Getting Started
This getting started guide introduces Alliance Access and explains what customers must know to be able to use the
product. This document is for all Alliance Access users. SWIFT recommends that customers read this guide before the
other guides in the Alliance Access documentation set.
31 December 2010
Alliance Access 7.0
Preface
Purpose
This Getting Started Guide explains what you must know before using Alliance Access. SWIFT
recommends that you read this guide first before opening the other guides in the documentation
set. It is intended for all users.
Terminology
The following terminology is used in this guide:
• integration with your LAN, where each PC can easily be turned into an Alliance workstation
Introduction to Alliance Access
• a standalone Alliance Access server allowing manual message entry and repair activities
independently from the straight through processing of SWIFT traffic.
• one or more printers (for system reports and for printed copies of messages)
The system contains the following internal storage devices:
• one or more hard disks for the storage of all system software (the Alliance Access database,
the Message File and Event Journal archives, and so on).
• a flexible disk drive for the input and output of batch files.
• the SWIFT Interface application, which provides connections to the SWIFTNet FIN network.
• the Application Interface, which provides a local interface to other internal systems and
applications, and for local printing.
• the SWIFTNet Interface application, which provides connections to the SWIFTNet network.
The other applications provide various services to users and to the interface applications.
• SWIFT applications - used to provide the configuration and management of logical terminals
for connection to the SWIFTNet FIN application
• security applications - used to ensure the security of messages sent on the SWIFT network
• emission and reception profile management application - used to send and receive MX and
FileAct messages
Messages may be prepared on Mainframe systems. These messages may be imported into
Alliance Access through the Application Interface.
The message preparation applications are used to create and process messages within Alliance
Access itself. MX messages may be prepared using Messenger on Alliance Web Platform.
The following sections describe these groups of applications in more detail.
• calendar functions
• scheduling functions
• audit functions
• monitoring functions
• the identity of the operator (or system) that caused the event
• the class and severity of the event. Events relating to the same area in Alliance Access are
grouped in a class - for example, all communication-related events belong to the
communication event class. The severity indicates the importance of an event. For example,
it is a more severe event if a message fails authentication than if an operator signs on
example, Alliance Access may create a copy instance for every original instance sent to the
SWIFT network, and send the copy instance to a printer.
A notification instance is a report on the result of the processing performed on an original
instance or copy instance, and is usually sent to the sender of the message. For example, a
notification instance may report that the message failed authentication.
Collectively, the original instance and any copy and notification instances make up the
message.
The Message File stores all message instances. It also keeps a history of Alliance Access
message processing, whether related to communication with an external network or with
internal applications (transmission interventions), or to processing by an operator (user
interventions). The network header and message text information are common to all instances
of a message. Operator and transmission interventions are particular to an instance, and are
appended to the instance.
All instances (originals, copies, and notifications) must be completed before the message itself
is considered to be completed.
Use the Message File application to:
• investigate message processing by searching the message instances stored in the Message
File. You can then display or print the search results.
• archive messages. You can back up these archived messages, which keeps the Message
File at a manageable size. If a calendar has been set up (for details, see "Calendar
Application" on page 7), then you can use the Message File application to schedule archiving
to occur automatically at specified times. Otherwise, you must archive manually.
• a processing function, which processes message instances from the queue and may create
new message instances, copies or notifications.
• a set of routing rules, which are used to determine the onward flow of each message
instance (for example, to another routing point, to the SWIFT network, or to an exit point such
as a link to a printer).
You use the application to:
• create, duplicate, modify, or remove routing schemas, routing rules, and keywords.
• activate a specific routing schema - this becomes the schema that Alliance Access uses to
route messages.
• configure various system-wide security parameters, such as the number of days after which a
user password has to be changed
• approve units and operators (operators are usually approved by the security officers).
Only the security officers can use the Security Definition application to modify the value of
security parameters. For details about the security officers, see "Security Officers" on
page 24.
• modify the values for a large range of system parameters, such as time and date formats,
frequency of disk space checks, and so on
• restart the system, either in housekeeping mode, when only a single user can be signed on
(for example, to define logical terminals), or in operational mode (the normal, multi-user
mode)
• define events that must be set as alarms, and set the distribution lists for these alarms.
1. You first use a logical terminal to log into APC (Application Control). APC is the SWIFT
application that controls communication sessions between a logical terminal and SWIFT,
and allows you to send APC messages.
2. After successfully logging on, you select FIN, the SWIFT application within which all SWIFT
user-to-user MT messages are sent and received.
When you log on to the SWIFTNet FIN application, you must have PKI secrets stored on
Hardware Security Modules (HSMs). The logical terminals will use these HSMs for
authentication and will use the Relationship Management Application for authorisation.
You use the SWIFT Interface application to:
• define the characteristics of the connections to the SWIFTNet FIN service, and to monitor
and control sessions
• define the delivery queues in which you want SWIFT to store output messages (known as
delivery subsets).
An MST contains descriptions of all message types that can be sent and received for the SWIFT
FIN application. Each logical terminal that your institution can use is identified by a combination
of the BIC-8 for the destination, plus a single-character terminal code. You use the SWIFT
Support application to define these details for each logical terminal, and to assign an MST to the
logical terminal.
Alliance Access validates each message by checking its syntax against the MST assigned to
the logical terminal. Alliance Access informs you if there are any errors.
SWIFT issues a new MST annually, a few months before the MST actually goes live. This is
useful for training purposes. For example, certain LTs can be assigned to the current MST for
live use, while other LTs (of a Test and Training destination) may be assigned to the future MST
for test and training use.
Message standards provide the information necessary to create and view MX messages.
Value-added Services (VAS) are optional additional services which involve a central clearing
institution. You can only use these services by arrangement with the central institution, and after
you have installed a VAS parameter file using the SWIFT Support application. These files are
pre-defined according to the various VAS registered with SWIFT.
It is possible to install several Value-added Services with the same service name, provided their
service administrator destinations (CIDs) are different. An own destination cannot be subscribed
to more than one VAS with the same name.
• the identity of the sender and the receiver of the message, and other details which are
different for an MT message
• select a specific message and display its details - any fields to be verified are highlighted, but
blank
• send the message to another queue so that message processing can continue. A verified
message is usually routed to the Authorisation queue.
Messages must often be authorised before they can be released to the SWIFT network. The
Message Approval application is also used to authorise messages. Authorisation simply
involves giving the message a final visual check to ensure that it is accurate.
The Message Approval application allows you to:
• select a specific message and display its details, to check the validity of the fields
• send an authorised message to the network specified queue. The relevant network interface
then automatically processes these messages.
• select one of several message modification queues and display a list of the messages held in
it
• make changes to a message - the changes that you can make depend on the modification
queue that the message is in
• control and monitor communication sessions between Alliance Access and a message
partner.
(R7.0_RMA_Admin)
RMA Administrator
(no visible profile)
(R7.0_Supervisor)
(R7.0_RMA_Oper)
(R7.0_MsgEntry)
(R7.0_Superkey)
(R7.0_Operator)
Security Officer
RMA Operator
Supervisor
Access Control Y Y Y Y - - -
Application Interface Y - Y Y - - -
Calendar Y - Y - - - -
Correspondent Information File Y - Y Y Y - -
Event Journal Y Y Y - - - -
Message Approval Y - Y - Y Y -
Message Creation Y - - - Y - -
Message File Y Y Y - - - -
Message Modification Y - - - Y - -
Routing
Monitoring
Relationship Management
SWIFT Support
SWIFT Interface
Security Definition
SWIFTNet Support
SWIFTNet Interface
System Management
System Administrator
(R7.0_Superkey)
Y
Y
Y
Y
Y
Y
Y
Y
Y
Security Officer
(no visible profile)
-
-
-
-
Y
Y
Y
Y
Y
Supervisor
(R7.0_Supervisor)
-
-
Y
Y
Y
Y
Y
Y
Y
-
-
-
-
-
Y
Y
Y
Y
RMA Administrator
(R7.0_RMA_Admin)
-
-
-
-
-
-
-
-
RMA Operator
(R7.0_RMA_Oper)
-
-
-
-
-
-
-
-
Service Bureau
[Figure D0540004: Service Bureau connectivity. Labels: SWIFT User A, SWIFT User B, SWIFT User C, VPN box, SWIFTNet, SWIFTNet Connectivity, Interface Solution, WAN or other point to point connection.]
Implementing Service Bureau
For a Service Bureau to provide secure connection facilities to one or more SWIFT users, traffic
data from the different users must be strictly segregated. Traffic data segregation is performed
within Alliance Access using delegated operator profiles. These profiles govern access (for
individual Alliance Access operators) to entities controlling message delivery. Such entities
include message partners, exit points, routing, and so on. In this way, each of the individual
SWIFT users is granted access only to their particular traffic data.
The main Alliance Access application used to implement support for Service Bureau is the
Security Definition application (SDA).
1.9 Introduction
1.9.1 The Alliance Access Documentation Set
Overview
The documentation set for Alliance Access consists of the following guides:
• Security Guide
• configuring the operating system before the Alliance Access software is installed
• using System Administration application functions (for example, start and stop Alliance
Access).
This guide is of interest to those responsible for installing and configuring Alliance Access.
Security Guide
This guide provides a high-level description of the security-related features of Alliance Access. It
describes:
• the different controls available to prevent unauthorised use of Alliance Access, of Alliance
Access applications, and of specific application functions
• the Alliance Access features designed to prevent users from changing the installed software
or data files
• how to protect Alliance Access against software failure, hardware failure, or power loss
• general housekeeping tasks, such as installing Message Syntax Tables and Message
Standards
• set up emission and reception profiles for MX and FileAct messages, and input channels
• configure other components, such as devices (on UNIX only) and connections
• manage message partner and exit point profiles used in the exchange of messages
• resolve queries by monitoring the use of the system, examining events, or displaying details
of a message's history
• The User Handbook - Standards documentation gives precise details of SWIFT message
structures, and the use of specific fields and code words. It also describes the relation
between specific message types and the financial transactions they represent.
2 User Roles
Introduction
In a typical institution, all users of Alliance Access have specific job roles and responsibilities.
Alliance Access provides operator profiles to help an institution assign roles and tasks to users
and control who can perform specific actions in Alliance Access. Specifically, an Operator
Profile defines a set of applications and functions that an operator can use. When the profile is
assigned to an operator, then that operator has permissions to use the applications and
functions that are specified in the profile.
The Alliance Access Security Officers assign an operator profile to Alliance Access users.
Depending on the size of your institution, one user may be assigned several roles, or the same
role may be assigned to several users. Therefore, the Security Officers can assign several
operator profiles in Alliance Access to one user.
The operator profile assigned to you depends on your job role. Your profile determines the
menus, menu options, windows, and available choices which appear on the screen when you
sign on to Alliance Access.
• The applications that an operator is allowed to use. When an operator signs on to Alliance
Access, only the icons for applications that the operator can use appear. For example, if you
are responsible for monitoring Alliance Access to ensure that it is running smoothly, your
profile allows you to use the monitoring application. When you sign on to Alliance Access,
you see the icon for the monitoring application, together with the icons for any other
applications which your profile allows you to use. An operator that is not allowed to use the
monitoring application has a different profile, and does not see the monitoring application
icon after signing on.
• The entitlements to use functions within a particular application. For example, if you are
responsible for archiving the Message File, your profile includes entitlements both to open
the Message File application and to archive the Message File. An operator with a different
profile may only have the entitlement to open the Message File application, but not have the
entitlement to perform archiving.
• The permissions associated with an entitlement. Security Officers can use permissions to
give greater control over sensitive functions. For example, your profile may allow you to use
the Message File application. Within that application, you may have the Archive entitlement,
so that you can archive the Message File. Within the entitlement, you may have permission
to store a schedule, so that the Message File can be archived automatically at a specified
time.
Note: If an operator's profile includes only the entitlement to open an application, then the
operator can still use various general facilities within the application. For example,
an operator with the entitlement to open the Message File application can use the
application to search for and display details of messages stored in the Message
File.
• create and manage Windows user groups, user accounts, and user passwords
• use System Administration application functions (for example, to start and stop the Alliance
Access servers)
Note: Alliance Access does not include a default operator profile for a UNIX system
administrator because the administrator does not have to be an Alliance Access
user.
Required reading
The operating system administrator must read the appropriate version of the Installation and
Administration Guide (UNIX or Windows) for detailed information about how to configure the
operating system and install the Alliance Access software.
For more information about the security aspects of running Alliance Access in the UNIX
environment, see the Security Guide.
The UNIX System Administrator must also read the Alliance Customer Application and
Integration Guide for detailed information about integrating local applications with Alliance
Access.
Note: If you are using Alliance Access in a Service Bureau, then the left security officer
and right security officer may set up sub-security or local security officers to
administrate the individual operators for each participating institution. For more
information, see the Security Guide, "Support for Service Bureau".
Examples
One Security Officer can create an operator definition, but both security officers must approve
changes for the change to be implemented.
One of the officers can change the value of the security parameter that controls the number of
times that a user can enter an incorrect password before Alliance Access refuses to allow the
user to sign on. However, both Security Officers must "approve" the change for the change to
be implemented.
• enter the two parts of the Alliance Access Initialisation Password and the Alliance Access
Master Password when Alliance Access is first installed
• display or reset user passwords, and modify password parameters, such as the minimum
number of characters allowed in an operator's password
• perform system management functions, such as backing up archives, stopping and starting
Alliance Access
• use various Alliance Access applications to monitor the system for any security-related
problems
• define how many attempts a user can have to enter a correct password before being disabled
• define the maximum number of days during which an operator must either sign in or be
enabled. If neither occurs, then the user is disabled.
Description
Each copy of Alliance Access has a unique Initialisation Password. It is calculated using a
proprietary algorithm together with a hard-coded encryption key, which is known only to SWIFT.
To obtain passwords, use Secure Channel. For more information, see
http://www.swift.com/support/secure_channel.page?.
Before the intended Alliance Access installation date, Part 1 of the password is sent to the left
security officer of the purchasing organisation, and Part 2 to the right security officer.
During the software installation, the Security Officers must enter their parts of the password.
Alliance Access recalculates the Initialisation Password during installation, and if the
recalculated password does not match the values entered by the Security Officers, the
installation is aborted.
Description
SWIFT also sends the two parts of the Alliance Access Master Password to each of the Security
Officers before Alliance Access installation.
During the installation, Alliance Access recalculates the Master Password. When the installation
is complete, Alliance Access recognises only the left security officer and the right security
officer. When each Security Officer signs on for the first time, they must use their part of the
Master Password as their operator password.
After installation:
• Left security officer signs on using Part 1 of the Master Password as the operator
password, and then changes the left security officer operator password.
• Right security officer signs on using Part 2 of the Master Password as the operator
password, and then changes the right security officer operator password.
Note: Each Security Officer must first change their part of the Master Password before
either attempts to use any other Alliance Access facilities.
2.3.5.1 Units
Description
The use of units makes it easy to divide message processing tasks between different groups of
operators. Operators can be members of units. Incoming and outgoing messages can be
assigned to units. When an operator uses an application such as the Message File application
to search for messages, Alliance Access only displays details for messages which are assigned
to the same unit as the operator.
Within the Security Definition application, the Security Officers (left security officer and right
security officer) can use the Operator Restrict Functions security parameter to specify whether
an operator can perform operator-related actions on operators belonging to any unit, or only on
operators that belong to a subset of the same units as the operator performing the action. The
default is No, which means that an operator with the correct entitlements can open, print, add,
modify, approve, or remove operators belonging to any unit. If the parameter is set to Yes, then
an operator can only use these functions on operators that belong to a subset of the same units
as the operator performing the action. The setting of this parameter does not affect the left
security officer and right security officer, which always have unrestricted access to operator
functions.
2.3.5.2 Status
Description
All new operator definitions must be separately approved by both Security Officers, or by
operators with the Approve Operator entitlement and appropriate permissions to left-approve or
right-approve an operator. Until this has been done, the operator has a status "awaiting
approval" and cannot sign on to Alliance Access. After an operator definition is approved, that
operator's approval status is shown as "approved".
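The unit restriction (2.3.5.1) and the two-sided approval (2.3.5.2) described above, as an added Python sketch that is not Alliance Access code. The class, function and unit names are hypothetical; `single_approver` is a review check added here, since the guide does not say whether the product prevents one operator from giving both approvals.

```python
from dataclasses import dataclass, field

LEFT, RIGHT = "left", "right"


@dataclass
class Operator:
    name: str
    units: frozenset
    # Approval permissions held: a subset of {LEFT, RIGHT}.
    approve_sides: frozenset = frozenset()
    # The left and right security officers are never unit-restricted.
    is_security_officer: bool = False
    # side -> name of the operator who gave that approval
    approvals: dict = field(default_factory=dict)

    @property
    def status(self):
        done = LEFT in self.approvals and RIGHT in self.approvals
        return "approved" if done else "awaiting approval"

    def can_sign_on(self):
        # An operator awaiting approval cannot sign on.
        return self.status == "approved"


def may_act_on(actor, target, restrict_functions):
    """Model of the Operator Restrict Functions parameter.

    No  (False): an entitled operator may act on operators of any unit.
    Yes (True):  the target's units must be a subset of the actor's units.
    """
    if actor.is_security_officer or not restrict_functions:
        return True
    return target.units <= actor.units


def approve(actor, target, side, restrict_functions=False):
    """Record a left- or right-approval and return the resulting status."""
    if side not in (LEFT, RIGHT):
        raise ValueError("side must be 'left' or 'right'")
    if side not in actor.approve_sides:
        raise PermissionError(f"{actor.name} may not {side}-approve")
    if not may_act_on(actor, target, restrict_functions):
        raise PermissionError(f"{target.name} is outside {actor.name}'s units")
    target.approvals[side] = actor.name
    return target.status


def single_approver(target):
    """Review check (assumption of this sketch, not a documented product rule):
    flag an approved definition whose two approvals came from one operator."""
    return (target.status == "approved"
            and target.approvals[LEFT] == target.approvals[RIGHT])


def demo():
    # Constructed sample operators and units.
    lso = Operator("LSO", frozenset(), frozenset({LEFT}), True)
    rso = Operator("RSO", frozenset(), frozenset({RIGHT}), True)
    delegate = Operator("delegate_a", frozenset({"UNIT_A"}), frozenset({RIGHT}))
    clerk = Operator("clerk1", frozenset({"UNIT_A", "UNIT_B"}))

    steps = [approve(lso, clerk, LEFT, restrict_functions=True)]
    try:
        # clerk1 is also in UNIT_B, so delegate_a is refused when the
        # parameter is Yes.
        approve(delegate, clerk, RIGHT, restrict_functions=True)
    except PermissionError as exc:
        steps.append(f"refused: {exc}")
    steps.append(approve(rso, clerk, RIGHT, restrict_functions=True))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```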
2.3.5.3 Profiles
Description
As part of the operator definition, the Security Officers (left security officer and right security
officer) also assign one or more Alliance Access profiles to the operator (see "Operator Profiles"
on page 22).
The profile determines the menus, menu options, windows, and available choices which appear
on the screen when the operator is signed on to Alliance Access:
• When an operator signs on to Alliance Access, Alliance Access only displays icons for
applications the operator is entitled to use.
• In the menus for an allowed application, Alliance Access only displays functions that the
operator is entitled to use.
To help the Security Officers define new operators, a number of default profiles are supplied
with Alliance Access. Each profile corresponds to a specific user role.
If none of the default profiles provides the required Alliance Access applications, entitlements,
or permissions, then the Security Officers can either modify an existing profile or create a
completely new profile, and then assign it to an operator.
Note that the left security officer and right security officer profiles cannot be viewed using
Alliance Access, and cannot be changed.
Note: The Alliance Access Administrator can also create or update operator profiles,
assign profiles to operators, and define new operators. The default R7.0_Superkey
profile does not allow the Alliance Access Administrator to approve new or modified
operator profiles and operator definitions, to display the left or right part of a user's
system password, or to reset a user's password.
The following diagram outlines the procedure for creating an operator definition. In the absence
of one or both Security Officers (left security officer and right security officer), other operators
that have been assigned the appropriate entitlements and permissions can perform this
procedure.
[Figure D0540106: procedure for creating an operator definition. Recoverable step: the Left Security Officer signs on and opens the Security Definition Application.]
Note: After installation, the left security officer and right security officer must change their
own passwords (see "Alliance Access Installation" on page 26) before following the
above procedure to create operator definitions. Alliance Access generates an
operator's system password using the operator definition and the security officers'
passwords. If either the left security officer or right security officer changes their
password while the other security officer is creating operator definitions, then any
existing operator system passwords become no longer valid. The left security
officer and right security officer have to re-display system passwords for any
operator definitions that have already been created, to see the new system
passwords generated using the changed security officer password.
• User. Each user must first sign on using the 4-character system-generated password, but
can subsequently sign on with a user password.
• One-time password. The user must sign on using the password generated by the system.
• LDAP. The user name and password are validated against an LDAP directory.
After Alliance Access is installed, the Security Officers use the Security Definition application to
specify the password mode used on the system. They do this by selecting one of the password
modes as the value of the Password: Mode security parameter. The password mode can be
changed at any time subsequently, but the servers must always be restarted before the change
takes effect.
Note: If user passwords are used, then the left security officer and right security officer
must ensure that users follow the guidelines for selecting passwords given in the
Security Guide, "Use of Passwords".
If an operator forgets their password, then a Security Officer (or an operator with the Approve
Operator entitlement) can use the Security Definition application to reset the password.
Following this, both Security Officers again pass the relevant halves of the password to the
operator to enable him to sign on.
The Security Officers (left security officer and right security officer) can also modify a number of
parameters relating to signing on and the use of passwords. For example, they can specify the
minimum number of characters that an operator can use in a password. Both the left security
officer and the right security officer must approve any modifications to these security
parameters. The entitlement to modify the parameters is unique to Security Officers and cannot
be assigned to other operators.
Note: If the Reset Peer Officer Pwd security parameter is set to Yes, then each Security
Officer can reset the other Security Officer's password to the value of the Master
Password at the time of the most recent Alliance Access licensing. This is useful if
a Security Officer forgets their password. By default, the parameter is set to No,
which means that the Security Officers cannot reset each other's password.
Note: Some parameter changes only become effective after the system is restarted.
Additionally, certain system changes can only be made if Alliance Access is in
housekeeping mode (when only a single user can sign on). The system has to be
stopped and restarted to switch between the normal operational mode (when all
users can sign on) and housekeeping mode.
The left security officer and right security officer can also use the System Management
application for the following purposes:
• change the distribution list for alarms (the list of operators to whom alarms are sent)
• back up data or the archived Message File or Event Journal (although the left security officer
and right security officer can only make manual backups, as they do not have permission to
schedule backups)
On a daily basis, the left security officer and right security officer can use the Monitoring
application to monitor the system for security-related events. They have full entitlement to all the
Monitoring application functions and can hold or release message queues if necessary.
The Security Officers' entitlements to the Message File and Event Journal applications are
limited to opening the applications. This still allows the left security officer or right security officer
to use the general facilities within the applications. For example, they can use the Event Journal
application to search for and display details of events recorded in the Event Journal.
The entitlements given to Security Officers are fixed within Alliance Access and cannot be
changed. Alliance Access allows all security-related entitlements to be assigned to other
operators, except for the entitlements to modify security parameters and to reset the other
Security Officer's password.
Note: The Approve Operator entitlement and its associated permission allow an
operator to left-approve or right-approve an operator, to display and print the
system generated password for an operator, and to reset user passwords. As
these are all sensitive security-related functions, the security implications must be
considered before this entitlement is assigned to an operator.
• the Alliance Access applications used by the Administrator, assuming that the default
Alliance Access profile is used
Note: If your Security Officers have modified the default R7.0_Superkey profile, or
defined their own Alliance Access Administrator profile and assigned it to you, then
the tasks and functions available to you may be different to those described in the
documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.
Recommended reading
The Alliance Access Administrator must read the Installation and Administration Guide for
detailed information about the installation of Alliance Access software. This guide also describes
how to use the System Administration application to perform administrative tasks.
• creating, modifying, and removing operator definitions, profiles, and units (for details, see
"Maintaining Operator Definitions and Profiles" on page 27)
• performing certain system management functions (for details, see "Other Duties" on
page 32).
• managing message partner and exit point profiles to be used when exchanging messages
with other systems (for details, see "Managing Message Exchange Sessions" on page 42)
• managing the calendar(s) (for details, see "Managing the Calendar and Scheduling
Archiving" on page 42)
• verifying and authorising messages created or modified by other operators (for details, see
"Verifying and Authorising Messages" on page 43)
• managing and approving routing schemas, rules, and keywords (for details, see "Managing
Routing" on page 43)
• creating, modifying, and removing operator definitions, profiles, and units (for details, see
"Maintaining Operator Definitions, Profiles, and Units" on page 44)
• managing the SWIFT network connection (for details, see "Managing the SWIFT Network
Connection" on page 44)
• managing emission and reception profiles to exchange messages through SWIFTNet (for
details, see "Managing the SWIFTNet Network Connection" on page 37)
• managing Logical Terminals (LTs), Application Service Profiles, Message Standards, and
Value-Added Service (VAS) parameter files (for details, see "Managing LTs, MSTs, Message
Standards, and Parameter Files" on page 44)
• performing system management functions (for details, see "Other Duties" on page 45)
• using various Alliance Access applications to investigate problems and get further information
about them (for details, see "Other Duties" on page 45).
The Alliance Access Administrator has sole responsibility for certain communications session
tasks and for some message preparation activities.
The Alliance Access Administrator has sole responsibility for the following activities:
Description
The Alliance Access Administrator can use the SWIFT Interface application to enable or disable
automatic reconnection to the SWIFT network when a logical terminal session is interrupted.
Description
Supervisors' access is limited to using the Message Approval application to verify messages
created or modified by other operators, or authorise messages verified by someone else.
However, the Alliance Access Administrator has full access to all the message preparation
functions.
The Alliance Access Administrator can use the Message Creation application to:
• bypass message verification and authorisation for messages of any type (this means the
System Administrator can dispose a newly created message directly to the outbound SWIFT
message queue)
• route newly created messages to the next default message queue (the Authorisation queue
for all system messages and any MT 999 messages, and the Verification queue for all other
SWIFT user messages).
The Alliance Access Administrator can use the Message Approval application to:
• authorise a group of messages without displaying the contents of the messages first
• route newly created messages to the next default message queue (the Authorisation queue
for all verified SWIFT user messages, and the appropriate outbound network queue for all
authorised messages, system messages, and MT 999 messages).
The Alliance Access Administrator can use the Message Modification application to:
• modify messages in any of the modification queues, including the Emission Security
Modification queue (where Alliance Access routes outgoing messages which fail
authentication) and the Reception Security Modification Queue (where Alliance Access
routes incoming messages which fail authentication)
• bypass authentication for a group of messages in the Reception Security Modification Queue
• bypass message verification and authorisation for modified messages of any type
• route modified messages to the next default message queue (the Authorisation queue for all
system messages and any MT 999 messages, and the Verification queue for all other SWIFT
user messages).
Description
The Alliance Access Administrator can use the Calendar application to create or modify
calendar(s).
Once a calendar has been set up, the Alliance Access Administrator can schedule processes to
occur automatically at specific times. The Alliance Access Administrator can use:
• the Event Journal application to schedule the archive of the Event Journal
• the Message File application to schedule the archive of the Message File
• the SWIFT Interface application to schedule automatic actions to take place, such as
selecting the FIN service
• the System Management application to schedule automatic backups of data (but not events
or messages), or automatic stopping or starting of Alliance Access.
• the SWIFTNet Interface application to schedule the activation or deactivation of emission and
reception profiles.
Description
The Alliance Access Administrator can use the SWIFT Interface application to:
• schedule automatic actions to take place, such as selecting the FIN service or logging off
from the SWIFT network.
Description
The SWIFTNet Interface application enables the Alliance Access Administrator to:
• define, enable, and activate emission and reception profiles used for sending and receiving
MX and FileAct messages over SWIFTNet
Overview
The Alliance Access Administrator can use the SWIFT Support application to:
• define Logical Terminals (LTs) and assign them to Application Service Profiles.
For more information, see "SWIFT Support Application" on page 12.
Description
The Alliance Access Administrator has a number of other responsibilities which are like those of
the Security Officers, but the Alliance Access Administrator has more extensive entitlements.
The Alliance Access Administrator can use the System Management application to:
• configure various system parameters (for example, a parameter can be used to specify a
script that is called whenever an alarm occurs)
• define events that must be treated as alarms, and specify the distribution list for alarms (the
list of operators to whom alarms are sent)
• stop and restart Alliance Access, either manually or automatically (by using scheduling)
• back up or restore software, data, and archives (backups can take place manually or can be
scheduled to occur automatically).
The Alliance Access Administrator can use the Message File application to:
• archive the Message File, either manually or automatically (by using scheduling)
• investigate events
• archive the Event Journal, either manually or automatically (by using scheduling)
• stop an application process (for example, to terminate the GUI processes if they remain
running after an Alliance workstation is switched off or disconnected).
Role
The role of the Relationship Management Application Administrator is to manage the
authorisations and query messages in the Relationship Management data store. Although a
Relationship Management Application Administrator cannot create or modify authorisations, a
Relationship Management Application Administrator can verify and authorise outgoing
messages prepared by others.
Note If your Security Officers have modified the default R7.0_RMA_Admin profile, or
defined their own profile and assigned it to you, then the tasks and functions
available to you may be different to those described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.
• revoking an authorisation
• removing expired authorisations or queries and answers from the data store
• defining or approving a list of BICs for which Relationship Management Application Operators
can create granular authorisations
• defining or modifying the selected that is the Signing BIC for a Test and Training
authorisation
2.6 Supervisors
Overview
This section describes:
• the Alliance Access applications used by Supervisors, assuming that the default Alliance
Access profile is used
Note If your Security Officers have modified the default R7.0_Supervisor profile, or
defined their own Supervisor profile and assigned it to you, then the tasks and
functions available to you may be different to those described in the
documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.
• manage message partner and exit point profiles used when exchanging messages with other
systems
• manage the correspondent, country, and currency records in the Correspondent Information
File (CIF)
• manage emission and reception profiles to exchange messages and files through SWIFTNet
• manage Logical Terminals (LTs), Application Service Profiles, Message Standards, and
Value-Added Service (VAS) parameter files
Description
Alliance Access can exchange messages with other external systems, known as message
partners, through exit points. Each exit point is associated with a specific message partner.
A Supervisor uses the Application Interface application to create, modify, or remove message
partner profiles and exit point profiles. In a message partner profile, the Supervisor specifies
details such as:
• the direction in which messages are exchanged with the message partner
• the other exit points to which any copies of messages are routed.
Supervisors also have access to the same functions as operators, that is, they can start, stop,
run, or abort a message exchange session with a selected message partner.
Description
A Supervisor can use the Calendar application to create or modify calendar(s) for this year or
next year only.
Once a calendar has been set up, the Supervisor can use other Alliance Access applications to
schedule processes to occur automatically at specific times. The Supervisor can use:
• the Event Journal application to schedule the archive of the Event Journal
• the Message File application to schedule the archive of the Message File
• the SWIFT Interface application to schedule automatic actions to take place, such as
selecting the FIN service
Description
A Supervisor can use the Correspondent Information File application to update the
Correspondent Information File (CIF). The CIF contains correspondent, country, and currency
records. Alliance Access uses values from the CIF during message preparation. A Supervisor
can use the application to:
Description
A Supervisor can use the Correspondent Information File application to install the SWIFT
Alliance Bank File that SWIFT distributes periodically. This file contains the BICs (business
identifier codes) of all the institutions that currently use the SWIFT network, either directly or
through another party. Alliance Access uses information from the Bank File during message
preparation and message exchange, to display BICs in expanded format.
SWIFT also makes available an update file that contains details of all entries that have been
added, modified, or deleted since the last BIC was issued. The Supervisor can use this file to
update the Correspondent Information File.
Description
A Supervisor can use the Message Approval application to display messages from either the
Verification queue or the Authorisation queue.
Normally, operators verify messages, but the Supervisor can do so if necessary. Message
verification involves re-entering data (such as an amount or a value date) in the verifiable fields
(for details, see "Verifying MT Messages" on page 51).
To authorise a message, the Supervisor simply gives the message a final visual check and then
disposes the message to the outbound network queue specified within the message (for
example, to the SWIFT network).
If errors are discovered during message authorisation, then the Supervisor moves the message
to the Text Modification queue for later editing. A message may need to be modified because it
contains a data entry error such as an incorrect account number, or a correspondent address
that is not valid.
Supervisors cannot verify or authorise messages that they have created, modified, or already
verified. However, the Alliance Access Administrator or another Supervisor can verify and
authorise such messages.
Description
A Supervisor can use the Routing application to maintain the Alliance Access routing schemas.
A routing schema defines how messages flow through the Alliance Access system. Many
different schemas can be created, although only one schema can ever be active at a time.
A schema consists of a series of routing points. At each routing point, there is a message
queue. A series of rules at the routing point define how different types of messages from the
queue are routed. If a message satisfies a routing rule, then it is sent to the point specified in
that rule.
Each routing rule is made up of a sequence of keywords. There are a series of standard
keywords which can be combined in many different ways to give different routing rules.
The Supervisor has entitlements to use any Routing application function. The Supervisor can
activate or deactivate a routing schema and create, modify, or remove routing schemas, rules,
or keywords.
Description
A Supervisor, like the Security Officers, can use the Security Definition application to create
operator definitions which can be assigned to new operators (see "Maintaining Operator
Definitions and Profiles" on page 27 for details).
However, unlike Security Officers, Supervisors cannot approve operators, reset passwords, or
change password parameters.
Also, Supervisors are entitled to create, modify, remove, and approve definitions of units.
Description
A Supervisor can use the SWIFT Interface application to:
• schedule automatic actions to take place, such as selecting the FIN service or logging off
from the SWIFT network
• define delivery subsets (the delivery queues which SWIFT stores output messages in).
Description
The SWIFTNet Interface application enables the Alliance Access Administrator to:
• define, enable, and activate emission and reception profiles used to send and receive MX
and FileAct messages over SWIFTNet
Description
A Supervisor can use the SWIFT Support application to:
Description
A Supervisor has a number of other responsibilities which are like those of the Security Officers,
but the Supervisor has more extensive entitlements, as outlined below. The Supervisor can use
the System Management application to:
• stop and restart Alliance Access. If a calendar has been set up, then the Supervisor can also
schedule Alliance Access to stop and restart automatically at specific times.
• create, modify, and remove devices (on UNIX only) and event distribution lists
• back up and restore data and archives. If a calendar has been set up, then the Supervisor
can also schedule the backup of Alliance Access data (excluding archive files) to occur
automatically at specific times.
The Supervisor can use the Message File application and the Event Journal application to help
in supervising the activities of operators, and can also:
• if a calendar has been set up, schedule Message File or Event Journal archiving to occur
automatically at specific times
• use the Monitoring application to monitor the system, and hold or release message queues if
a problem develops.
2.7 Operators
Overview
This section describes:
• the Alliance Access applications used by operators, assuming that the default Alliance
Access profiles are used
• operators that must be able to sign on to control the flow of messages passing between the
SWIFT network, Alliance Access and back-office systems. These operators do not require
access to the day-to-day message preparation functions.
• operators concerned with the actual creation, verification, and modification of messages
within Alliance Access.
In practice, the same operators may be responsible for all message processing, regardless of
the message's origin.
• R7.0_Operator: allows a user to sign on to the SWIFT network and process messages
passing between Alliance Access and other systems.
• R7.0_MsgEntry: allows a user to create and process messages within Alliance Access, but
does not allow them to connect to SWIFT network or control the message flow.
• This profile does not include the entitlement to use the Access Control application, and so
does not allow a user to sign on to Alliance Access. The profile is not designed to be used on
its own, but can be assigned to an operator if another profile is also assigned, which does
include the entitlement to use the Access Control application.
Note If your Security Officers have modified the default R7.0_Operator and
R7.0_MsgEntry profiles, or defined their own operator profile and assigned it to
you, then the tasks and functions available to you may be different to those
described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.
• create messages, that is, actually enter the text of the message
• modify messages.
Description
To send and receive messages on the SWIFT network, an operator first uses the SWIFT
Interface application to log on to APC (Application Control) from a Logical Terminal. APC
controls communications between the logical terminal and the SWIFT network.
After logging on to APC, the operator selects FIN (the Financial Messaging Service). The FIN
service is used to send and receive messages on the SWIFT network.
Once a communication session is established between a logical terminal and the SWIFT
network, the operator can use the SWIFT Interface application to monitor details such as the
status of the session, and how many messages are waiting to be sent.
To disconnect from the SWIFT network, the operator quits from FIN and then logs off from APC.
Description
Operators use the Application Interface application to monitor and control the exchange of
messages with other systems. Messages are sent to exit points within Alliance Access. Each
exit point is associated with an external message partner, such as a back-office system.
Each message partner has a profile that defines the connection method used for
communication with that message partner. Operators do not create or maintain these details,
but they can:
• select a message partner and start a message exchange session with that partner - the
messages can be input to Alliance Access or output from it
• stop a message exchange session - the session stops after the message or message file has
been transferred
Description
To exchange messages through SWIFTNet, you must define, enable and activate emission and
reception profiles for the SWIFTNet interface. This is performed using the SWIFTNet Interface
application. This application is only available if licensed at your organisation.
Description
Operators use the Correspondent Information File application to modify correspondent records
or alias details in the Correspondent Information File (CIF). Operators cannot add or remove
records. They can modify correspondent or alias details, but not country or currency records.
Correspondent records include information such as a correspondent's BIC-11, name and
address, and so on. During message preparation, Alliance Access takes details from the
appropriate correspondent record and includes them in the message.
An alias is an alternative name by which one or more correspondents are known. During
message preparation, a message can be addressed to an alias. If a single MT 999 message is
addressed to an alias for a group of correspondents, then Alliance Access sends a copy of the
message to every correspondent automatically.
[Figure D0540015: message preparation flow between the Message Creation Queue, Message Verification Queue, Text Modification Queue, Message Authorisation Queue, and Outbound Network Queue. Flow labels: Invalid SWIFT Messages; Verification Failure; Authorisation Failure; Modified SWIFT Messages; Modified Messages; Authorised Messages; MT999, FIN System, Application Control System Messages.]
Description
During message preparation, Alliance Access validates the text of any newly created or
modified SWIFT message to ensure that:
• the message is syntactically correct according to the validation checks performed by the
relevant application.
Invalid SWIFT messages are those which contain identifiable errors such as:
Description
Operators use the Message Creation application to create MT messages within Alliance
Access. An operator can either create a completely new message, or base a new message on
an existing template. A template is a partially completed message. Using a template speeds up
message creation.
An operator always defines the following details for each new message:
• The identity of the sender and the receiver - that is, which financial institution is sending the
message, and which institution receives the message. Together with the message type,
message priority, and so on, these details make up the message header.
• The text of the message. An experienced operator who is familiar with the structure and
syntax of SWIFT messages can enter the text in fast mode, where Alliance Access provides
no help. A less experienced operator can use prompted mode, where Alliance Access gives
on-screen assistance for each field or subfield in the message.
• The network application used to send the message. A message can be sent to the SWIFT
network or to the Application Interface.
The operator can also view the security data needed to authenticate the message, and report
any authentication problems to the Alliance Access Administrator.
After creating a message, the operator can dispose the message to the next message queue for
further processing. When an operator disposes a message, Alliance Access displays a list of
message queues and the operator selects one from the list. If the Security Officers have changed
the default profiles slightly, then the operator may instead be able to route the message, in which
case Alliance Access sends the message automatically to the next default message queue. As the
figure in "Preparing Messages" on page 49 shows, newly created SWIFT financial messages
are normally sent to the Verification message queue. Other types of message are normally sent
to the Authorisation message queue.
If the message is not valid or requires further editing, then the operator can instead move it to
the Text Modification queue and deal with it later.
Description
To ensure the accuracy of each SWIFT financial message before it is sent, a second operator
usually verifies the message. The operator uses the Message Approval application to display a
message from the Verification queue. The important verifiable fields (such as an amount or a
value date) are shown without any data in them. The second operator must enter this data
again.
The data entered by the second operator is automatically compared with the data entered by
the first operator. If there are any discrepancies, then the disputed field changes to the error
colour and an event is recorded in the Event Journal. The operator can then try again to verify
that particular field.
A message may fail verification because one of the two operators enters the data incorrectly. If
this happens, then the message can be sent back to the Text Modification queue for editing.
Once the original message has been corrected, it must again be submitted for verification.
Operators cannot verify their own messages, that is, messages which they created originally or
modified.
After verifying a message, the operator normally disposes it to the Authorisation queue so that a
supervisor can make a final check on the message before it is sent. Alliance Access only allows
a verifiable message to be sent to the Authorisation queue if all fields in the message have been
successfully verified.
Description
If the default profiles are used, then operators cannot authorise messages. Authorisation can
only be carried out by Supervisors or the Alliance Access Administrator. See "Supervisors" on
page 40 for details.
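The verification and authorisation rules described above, together with the Supervisor restrictions in section 2.6, form a maker-checker control. The following Python model is an added illustration, not SWIFT or Alliance Access code: the class, method, and operator names are assumptions, and only the queue and profile names come from this guide.

```python
from dataclasses import dataclass, field

# Queue names follow the guide; operator names and this API are assumptions.
VERIFICATION, AUTHORISATION = "Verification", "Authorisation"
TEXT_MODIFICATION, OUTBOUND = "Text Modification", "Outbound Network"

# Constructed operators mapped to default profiles named in the guide.
PROFILES = {"alice": "R7.0_MsgEntry", "bob": "R7.0_MsgEntry",
            "carol": "R7.0_Supervisor", "dave": "R7.0_Supervisor"}


class SegregationError(Exception):
    """An operator tried to check a message they already acted on."""


@dataclass
class Message:
    creator: str
    fields: dict                                  # verifiable fields (amount, value date)
    queue: str = VERIFICATION
    editors: set = field(default_factory=set)     # creator plus any modifiers
    verifiers: set = field(default_factory=set)   # assumption: kept across modifications
    verified: set = field(default_factory=set)    # field names verified so far
    journal: list = field(default_factory=list)   # stand-in for the Event Journal

    def __post_init__(self):
        self.editors.add(self.creator)

    def _require_queue(self, expected):
        if self.queue != expected:
            raise ValueError(f"message is in {self.queue}, not {expected}")

    def verify_field(self, operator, name, reentered):
        """A second operator re-keys one field blind; it is compared with the original."""
        self._require_queue(VERIFICATION)
        if operator in self.editors:
            raise SegregationError(f"{operator} created or modified this message")
        if reentered != self.fields[name]:
            self.journal.append(("verification mismatch", operator, name))
            return False
        self.verified.add(name)
        self.verifiers.add(operator)
        return True

    def to_authorisation(self):
        """Only a message with every verifiable field verified may move on."""
        self._require_queue(VERIFICATION)
        missing = set(self.fields) - self.verified
        if missing:
            raise ValueError(f"unverified fields: {sorted(missing)}")
        self.queue = AUTHORISATION

    def to_text_modification(self):
        """Send the message back for editing after a failed check."""
        if self.queue not in (VERIFICATION, AUTHORISATION):
            raise ValueError(f"cannot send back from {self.queue}")
        self.queue = TEXT_MODIFICATION

    def modify(self, operator, name, value):
        """Correct a field; the message must then be verified again from scratch."""
        self._require_queue(TEXT_MODIFICATION)
        self.fields[name] = value
        self.editors.add(operator)
        self.verified.clear()
        self.queue = VERIFICATION

    def authorise(self, operator):
        """Final check by a Supervisor who has not touched the message."""
        self._require_queue(AUTHORISATION)
        if PROFILES.get(operator) != "R7.0_Supervisor":
            raise PermissionError(f"{operator} has no authorisation entitlement")
        if operator in self.editors | self.verifiers:
            raise SegregationError(f"{operator} already acted on this message")
        self.queue = OUTBOUND
```

The model covers only the default operator and Supervisor profiles; the Alliance Access Administrator's ability to bypass verification and authorisation sits outside these checks, which is why that profile's assignments and activity warrant separate review.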
Description
Operators can send messages that fail validation or verification to a Text Modification message
queue for later editing. Alliance Access also routes incoming and outgoing messages which it
cannot process automatically to other message modification queues.
There are five modification queues in Alliance Access. Operators with the default
R7.0_MsgEntry profile can use the Message Modification application to edit the messages in
the following queues:
• Emission Security Modification Queue (for outbound messages - for example, to SWIFT)
• Reception Security Modification Queue (for inbound messages - for example, from SWIFT)
Operators cannot usually solve authentication problems. The Alliance Access Administrator
must handle these problems.
The three message queues which operators can access are each described briefly in this
section.
Role
The role of the Relationship Management Operator is to create or modify an authorisation that
allows a correspondent to send messages to your institution. A Relationship Management
Application Operator does not have the permissions, by default, to perform other tasks related
to authorisation management (that is, accept, reject, revoke, and so on).
Note If your Security Officers have modified the default R7.0_RMA_Oper profile, or
defined their own profile and assigned it to you, then the tasks and functions
available to you may be different to those described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.
• modify an authorisation
• print an authorisation
Legal Notices
Copyright
SWIFT © 2010. All rights reserved.
You may copy this publication within your organisation. Any such copy must include these legal notices.
Confidentiality
This publication may contain SWIFT or third-party confidential information. Do not disclose this publication
outside your organisation without the prior written consent of SWIFT.
Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may
change from time to time. You must always refer to the latest available version on www.swift.com.
Translations
The English version of SWIFT documentation is the only official version.
Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT,
the SWIFT logo, 3SKey, Innotribe, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or
company names in this publication are trade names, trademarks, or registered trademarks of their respective
owners.