4.5 Adding Security Attributes

This section explains about security attributes, the process of uploading security attributes, and mapping security attribute to users in the ECM application.

Prerequisites

Update the FCC_SECURITY_ATTRIBUTES table before triggering the batch. This table contains information about Jurisdiction, Business Domain, and their attribute priority.

Table 4-5 FCC_SECURITY_ATTRIBUTES

Column Name Description Primary Key Column Type Nullable
V_ATTRIBUTE_TYPE Type of the attribute. It should be Jurisdiction or Business Domain. Y VARCHAR2(50) No
V_ATTRIBUTE_VALUE Value of the attribute. For example, the Jurisdiction name can be INDIA, AMEA, and so on. Business Domain can be a Single- character code that represents a business domain (for example, a, b, or c). VARCHAR2(50) No
V_ATTRIBUTE_PRIORITY The priority of the attribute. For example, value 1 for the Jurisdiction type will have high Jurisdiction priority. NUMBER No

Here, the V_ATTRIBUTE_VALUE should be the same as mentioned in the V_JURISDICTION_CD and V_BUSINESS_DOMAIN_CD columns of the FCC_EVENTS table. For example, if we have events generated with V_JURISDICTION_CD as ‘’AMEA’’ and V_BUSINESS_DOMAIN_CD as “a” then the same should be updated in the respective column of FCC_SECURITY_ATTRIBUTES table.

Security Attributes and Its Types

Security Attributes help an organization classify their users based on their geography, jurisdiction, and business domain, to restrict access to the data that they can view.

You must map the roles with access privileges, and since these roles are associated with user groups, the users associated with the user groups can perform activities throughout the functional areas in the ECM application.

The following are the security attributes:
  • Jurisdiction
  • Business Domain
  • Case Type
  • Organization

Jurisdiction

OFS ECM application uses jurisdictions to limit user access to data in the database. Records from the Oracle client that the Administrator loads must be identified with jurisdiction and users of the system must be associated with one or more jurisdictions. In the Case Management system, users can view only data or cases associated with jurisdictions to which they have access. You can use jurisdiction to divide data into the database. For example:

  • Geographical:Division of data based on geographical boundaries, such as countries, states, and so on.
  • Organizational:Division of data based on different legal entities that compose the client’s business.
  • Other:Combination of geographic and organizational definitions. Also, it is client-driven and can be customized.

In most scenarios, a jurisdiction also implies a threshold that enables the use of this data attribute to define separate threshold sets based on jurisdictions. The list of jurisdictions in the system resides in the KDD_JRSDCN table.

Business Domain

Business domains are used for data access controls similar to jurisdiction but have a different objective. The business domain can be used to identify records of different business types such as Private Client versus Retail customer or to provide more granular restrictions to data such as employee data. The list of business domains in the system resides in the KDD_BUS_DMN table. The system tags each data record provided through to one or more business domains. It also associates users with one or more business domains in a similar fashion. If a user has access to any of the business domains that are on a business record, the user can view that record.

The business domain field for users and data records is a multi-value field. For example, you define two business domains:

  • Private Client
  • Retail Banking

A record for an account that is considered both has BUS_DMN_SET=ab. If a user can view the business domain a or b, the user can view the record. You can use this concept to protect special classes of data, such as data about executives of the firm. For example, you can define a business domain as e: Executives. You can assign this business domain to the employee, account, and customer records that belong to executives. Thus, only specific users of the system have access to these records. If the executive’s account is identified in the Private Client business domain, any user who can view Private Client data can view the executive’s record. Hence, it is important not to apply many domains to one record.

The system also stores business domains in the KDD_CENTRICITY table to control access to Research against different types of entities. Derived External Entities and Addresses inherit the business domain set that is configured in KDD_CENTRICITY for those focus types.

Case Type

You must establish access permissions associated with the available Case Types. The Case Type is used for data access controls similar to business domains but has a different objective. The Case Type can be used to identify records of different case types or to provide more granular restrictions to data such as case data.

The following tables are involved in the display of the Case Type in the Case Management UI and are specific to the Enterprise Case Management implementation.

