Access Rights

Day 6: KPEI Technical Training 2007


Transcript of Access Rights

Page 1: Access Rights

Day 6: KPEI Technical Training

2007

Page 2: Access Rights

Day 05 - Access Rights

Page 3: Access Rights

3 - Presentation title - dd-Mmm-yyyy - Capco confidential

Objectives

Understand Access Rights and how they work
Understand how development is planned
Understand what needs to be modified
Exercise: Implementing Access Rights for instructions

Page 4: Access Rights

What are Access Rights?

An Access Right is the ability to perform a certain function within the system. This right allows the user access to functionality within the e-Clears System.

Page 5: Access Rights

Structure

[Diagram: Instructions, Access Right, Group, User]

Page 6: Access Rights

Structure

Many-to-many relationship

An Access Right may have one or many Instructions.

e.g. the Right to do a 6-eye creation of Security Transfer contains the 6-eye create, short inquiry, and detail inquiry instructions.

An Instruction may be linked to one or many Access Rights.

e.g. the short inquiry instruction may be used by the create, check, and approve Access Rights

An Access Right may be assigned to one or many Groups.

e.g. the Right to view a balance position can be granted to all groups within a member.

Page 7: Access Rights

Structure

A Group can have one or many Access Rights.

e.g. Rights to do a 6-eye, 4-eye and 2-eye creation of Security Transfer

A Group can have one or many Users.

A User can belong to one or many Groups.

Page 8: Access Rights

How are Access Rights Used?

The Administrator of a Member type is able to create groups.

A Member Administrator is able to grant access rights to its groups.

Each group can have its own set of access rights.

The users of each group thus have access to the system depending on the rights assigned to each group.

Page 9: Access Rights

Characteristics of Access Rights

Access Rights for a Member are pre-defined during development.

When the KPEI Administrator creates a Member, the pre-defined rights are granted to the Member.

It is up to the Member Administrator to create groups and users.

Page 10: Access Rights

Access Rights Technical Architecture

[Architecture diagram; labels recovered from the slide:]

Systems: KSEI COBASS, KPEI COBASS
Web servers: KSEI Webserver, KPEI Webserver
Link: Static data replication
KSEI local tables (Rights, groups, users ...)
KPEI local tables (Rights, groups, users ...)
Workstations: KSEI WS, KPEI WS, Clearing member WS, Non clearing member WS, Registrar WS, Stock exchange WS

Function lists shown in the diagram:
KPEI instructions; Inquiries; Reports; User/group mngt; View Static data; KPEI business rules; Fees & invoices; Create participant administrator at KPEI
KSEI instructions; Inquiries; Reports; User/group mngt; Static data mngt; KSEI business rules; Fees & invoices; Create participant/reg. & KPEI administrators at KSEI
Confirmations; User/group mngt; Reports
User/group mngt
Security & Book transfers (from deposit accounts); Inquiries

Page 11: Access Rights

What You Need to Modify

Cobass-web
Database
Application Server Classes (java)

Page 12: Access Rights

Development Plan

Instruction planning: Core Instructions, Sub-instructions

Instruction Authorization Matrix: Table number, Column number, Row number

Cobass-web

Database

Application Server Classes

Page 13: Access Rights

Development Plan

Instruction planning: Core instructions needed, Sub-instructions

Instruction Authorization Matrix: Table numbers, Columns, Rows

Page 14: Access Rights

Development Plan

Cobass-web: StaticTable.ini, menu.jsp, configuration.xml

Database: MESSAGE_CODES, RIGHTS, MESSAGE_TYPES, MESSAGE_TYPES_RIGHTS

Application Server Classes: Adding of default rights

Page 15: Access Rights

Development Plan – Instruction Planning

Core Instructions Needed

example: DVP__INSTR (Delivery versus Payment)

Sub Instructions

DVP__ENQSH
DVP__ENQDT
DVP__CREAT
DVP__CRDCH
DVP__CRDAP
DVP__CHECK
DVP__APPRO
DVP__REJCT
DVP__CACRE
…

Page 16: Access Rights

Development Plan – Instruction Planning

Group the sub-instructions of a core instruction and assign them an Authorization Message Code.

This Authorization Message Code must be unique.

Core Instruction: DVP__INSTR
Sub-instructions: DVP__CREAT, DVP__CRDCH, DVP__CHECK, …
Authorization Message Code: 02004300

Page 17: Access Rights

Development Plan – Instruction Planning

What is the Authorization Message Code?

The Authorization Message Code is used to create an access right link in Cobass-web. It is also used to link the Member to the instruction.

Code excerpt from Wscmptab.ini

[TABLES]
T011=Clearing & settlement;02004300;0

T011: Table 11
Clearing & Settlement: Title of link for rights
02004300: Authorization Message
0: For subscription. Not used. (Always use 0)

Page 18: Access Rights

Development Plan – Instruction Planning

Screen shot of access right link

Page 19: Access Rights

Development Plan – Instruction Planning

Assign external IDs to the sub-instructions

Core Instruction: DVP__INSTR (Authorization Message Code 02004300)

Sub-instructions and their external IDs:

DVP__CREAT: 04001053
DVP__CRDCH: 04001054
DVP__CRDAP: 04001055
…

Page 20: Access Rights

Development Plan – Instruction Planning

What are External IDs?

External IDs are unique numbers used to identify a sub-instruction. These IDs are stored in the database and are used as part of Rights control. External IDs are specified in menu.jsp and configuration.xml.

What are Internal IDs?

Internal IDs are also unique identifiers used to identify a sub-instruction. They are generally used to denote the type of sub-instruction and can be part of the data that is passed from Cobass-web to the back-end for processing.

Page 21: Access Rights

Development Plan – Instruction Planning

Excerpt from configuration.xml

<Message externalID="04001053" internalID="DVP__CREAT" structure="WSDvpRvpDetailedIncoming" collaborator="WorkstationCollaborator" incomingMapper="WSDvpRvpDetailedIncomingMapperStrategy" errorMapper="WSErrorMapperStrategy"/>

Page 22: Access Rights

Instruction Authorization Matrix

Access Rights to instructions are arranged with the use of Rows and Columns.

These Rows and Columns specify what functionalities a core instruction has. For example, in ‘Delivery vs payment’, the user has access to ‘Create’, ‘Check’, ‘Approve’, ‘Direct Check’, and ‘Direct Approve’ functions.

Page 23: Access Rights

Instruction Authorization Matrix

How the Rows and Columns are mapped

Instruction type: DVP (Row 1)

Column 1 (Create): 04001051, 04001052, 04001053, 04001059
Column 2 (Check): 04001051, 04001052, 04001056, 04001058, 04001062, 04001064
Column 3 (Approve): 04001051, 04001052, 04001057, 04001058, 04001063, 04001064
Column 4 (Direct check): 04001051, 04001052, 04001054, 04001056, 04001058, 04001060, 04001062, 04001064
Column 5 (Direct approval): 04001051, 04001052, 04001055, 04001057, 04001058, 04001061, 04001063, 04001064

Page 24: Access Rights

Instruction Authorization Matrix

Each sub-instruction has the following attributes:

Row number
Column number
Table number

The row and column numbers specify the types of sub-instructions that are applicable to a particular function.

Page 25: Access Rights

Instruction Authorization Matrix

For example if we grant ‘Create’ privileges to a user for ‘Delivery vs payment’:

Page 26: Access Rights

Instruction Authorization Matrix

The sub-instructions that are associated with ‘Delivery vs payment’ ‘Create’ are as follows:

Instruction type: DVP (Row 1), Action: Create (Column 1)

04001051 (DVP__ENQSH)
04001052 (DVP__ENQDT)
04001053 (DVP__CREAT)
04001059 (DVP__CACRE)
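The resolution from user to group to matrix cell to external ID, as an added example that is not part of the original training material or of e-Clears. The ID sets are the ones on the rows-and-columns slide; the group and user names are hypothetical, and the multi-stage check is an added review aid for users whose combined groups span create, check and approve.

```python
# Added example: a constructed model of the slides' matrix, not e-Clears code.
# Cell = (table number, row number, column number); the ID sets are the ones
# listed for DVP (table 11, row 1) on the rows-and-columns slide.
MATRIX = {
    (11, 1, 1): {"04001051", "04001052", "04001053", "04001059"},  # Create
    (11, 1, 2): {"04001051", "04001052", "04001056", "04001058",
                 "04001062", "04001064"},                          # Check
    (11, 1, 3): {"04001051", "04001052", "04001057", "04001058",
                 "04001063", "04001064"},                          # Approve
}
# Hypothetical groups and users (assumptions, not from the slides).
GROUP_CELLS = {"makers": {(11, 1, 1)}, "checkers": {(11, 1, 2)},
               "approvers": {(11, 1, 3)}}
USER_GROUPS = {"alice": {"makers"}, "bob": {"checkers"},
               "carol": {"makers", "approvers"}}


def effective_cells(user):
    """Union of the cells of every group the user belongs to."""
    cells = set()
    for group in USER_GROUPS.get(user, ()):
        cells |= GROUP_CELLS.get(group, set())
    return cells


def is_allowed(user, external_id):
    """Deny by default: the ID must appear in one of the user's cells."""
    return any(external_id in MATRIX.get(c, ()) for c in effective_cells(user))


def multi_stage_users():
    """Users holding more than one of columns 1-3 for the same table and row."""
    flagged = {}
    for user in USER_GROUPS:
        stages = {}
        for tab, row, col in effective_cells(user):
            if col in (1, 2, 3):
                stages.setdefault((tab, row), []).append(col)
        multi = {k: sorted(v) for k, v in stages.items() if len(v) > 1}
        if multi:
            flagged[user] = multi
    return flagged


if __name__ == "__main__":
    print(is_allowed("alice", "04001053"), is_allowed("alice", "04001057"))
    print(multi_stage_users())
```

The inquiry IDs 04001051 and 04001052 appear in every column, so any single grant also opens the short and detail inquiries.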

Page 27: Access Rights

Instruction Authorization Matrix

Table Numbers

Each Table Number corresponds to an Authorization Message Code. The Table Number groups similar core instructions (and their respective sub-instructions) together.

For example, the Clearing & Settlement function contains both delivery and receiving (DVP and RVP) instructions. They are both grouped under Table Number 11.

Note: If a new function is created, the Table Number allocated must be unique.

Page 28: Access Rights

Cobass-web

StaticTable.ini

[TABLES]
T011=Clearing & settlement;02004300;0

menu.jsp

Need to modify both menu.xtm files, which are found in:

/webapps/kpei/general
/webapps/kpei/Clearing

The external IDs specified in these two files must match.

Page 29: Access Rights

Cobass-web

menu.jsp in /webapps/kpei/general

This file defines the left-hand navigational bar.

Page 30: Access Rights

Cobass-web

What to add in menu.xtm (general)

[IF "£RIGHTSET,#MEMORY&04001µ" = "1" OR "£RIGHTSET,#MEMORY&04002µ" = "1" OR "£RIGHTSET,#MEMORY&04003µ" = "1" OR "£RIGHTSET,#MEMORY&04004µ" = "1"]
<tr>
  <td><img src="@@IMG[dot.gif]"></td>
  <td><a href="@@TRX[INSTCLEA]" ID="l{%t}" target="body" onClick="DoClick('l{%t}')">Clearing & Settlement</a></td>
</tr>
[INC t]
[ENDIF]

Page 31: Access Rights

Cobass-web

menu.jsp in /webapps/kpei/Clearing

This file defines the right-hand menu items in the ‘main’ screen.

Page 32: Access Rights

Cobass-web

What to add in menu.xtm (general)

[IF "£RIGHTSET,#MEMORY&04001051µ" = "1" OR "£RIGHTSET,#MEMORY&04002051µ" = "1" OR "£RIGHTSET,#MEMORY&04003051µ" = "1" OR "£RIGHTSET,#MEMORY&04004051µ" = "1"]
<table border="{#MENUBORDERWIDTH}" align="center" width="60%" bgcolor="#{#MENUTABLECOLOR}" bgcolor="#{#MENUTABLECOLOR}">
  <tr>
    <td width="100%">
      <table border="0" width="100%" cellspacing="2">
        <tr>
          <td bgcolor="#{#MENUCELLCOLOR}">
            <img src="@@IMG[mball7.gif]"><a href="javascript:RememberWhichToShow('@@TRX[INSTCLEA;BT_SEARCH=X&FCT=INQ&FIRST=1]')" ID="l{%t}" target="body" class="Title" onClick="DoClick('l{%t}')"><font><u>Clearing & settlement instructions inquiry</u></font></a>
            [INC t]
          </td>
        </tr>

Page 33: Access Rights

Cobass-web

configuration.xml

<Message externalID="04001053" internalID="DVP__CREAT" structure="WSDvpRvpDetailedIncoming" collaborator="WorkstationCollaborator" incomingMapper="WSDvpRvpDetailedIncomingMapperStrategy" errorMapper="WSErrorMapperStrategy"/>

Page 34: Access Rights

Database

Access Rights are defined in four tables within the database. The tables are as follows:

MESSAGE_CODES
MESSAGE_TYPES
MESSAGE_TYPES_RIGHTS
RIGHTS

Page 35: Access Rights

Database

MESSAGE_CODES: The MESSAGE_CODES table stores all codes for messages within the system.

MESSAGE_TYPES: The MESSAGE_TYPES table describes the type of message.

MESSAGE_TYPES_RIGHTS: The MESSAGE_TYPES_RIGHTS table links the messages to the RIGHTS table.

RIGHTS: The RIGHTS table specifies the row, column and table numbers for the messages (instructions).

Page 36: Access Rights

Database

MESSAGE_CODES: CODE_LANG, CODE_MC, ID_MC_CAPCO, LST_UPD_TS, MT_ID_MT_CAPCO

MESSAGE_TYPES: CLASS_VAL_NM, ID_MT_CAPCO, LST_UPD_TS, MT_DSC, FLG_MSG_IN

MESSAGE_TYPES_RIGHTS: ID_MTR_CAPCO, LST_UPD_TS, MT_ID_MT_CAPCO, RIGHT_ID_RIGHT_CAPCO

RIGHTS: CELL_DSC, COL_NBR, ID_RIGHT_CAPCO, LST_UPD_TS, ROW_NBR, TAB_NBR

Page 37: Access Rights

Database

Example: DVP ‘Create’ – This belongs to Table 11, Row 1, Column 1.

Page 38: Access Rights

Database

MESSAGE_CODES

-- In the TO_CHAR format, MI is the minutes element (MM is the month).
insert into message_codes values ('WRKSTATION', '04001053', 'MSGCD_____TOOL20000222000000000_04001053', TO_CHAR(sysdate,'YYYYMMDDHH24MISS') || '000', 'SECMT_____TOOL20000222000000000_04001053');

MESSAGE_TYPES

insert into message_types (ID_MT_CAPCO, LST_UPD_TS, MT_DSC, FLG_MSG_IN) values ('SECMT_____TOOL20000222000000000_04001053', TO_CHAR(sysdate,'YYYYMMDDHH24MISS') || '000', 'INSTRINQ', 1);

Page 39: Access Rights

Database

MESSAGE_TYPES_RIGHTS

-- In the TO_CHAR format, MI is the minutes element (MM is the month).
insert into message_types_rights values ('SECMR_____TOOL20000222000000000____00007', TO_CHAR(sysdate,'YYYYMMDDHH24MISS') || '000', 'SECMT_____TOOL20000222000000000_04001053', 'SECRG_____TOOL20000222000000000011001001');

RIGHTS

-- Value order: CELL_DSC, COL_NBR (column number), ID_RIGHT_CAPCO, LST_UPD_TS, ROW_NBR (row number), TAB_NBR (table number)
insert into rights values ('DVPCREATE', 1, 'SECRG_____TOOL20000222000000000011001001', TO_CHAR(sysdate,'YYYYMMDDHH24MISS') || '000', 1, 11);
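How the four tables chain together for DVP ‘Create’, as an added example that is not part of the original training material: an in-memory SQLite stand-in (not the project's Oracle schema) that resolves an external ID to its table, row and column, and lists message codes that never reach a RIGHTS row. The join path is inferred from the column names and the values in the inserts above; the timestamp and the 99999999 row are constructed.

```python
import sqlite3

# Added example: SQLite stand-in for the four tables. Column names and the DVP
# 'Create' rows come from the slides; TS and the 99999999 row are constructed.
SCHEMA = """
CREATE TABLE message_codes (code_lang, code_mc, id_mc_capco, lst_upd_ts, mt_id_mt_capco);
CREATE TABLE message_types (class_val_nm, id_mt_capco, lst_upd_ts, mt_dsc, flg_msg_in);
CREATE TABLE message_types_rights (id_mtr_capco, lst_upd_ts, mt_id_mt_capco, right_id_right_capco);
CREATE TABLE rights (cell_dsc, col_nbr, id_right_capco, lst_upd_ts, row_nbr, tab_nbr);
"""
TS = "20070101000000000"
MT = "SECMT_____TOOL20000222000000000_04001053"
RG = "SECRG_____TOOL20000222000000000011001001"
# Join path inferred from the column names and the values in the inserts.
PATH = """
FROM message_codes mc
LEFT JOIN message_types mt ON mt.id_mt_capco = mc.mt_id_mt_capco
LEFT JOIN message_types_rights mtr ON mtr.mt_id_mt_capco = mt.id_mt_capco
LEFT JOIN rights r ON r.id_right_capco = mtr.right_id_right_capco
"""


def build():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO message_codes VALUES (?,?,?,?,?)",
               ("WRKSTATION", "04001053", "MSGCD_____TOOL20000222000000000_04001053", TS, MT))
    db.execute("INSERT INTO message_types VALUES (NULL,?,?,?,?)", (MT, TS, "INSTRINQ", 1))
    db.execute("INSERT INTO message_types_rights VALUES (?,?,?,?)",
               ("SECMR_____TOOL20000222000000000____00007", TS, MT, RG))
    db.execute("INSERT INTO rights VALUES (?,?,?,?,?,?)", ("DVPCREATE", 1, RG, TS, 1, 11))
    # Constructed: a message code and type registered with no rights link.
    db.execute("INSERT INTO message_codes VALUES (?,?,?,?,?)",
               ("WRKSTATION", "99999999", "MC_CONSTRUCTED", TS, "MT_CONSTRUCTED"))
    db.execute("INSERT INTO message_types VALUES (NULL,?,?,?,?)",
               ("MT_CONSTRUCTED", TS, "CONSTRUCTED", 1))
    return db


def cells_for(db, external_id):
    """(table, row, column) cells whose grant covers this external ID."""
    sql = ("SELECT r.tab_nbr, r.row_nbr, r.col_nbr" + PATH +
           "WHERE mc.code_mc = ? AND r.id_right_capco IS NOT NULL")
    return db.execute(sql, (external_id,)).fetchall()


def unlinked_codes(db):
    """External IDs that never reach a RIGHTS row through the join path."""
    sql = "SELECT mc.code_mc" + PATH + "GROUP BY mc.code_mc HAVING COUNT(r.id_right_capco) = 0"
    return [row[0] for row in db.execute(sql)]
```

Running `unlinked_codes` after adding a new instruction shows whether any of the four inserts was missed.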

Page 40: Access Rights

How do we Assign Rights to the Member Type?

Need to assign the member default rights to access the new function.

Page 41: Access Rights

Application Server Classes

Adding Default Rights to a User

Modify capco.cbss.security.instruction.AdminCreateProcessStrategy

This class specifies the default rights that are given to a member upon creation of the member. Note: The numbers that you see are table numbers.

/* These are the rights for an Investor Member Type */
private static final int RIGHTS_INVESTOR = 112; // table number

if (type == KSEIMemberType.getInvestorTypeValue()) {
    addTableRights(groupID, RIGHTS_INVESTOR);
}

Page 42: Access Rights

Adding Rights to the Member

You still need to assign the Member rights to this new function. Only additions to the database are required. Each Member type has a unique table number.

Member type or role / Functions

Description | Table number | Authorization message | Clearing Member (table number 107) | Non-Clearing Member (table number 106)
Clearing and settlement | 11 | 02004300 | X | X
Deposit management | 12 | 02004301 | X | X
Confirmations | 13 | 02004302 | |
Cash transfer | 14 | 02004303 | X | X
Funds management | 25 | 02004314 | |

Page 43: Access Rights

Adding Rights to the Member

The member table number has to be linked to the functions it can access.

e.g. Linking OTC instructions to Table 11 (Clearing Member rights)

[Diagram labels: MESSAGE_CODES, MESSAGE_TYPES, RIGHTS, MESSAGE_TYPES_RIGHTS; member table number 11; 11; Trade Take-up/Give-up Authorization Message; right_id_right_capco*; mt_id_mt_capco]

Page 44: Access Rights

Exercise

Page 45: Access Rights

Exercise