile, it will be attached to the branch where it is created. This means that the user can execute the functions defined for the profile from this branch. For a user profile, you can indicate that the user can access other branches also. The kind of functions a user can perform in a branch other than the one where the user profile is created depends on the category of the user.
Allowing User to Operate from Different Branches of AMC
For mutual fund account customers, you can define a list of branches of the AMC from which the user would be allowed to operate. To define this list, click the AMC button in the User Profile Definition screen.
User Belonging to Staff Category
In each branch, you should create a user profile called the Guest. The functions defined for this branch will be applicable for a user of a different branch. Typically, this profile should have access to functions like inquiry into balances, etc. If this Guest profile is not created in a branch, a user not belonging to that branch will not be allowed to change branch to it.
The branch where the user profile is created is called the Home branch and the other branches are called Host branches.
User Belonging to AEOD Category
For such a user, the functions defined for the user profile where the profile created (the Home branch) will be applicable in every branch (Host branch).
User Belonging to Customer Category
A user of this category can log on only to the branch where the profile is created.
You cannot capture any transaction, if the transaction amount is greater than the maximum transaction amount. Also, you cannot authorise any transaction if the transaction amount is greater than the maximum authorization amount.
This validation is applicable only for UT transactions, Bulk transaction, adjustment transaction, light weight transaction and LEP – initial investment, top up, surrender and switch transaction types.
The validation will not be applied if there is no exchange rate currency maintained for the limit currency of the user and the transaction currency.
You can restrict the user to operate only from certain Modules, or certain branches of an AMC. To define such a restrictive list of AMC’s or AMC branches, click ‘Module’ button in the left margin of the User Profile Definition screen. The Module screen is displayed.
Module
Alphanumeric; 30 Characters; Optional
Specify the module ID. Alternatively, you can select module ID from option list. The list displays all valid module ID maintained in the system.
You can define a list of functions that the user is not allowed to operate, out of the functions list already associated with the user profile. To define such a restrictive list of functions, click ‘Disallowed Functions’ button in the left margin of the User Profile Definition screen.
The ‘Disallowed Functions’ screen is displayed. All the functions that are associated with the user profile are listed in the Available box.
Function
Alphanumeric; 8 Characters; Mandatory
Select the functions that you wish to disallow for the user.
Click ‘Dashboard Maintenance’ button in ‘User Admin’ screen to map the dashboards. The ‘Dashboard Maintenance’ screen is invoked.
User ID
Display
The system displays the user ID.
User Name
Display
The system displays the user name for the selected user ID.
Click ‘Populate’ button, to view the following details:
Clause Wizard
Click ‘Clause Wizard’ button to invoke the following screen:
You can specify the following details:
Column Name
Alphanumeric; 35 Characters; Optional
Specify the column name. Alternatively, you can select column name from the option list. The list displays all valid column names maintained in the system.
Condition
Optional
Select the conditions from the drop-down list.
Where Clause
Alphanumeric; 35 Characters; Optional
Specify the where clause.
Show In Dashboard
Optional
Check this box to show in dashboard.
The system will default the value based on the value set at ‘User settings’ screen. If you uncheck this box, then the value will be applied upon change in modules.
Other than the attributes you have defined for a user profile, such as the role association, function access rights, restrictive passwords and branch restrictions, you can define any of the following attributes. Click on the appropriate button in the group of buttons displayed in the left margin of the screen:
Often, you may have to create a user profile that closely resembles an existing one. In such a case, you can copy the existing profile on to the new one.
Click F7, input the User Identification and click F8. All the details pertaining to the User Identification specified are displayed. Choose the Copy button from the row of buttons at the topmost row of the screen. All the details of the profile except the User ID will be copied and displayed. Enter a unique User ID. You can change any of the details of the profile before saving it.
If you have retrieved an existing user profile and you want to copy it to a new user profile, click the Copy button in the topmost row of buttons in the screen. The Copy Information screen is opened, and you can specify the User ID for the new user profile.
All the details of the existing profile are copied onto the new user profile. Again, you can change any of the details of the profile before saving it.
