TSF-External Authorization Demo
No part of this document may be reproduced or transmitted in any form or by any means, for any purpose,
without the express written permission of TEMENOS HEADQUARTERS SA.
COPYRIGHT 2020 TEMENOS HEADQUARTERS SA. All rights reserved.
Set up Document
Introduction
XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative
fine-grained, attribute-based access control policy language, an architecture, and a processing model
describing how to evaluate access requests according to the rules defined in policies.
Using XACML, restrictions can be applied at User level, so that each user is given access only to
the applications they require.
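To illustrate the processing model described above, the following Python script is an added example (not part of this document, the PAPUI tool or the Temenos XACML engine): a simplified policy decision point that evaluates the rules demonstrated later in this document (Nationality SY, PAYMENT.AMOUNT above 10000, weekend days 6 and 7) with deny-overrides combining. The attribute names and rule ids are assumptions chosen for the illustration.

```python
# Added example: a simplified XACML-style policy decision point (PDP).
# Attribute names and rule ids are assumptions, not Temenos/PAPUI identifiers.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]  # request attributes, e.g. {"application": "CUSTOMER", ...}


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Attrs], bool]               # does this rule apply to the request?
    condition: Callable[[Attrs], bool] = lambda a: True


def evaluate_rule(rule: Rule, attrs: Attrs) -> str:
    """Single-rule evaluation: NotApplicable if the target does not match,
    Indeterminate if a referenced attribute is missing, else the rule's effect."""
    try:
        if not rule.target(attrs):
            return "NotApplicable"
        return rule.effect if rule.condition(attrs) else "NotApplicable"
    except KeyError:
        return "Indeterminate"


# Constructed rules mirroring the demo scenarios (values as in the document: SY, 10000, 6/7).
POLICY: List[Rule] = [
    Rule("deny-sy-customer", "Deny",
         lambda a: a["application"] == "CUSTOMER",
         lambda a: a["nationality"] == "SY" or a["residence"] == "SY"),
    Rule("deny-large-payment", "Deny",
         lambda a: a["application"] == "PAYMENT.ORDER",
         lambda a: a["payment_amount"] > 10000),
    Rule("deny-weekend", "Deny", lambda a: True, lambda a: a["weekday"] in (6, 7)),
    Rule("permit-default", "Permit", lambda a: True),
]


def decide(attrs: Attrs, rules: List[Rule] = POLICY) -> Tuple[str, Optional[str]]:
    """Deny-overrides combining: any Deny wins, then Indeterminate, then Permit;
    NotApplicable if no rule matched. Returns (decision, id of the deciding rule)."""
    results = [(evaluate_rule(r, attrs), r.rule_id) for r in rules]
    for wanted in ("Deny", "Indeterminate", "Permit"):
        for decision, rule_id in results:
            if decision == wanted:
                return decision, rule_id
    return "NotApplicable", None
```

Note that a request missing an attribute a rule needs yields Indeterminate rather than a silent Permit, which is the behaviour a PEP should treat as a refusal.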
1.1 Pre-requisites:
1. Login as CSAGENT.
2. Create a PAYMENT.ORDER
3. Enter the PAYMENT.AMOUNT greater than 10000
4. Validate & commit the record.
1. Login to CSAGENT.
2. Navigate to Customer Onboarding (Ind.)
3. Pass the first Screen (Verification of customer documents)
4. On the second screen, validate the following:-
a. Nationality: enter SY (Syria), then Commit and Validate. Expected result: error message thrown.
If either of the conditions isn’t satisfied, the record does not get validated.
1. Login as CSAGENT.
2. From the command line launch ENQ CUSTOMER.SCV
3. Click on FIND.
4. Search returns only CUSTOMERS that have Nationality and Residence other than SY.
Note: If the SPF External Security Framework is already enabled, there is no need to create a record in
EB.USER.ROLES, as doing so throws an error message stating that external authorization is enabled. Add the
Role directly in the User record and proceed.
Note: As we are creating Role-based access, remove the user-level access already given to the PWMRM User,
then commit and authorise the record.
4. Login as RMUSER
5. RMUSER will list only the accounts of his own department.
Note: Verify and give the Account Id whose Account Officer is 74.
6. As an alternative check, search for any Account whose Account Officer is other than 74.
1. Login to INPUTT.
2. Create the below records in EB.API
3. Login to CSAGENT.
1. Navigate to Customer Onboarding (Ind.)
2. Pass the first Screen (Verification of customer documents)
3. On the second screen, enter valid details.
The system throws an error message if any transaction is done on the weekend, since Saturday (6) and
Sunday (7) are defined as weekend days in the policy file.
5. As an alternative check, find any other Account record whose currency is not equal to USD.
Start Application server and ensure the war files are deployed.
3.2.2 Troubleshooting: -
If a 404 error occurs while fetching the download APIs, check the following steps.
Open the papui war -> env.js in editable mode and check the value
window.__env.config = {
apiUrl: {
seal: true,
value: 'http://localhost:9089/irf-provider-container/api/v1.0.0'
}
};
Note: If the application server is running in any port other than 9089, then update the correct
url in env.js file and then re-deploy the war file.
Open the papui war -> index.html and check the value
<base href="/papui/">
Note: Only the json policy files under the papRuntime/roles folder will get displayed in the Roles panel.
Click on “DOWNLOAD”
The generated policy file gets downloaded to
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\xacml”
Copy the same to “Temenos\RXX\Env\Slot01\Products\XACML\lib\xacml”
Update the pdp-config.xml and the root-policy.xml files under
“Temenos\RXX\Env\Slot01\Products\XACML\lib\xacml” as follows
Note: - To add the created policy file as part of the PAPUI interface, move the created .json file from
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\json” to
“Temenos\RXX\Infra\AppServer\JBoss\Default\papRuntime\roles”. Refresh the PAPUI to spot the file in the
right tab.
SPF Change: -
Start JBoss completely.
Login to Transact Browser using INPUTT / 123456.
Navigate to Admin Menu > System Administration > Security Management System > System Users Management >
External Authorisation > Access control.
Check the External Security Framework box to enable it and then commit the record.
Demo: -
Login to UXP Browser as BRANCHMANAGER/123456.
Try creating a customer using CUSTOMER I F3.
Enter the Nationality as “AF” (and / or) Sector as “1000”.
Validate.
Transact throws the proper error message: -