Assigning SAG configuration and operation roles to users
The customization of the SAG configuration and operation services creates several roles that are used to authorize users to issue commands to these services. Assign these roles to users for DNFSYSOU.
The SAG configuration service has the following roles:
To run the SAG configuration and operation services, you must assign the roles SagAdmin and SagCfgAdmin to one or more users. For example, you might assign the role SagAdmin to the user SA1 and SagCfgAdmin to the user SA2. You could also assign both roles to one user.
For example, to assign the roles SagAdmin, SagCfgAdmin, and SagCfgPKIAdmin to the user JSMITH, enter:
dnicli -i INST1 -ou DNFSYSOU -s DNI_SECADM
add -user JSMITH -ro SagAdmin -ou DNFSYSOU
add -user JSMITH -ro SagCfgAdmin -ou DNFSYSOU
add -user JSMITH -ro SagCfgPKIAdmin -ou DNFSYSOU
com -user JSMITH
app -user JSMITH
If dual authorization is enabled, another user with the appropriate access rights must issue the app (approve) command. Otherwise, you can issue the app command.
Note: Users who have the roles SagAdmin or SagCfgAdmin must also have the system configuration administrator (DniSA) role for SYSOU.
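The following Python script is an added example, not part of the original documentation or the product. It plans the add, com, and app subcommands shown above for a set of role assignments, withholds app when dual authorization is enabled, and flags users who would receive SagAdmin or SagCfgAdmin without holding DniSA for SYSOU. The function name plan_assignments, the user SECADM1, and the input dictionaries are assumptions constructed for illustration; the script only prints commands for an operator to enter and does not call dnicli.

```python
# Added example: plans the DNI_SECADM subcommands for SAG role assignments.
# The input dictionaries are constructed sample data, not dnicli output.

SAG_OU = "DNFSYSOU"
NEEDS_DNISA = {"SagAdmin", "SagCfgAdmin"}  # per the note on this page


def plan_assignments(wanted, dnisa_holders, requester, dual_authorization):
    """Return (commands, warnings) for the requested role assignments.

    wanted: {user: [role, ...]} roles to add for DNFSYSOU
    dnisa_holders: users already holding DniSA for SYSOU (assumed known,
                   for example from a prior listing)
    requester: user who enters the add/com commands (hypothetical name)
    dual_authorization: True if a second user must approve
    """
    commands, warnings = [], []
    for user in sorted(wanted):
        roles = wanted[user]
        for role in roles:
            commands.append(f"add -user {user} -ro {role} -ou {SAG_OU}")
        commands.append(f"com -user {user}")
        if dual_authorization:
            # The approve step is left to a different user with the rights.
            warnings.append(
                f"{user}: 'app -user {user}' must be issued by a user "
                f"other than {requester}")
        else:
            commands.append(f"app -user {user}")
        if NEEDS_DNISA & set(roles) and user not in dnisa_holders:
            warnings.append(f"{user}: also needs DniSA for SYSOU")
    return commands, warnings


if __name__ == "__main__":
    # Constructed sample input mirroring the JSMITH example above.
    wanted = {"JSMITH": ["SagAdmin", "SagCfgAdmin", "SagCfgPKIAdmin"]}
    cmds, warns = plan_assignments(wanted, dnisa_holders={"SA1"},
                                   requester="SECADM1",
                                   dual_authorization=True)
    print(f"dnicli -i INST1 -ou {SAG_OU} -s DNI_SECADM")
    print("\n".join(cmds))
    for w in warns:
        print("CHECK:", w)
```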
To see which users in instance INST1 have the system configuration administrator (DniSA) role for SYSOU:
To see which users in instance INST1 have the SagAdmin role for DNFSYSOU:
- Open the CLI with the following parameters:
  dnicli -i INST1 -ou DNFSYSOU -s DNI_SECADM
- List all users, their role assignments, and whether each assignment is active, and identify which users have the SagAdmin role:
  INST1.DNFSYSOU.DNI_SECADM>list -user % -lo NBY
- List all role groups and the roles they contain, and identify which role groups contain the role SagAdmin:
  INST1.DNFSYSOU.DNI_SECADM>list -rg % -lo NC
- List all users and the role groups assigned to them, and identify which users have a role group assigned that contains the role SagAdmin:
  INST1.DNFSYSOU.DNI_SECADM>list -user % -lo NC