A user profile can be deleted only if the user is currently not logged on to the system.
To delete an existing user profile, retrieve the record of the user profile so that it is displayed in the main portion of the User Profile Definition screen. Then select the Delete button from the topmost row of buttons in the screen. If the user is logged in to the system, a warning message will be displayed and you cannot delete the profile.
If the user is not logged in, you will be prompted to confirm the deletion. The user profile will be deleted only if you confirm the deletion.
To retrieve a user profile that you have previously set up in the User Profile Definition screen, choose the Query button from the topmost row of buttons in the screen. The Query User screen is opened.
To retrieve a record:
In this screen, you can specify the parameters that will the system will use to locate the user profile in the database and retrieve it.
When the record is retrieved based on your search specifications, it is displayed in the User Definition screen.
Before you link any users to a user, a user other than the one that defined it must authorize it.
To authorize a user profile:
When you have marked the required modifications for authorization, click ‘Ok’ button to effect the authorization. The Maintenance Authorization Details screen is closed, and you are returned to the User Definition screen.
You can make changes to an authorized user profile as follows:
Status Bar Information
In this section, the following details are displayed for any user profile record:
This section contains the following topics:
You can retrieve a previously entered record in the Summary Screen, as follows:
Invoke the ‘User Admin Summary’ screen by typing ‘SMSUSRDF’ in the field at the top right corner of the Application tool bar. Click on the adjoining arrow button and specify any or all of the following details in the corresponding details.
Click ‘Search’ button to view the records. All the records with the specified details are retrieved and displayed in the lower portion of the screen.
Note
You can also retrieve the individual record detail from the detail screen by querying in the following manner:
You can perform Edit, Delete, Amend, Authorize, Reverse, Confirm operations by selecting the operation from the Action list. You can also search a record by using a combination of % and alphanumeric value
You can modify the details of User Admin record that you have already entered into the system, provided it has not subsequently authorized. You can perform this operation as follows:
Click Save to save your changes. The User Admin screen is closed and the changes made are reflected in the User Admin Summary screen.
To view a record that you have previously input, you must retrieve the same in the User Admin Summary screen as follows:
You can delete only unauthorized records in the system. To delete a record that you have previously entered:
When a checker authorizes a record, details of validation, if any, that were overridden by the maker of the record during the Save operation are displayed. If any of these overrides results in an error, the checker must reject the record.
After a User Admin record is authorized, it can be modified using the Unlock operation from the Action List. To make changes to a record after authorization:
An amended User Admin record must be authorized for the amendment to be made effective in the system. The authorization of amended records can be done only from Fund Manager Module and Agency Branch module.
The subsequent process of authorization is the same as that for normal transactions.
This section contains the following topics:
You can set the most used screens in hot keys and launch the same using the hot key combination. By using the hot keys, you can avoid typing function IDs or using the menu path.
You can use hot keys with the key combinations from Ctrl+1 to Ctrl+9. In the predefined key combination, you can save the required function IDs. Based on the role/ function mapped the function ID will be listed in the screen.
When you click any of the function ID saved for particular key stroke from fast track the corresponding screen will be launched.
Note
Maximum number of Hot keys that can be entered is 9. Same key combination cannot be used for different function id in different modules.
You can invoke ‘Hot Keys Maintenance’ screen by typing ‘SMDHOTKY/ UTDHOTKY’ based on the module in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button.
You can specify the following details:
User ID
Display
The system displays the logged in user ID.
Ctr+1
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+2
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+3
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+4
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+5
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+6
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+7
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+8
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
Ctr+9
Alphanumeric; 8 Characters; Optional
Specify the valid function ID for the logged in user. Alternatively, you can select the valid function IDs from the option list. The list displays all valid function IDs maintained in the system.
This section contains the following topics:
If a user exits the system abnormally, the administrative users can clear the logged in user profile so that the user can log in normally again
To clear a user, log in to the system as an administrative user, and type ‘SMDCLUSR/ UTDCLUSR’ in the field at the top right corner of the Application tool bar and click the adjoining arrow. The ‘Clear User Profile’ screen is displayed.
