2. Session-wise Plan
Session I & II
SMS
• User creation
• Access to user profiles
Session III & IV
SMS
• Authorization rights
• Sign-on & password reset
• Sign-on deactivation & password reactivation
3. Objective
At the end of this session, participants will
• Appreciate the Security Management System (SMS) of T24
• Know how to set up security at various levels, including user, application, field and function levels
5. Security Management System (SMS)
Security – Prime concern of Banks, irrespective of their size and network
A bank needs to safeguard:
• Secrecy of customers and their accounts
• Exposure levels
• Access to data
• Authorization of financial commitments, etc.
6. SMS
Detects & stops unauthorized usage of the system
• Aids in avoiding fraudulent transactions
Records unauthorized usage of the system
• All activities of the users are recorded and a log can be maintained
9. Why User?
Bank user/Banker
For implementing various banking operations through T24
Banker -> Allowed to perform only specified or enabled operations
Enhances the security of banking
10. User Creation
Enter USER, I <User-name>
Enter the mandatory fields
Commit the record
15. User Profile Access
Based on the business profile of user,
• Access is given to the relevant applications
• To perform the permitted operations/functions
Helps in maintaining the confidentiality of the information available in the system
16. User Profile Access
Access restricted to each individual or group of users through -> USER Application
Changes to a user profile take effect only after the user
• Logs off the system and
• Logs in again using the same user name
17. Access Restriction
Company level restriction is set using the “Company Restr” field
Application level restriction is set using the “Application” field
• ALL.PG -> Allows access to all applications
• <Application-name> -> Allows the user access to that specific application only
Version level restriction is set using the “Version” field
• <Version-name> -> A version of the application set in the “Application” field; the user is then confined to that version
23. Access Restriction
Time Out Minutes
Refers to the period of inactivity after which T24 logs the user off automatically
The maximum value allowed in this field is 999 (minutes, i.e. about 16.5 hours); a short value limits what an unattended terminal exposes
24. Access Restriction
Attempts
Specifies the number of unsuccessful sign-on attempts allowed using the sign-on name of the User record before the password is disabled
User records disabled in this way are shown in the password exception list
The maximum value allowed in this field is 9
25. Unsuccessful User Attempt
Field ‘ATTEMPTS.SINCE’ -> Stores the number of unsuccessful attempts to sign on
An error appears (screenshot on the original slide) when ATTEMPTS.SINCE is greater than ATTEMPTS, and the password is disabled
26. User Access
Application ‘PASSWORD.RESET’ -> Resets a user's password
Access to this application should be restricted to the bank's security administrator
27. User linking with Protocol file
SIGN.ON.OFF.LOG
Specifies whether or not a record should be written to the Protocol file, recording every
time this User Signs On/off
Note: Unsuccessful attempts to sign on are always logged, regardless of the value in this field
SECURITY.MGMT.L
Specifies whether or not a record should be written to the Protocol file, every time this
User accesses any of the Security Management Applications
28. User linking with Protocol file
APPLICATION.LOG
Specifies whether or not records should be written to the Protocol file, recording every
Application accessed by this User
FUNCTION.ID.LOG
Specifies whether or not full details of every
• Application,
• Function and
• record ID accessed by this User should be recorded in the Protocol file
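The following is an added example, not code from the original slides or from Temenos T24: a small Python model of the sign-on checks described above (ATTEMPTS / ATTEMPTS.SINCE, the password exception list) together with the four Protocol-file logging flags. The ProtocolFile class, the status strings, the record layout and the set of "Security Management Applications" are assumptions made for the example; in particular the page names USER, USER.SMS.GROUP and PASSWORD.RESET, and those three are used here.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed set of "Security Management Applications" for SECURITY.MGMT.L
# (the three the page itself names; the real list in T24 may be longer).
SECURITY_MGMT_APPS = {"USER", "USER.SMS.GROUP", "PASSWORD.RESET"}


@dataclass
class ProtocolFile:
    """In-memory stand-in for the Protocol file: (event, user, detail) records."""
    records: List[Tuple[str, str, str]] = field(default_factory=list)

    def write(self, event, user, detail=""):
        self.records.append((event, user, detail))

    def events(self, user):
        return [e for e, u, _ in self.records if u == user]


@dataclass
class UserRecord:
    """Subset of a USER record; field names follow the page, values are constructed."""
    sign_on_name: str
    password: str
    attempts: int = 3                # ATTEMPTS: failures allowed before the password is disabled
    attempts_since: int = 0          # ATTEMPTS.SINCE: unsuccessful sign-on attempts recorded
    password_disabled: bool = False
    sign_on_off_log: bool = False    # SIGN.ON.OFF.LOG
    security_mgmt_log: bool = False  # SECURITY.MGMT.L
    application_log: bool = False    # APPLICATION.LOG
    function_id_log: bool = False    # FUNCTION.ID.LOG

    def __post_init__(self):
        # The page states the maximum value of ATTEMPTS is 9.
        if not 1 <= self.attempts <= 9:
            raise ValueError("ATTEMPTS must be between 1 and 9")


def sign_on(user, password, protocol):
    """Sign-on check: returns a status string and updates the USER record in place."""
    if user.password_disabled:
        protocol.write("SIGN.ON.FAIL", user.sign_on_name, "password disabled")
        return "PASSWORD.DISABLED"
    if password != user.password:
        user.attempts_since += 1
        # Unsuccessful attempts are always logged, whatever SIGN.ON.OFF.LOG says.
        protocol.write("SIGN.ON.FAIL", user.sign_on_name, f"attempt {user.attempts_since}")
        if user.attempts_since > user.attempts:   # ATTEMPTS.SINCE greater than ATTEMPTS
            user.password_disabled = True
            return "PASSWORD.DISABLED"
        return "INVALID.PASSWORD"
    user.attempts_since = 0
    if user.sign_on_off_log:                       # successful sign-on logged only if flag set
        protocol.write("SIGN.ON", user.sign_on_name)
    return "OK"


def sign_off(user, protocol):
    if user.sign_on_off_log:
        protocol.write("SIGN.OFF", user.sign_on_name)


def access_record(user, application, function, record_id, protocol):
    """Write the Protocol records the user's flags call for; each flag acts independently."""
    if user.application_log:
        protocol.write("APPLICATION", user.sign_on_name, application)
    if user.function_id_log:   # full detail: application, function and record ID
        protocol.write("FUNCTION.ID", user.sign_on_name, f"{application} {function} {record_id}")
    if user.security_mgmt_log and application in SECURITY_MGMT_APPS:
        protocol.write("SECURITY.MGMT", user.sign_on_name, application)


def password_exception_list(users):
    """Users whose password was disabled by too many unsuccessful sign-on attempts."""
    return sorted(u.sign_on_name for u in users if u.password_disabled)


if __name__ == "__main__":
    log = ProtocolFile()
    clerk = UserRecord("INPUTTER1", "secret", attempts=3)
    for _ in range(4):
        print(sign_on(clerk, "guess", log))      # 3 x INVALID.PASSWORD, then PASSWORD.DISABLED
    print(password_exception_list([clerk]), log.records)
```

With ATTEMPTS=3 the third wrong password still returns INVALID.PASSWORD; the fourth pushes ATTEMPTS.SINCE above ATTEMPTS and disables the password, and every one of those failures reaches the Protocol file even though SIGN.ON.OFF.LOG is off for that user.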
29. USER.SMS.GROUP
Groups users having the same user rights
Allows restrictions to be defined at application & function level
Creates logical groups that can be attached to a user profile
Avoids repeating the same list of applications in different user profiles
31. Grouping – Application Level
User profiles can be grouped using the ID of a USER.SMS.GROUP record
Field ‘Application’ -> Attach the group name prefixed with the ‘@’ symbol, i.e. @<Group-name>
32. Grouping – Application Level
An error appears (screenshot on the original slide) when the user attempts an application or function that is not permitted by the USER.SMS.GROUP attached to the profile
33. Grouping – Field Level
Field level grouping of user profiles can be done using ID of USER.SMS.GROUP
Use fields:
Field No
Data Comparison
Data from
Data to
34. Grouping – Field Level
Define the conditions under which the corresponding application may be accessed by the respective user profile
These fields are interlinked (associated multi-value) fields: each Field No is read together with its Data Comparison, Data From and Data To
36. Grouping – Field Level
Example,
Any FT record created by this User can only have ‘AC’ as the Transaction Type
37. Grouping – Field Level
An error appears (screenshot on the original slide) because the user is not allowed to input a transaction type other than ‘AC’ in the FT version
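The example below is added here and is not code from the original slides or from T24: a Python model of how the associated fields Application / Version / Function / Field No / Data Comparison / Data From / Data To decide whether a user may act on a record, including the ‘@group’ expansion and the ‘FT record may only have transaction type AC’ condition just described. The comparison operators (EQ, NE, GT, LT, RG), the T24 function letters, the Temp Function layout (from the notes) and the use of field 1 as the FT transaction type are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Operators assumed for the 'Data Comparison' field; lo/hi are Data From / Data To.
COMPARISONS = {
    "EQ": lambda v, lo, hi: v == lo,
    "NE": lambda v, lo, hi: v != lo,
    "GT": lambda v, lo, hi: v > lo,
    "LT": lambda v, lo, hi: v < lo,
    "RG": lambda v, lo, hi: lo <= v <= hi,
}


@dataclass
class SmsEntry:
    """One multi-value set of the associated fields; USER and USER.SMS.GROUP share this layout."""
    application: str                 # 'ALL.PG', an application name, or '@<group>'
    version: str = ""                # blank: any version of the application
    function: str = ""               # function letters, e.g. 'I' input, 'A' authorise, 'S' see (assumed)
    conditions: List[Tuple[int, str, str, str]] = field(default_factory=list)
    # Temp Function: an extra function letter valid only for a period (layout assumed from the notes)
    temp_function: str = ""
    temp_from: Optional[date] = None
    temp_to: Optional[date] = None

    def functions_on(self, today):
        allowed = set(self.function)
        if self.temp_function and self.temp_from and self.temp_to \
                and self.temp_from <= today <= self.temp_to:
            allowed |= set(self.temp_function)
        return allowed


def expand(entries, groups):
    """Replace '@GROUP' entries by the entries of that USER.SMS.GROUP record."""
    expanded = []
    for entry in entries:
        if entry.application.startswith("@"):
            expanded.extend(groups[entry.application[1:]])
        else:
            expanded.append(entry)
    return expanded


def check_access(entries, groups, application, version, function, record, today):
    """Return (allowed, reason) for a profile acting on `record` (dict: field number -> value)."""
    reason = f"{application} {function} not permitted by the user profile"
    for entry in expand(entries, groups):
        if entry.application not in ("ALL.PG", application):
            continue
        if entry.version and entry.version != version:
            continue
        if function not in entry.functions_on(today):
            continue
        failed = [c for c in entry.conditions
                  if not COMPARISONS[c[1]](record.get(c[0], ""), c[2], c[3])]
        if not failed:
            return True, f"permitted by entry {entry.application}"
        field_no, op, lo, hi = failed[0]
        reason = f"field {field_no} must be {op} {lo}{(' ' + hi) if hi else ''}"
    return False, reason


if __name__ == "__main__":
    # Constructed USER.SMS.GROUP: FT input via one version, field 1 (assumed TRANSACTION.TYPE) must equal AC.
    groups: Dict[str, List[SmsEntry]] = {
        "FT.AC.INPUT": [SmsEntry("FUNDS.TRANSFER", "FUNDS.TRANSFER,AC", "I", [(1, "EQ", "AC", "")])]
    }
    profile = [SmsEntry("@FT.AC.INPUT"), SmsEntry("CUSTOMER", function="S")]
    print(check_access(profile, groups, "FUNDS.TRANSFER", "FUNDS.TRANSFER,AC", "I", {1: "AC"}, date.today()))
    print(check_access(profile, groups, "FUNDS.TRANSFER", "FUNDS.TRANSFER,AC", "I", {1: "OT"}, date.today()))
```

An entry that matches the application, version and function but whose field conditions fail blocks that entry only; another entry in the profile (or in another attached group) can still permit the record, which is why reviewing a profile means reading every ‘@group’ it references, not just the first.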
38. Grouping – Attribute Level
Attach different attributes to different users, based on their job specification
The ‘Attribute’ field controls which desktop menus and features the user is given access to
40. Attributes
COMMAND.LINE -> User is allowed to use command line
EXPLORER -> Allows the user to use the Application explorers
ENQUIRY.INDEX -> Allows access to the enquiry index, where the user is given access
only to enquiries
41. Attributes
REALTIMEENQUIRY -> Allows the use of real time enquiries for this user
LOCK.PREFERENCES -> Prevents the user from gaining access to various Desktop
settings including file locations and some system administrative functions
42. Attributes
SUPER.USER -> Allows the user access
• To all of the features
• For all future functionality, with the exception of REALTIMEENQUIRY
LOCK.DEACTIVATION -> Disables the "Deactivation profile" menu item on the desktop menu bar
43. Attributes
LOCK.DESIGNERS -> To disable all Designer's menu items on Desktop menu bar.
LOCK.MISC.ITEMS -> Prevents the user from gaining access to
• user toolbar
• list of enquiries and
• list of reports in desktop
45. Authorization
T24 generates two types of messages:
Override message
• Messages that can be overridden by the User
Error message
• Must be corrected before the transaction is committed
• Otherwise the transaction cannot be committed and is aborted
49. Override
Warning messages pertaining to a transaction
Prompted to the user before committing a transaction
User -> Accept/Reject transaction with the warnings
Accepting Override message will complete the transaction
50. Tables Involved
Three applications are linked with Override
OVERRIDE.CLASS.DETAILS -> Define classification & condition
OVERRIDE.CLASS -> Define Override message & ID of OVERRIDE.CLASS.DETAILS
OVERRIDE -> Define Override message & Application name
51. OVERRIDE.CLASS.DETAILS
Override message returns variable data elements
Specify different Override Classes depending on the variable data element
ID of OVERRIDE.CLASS.DETAILS -> attached to the Field ‘Override Detail’ of
OVERRIDE.CLASS
52. OVERRIDE.CLASS.DETAILS
Define conditions for Override contract Authorization
Data Def
Define order of the variable data element
Classification
Define Classifications for Override Class
Specifies the classification type for the override message
Allow the user to define different levels of approval within each application, according to
the nature of the override
53. OVERRIDE.CLASS.DETAILS
Data Def No.
Define Field No.
Field No. called based on application defined in Override Application
Comparison
Define field level conditions
It is an operator linking the Data Def in field 1 to the values for comparison in fields 5 & 6
(Data From & Data To)
55. OVERRIDE.CLASS
ID -> Application name e.g. FUNDS.TRANSFER
Override text
• Allows the user to define specific classifications for the override messages of the application named in the ID
• Should be the same text as defined in the OVERRIDE application
Define Record Id from OVERRIDE.CLASS.DETAILS in field ‘Override Detail’
57. OVERRIDE
Override Message can be :
• a simple text e.g. NO LINE ALLOCATED
• a variable text e.g. Unauthorized overdraft of USD 10000 on account 14613
• Where, the Currency, Amount and Account number are variable values
Define valid data type e.g. CCY for Application defined in field ‘Application’
64. Override - Approval
ID of the final authorizer -> Appended to the override message, prefixed with a *
Authorize the record using a user attached to the override class ‘MNGR’
66. Types Of Sign Off
User Initiated
Inactive Session
Hardware Failure
67. Password Reset
Arises when User has forgotten the password
Security Administrator can use PASSWORD.RESET to clear the old password
68. Sign-On De-activation/ Password Reactivation
User profile can be deactivated and reactivated
Use -> Tools Menu -> My Profile -> Deactivate Profile
Enter Deactivation Date & Reactivation Date
70. Summary
Set up of security management system in T24
Security at various levels including user, application, field and function levels – USER
application
Process level approval – OVERRIDE application
‘Company Restr’ field specifies the Company to which the User must be Signed On in order to use the Applications, Versions and Functions specified in the related Fields Application, version, Function, Field No, Data comparison, Data From and Data To.
Company.Restr field is used, together with the above associated Fields, to specify for each Company to whose records this User has access, precisely which records in which Applications can be accessed using which Versions and Functions.
The group of above Fields can be repeated up to 999 times
Define application name, version name & function allowed for a particular user group in the fields ‘Application’ , ‘ Version’ and ‘Function’
It is also possible to allocate Temporary functions in User SMS Group for a particular period – using field ‘Temp Function’
When signing on to T24 as a user with the REALTIMEENQUIRY attribute, Desktop creates another session for use by the real time enquiries. This uses an additional database licence, but not an additional T24 licence. The enquiries are updated online automatically, hence the name real time enquiry (i.e. with REALTIMEENQUIRY an additional database session is created for the user, which is updated automatically from the main database online).
Data Def No.:
The number in this field identifies which multi-value from field 1, DATA DEF, the decision fields 4 to 6 refer to. For example, the number '1' indicates that it is the data item defined by field 1.1, the number '2' indicates that it is the content of field 1.2 and so on.
Each individual element of the override message which is to be used as a decision criterion need only be defined once in field 1 (Data Def). The same element can then be referenced as many times as required within the body of the decision table by a simple number.
In the override text, each ‘&’ placeholder is filled from the Data Def entries in order:
1st & -> CCY (1st data type)
2nd & -> AMT (2nd data type)
3rd & -> ACC (3rd data type)
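The following is an added example, not code from the original slides or from T24, serving both the OVERRIDE.CLASS.DETAILS slides and the Data Def notes above: it recovers the variable data elements (CCY, AMT, ACC) from a rendered override message, applies a decision table in which each condition refers to a Data Def by number, and appends the final authoriser's ID to the message prefixed with ‘*’. The message template, the decision table contents, the comparison operators and the authorise() check that the authoriser holds the override class are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Constructed OVERRIDE record: message text with '&' placeholders, and the
# Data Def multi-values of OVERRIDE.CLASS.DETAILS in placeholder order.
OVERRIDE_TEXT = "Unauthorized overdraft of & & on account &"
DATA_DEF = ["CCY", "AMT", "ACC"]          # 1st & -> CCY, 2nd & -> AMT, 3rd & -> ACC

# Operators assumed for the Comparison field; lo/hi are Data From / Data To.
COMPARISONS = {
    "EQ": lambda v, lo, hi: v == lo,
    "NE": lambda v, lo, hi: v != lo,
    "GT": lambda v, lo, hi: v > lo,
    "LT": lambda v, lo, hi: v < lo,
    "RG": lambda v, lo, hi: lo <= v <= hi,
}


@dataclass
class Condition:
    data_def_no: int      # Data Def No.: 1-based index into DATA_DEF
    comparison: str       # Comparison field
    data_from: str
    data_to: str = ""


@dataclass
class Classification:
    name: str                      # e.g. 'MNGR'
    conditions: List[Condition]    # all must hold for this classification to apply


# Constructed decision table, evaluated top to bottom; first match wins.
DECISION_TABLE = [
    Classification("MNGR", [Condition(1, "NE", "USD")]),            # any non-USD overdraft
    Classification("MNGR", [Condition(2, "GT", "5000")]),           # large USD overdraft
    Classification("SUPV", [Condition(2, "RG", "1000", "5000")]),   # mid-size USD overdraft
]


def parse_override(message, text=OVERRIDE_TEXT, data_def=DATA_DEF):
    """Recover the variable data elements from a rendered override message, or None."""
    pattern = "^" + "(.+?)".join(re.escape(part) for part in text.split("&")) + "$"
    m = re.match(pattern, message)
    return dict(zip(data_def, m.groups())) if m else None


def typed(data_type, value):
    """Amounts compare numerically; everything else compares as text."""
    return Decimal(value) if data_type == "AMT" else value


def classify(values, table=DECISION_TABLE, data_def=DATA_DEF):
    """Return the first classification whose conditions all hold, else None (no special approval)."""
    for cls in table:
        if all(
            COMPARISONS[c.comparison](
                typed(data_def[c.data_def_no - 1], values[data_def[c.data_def_no - 1]]),
                typed(data_def[c.data_def_no - 1], c.data_from),
                typed(data_def[c.data_def_no - 1], c.data_to) if c.data_to else None,
            )
            for c in cls.conditions
        ):
            return cls.name
    return None


def authorise(message, classification, authoriser, authoriser_classes):
    """Final approval: the authoriser must hold the override class; the ID is appended with '*'."""
    if classification and classification not in authoriser_classes:
        raise PermissionError(f"{authoriser} does not hold override class {classification}")
    return f"{message}*{authoriser}"


if __name__ == "__main__":
    msg = "Unauthorized overdraft of USD 10000 on account 14613"
    values = parse_override(msg)
    cls = classify(values)
    print(values, cls)
    print(authorise(msg, cls, "MANAGER1", {"MNGR"}))
```

The numeric comparison matters: comparing AMT as text would rank "500" above "10000", silently routing a large overdraft to a lower approval level, so the data type from the OVERRIDE record decides how each element is compared.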