Model Bank

(TSF-External Authorization Demo)


R21 Build

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, for any purpose,
without the express written permission of TEMENOS HEADQUARTERS SA.
COPYRIGHT 2020 TEMENOS HEADQUARTERS SA. All rights reserved.
Set up Document

Revision History
Version | Date | Author | Revision History
V0.1 | 24 Mar 2021 | Nachammai S | Baselined changes for R21 AMR

2 Model Bank – TSF External Authorization Demo Guide


Table of Contents

Revision History
Introduction
1.1 Pre-requisites:
XACML - RunTime Demo:-
2.1 SPF Change
2.2 Use Case 1:-
2.3 Use Case 2:-
2.4 Use Case 3:-
2.5 Use Case 4:-
2.6 Use Case 5:-
2.7 Use Case 6:-
2.8 Use Case 7:-
XACML - DesignTime Demo:-
Creation of Policy file using PAP UI:-
3.1 Introduction
3.2 UI Setup and Configuration: -
3.2.1 Config Steps: -
3.2.2 Troubleshoot: -
3.2.3 PAP UI Browser:-
3.3 Sample Rule creation:-
3.3.1 Use Case 1:-
Policy File creation: -
3.3.2 Demo using created policy file:-
SPF Change: -
USER record Change: -
Demo: -

Introduction

XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative
fine-grained, attribute-based access control policy language, an architecture, and a processing model
describing how to evaluate access requests according to the rules defined in policies.

Using XACML, restrictions can be applied at the user level, so that each user is given access only to
the applications they require.

Mapping of Transact SMS functionality with XACML Policy File definition:-

XACML | T24 SMS Authentication
1 Policy Set | EB.USER.ROLES/USER.SMS.GROUP Record
1.1 Policy | Application, Version, Enquiry Name
1.1.1 Rule | Field level conditions inside the application/version
1.1.2 Obligation | Field level condition attached to the application that will be utilised while executing the enquiry

1.1 Pre-requisites:

S No | Pre-requisite | Remarks
1 | Model Bank UTP Installer should be installed |
2 | Java 1.8 or above |

XACML - RunTime Demo:-


2.1 SPF Change
1. Start jBOSS completely.
2. Login to Transact Browser using INPUTT / 123456.
3. Navigate to Admin Menu -> System Administration -> Security Management System -> System Users Management -> External Authorisation -> Access control.
4. Check the External Security Framework box to enable it.

Note:- Restart jBOSS after making the SPF changes.

2.2 Use Case 1:-

1. Login as CSAGENT.
2. Create a PAYMENT.ORDER.
3. Enter a PAYMENT.AMOUNT greater than 10000.
4. Validate & commit the record.

2.3 Use Case 2:-

1. Login as CSAGENT.
2. Navigate to Customer Onboarding (Ind.)
3. Pass the first Screen (Verification of customer documents)
4. On the second screen, validate the following:-
a. Nationality -> Enter SY (Syria), Commit and Validate -> Error message thrown.
b. Residence -> Enter SY (Syria), Commit and Validate -> Error message thrown.

Only Non-Syrian residents and / or Nationalities can be onboarded.
Note:- Both the conditions must be satisfied for the record to be committed.

If either of the conditions isn’t satisfied, the record does not get validated.
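
The mapping table in the Introduction and the rule exercised in Use Case 2, written out as a XACML policy skeleton. This is an added illustration, not output of the PAP UI or a file shipped with Model Bank: the OASIS XACML 3.0 schema is assumed, and every identifier beginning with example: (policy, rule, obligation and attribute ids) is hypothetical.

```xml
<!-- Added illustration; "example:" ids are hypothetical. Policy Set = the role record. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="example:role:CSAGENT" Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Target/>
  <!-- Policy: one application, version or enquiry -->
  <Policy PolicyId="example:application:CUSTOMER" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CUSTOMER</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="example:resource:application" MustBePresent="true"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <!-- Rule: field-level condition; Deny when NATIONALITY or RESIDENCE is SY -->
    <Rule RuleId="example:rule:deny-SY" Effect="Deny">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
          <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SY</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="example:field:NATIONALITY" MustBePresent="true"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SY</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                AttributeId="example:field:RESIDENCE" MustBePresent="true"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="example:rule:permit-otherwise" Effect="Permit"/>
    <!-- Obligation: condition handed back for the enquiry to apply -->
    <ObligationExpressions>
      <ObligationExpression ObligationId="example:obligation:enquiry-filter" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="example:filter:NATIONALITY.NE">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SY</AttributeValue>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
  </Policy>
</PolicySet>
```

MustBePresent="true" makes a request that omits NATIONALITY or RESIDENCE evaluate to Indeterminate instead of falling through to the Permit rule. With "false", a missing field yields an empty bag, the Deny rule does not fire, and the record is permitted.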

2.4 Use Case 3:-

1. Login as CSAGENT.
2. From the command line launch ENQ CUSTOMER.SCV
3. Click on FIND.
4. Search returns only CUSTOMERS that have Nationality and Residence other than SY.

5. As an alternate-check, search for any customer whose Nationality or Residence is SY:-

2.5 Use Case 4:-


1. Login as COMPUSER.
2. From the command line, launch the ACCOUNT application and enter the respective account number to audit.

3. Click on the ‘Perform Action’ button.

4. Click on the ‘Review’ button to perform the audit; the audit details will be updated.

5. As an alternate-check, edit any of the accounts using COMPUSER.

2.6 Use Case 5:-


1. Login as INPUTT. Create the below role in Transact and map it to RMUSER.

Note: If the SPF External Security Framework is already enabled, there is no need to create a record in
EB.USER.ROLES, as doing so will throw an error message stating that external authorization is enabled. Add the Role
directly in the User record and proceed.

Note: As we are creating role-based access, remove the user-level access already given to the PWMRM User and
then commit & authorise the record.

2. Create a new EB.API record with ID ‘AdvisorRole’ as below.

3. Create EB.EXT.SMS.EXTENSION with the below values.

4. Login as RMUSER.
5. RMUSER will be able to list only the accounts of his own department.

Note: Verify and give the Account Id whose Account Officer is 74.

6. As an alternate-check, search for any Account whose account officer is other than 74.

2.7 Use Case 6:-

1. Login as INPUTT.
2. Create the below records in EB.API.

3. Also create EB.EXT.SMS.EXTENSION with the below values.

4. Login as CSAGENT.
5. Navigate to Customer Onboarding (Ind.)
6. Pass the first Screen (Verification of customer documents)
7. On the second screen, enter valid details.
8. Validate & commit the record.

The system throws an error message if any transaction is done during the weekend, since Saturday (6) and
Sunday (7) are specified as the weekend in the policy file.

2.8 Use Case 7:-


1. Login as CSAGENT.
2. From the command line launch ENQ %ACCOUNT.
3. Click on FIND.
4. Search returns only ACCOUNTS that have Currency as USD.

5. As an alternate check, find any other Account record whose currency is not equal to USD.

XACML - DesignTime Demo:-


Creation of Policy file using PAP UI:-
3.1 Introduction
This demo shows a Transact user how to create a policy file using the PAP UI and how to integrate it with
Transact.
1. PAP-UI stands for Policy Administration Point User Interface.
2. The PAP UI allows the security policy administrator to create XACML policies with an interactive
GUI and gives the ability to create and download the XACML policy files.
3. The security policy administrator can create the policies without any technical knowledge of
XML, JSON, etc.

3.2 UI Setup and Configuration: -


3.2.1 Config Steps: -
- Ensure the below WAR files are present in the deployments folder.
  - papui.war
  - irf-provider-container.war

- Start the Application server and ensure the war files are deployed.

- Creation of PAPRUNTIME folder:-

- Open Chrome and enter the given URL to download the artifacts:
http://localhost:9089/irf-provider-container/api/v1.0.0/meta/apis/response/download
- The PAPRUNTIME folder gets created at
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime”, by default. (The entire
process takes 5-10 mins depending on the data inside the DB)

- After completion of the download, status success will be displayed.

- Once the download is over, ensure the below:-

  - The papRuntime folder consists of the attributes, resources, roles and xacml folders.

- The purpose of each folder is as follows:

  - Resources – The existing Transact resources will be present.
  - Attributes – The Transact fields corresponding to the defined Transact resources.
  - Roles – Default json policy files will be present.
  - Xacml – The xacml file, which is converted from the downloaded json file, will be
    present here.
  - Json – This folder gets created under the papRuntime folder when we download
    the policy files from papui.

3.2.2 Troubleshoot: -
If a 404 error is encountered while fetching the download APIs, check the following steps.
- Open the papui war -> env.js in editable mode and check the value

    window.__env.config = {
        apiUrl: {
            seal: true,
            // Base URL of the irf-provider-container API; the port must match the application server port
            value: 'http://localhost:9089/irf-provider-container/api/v1.0.0'
        }
    };

Note: If the application server is running on any port other than 9089, update the url in the
env.js file accordingly and then re-deploy the war file.

- Open the papui war -> index.html and check the value

    <base href="/papui/">

3.2.3 PAP UI Browser:-


Open the browser and enter the URL http://localhost:9089/papui/

- The new policy creation UI page will be displayed.

- Go to the Product drop down in the policy editor and choose the Product and
  Resources (from the drop down) respectively.
- In the left panel, the list of Default Roles, which is fetched from the papRuntime/roles folder,
  will be present. You can also drag and drop a role into the Policy editor.
- Create the Policy file and click the download button.
- The policy is downloaded to the papRuntime/json folder for the JSON file and the
  papRuntime/xacml folder for the XACML file.

Note: Only the json policy files under the papRuntime/roles folder will get displayed in the Roles panel.

3.3 Sample Rule creation:-


3.3.1 Use Case 1:-
CUSTOMER creation via BRANCHMANAGER will not allow Nationality as “AF” and/or
SECTOR as “1000”

Policy File creation: -

- Launch PAPUI.
- Click on +NEW from the right top TAB.
- Enter the details as follows: -

- Click on “DOWNLOAD”
- The generated policy file gets downloaded to
  “Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\xacml”
- Copy the same to “Temenos\RXX\Env\Slot01\Products\XACML\lib\xacml”
- Update the pdp-config.xml and the root-policy.xml files under
  “Temenos\RXX\Env\Slot01\Products\XACML\lib\xacml” as follows

Note: - To add the created policy file as part of the PAPUI interface, move the created .json file from
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\json” to
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\roles”. Refresh the PAPUI to spot the file in the
right tab.

3.3.2 Demo using created policy file:-


Note: - The USER record for the below scenarios has been configured to read the properties from the
Policy File.

SPF Change: -
- Start jBOSS completely.
- Login to Transact Browser using INPUTT / 123456.
- Navigate to Admin Menu -> System Administration -> Security Management System -> System Users Management -> External Authorisation -> Access control.
- Check the External Security Framework box to enable it and then commit the record.

USER record Change: -

- Map the policy created to the BRANCHMANAGER User record as follows.

Demo: -
- Login to UXP Browser as BRANCHMANAGER/123456.
- Try creating a customer using CUSTOMER I F3.
- Enter the Nationality as “AF” (and / or) Sector as “1000”.
- Validate.
Transact throws the appropriate error message: -