User ID
Display
The system displays the user ID.
The system displays the following values:
Clear
Optional
Select if the specified user has to be cleared or not from he drop-down list. The list displays the following values:
In this screen, press F7 and select the User Id from the adjoining option list which displays the users logged in currently. After specifying the user id to be cleared, press F8. Upon pressing F8, system displays the User ID, terminal and start time information. Select the option ‘Yes’ from ‘Clear’ drop-down to clear the selected user.
Now click on the unlock icon from the toolbar menu and then click on save icon. The system will clear the selected user id and will display the Information message:
Click on OK to confirm.
To clear a user, check ‘Clear’ in the required row, and then click ‘Clear’ button.
This section contains the following topics:
You can set up certain parameters related to invalid logins and passwords using the ‘SMS Parameters Maintenance’ screen. You can invoke the ‘SMS Parameters Maintenance’ screen by typing ‘SMDPARAM’ in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button.
Click ‘Enter Query’ to display the SMS parameters. However, you can amend the values by clicking ‘Unlock’ option.
Maximum
Numeric; 2 Characters; Optional
Indicate the maximum number of characters to be used for a password. The number of characters in a user password is not allowed to exceed the maximum length that you specify here.
The maximum length of password defaults to 15.
Minimum
Numeric; 2 Characters; Optional
Indicate the minimum number of characters to be used for a password. The number of characters in a user password is not allowed to fall below the minimum length that you specify here.
The minimum length of password defaults to 8. The minimum length that you specify must not exceed the maximum length that you have specified.
Cumulative
Numeric; 2 Characters; Optional
Specify the allowable number of cumulative invalid attempts made during the course of a day, as well as the allowable number of consecutive or successive invalid attempts made at a time. In either case, if the number of invalid attempts exceeds the stipulated number, the user ID is disabled.
Successive
Numeric; 1 Character; Optional
Specify the allowable number of times an invalid login attempt is made by a user. Each user accesses the system through a unique User ID and password. While logging on to the system, if either the User ID or the Password is wrong, it amounts to an invalid login attempt. If the number of invalid attempts exceeds the stipulated number, the user ID is disabled.
Note
When authentication of credentials is unsuccessful due to an incorrect user ID, then the user id will not be logged in the audit logs. In case the user id is correct and the password is wrong, the attempt is logged in the audit log and the successive and cumulative failure count is incremented. When the user id and password are correct, this is logged into the audit logs.
Password Repetitions
Numeric; 1 Character; Optional
Specify the number of previous passwords that cannot be set as the new current password, when a password change occurs.
Force Password Change after
Numeric; 3 Characters; Optional
Specify the number of calendar days for which the password should be valid. After the specified number of days has, it is no longer a valid password and the user will be forced to change the password.
Intimate Users (Before Password Expiry)
Numeric, 1 Character; Optional
Specify the number of working days before password expiry that a warning is to be issued to the user. When the user logs into the system (the stipulated number of days before the expiry date of the password), a warning message will continue to be displayed till the password expires or till the user changes it.
Archival Period in Days
Numeric; 3 Characters; Optional
Specify the archival period.
Minimum Days between Password Changes
Numeric; 3 Characters; Optional
Specify the minimum number of calendar days that must elapse between two password changes. After a user has changed the user password, it cannot be changed again until the minimum number of days you specify here have elapsed.
Password External
Optional
Check this box if the password is external.
Display Legal Notice
Optional
Check this box to display the legal notice.
Display Welcome Message
Alphanumeric; 4000 Characters; Optional
Specify the welcome text message to be displayed on launching the login screen,
Maximum Consecutive Repetitive Characters
Numeric; 2 Characters; Optional
Define the maximum number of allowable repetitive characters occurring consecutively, in a user password. This specification is validated whenever a user changes the user password.
Minimum Number of Numeric Characters in Password
Numeric; 2 Characters; Optional
Define the minimum number of numeric characters allowed in a password. The system validates the password at the time of creating a User ID in User admin screen and at the time when a user chooses to change his password.