  • KDD_CASE_TYPE_SUBTYPE:Each record in the Case Type table represents a case type. Case Class is the topmost definition through which a case is created. Case Type provides a detailed classification of a case. When generated, a case should be mandatory assigned to one of the case types for further investigation.
  • KDD_CASE_TYPE_SUBTYPE_TL: Corresponding TL table for KDD_CASE_TYPE_SUBTYPE.

Organization

Organizations are used for data access controls. Organizations are user groups to which a user belongs. The list of Organizations in the system resides in the KDD_ORG table.

Loading Security Attributes

For more information on loading Case type, see the Managing Case Designersection.

Loading Security Attributes through Excel

The Excel Upload process inserts the data into the appropriate dimension tables based on the pre-configured Excel Upload definitions installed during the application installation.

Note:

Data that already exists must not be loaded again, as this results in failure of the upload. When uploading additional records, only the incremental records should be maintained in the Excel template with the correct unique identifier key.

  • All template Excel files for Excel Upload are available in ftp share/STAGE/ExcelUpload/AMC- MLookupFiles
  • All date values should be provided in MM/DD/YYYY format in the Excel worksheet.
  • Whenever a record is deleted from the Excel worksheet, the complete row should be deleted (no blank active record should exist in the Excel worksheet).
  • After selecting the Excel template, preview it before uploading it.

Security attributes are loaded through Excel using the following templates:

Table 4-6 Security Attributes and Excel Templates

Security Attribute Excel Template
Jurisdiction KDD_JRSDCN.xls
Business Domain KDD_BUS_DMN.xls
Organization KDD_ORG.xls

Uploading Excel

To load the security attributes using excel, follow these steps:
  1. Log in as the Case Management Administrator. The ECM application home page is displayed.
  2. Click Case Management. The Case Management page is displayed.
  3. Mouse over the Administration menu and click Excel Upload. The Excel Upload dialog box is displayed.
  4. Click Excel Upload.
  5. Browse your system and select the Excel file.
  6. Select Sheet from Sheet drop-down list.
  7. Go to the Excel-Entity Mappings section. Click the Arrow icon to select one or more Mapping IDs from the dialog box. Excel is updated.

Loading Security Attributes through SQL Scripts

Loading Jurisdictions

To load jurisdictions in the database, follow these steps:

Add the appropriate record to the KDD_JRSDCN and KDD_JRSDCN_TL database table as mentioned in the following tables respectively.

Table 4-7 KDD_JRSDCN Table Attributes

Column Name Description
JRSDCN_CD Code (one to four characters) that represents a jurisdiction such as N for North, or S for South.
JRSDCN_NM Name of the jurisdiction such as North or South.
JRSDCN_DSP- LY_NM Display the name of the jurisdiction such as North or South.
JRSDCN_DESC_TX Description of the jurisdiction such as Northern US or Southern US.

Note:

The data in the KDD_JRSDCN database table is loaded through the Atomic schema.

Table 4-8 KDD_JRSDCN_TL table details

Column Name Description
V_LOCALE_CD Locale code of the Data. Example: en_US
JRSDCN_CD Code (one to four characters) that represents a jurisdiction such as N for North, or S for South.
JRSDCN_NM Name of the jurisdiction such as North or South.
JRSDCN_DSPLY_NM Display the name of the jurisdiction such as North or South.
JRSDCN_DESC_TX Description of the jurisdiction such as Northern US or Southern US.
V_CREATED_BY Not Applicable
D_CREATED_DT Not Applicable
V_SOURCE_LOCALE The data from the TL table will be auto replicated for all the support languages where there is no data.
Add records to the table using an SQL script similar to the following sample script:
INSERT INTO KDD_JRSDCN (JRSDCN_CD, JRSDCN_NM, JRSDCN_DSPLY_NM,JRSDCN_- DESC_TX)
VALUES ('E', 'East', 'East', 'Eastern')

Note:

The KDD_JRSDCN table is empty after system initialization and must be populated before the system starts operation.

Loading Business Domains

To load a business domain, follow these steps:
  1. Add the appropriate user record to the KDD_BUS_DMN database table as mentioned in the following table.

