A.23 Advanced Feature for ASC Use Case

This section describes the advanced features of the ASC use case.

Fine Grain Data Access Control for Workspace

Institutions often need to restrict data access to users based on jurisdiction to comply with data residency or other privacy regulations. This functionality can be used to ensure that users will be able to access data only from those jurisdictions they are entitled to.

Prerequisites
  • Existing or new users are assumed to have been created using AAI or a third-party IDCS.
  • Security mapping between users and jurisdictions is done using the AML BD application UI.
  • The user-mapped jurisdictions and the threshold set jurisdictions should match.
    • The user-mapped jurisdiction takes priority if they do not match.
  • A user who is not mapped to any jurisdiction will not see/get all jurisdictions' data.
  • Provide the following grant through the SYS user where the workspace schema is created.

    GRANT EXECUTE ON DBMS_RLS TO <ASC_Workspace_schema>;

    Note:

    If the accounts belonging to a customer do not belong to the same jurisdiction as the customer, but instead span multiple jurisdictions, the user executing the scenario should have access to all the relevant jurisdictions. If the user executing the scenario does not have access to the appropriate jurisdictions, then the scenario will not generate the expected number of alerts.

Sync up Security Mapper between BD Production and ASC BD Schema

Note:

This step is optional and can be skipped if user management and security mapping for ASC-BD is self-managed.
  • Generally, security mappings are done for BD production instances.
    • New user creation and user-security mapping happen in BD Production.
  • The ASC BD instance is generally a non-production BD, such as BD UAT or BD Pre-Prod.
  • If user management and security mapping happen outside the ASC-BD instance (for example, in BD Production), the security mapper tables need to be synced up between ASC-BD and BD-Prod. The approach for syncing up users is as follows:
    • Create a new Data Store in Compliance Studio pointing to the BD Production schema.
    • During ASC workspace creation, add the BD Production Data Source and source the following tables:
      • kdd_jrsdcn
      • kdd_review_owner
      • kdd_review_owner_jrsdcn
  • Execute the Workspace data population batch to sync up the security mapper with ASC-BD.

    Note:

    This step must be repeated every time users or security mappings are created or modified.

Enable/Disable Fine Grain Data Access Control

To enable/disable fine grain data access control, follow these steps:
  1. Log in to the UNIX machine where Compliance Studio is installed.
  2. Navigate to the <COMPLIANCE_STUDIO_INSTALLATION_PATH>/deployed/ml4aml/bin directory.
  3. Execute the following UNIX command once against the ASC workspace.
    ./enableVPD.sh -w <ASC_Workspace_Target_Wallet_Alias>

    Note:

    ASC_Workspace_Target_Wallet_Alias is a placeholder to be replaced with the actual value used to create the ASC workspace.
  4. Log in to the configuration schema (Studio Schema) of the Compliance Studio.
    1. Run the following SQL to enable VPD.
      -- Sets IS_VPD_ENABLED to 'Y' whether or not the row already exists.
      MERGE INTO NEXTGENEMF_CONFIG T USING (SELECT 'IS_VPD_ENABLED' V_NAME FROM DUAL) S
      ON (T.V_NAME = S.V_NAME)
      WHEN MATCHED THEN UPDATE SET V_VALUE = 'Y',
      V_DESC = 'Is VPD Enabled'
      WHEN NOT MATCHED THEN INSERT (V_NAME, V_VALUE, V_DESC)
      VALUES ('IS_VPD_ENABLED', 'Y', 'Is VPD Enabled');
      COMMIT;
    2. Run the following SQL to disable VPD.
      -- Sets IS_VPD_ENABLED to 'N' whether or not the row already exists.
      MERGE INTO NEXTGENEMF_CONFIG T USING (SELECT 'IS_VPD_ENABLED' V_NAME FROM DUAL) S
      ON (T.V_NAME = S.V_NAME)
      WHEN MATCHED THEN UPDATE SET V_VALUE = 'N',
      V_DESC = 'Is VPD Enabled'
      WHEN NOT MATCHED THEN INSERT (V_NAME, V_VALUE, V_DESC)
      VALUES ('IS_VPD_ENABLED', 'N', 'Is VPD Enabled');
      COMMIT;
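The following added illustration (not Oracle's code, and not the contents of enableVPD.sh) shows the mechanism that the DBMS_RLS grant in the prerequisites makes available: a row-level policy that filters by jurisdiction and returns no rows for an unmapped user, followed by a query to confirm which policies are in force. All DEMO_* objects, the sample rows, and the use of CLIENT_IDENTIFIER to carry the application user are assumptions made for the example.

```sql
-- Added illustration: every DEMO_* name is hypothetical, not a product object.
-- Run in a scratch schema that holds EXECUTE on DBMS_RLS.
CREATE TABLE DEMO_USER_JRSDCN (USER_ID VARCHAR2(128), JRSDCN_CD VARCHAR2(40));
CREATE TABLE DEMO_ACCT (ACCT_ID NUMBER, JRSDCN_CD VARCHAR2(40));

-- Constructed sample data: ANALYST1 is mapped to jurisdiction AMEA only.
INSERT INTO DEMO_USER_JRSDCN VALUES ('ANALYST1', 'AMEA');
INSERT INTO DEMO_ACCT VALUES (1, 'AMEA');
INSERT INTO DEMO_ACCT VALUES (2, 'EMEA');
COMMIT;

-- Policy function: Oracle appends the returned text as a WHERE predicate.
CREATE OR REPLACE FUNCTION DEMO_JRSDCN_PREDICATE (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- The user is read through SYS_CONTEXT inside the predicate rather than
  -- concatenated into it, so the predicate text is constant.
  -- Assumption: the application sets CLIENT_IDENTIFIER on its own connections;
  -- any session can set it, so it is only trustworthy on app-controlled logins.
  -- A user with no mapping rows matches nothing (fail closed).
  RETURN 'JRSDCN_CD IN (SELECT m.JRSDCN_CD FROM DEMO_USER_JRSDCN m '
      || 'WHERE m.USER_ID = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DEMO_ACCT',
    policy_name     => 'DEMO_JRSDCN_POLICY',
    function_schema => USER,
    policy_function => 'DEMO_JRSDCN_PREDICATE',
    statement_types => 'SELECT');
END;
/

-- As ANALYST1 only account 1 is returned; with no identifier set, no rows are.
BEGIN DBMS_SESSION.SET_IDENTIFIER('ANALYST1'); END;
/
SELECT ACCT_ID, JRSDCN_CD FROM DEMO_ACCT;

-- Check: list the row-level policies attached to tables in the current schema.
SELECT OBJECT_NAME, POLICY_NAME, FUNCTION, ENABLE
FROM USER_POLICIES
ORDER BY OBJECT_NAME, POLICY_NAME;
```

Running the final USER_POLICIES query in the ASC workspace schema after enableVPD.sh shows which tables carry an enabled policy there, which is worth checking alongside the IS_VPD_ENABLED value.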

Optimizing SQL performance

You can further optimize SQL performance for ASC by configuring SQL hints, either PARALLEL or NO_PARALLEL. The default configuration is PARALLEL(8), and it is held in the ml4aml_hint_config table. Users can change these values according to database capacity and DBA activity to arrive at the values that best suit the database.

Note:

Ensure all the tables are properly indexed as the data grows. This is assumed to be a standard DBA activity that is carried out as data keeps growing.

Periodic Workspace Schema Cleanup

Note:

Perform the steps in this section only at the end of the tuning cycle.

The system creates some intermediate temporary tables as part of the ASC workflow, which should be dropped periodically during cleanup activity. The following sample Oracle statement generates a drop table statement for each of the temp tables.

The generated drop table statements should be manually verified before they are executed.

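To generate the drop table statements, execute the following:

    -- Underscores are escaped so that LIKE matches them literally
    -- instead of treating them as single-character wildcards.
    select 'DROP TABLE '||TABLE_NAME||';' from user_tables
    where table_name like '%ASC\_TEMP\_%' escape '\';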

Example of a generated drop table statement:

    DROP TABLE ASC_TEMP_1735;