Minimum Number of Special Characters in Password
Numeric; 2 Characters; Optional
Define the minimum number of special characters allowed in a password. The system validates the password at the time of creating a User ID in User admin screen and at the time when a user chooses to change his password.
Minimum Number of Upper Case Characters in Password
Numeric; 2 Characters; Optional
You can define the minimum number of upper case characters allowed in a user password. The allowed upper case characters are from the US-ASCII character set only. The system validates the password at the time of creating a User ID in User admin screen and at the time when a user chooses to change his password.
If you do not specify the limits, the following default values will be used:
Minimum Number of Lower Case Characters in Password
Numeric; 2 Characters; Optional
You can define the minimum number of lowercase characters allowed in a user password. The allowed lower case characters are from the US-ASCII character set only. The system validates the password at the time of creating a User ID in User admin screen and at the time when a user chooses to change his password.
If you do not specify the limits, the following default values will be used:
Screensaver Required
Optional
Check this box if screensaver is required.
Screensaver Interval Modifiable at User Level
Optional
Check this box if screensaver interval can be modified at user level.
Screensaver Interval (in seconds)
Numeric; 4 Characters; Optional
Specify the screen saver interval.
Restricted Passwords
Alphanumeric; 12 Characters; Optional
Specify the restricted password.
This section contains the following topics:
You can change or reset user passwords in bulk if you have the system admin rights. After modification of the user list, click ‘Save’. The modified user list will be stored in a temporary table. The lists of users which are modified and mapped with a unique sequence number will not be available until the particular sequence number is authorized. When the particular sequence number is authorized those user details will be changed and updated.
You can invoke this screen by typing ‘SMDCHPWD’ in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button.
In this screen, the following information is to be provided.
Sequence Number
Display
Click on ‘New’ icon to generate a new ‘Sequence Number’.
Process Date
Date Format; Optional
Select a date by clicking on the calendar icon beside the field. This field is generally useful for querying purpose.
Description
Alphanumeric, 35 Characters; Optional
Specify a description of what modification is being done on selected user ids.
User Identification
Alphanumeric, 12 Characters; Mandatory
Select the User Id to be changed from the option list provided.
Name
Display
The system displays the name of the user specific to the selected user ID.
Password
Alphanumeric; 32 Characters; Optional
Password of the selected user id will be displayed here. This field will be editable only if the ‘Auto Generation Required’ option is not selected at the application level. If the ‘Auto Generation Required’ option is checked, the password will be auto generated by the application.
This section contains the following topics:
You can retrieve a previously entered record in the Summary screen, as follows:
Invoke the ‘User Credentials Change Summary’ screen by typing ‘SMSCHPWD’ in the field at the top right corner of the Application tool bar and clicking on the adjoining arrow button and specify any or all of the following details in the corresponding details.
Click ‘Search’ button to view the records. All the records with the specified details are retrieved and displayed in the lower portion of the screen.
Note
You can also retrieve the individual record detail from the detail screen by querying in the following manner:
You can perform Edit, Delete, Amend, Authorize, operations by selecting the operation from the Action list. You can also search a record by using a combination of % and alphanumeric value
You can modify the details of User Credentials Change record that you have already entered into the system, provided it has not subsequently authorized. You can perform this operation as follows:
Click Save to save your changes. The User Credentials Change Detail screen is closed and the changes made are reflected in the User Credentials Change Summary screen.
To view a record that you have previously input, you must retrieve the same in the User Credentials Change Summary screen as follows:
You can delete only unauthorized records in the system. To delete a record that you have previously entered:
When a checker authorizes a record, details of validation, if any, that were overridden by the maker of the record during the Save operation are displayed. If any of these overrides results in an error, the checker must reject the record.
After a User Credentials Change record is authorized, it can be modified using the Unlock operation from the Action List. To make changes to a record after authorization:
An amended User Credentials Change record must be authorized for the amendment to be made effective in the system. The authorization of amended records can be done only from Fund Manager Module and Agency Branch module.