    Table 4-9 KDD_BUS_DMN Table Attributes

    Column Name Description
    BUS_DMN_CD Single-character code that represents a business domain such as a, b, or c.
    BUS_DMN_- DESC_TX Description of the business domain such as Institutional Broker-Dealer or Retail Banking.
    BUS_DMN_DSP- LY_NM Display the name of the business domain, such as INST or RET.

    Note:

    The KDD_BUS_DMN table already contains predefined business domains for the Oracle client.
  2. Add the appropriate user record to the KDD_BUS_DMN_TL database table as mentioned in the following table.

    Table 4-10 KDD_BUS_DMN_TL Table Attributes

    Column Name Description
    V_LOCALE_CD Locale code of the Data. Example: en_US
    BUS_DMN_CD Single-character code that represents a business domain such as a, b, or c.
    BUS_DMN_DESC_TX Description of the business domain such as Institutional Broker-Dealer or Retail Banking.
    BUS_DMN_DSPLY_NM Display the name of the business domain, such as INST or RET.
    V_CREATED_BY NA
    D_CREATED_DT NA
    V_SOURCE_LOCALE The data from the TL table will be auto replicated for all the support languages where there is no data
  3. Add more records to the table using a SQL script similar to the following sample script:
    INSERT INTO KDD_BUS_DMN (BUS_DMN_CD, BUS_DMN_DESC_TX, BUS_DMN_DSPLY_NM,
MANTAS_DMN_FL) VALUES (‘a’, ‘Compliance Employees’, ‘COMP’, ‘N’);
INSERT INTO KDD_BUS_DMN (BUS_DMN_CD, BUS_DMN_DESC_TX,BUS_DMN_DSPLY_NM, MANTAS_DMN_FL) VALUES (‘b’, ‘Executives’‘EXEC’, ‘N’);
COMMIT;
  4. Update the KDD_CENTRICITY table to reflect access to all focuses within the business domain with the following command:
    update KDD_CENTRICITY set bus_dmn_st ='a' where KDD_CENTRICITY. CNTRY_TYPE_CD = 'SC'

Loading Organizations

To load an organization in the database, follow these steps:
  1. Add the appropriate user record to the KDD_ORG database table as mentioned in the following table:

    Table 4-11 KDD_ORG Table Attributes

    Column Name Description
    ORG_CD Unique identifier for this organization.
    ORG_NM Short name for this organization that is used for display purposes.
    ORG_DESC_TX Description of this organization.
    PRNT_ORG_CD

    The parent organization of which this organization is considered to be a child.

    NOTE: This should reference an ORG_CD in the KDD_ORG table.

    MODFY_DT Last modified date and time for this organization record.
    MODFY_ID

    User ID of the user who last modified this organization data.

    NOTE: This should reference a user in the Investigation Owner table

    (KDD_REVIEW_OWNER.OWNER_SEQ_ID). You can also set the value to own- er_seq_id to1, which is the SYSTEM value if another suitable ID is not available.
    COMMENT_TX Additional remarks are added by the user.
  2. Add the appropriate user record to the KDD_ORG_TL database table as mentioned in following table.

    Table 4-12 KDD_ORG_TL Attributes

    Column Name Description
    V_LOCALE_CD Locale code of the Data. Example: en_US
    ORG_CD Unique identifier for this organization.
    ORG_NM Short name for this organization that is used for display purposes.
    ORG_DESC_TX Description of this organization.
    V_CREATED_BY NA
    D_CREATED_DT NA
    V_SOURCE_LOCALE The data from the TL table will be auto replicated for all the support languages where there is no data.
  3. Add more records to the table using a SQL script similar to the following sample script.
    INSERT INTO KDD_ORG(ORG_CD,ORG_NM,ORG_DESC_TX,PRNT_ORG_CD,MODFY_DT,MOD- FY_ID,COMMENT_TX) VALUES ('ORG1','COMPLIANCE ORG','DEPARTMENT FOR INVES- TIGATION','ORG1 PARENT ORG','01-JUN-2014',1234,'ADDING KDD_ORG ENTRIES')