The subsequent process of authorization is the same as that for normal transactions.
This section contains the following topics:
Typically, in an AMC, an installation of Oracle FLEXCUBE Investor Servicing installs the following components:
In a network scenario, the following situations are also possible:
In either case, each installation of any or all of the components may have a different instance, or schema. However, for the purpose of multi-networking and enabling a user to log in to the system with a single user ID from any component, a single Security Management System database is necessary that contains the repository of all users in all the different instances.
Each instance of the installation, in a multi-networked situation, is referred to a Module.
A Module, therefore, is an instance of either one of the components, connecting to a single SMS database.
At the time of installation, the installation process sets up the Fund Manager module in the system, with a default agent and branch code.
Subsequently, the system admin User must set up the Agency Branch module.
Subsequently, if any new agency branch modules need to be created, the system admin User can create them using the ‘Module Setup’ screen. You can invoke this screen by typing ‘SMDMODUL’ in the field at the top right corner of the Application tool bar and click the adjoining arrow.
To set up a module, specify the following details:
Module Type
Optional
Select the module type from the drop-down list. The list displays the following values:
Distribution Installation?
Optional
Select if distribution installation is required or not from the drop-down list. The list displays the following values:
Client ID
Alphanumeric; 15 Characters; Mandatory
Specify the client ID for which the module is being created.
This field is enabled only if you have selected ‘Fund Manager’ or ‘Service Provider’ option in ‘Module Type’ field.
Module ID
Alphanumeric; 30 Characters; Optional
Specify the module ID.
This must be unique, and if any duplicates are detected by the system, a warning message is displayed.
The system displays the client ID for the selected module in case of Fund Manager or Service Provider.
This field is disabled if you have selected ‘Fund Manager’ or ‘Service Provider’ option in ‘Module Type’ field.
Branch
Alphanumeric; 12 Characters; Mandatory
Specify the branch code.
AMC/Distributor Module
Alphanumeric; 30 Characters; Optional
Specify AMC or distributor module.
This field will be display field if you have selected ‘Fund Manager’ or ‘Service Provider’ option in ‘Module Type’ field.
Distributor
Alphanumeric; 12 Characters; Mandatory
Specify the distributor details.
Agent
Alphanumeric; 12 Characters; Mandatory
Specify the agent code.
AMC ID
Alphanumeric; 12 Characters; Optional
Specify the AMC ID.
Instance Name
Alphanumeric; 50 Characters; Optional
Specify the instance name. Alternatively, you can select instance name from the option list. The list displays all valid instance names maintained in the system.
Security Level
Alphanumeric; 2 Characters; Optional
Specify the security level.
Broker
Alphanumeric; 9 Characters; Optional
Specify the broker code.
Unit Holder ID
Alphanumeric; 12 Characters; Optional
Specify the unit holder ID.
Default Module
Optional
Select this option to set to default module.
Click save icon to save your user profile record. The system confirms the saving of the record.
The record is saved into the SMS database.
After you have set up a module, you must have another user authorize it so that it would be effective in the system.
Before the module is authorized, you can edit its details as many times as necessary. You can also delete it before it is authorized.
After authorization, you can only make changes to any of the details through an amendment.
The Module Profile Maintenance screen can be used for the following operations on modules:
This section contains the following topics:
You can invoke ‘Printer Maintenance’ screen by typing ‘SMDPRTMN’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow button.
You can specify the following details:
Printer ID
Alphanumeric; 2 Characters; Optional
Specify the printer ID.
Printer Name
Alphanumeric; 105 Characters; Optional
Specify the printer name.
Branch
Alphanumeric; 3 Characters; Optional
Specify the branch code.
Role ID
Alphanumeric; 15 Characters; Optional
Specify the role ID. Alternatively, you can select role ID from the option list. The list displays all valid role ID maintained in the system.
User ID
Alphanumeric; 12 Characters; Optional
Specify the user ID. Alternatively, you can select user ID from the option list. The list displays all valid user ID maintained in the system.
You can invoke ‘Printer Maintenance’ screen by typing ‘SMSPRTMN’ in the field at the top right corner of the Application tool bar and clicking the adjoining arrow button.
You can retrieve a previously entered record in the ‘Printer Maintenance’ screen, as follows:. Specify any or all of the following details in the ‘Printer Maintenance’ screen:
Click save icon to save your record. The system confirms the saving of the record.
After you have set up a record, you must have another user authorize it so that it would be effective in the system.
Before the record is authorized, you can edit its details as many times as necessary. You can also delete it before it is authorized.
After authorization, you can only make changes to any of the details through an amendment.
The Printer Maintenance screen can be used for the following operations on records:
This section contains the following topics:
You can enable or disable RLS policy using ‘Row Level Security Maintenance’ screen. You can invoke this screen by typing ‘UTDRLSMT’ in the field at the top right corner of the Application tool bar and click the adjoining arrow.
You can specify the following details:
Table Name
Alphanumeric; 30 Characters; Optional
Specify the table name. Alternatively, you can select table name from the option list. The list displays all valid table name maintained in the system.
Enabled
Optional
Select if row level security to be enabled or not from the drop-down list. The list displays the following values:
Default Status To
Optional
Select the defaulted status from the drop-down list. The list displays the following values:
Click ‘Execute Query’ button to display the following details:
Enabled
Optional
Select if RLS policies to be enabled or not from the drop-down list. The list displays the following values:
By default all the policy will be disabled.
Note
You can create new maintenance but will be restricted to delete or amend existing/ created policies.
On enabling the policy rule, the system will create new RLS policy. On disabling the system will drop the RLS policy.
Note
In case of enabling or disabling RLS policy, you should either enable it or disable it all. In case of partial enabling, the system behaviour could differ.
This section contains the following topics:
You can maintain installed notifications using ‘Notifications Installed Maintenance’ screen. You can invoke this screen by typing ‘UTDNTFIN’ in the field at the top right corner of the Application tool bar and click the adjoining arrow.
You can specify the following details:
Branch Code
Alphanumeric; 12 Characters; Mandatory
Specify the branch code. Alternatively, you can select the branch code from option list. The list displays all valid branch code maintained in the system.
Description
Display
The system displays the description for the selected branch code.
Notification Code
Alphanumeric; 120 Characters; Mandatory
Specify the notification code. Alternatively, you can select the notification code from option list. The list displays all valid notification code maintained in the system.
Description
Display
The system displays the description for the selected notification code.
This section contains the following topics:
You can retrieve a previously entered record in the Summary Screen, as follows:
Invoke the ‘Notifications Installed Summary’ screen by typing ‘UTSNTFIN’ in the field at the top right corner of the Application tool bar. Click on the adjoining arrow button and specify any or all of the following details in the corresponding details.
Click ‘Search’ button to view the records. All the records with the specified details are retrieved and displayed in the lower portion of the screen.
Note
You can also retrieve the individual record detail from the detail screen by querying in the following manner:
You can perform Edit, Delete, Amend, Authorize, Reverse, Confirm operations by selecting the operation from the Action list. You can also search a record by using a combination of % and alphanumeric value
You can modify the details of Notifications Installed record that you have already entered into the system, provided it has not subsequently authorized. You can perform this operation as follows:
Click Save to save your changes. The Notifications Installed Maintenance screen is closed and the changes made are reflected in the Notifications Installed Summary screen.
To view a record that you have previously input, you must retrieve the same in the Notifications Installed Summary screen as follows:
You can delete only unauthorized records in the system. To delete a record that you have previously entered:
When a checker authorizes a record, details of validation, if any, that were overridden by the maker of the record during the Save operation are displayed. If any of these overrides results in an error, the checker must reject the record.
After a Notifications Installed Maintenance record is authorized, it can be modified using the Unlock operation from the Action List. To make changes to a record after authorization:
An amended Notifications Installed Maintenance record must be authorized for the amendment to be made effective in the system. The authorization of amended records can be done only from Fund Manager Module and Agency Branch module.
The subsequent process of authorization is the same as that for normal transactions.