
Connectivity

Alliance Access 7.0

Getting Started
This getting started guide introduces Alliance Access and explains what customers must know to be able to use the
product. This document is for all Alliance Access users. SWIFT recommends that customers read this guide before the
other guides in the Alliance Access documentation set.

31 December 2010
Alliance Access 7.0

Table of Contents

Preface

1 Introduction to Alliance Access
1.1 Introducing Alliance Access
1.2 Introducing the Alliance Access Applications
1.3 Base Services Applications
1.4 SWIFT and SWIFTNet Network Applications
1.5 Message Preparation Applications
1.6 Application Interface
1.7 Which Applications Can You Use?
1.8 Support for Service Bureau
1.9 Introduction

2 User Roles
2.1 Operator Profiles
2.2 Operating System Administrator
2.3 Security Officers
2.4 Alliance Access Administrator
2.5 Relationship Management Administrators
2.6 Supervisors
2.7 Operators
2.8 Relationship Management Operators

Legal Notices


Preface
Purpose
This Getting Started Guide explains what you must know before using Alliance Access. SWIFT
recommends that you read this guide first before opening the other guides in the documentation
set. It is intended for all users.

Terminology
The following terminology is used in this guide:

• MT messages: FIN messages over SWIFTNet FIN

• MX messages: SWIFTStandards XML messages over InterAct

Where to find more information


For more information about the Alliance Access applications and functions, see the other
Alliance Access guides, described in "The Alliance Access Documentation Set" on page 19.
You do not have to read all the guides, only the sections relevant to the task that you want to
perform.
If you are signed on to Alliance Access, then you can display help about the window that you
are using by pressing the F1 key.
Your operator profile determines what you can and cannot do within Alliance Access. There
may be some problems which you cannot resolve on your own. You may have to ask for help
from another Alliance Access user that has more extensive application entitlements, such as a
System Administrator.
SWIFT provides training courses on many different aspects of Alliance Access use. You can
find information about the available courses on www.swift.com.


1 Introduction to Alliance Access


Introduction
This section provides a high-level overview of Alliance Access. It describes the hardware used
in a typical Alliance Access system, and then gives a brief description of the various Alliance
Access applications.
The applications which you can use depend on your operator profile, so you may only be able to
use some of the applications described here. You should still read the entire section, as it helps
you understand how Alliance Access works. For information about which applications the
different operator profiles allow you to use, see "Which Applications Can You Use?" on
page 16.

1.1 Introducing Alliance Access


Description
Alliance Access is a financial message switch, built to interface with multiple networks and open
to a variety of applications developed by SWIFT, third parties, or end users. It is designed for
use with SWIFTNet FIN, SWIFTNet, national clearing networks, and internal private
networks.
Alliance Access is designed for financial institutions with medium to high message handling
requirements.
Alliance Access brings immediate benefits in terms of automation and easy integration:

• integration with your LAN, where each PC can easily be turned into an Alliance workstation

• integration with your back-office applications through IBM WebSphere MQ and
straightforward transition for several mainframe links, namely DOS RJE and the Common
Application Server CAS 1/2

• automation of file transfer without manual intervention

• support for the SWIFT Service Bureau

• integration with SWIFT's value-added services and applications.

1.1.1 A Typical Alliance Access Configuration


Overview
Alliance Access typically runs on a central server using the Windows or UNIX operating system,
with operators working at machines that communicate with the server.
Operators work at client workstations on which Alliance Workstation is installed.
Depending upon licensing, the main system provides connections to:

• SWIFTNet FIN (for sending and receiving MT messages)

• SWIFTNet (for sending and receiving MX and FileAct messages)

• the institution's internal message processing mainframe

• Messenger and RMA on Alliance Web Platform


• a standalone Alliance Access server allowing manual message entry and repair activities
independently from the straight through processing of SWIFT traffic.

• one or more printers (for system reports and for printed copies of messages)
The system contains the following internal storage devices:

• one or more hard disks for the storage of all system software (the Alliance Access database,
the Message File and Event Journal archives, and so on).

• a flexible disk drive for the input and output of batch files.

• a DVD drive (for the installation of software and messages standards).


The Alliance Access database contains all operational data (including configuration data,
operator definitions, enciphered passwords, and so on), as well as the live Message File and
live Event Journal.

1.1.2 Alliance Access and its Interfaces


Overview
Alliance Access consists of a set of applications.
In its simplest form, Alliance Access has three interface applications:

• the SWIFT Interface application, which provides connections to the SWIFTNet FIN network.

• the Application Interface, which provides a local interface to other internal systems and
applications, and for local printing.

• the SWIFTNet Interface application, which provides connections to the SWIFTNet network.
The other applications provide various services to users and to the interface applications.

1.2 Introducing the Alliance Access Applications


Overview
In this section, the applications have been grouped so that it is easier for you to understand how
certain applications are related.
The applications are grouped into the following areas:

• base services applications - used to configure and control Alliance Access

• SWIFTNet network applications - used to connect to SWIFTNet (if licensed)

• SWIFT applications - used to provide the configuration and management of logical terminals
for connection to the SWIFTNet FIN application

• security applications - used to ensure the security of messages sent on the SWIFT network

• message preparation applications - used to prepare MT messages

• emission and reception profile management application - used to send and receive MX and
FileAct messages

• Application Interface applications - used to connect to printers, your organisation's own
networks and systems.


Messages may be prepared on Mainframe systems. These messages may be imported into
Alliance Access through the Application Interface.
The message preparation applications are used to create and process messages within Alliance
Access itself. MX messages may be prepared using Messenger on Alliance Web Platform.
The following sections describe these groups of applications in more detail.

1.3 Base Services Applications


Overview
A number of different applications form the basic core services of Alliance Access.
These applications provide:

• access control functions

• calendar functions

• scheduling functions

• correspondent information functions

• audit functions

• message query functions

• monitoring functions

• authorisation functions for the management of business relationships

• routing definition functions

• security definition functions

• system management functions

1.3.1 Access Control Application


Description
The Access Control application is your entry point to Alliance Access. It controls all access to
Alliance Access and, therefore, to all the applications and functions. When you sign on to
Alliance Access, icons for the applications that you can use appear within the Access Control
window.
When you sign on, you may see different applications from those shown in the examples. Your
operator profile defines which applications you can use. You cannot sign on to Alliance
Access unless your operator profile allows you to use the Access Control application. Your
Security Officer or System Administrator uses the Security Definition application to define your
operator profile. For details, see "Security Definition Application" on page 11.


1.3.2 Calendar Application


Description
This application is used to create or modify calendars. Once a calendar has been set up,
you can use other Alliance Access applications to schedule processes to occur automatically at
specific times.
For example, Alliance Access stores details of the messages it sends and receives in a
Message File. Once a calendar is set up, you can use the Message File application to schedule
regular archiving of the Message File. This keeps the file from growing too large. For more
information about the Message File application, see "Message File Application" on page 8.

1.3.3 Correspondent Information File Application


Description
The Correspondent Information File (CIF) contains essential data about your correspondents, in
the form of correspondent, alias, country, network, and currency records.
SWIFT also makes available an update file that contains details of all entries that have been
added, modified, or deleted since the last BIC was issued. This file can be used to update the
CIF.
Each correspondent record includes details such as the correspondent's BIC-11, name and
address, and so on. Country records include details of the 2-character country code and the
name of the country. Currency records include details of the 3-character currency code, the
name of the currency, and the number of decimal places used in the currency. Alias records
contain alternative names that you have defined for a correspondent or a group of
correspondents.
The CIF also contains information about the preferred network interface used to connect
Alliance Access with each correspondent. The network interface can be SWIFTNet, SWIFT, the
Application Interface, or OTHER.
When an MT message is prepared using the Message Creation or Message Modification
application, Alliance Access references the sender/receiver BIC and automatically takes values
from the CIF and includes them as default values in the message. This helps to speed up
message creation and reduce errors.
You use the Correspondent Information File application to update the CIF, either by importing
information from the Full Bank File, or from the Bank Update File (distributed monthly by
SWIFT), or by making changes manually.
You can use the application to:

• update the CIF from a SWIFT Alliance Bank File

• create, modify or remove the correspondent, alias, country, or currency records.


1.3.4 Event Journal Application


Description
All successful and unsuccessful actions performed by operators, and by the Alliance Access
system, are identified and recorded as events in the Event Journal. This data provides a
detailed audit trail of all actions performed in Alliance Access.
Each record in the Event Journal includes details of:

• the date and time that the event occurred

• the identity of the operator (or system) that caused the event

• the class and severity of the event. Events relating to the same area in Alliance Access are
grouped in a class - for example, all communication-related events belong to the
communication event class. The severity indicates the importance of an event. For example,
it is a more severe event if a message fails authentication than if an operator signs on

• a text description of the event.


You use the Event Journal application for audit and investigation purposes by searching the
events stored in the Event Journal based on a specific criterion. You can then display or print
the search results.
You also use the Event Journal application to archive events. You can back up these archived
events, which keeps the Event Journal at a manageable size. If a calendar has been set up (for
details, see "Calendar Application" on page 7), then you can use the Event Journal application
to schedule archiving to occur automatically at specified times. Otherwise, you must archive
manually.
Clearly, some events are more important than others. Alliance Access allows you to declare
certain events as alarms. Alarms can be displayed on-screen and distributed to a defined group
of operators and internal correspondents (through MT 999), for immediate action, or routed
outside Alliance Access (for example, to a file). The use of alarms ensures that supervisors or
other operators know very quickly if any unexpected user or system activity takes place. You
use the System Management application to define events that must be treated as alarms. From
this application, you can also specify the distribution list for alarms, that is, the list of operators
to whom alarms are sent.
The creation of an operator profile or an operator definition, or modification of an existing
definition, is also logged in the Event Journal.
Alarms (or events configured as alarms) can also be sent to SNMP Manager applications (such
as HP OpenView or Tivoli products) so that they can be monitored by third-party software.

1.3.5 Message File Application


Description
This application provides a central query, maintenance, and archiving facility for all messages
processed by Alliance Access.
When a message is created within Alliance Access, received from a message partner, or
received from the SWIFT network, it is known as the original instance. There is only one original
instance.
During message processing, Alliance Access routes the original message instance from one
message queue to another. Any number of copy or notification instances may be created as a
result of routing rules, and processed entirely separately from the original instance. For
example, Alliance Access may create a copy instance for every original instance sent to the
SWIFT network, and send the copy instance to a printer.
A notification instance is a report on the result of the processing performed on an original
instance or copy instance, and is usually sent to the sender of the message. For example, a
notification instance may report that the message failed authentication.
Collectively, the original instance and any copy and notification instances make up the
message.
The Message File stores all message instances. It also keeps a history of Alliance Access
message processing, whether related to communication with an external network or with
internal applications (transmission interventions), or to processing by an operator (user
interventions). The network header and message text information are common to all instances
of a message. Operator and transmission interventions are particular to an instance, and are
appended to the instance.
All instances (originals, copies, and notifications) must be completed before the message itself
is considered to be completed.
Use the Message File application to:

• create duplicates of a message during message processing.

• investigate message processing by searching the message instances stored in the Message
File. You can then display or print the search results.

• complete a message instance, or, if necessary, reactivate a completed message instance.
You can also move, reassign, or change the priority of a message instance. For example,
you may want to reactivate an instance because a system problem prevented it from being
processed normally.

• archive messages. You can back up these archived messages, which keeps the Message
File at a manageable size. If a calendar has been set up (for details, see "Calendar
Application" on page 7), then you can use the Message File application to schedule archiving
to occur automatically at specified times. Otherwise, you must archive manually.

• create search templates.

1.3.6 Monitoring Application


Description
You use the Monitoring application to monitor the Alliance Access system and ensure that it is
running smoothly. This application provides a continually updated status for various Alliance
Access 'objects', such as message queues, events, and processes.
How you use the Monitoring application depends on your role. As a Security Officer, you may
want to know which operator is using which Alliance Access application. As a user responsible
for sending and receiving messages, you may want to check how many messages are building
up in the various message queues.
Certain object states are considered as exceptional. For example, if the number of messages in
a message queue exceeds a user specified limit (threshold), then the message queue is in an
exceptional state. The Monitoring application can be set to notify you automatically whenever an
object goes into an exceptional state, so that you can resolve the problem as soon as possible.
If problems develop, then you can also use the Monitoring application to hold or release
message queues, or stop processes.


1.3.7 Relationship Management Application


Description
The SWIFTNet Public Key Infrastructure provides authentication for FIN messages using
PKI-based digital signatures. SWIFTNet Public Key Infrastructure does not provide a way to manage
the business relationships between the institutions that have pre-agreements for exchanging
messages.
The Relationship Management service and the Relationship Management functionality in
Alliance Access allow institutions to manage business relationships with their counterparties.
An authorisation process ensures that only authorised institutions can send messages to
another institution. With SWIFTNet Public Key Infrastructure, the FIN message can only be sent
if the receiver has authorised the sender to send a message.

Relationship Management authorisations


When one party in a business relationship consents to receive messages from a specific
correspondent, that consent is recorded in an Authorisation in the Relationship Management
Application (RMA). This application allows you to create and manage the authorisations that
restrict the sending of messages between parties in a business relationship. Therefore, a
correspondent can send you messages only when you have authorised the correspondent to do
so.
An authorisation is represented by different names in the Relationship Management Application
of each party. When you authorise a correspondent to send you messages, you create an
Authorisation to Receive, which is represented as an Authorisation to Send in your
correspondent's system.
An authorisation can have a new version in preparation, which can be reviewed and changed by
different operators until it is enabled and becomes the active version.
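
The authorisation rules described above, modelled as an added example (not SWIFT code and not an Alliance Access API). The class, the function names and the two BIC-like identifiers are constructed, and the model assumes that an enabled version stays in force while a newer version is in preparation.

```python
from __future__ import annotations
from dataclasses import dataclass, field

OUR_BIC = "AAAABEBB"     # constructed identifier for "you"
THEIR_BIC = "BBBBGB2L"   # constructed identifier for the correspondent


@dataclass
class Authorisation:
    """One consent record: `receiver` agrees to accept messages from `sender`."""
    receiver: str                        # party that gave consent
    sender: str                          # correspondent allowed to send
    active_version: int | None = None    # enabled version currently in force
    draft_version: int | None = None     # version still in preparation
    draft_editors: list[str] = field(default_factory=list)

    def prepare(self, operator: str) -> int:
        """Open a version in preparation, or record another operator's change to it."""
        if self.draft_version is None:
            self.draft_version = (self.active_version or 0) + 1
            self.draft_editors = []
        self.draft_editors.append(operator)
        return self.draft_version

    def enable(self) -> int:
        """Enable the version in preparation; it becomes the active version."""
        if self.draft_version is None:
            raise ValueError("no version in preparation")
        self.active_version, self.draft_version = self.draft_version, None
        return self.active_version

    def name_for(self, party: str) -> str:
        """The same record carries a different name on each side of the relationship."""
        if party == self.receiver:
            return "Authorisation to Receive"
        if party == self.sender:
            return "Authorisation to Send"
        raise ValueError(f"{party} is not a party to this authorisation")


def may_send(authorisations: list[Authorisation], sender: str, receiver: str) -> bool:
    """A message may go out only if the receiver holds an enabled consent for this sender."""
    return any(
        a.sender == sender and a.receiver == receiver and a.active_version is not None
        for a in authorisations
    )


def demo() -> dict[str, bool]:
    """Walk one authorisation from preparation to enabled and check both directions."""
    auth = Authorisation(receiver=OUR_BIC, sender=THEIR_BIC)
    result = {"before_any_version": may_send([auth], THEIR_BIC, OUR_BIC)}
    auth.prepare("operator-1")           # first operator drafts the version
    auth.prepare("operator-2")           # second operator reviews and changes it
    result["while_in_preparation"] = may_send([auth], THEIR_BIC, OUR_BIC)
    auth.enable()
    result["after_enable"] = may_send([auth], THEIR_BIC, OUR_BIC)
    # Consent is directional: it does not let us send to the correspondent.
    result["reverse_direction"] = may_send([auth], OUR_BIC, THEIR_BIC)
    return result


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {'allowed' if allowed else 'blocked'}")
```
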

1.3.8 Routing Application


Description
Although the flow of messages (routing) within Alliance Access is totally user configurable,
Alliance Access is shipped with a pre-defined routing schema which controls this flow.
The routing schema consists of a series of routing points. Each routing point consists of:

• a message queue, where message instances accumulate

• a processing function, which processes message instances from the queue and may create
new message instances, copies or notifications.

• a set of routing rules, which are used to determine the onward flow of each message
instance (for example, to another routing point, to the SWIFT network, or to an exit point such
as a link to a printer).
You use the application to:

• create, duplicate, modify, or remove routing schemas, routing rules, and keywords.

• activate a specific routing schema - this becomes the schema that Alliance Access uses to
route messages.
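
A small model of a routing schema and of the message instances described under the Message File application, added here as an illustration and not taken from Alliance Access. The queue names `authorised` and `print queue`, the rule conditions and all function names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Exit points named in the guide; reaching one completes the instance in this model.
EXIT_POINTS = {"SWIFT network", "printer"}


@dataclass
class Instance:
    kind: str                  # "original", "copy" or "notification"
    queue: str                 # message queue the instance is waiting in
    completed: bool = False


@dataclass
class Message:
    text: str                  # common to all instances of the message
    instances: list[Instance] = field(default_factory=list)

    @property
    def completed(self) -> bool:
        """The message is complete only when every instance is complete."""
        return bool(self.instances) and all(i.completed for i in self.instances)


Rule = Tuple[Callable[[Message, Instance], bool], str]   # (condition, target)


@dataclass
class RoutingPoint:
    queue: str
    rules: list[Rule]
    # Processing function: may create new instances (copies or notifications).
    process: Optional[Callable[[Message, Instance], list[Instance]]] = None


def step(schema: dict[str, RoutingPoint], msg: Message, inst: Instance) -> None:
    """Process one instance at its routing point, then apply the first matching rule."""
    point = schema[inst.queue]
    if point.process is not None:
        msg.instances.extend(point.process(msg, inst))
    for condition, target in point.rules:
        if condition(msg, inst):
            inst.queue = target
            inst.completed = target in EXIT_POINTS
            return
    raise LookupError(f"no routing rule matched in queue {inst.queue!r}")


def run(schema: dict[str, RoutingPoint], msg: Message, max_steps: int = 20) -> Message:
    """Route until nothing is pending; max_steps guards against a looping schema."""
    for _ in range(max_steps):
        pending = [i for i in msg.instances if not i.completed and i.queue in schema]
        if not pending:
            break
        for inst in pending:
            step(schema, msg, inst)
    return msg


def copy_for_printer(msg: Message, inst: Instance) -> list[Instance]:
    """Create a copy instance for every original instance sent to the SWIFT network."""
    return [Instance("copy", "print queue")] if inst.kind == "original" else []


SCHEMA = {
    "authorised": RoutingPoint(
        "authorised", rules=[(lambda m, i: True, "SWIFT network")], process=copy_for_printer
    ),
    "print queue": RoutingPoint(
        "print queue", rules=[(lambda m, i: i.kind == "copy", "printer")]
    ),
}

if __name__ == "__main__":
    message = Message("constructed message text", [Instance("original", "authorised")])
    run(SCHEMA, message)
    print([(i.kind, i.queue, i.completed) for i in message.instances], message.completed)
```
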


1.3.9 Security Definition Application


Description
You use the Security Definition application to define which Alliance Access application functions
each user can access. You do this by assigning an operator profile to each user. Standard
operator profiles are provided with Alliance Access, but you can modify these or create new
profiles, if necessary.
You use the application to:

• create, modify, or remove operator definitions, profiles, and units

• generate full operator and operator profile details reports

• configure various system-wide security parameters, such as the number of days after which a
user password has to be changed

• approve units and operators (operators are usually approved by the security officers).
Only the security officers can use the Security Definition application to modify the value of
security parameters. For details about the security officers, see "Security Officers" on
page 24.

1.3.10 System Management Application


Description
This application is used to configure and control Alliance Access.
It allows you to:

• define terminals and printers (on UNIX servers only)

• modify the values for a large range of system parameters, such as time and date formats,
frequency of disk space checks, and so on

• shut down the system (for example, for file maintenance)

• restart the system, either in housekeeping mode, when only a single user can be signed on
(for example, to define logical terminals), or in operational mode (the normal, multi-user
mode)

• hold or release message queues

• back up or restore Alliance Access data or archives

• increase database resiliency by making use of the database recovery functionality

• stop or start a component

• define events that must be set as alarms, and set the distribution lists for these alarms.

1.4 SWIFT and SWIFTNet Network Applications


Overview
The SWIFT and SWIFTNet network applications provide the means to configure and manage
the connections to SWIFTNet and the sending and receiving of MT, MX, and FileAct messages.


The SWIFT and SWIFTNet network applications are:

• SWIFT Interface application

• SWIFT Support application

• SWIFTNet Interface application

• SWIFTNet Support application

1.4.1 SWIFT Interface Application


Description
This application enables you to log on through SWIFTNet to the SWIFT Financial Messaging
Service (FIN) to send and receive MT messages:

1. You first use a logical terminal to log into APC (Application Control). APC is the SWIFT
application that controls communication sessions between a logical terminal and SWIFT,
and allows you to send APC messages.

2. After successfully logging on, you select FIN, the SWIFT application within which all SWIFT
user-to-user MT messages are sent and received.
When you log on to the SWIFTNet FIN application, you must have PKI secrets stored on
Hardware Security Modules (HSMs). The logical terminals will use these HSMs for
authentication and will use the Relationship Management Application for authorisation.
You use the SWIFT Interface application to:

• define the characteristics of the connections to the SWIFTNet FIN service, and to monitor
and control sessions

• schedule logging on and out to occur automatically at specified times

• define the delivery queues in which you want SWIFT to store output messages (known as
delivery subsets).

1.4.2 SWIFT Support Application


Description
This application provides supporting functions to the SWIFT Interface application.
It allows you to:

• install Message Syntax Tables (MSTs) for MT messages

• install Message Standards for MX messages

• import and export message templates

• define logical terminals (LTs)

• assign LTs to MST entries

• install and activate Value-Added Service (VAS) parameter files

• provide extraction information for user-defined keywords


An MST contains descriptions of all message types that can be sent and received for the SWIFT
FIN application. Each logical terminal that your institution can use is identified by a combination
of the BIC-8 for the destination, plus a single-character terminal code. You use the SWIFT
Support application to define these details for each logical terminal, and to assign an MST to the
logical terminal.
Alliance Access validates each message by checking its syntax against the MST assigned to
the logical terminal. Alliance Access informs you if there are any errors.
SWIFT issues a new MST annually, a few months before the MST actually goes live. This is
useful for training purposes. For example, certain LTs can be assigned to the current MST for
live use, while other LTs (of a Test and Training destination) may be assigned to the future MST
for test and training use.
Message standards provide the information necessary to create and view MX messages.
Value-added Services (VAS) are optional additional services which involve a central clearing
institution. You can only use these services by arrangement with the central institution, and after
you have installed a VAS parameter file using the SWIFT Support application. These files are
pre-defined according to the various VAS registered with SWIFT.
It is possible to install several Value-added Services with the same service name, provided their
service administrator destinations (CIDs) are different. An own destination cannot be subscribed
to more than one VAS with the same name.

1.4.3 SWIFTNet Interface Application


Description
The SWIFTNet Interface application provides the functionality required to send and receive MX
messages (SWIFTStandards XML messages) and FileAct messages between Alliance Access
and the selected SWIFTNet service. Message flow is controlled using emission profiles for
outgoing messages and reception profiles for incoming messages. Functions are provided to
allow you to define, enable, and activate emission and reception profiles for sending and
receiving MX and FileAct messages in real-time or store-and-forward mode. For each profile
defined, a SWIFTNet connection is assigned and a SWIFTNet service designated. Through the
SWIFTNet Interface application, profiles are enabled and activated ready for use. Schedules
can be set up for automatic activation and deactivation. You also use the SWIFTNet Interface
application to set up input channels for store-and-forward messaging, which provide first-in,
first-out delivery from sender to receiver, gap detection, and duplicate detection.

1.4.4 SWIFTNet Support Application


Description
This application is used to manage the SWIFTNet environment. The SWIFTNet Support
application provides functions for defining SWIFTNet connections.
These functions are as follows:

• add a SWIFTNet connection: to create a SWIFTNet connection.

• modify a SWIFTNet connection: to change the settings of a SWIFTNet connection.

• mark a SWIFTNet connection as Reliable: to change the status of a SWIFTNet connection
from Not Reliable to Reliable.

• remove a SWIFTNet connection: to delete a SWIFTNet connection.


1.5 Message Preparation Applications


Introduction
For MT messages, there are three message preparation applications: Message Creation,
Message Approval, and Message Modification. Use these applications to create, verify,
authorise, and modify MT messages within Alliance Access.
To create, modify and approve MX messages, you must use Messenger on Alliance Web
Platform.
If required, you can use the message preparation applications to verify, authorise, or modify
messages that arrive in Alliance Access through the Application Interface (for example, from a
Mainframe).

1.5.1 Message Creation Application


Description
This application provides all the functions necessary to create MT messages.
You can either create a completely new message, or open an existing template and base the
message on it.
The application allows you to:

• open a template and base a new message on it

• create an MT message by entering all its details in full

• create a template, or modify or remove an existing template.


When you create a message, you specify:

• the identity of the sender and the receiver of the message, and other details which are
different for an MT message

• the text of the message

• the network application to be used to send the message

• the data necessary to authenticate the message.


After creating a message, you send it to another message queue so that processing can
continue.

1.5.2 Message Approval Application


Description
Any MT message containing important data (such as an amount or a value date) must be
verified.
The Message Approval application allows you to:

• display a list of the messages held in the Verification queue

• select a specific message and display its details - any fields to be verified are highlighted, but
blank

• re-enter the data for each verifiable field


• send the message to another queue so that message processing can continue. A verified
message is usually routed to the Authorisation queue.
Messages must often be authorised before they can be released to the SWIFT network. The
Message Approval application is also used to authorise messages. Authorisation simply
involves giving the message a final visual check to ensure that it is accurate.
The Message Approval application allows you to:

• display a list of the messages held in the Authorisation message queue

• select a specific message and display its details, to check the validity of the fields

• send an authorised message to the network specified queue. The relevant network interface
then automatically processes these messages.

1.5.3 Message Modification Application


Description
Messages that fail validation during message creation, or that fail verification or authorisation,
can be sent to a Text Modification message queue for later editing. Alliance Access itself sends
any messages that are NAKed by SWIFT to this queue. Incoming and outgoing messages
which Alliance Access cannot process automatically are sent to other message modification
queues.
You use the Message Modification application to edit the messages in these queues.
It allows you to:

• select one of several message modification queues and display a list of the messages held in
it

• select a specific message and review its contents

• make changes to a message - the changes that you can make depend on the modification
queue that the message is in

• send a modified message to the appropriate queue so that processing continues.

1.6 Application Interface


Description
The Application Interface controls the transfer of messages and files between Alliance Access
and back-office applications, printers, or any other system that communicates with Alliance
Access. Suitable messages for transferring include SWIFT FIN, MX, FileAct, and system
messages. Suitable files include payload files, or files that contain several messages (such as
for Bulk Payments).
Within the Application Interface, a message partner represents the external application or
product that communicates with Alliance Access. A message partner profile specifies how each
message partner communicates with Alliance Access, and allows you to control and monitor the
communication sessions.
Alliance Access transfers a message to a message partner through an exit point, which holds
the message in a queue before transferring it to the message partner. Each exit point is
associated with a particular message partner.

The Application Interface allows you to:

• create, modify, or remove exit points and message partner profiles

• assign an exit point to a message partner

• control and monitor communication sessions between Alliance Access and a message
partner.

1.7 Which Applications Can You Use?


Overview
The applications that you can use depend on your Alliance Access operator profile. Your
Security Officers assign a profile to you based on your role and responsibilities.
In some organisations, the Security Officers may assign more than one profile to individuals.
This is permitted as long as the profiles share no common or conflicting restrictions. For
example, if you are an operator responsible both for connecting to SWIFT and back-office
networks and for preparing messages, you would be assigned both the R7.0_Operator and the
R7.0_MsgEntry profiles.
Assuming that your Security Officers use the pre-defined profiles supplied with Alliance Access,
the applications that you can use are shown in the following table. The pre-defined profile used
is shown in brackets.

Columns:
(1) System Administrator (R7.0_Superkey)
(2) Security Officer (no visible profile)
(3) Supervisor (R7.0_Supervisor)
(4) Operator responsible for network access (R7.0_Operator)
(5) Operator responsible for message entry (R7.0_MsgEntry)
(6) RMA Administrator (R7.0_RMA_Admin)
(7) RMA Operator (R7.0_RMA_Oper)

Application                       (1) (2) (3) (4) (5) (6) (7)
Access Control                     Y   Y   Y   Y   -   -   -
Application Interface              Y   -   Y   Y   -   -   -
Calendar                           Y   -   Y   -   -   -   -
Correspondent Information File     Y   -   Y   Y   Y   -   -
Event Journal                      Y   Y   Y   -   -   -   -
Message Approval                   Y   -   Y   -   Y   Y   -
Message Creation                   Y   -   -   -   Y   -   -
Message File                       Y   Y   Y   -   -   -   -
Message Modification               Y   -   -   -   Y   -   -

Routing
Monitoring

Relationship
Management

SWIFT Support
SWIFT Interface
Security Definition

SWIFTNet Support
SWIFTNet Interface

System Management
System Administrator
(R7.0_Superkey)

Y
Y
Y
Y
Y
Y
Y
Y
Y
Security Officer
(no visible profile)

-
-
-
-

Y
Y
Y
Y
Y

Supervisor
(R7.0_Supervisor)

-
-

Y
Y
Y
Y
Y
Y
Y

Operator responsible for network access


(R7.0_Operator)

-
-
-
-
-

Y
Y
Y
Y

Operator responsible for message entry


(R7.0_MsgEntry)
-
-
-
-
-
-
-
-
-

RMA Administrator
(R7.0_RMA_Admin)
-
-
-
-
-
-
-
-

RMA Operator
(R7.0_RMA_Oper)
-
-
-
-
-
-
-
-

1.8 Support for Service Bureau


Overview
Generally, most SWIFT users connect to SWIFT directly. Connecting through a Service Bureau
is a solution for SWIFT users that want to connect indirectly to SWIFT.

[Figure: Service Bureau. Labels: SWIFT User A, SWIFT User B, SWIFT User C; WAN or other point to point connection; Connectivity Interface Solution; VPN box; SWIFTNet]

Implementing Service Bureau
For a Service Bureau to provide secure connection facilities to one or more SWIFT users, traffic
data from the different users must be strictly segregated. Traffic data segregation is performed
within Alliance Access using delegated operator profiles. These profiles govern access (for
individual Alliance Access operators) to entities controlling message delivery. Such entities
include message partners, exit points, routing, and so on. In this way, each of the individual
SWIFT users is granted access only to their particular traffic data.
The main Alliance Access application used to implement support for Service Bureau is the
Security Definition application (SDA).

Local Security Officers


Using SDA, a security officer (left security officer or right security officer) creates local security
officer profiles - typically for each of the SWIFT user institutions using the Service Bureau.
These local security officers have access to a subset of Operator Profiles, Units, and
Destinations. This subset defines the scope of the local security officer. Local security officers
can add and modify operators according to their scope. In this way, segregation of the message
traffic for each SWIFT user is maintained.
For more information about setting up Alliance Access for use with a Service Bureau, see the
Security Guide.

1.9 Introduction

1.9.1 The Alliance Access Documentation Set


Overview
The documentation set for Alliance Access consists of the following guides:

• Getting Started Guide

• Installation and Administration Guide

• Security Guide

• System Management Guide

• Daily Operations Guide

• Relationship Management Application User Guide

• Migrating from MQSA to MQ Host Adapter

• Web Services Developer Guide

Installation and Administration Guide


This guide gives detailed information about:

• configuring the operating system before the Alliance Access software is installed

• installing Alliance Access

• performing the initial Alliance Access configuration

• using System Administration application functions (for example, start and stop Alliance
Access).
This guide is of interest to those responsible for installing and configuring Alliance Access.

Security Guide
This guide provides a high-level description of the security-related features of Alliance Access. It
describes:

• the different controls available to prevent unauthorised use of Alliance Access, of Alliance
Access applications, and of specific application functions

• the message processing controls

• the Alliance Access features designed to prevent users from changing the installed software
or data files

• how to protect Alliance Access against software failure, hardware failure, or power loss

• security features of the operating system.


This guide is useful for those responsible for security as it gives an overview of the Alliance
Access security features. Other Alliance Access users may want to read the guide for
background information.

System Management Guide


This guide explains how to configure and manage Alliance Access. It gives detailed information
about the following tasks:

• stop and restart Alliance Access

• general housekeeping tasks, such as installing Message Syntax Tables and Message
Standards

• define Logical Terminals, operators, and operator profiles

• set up emission and reception profiles for MX and FileAct messages, and input channels

• configure the SWIFTNet environment

• schedule processes, such as backups and archiving

• configure system parameters

• configure queues and routing schemas

• configure other components, such as devices (on UNIX only) and connections

• manage message partner and exit point profiles used in the exchange of messages

Daily Operations Guide


This guide describes how to use Alliance Access to perform day-to-day operations. It gives
detailed information about the following tasks:

• prepare and process MT messages

• send and receive MX and FileAct messages

• resolve queries by monitoring the use of the system, examining events, or displaying details
of a message's history

• control the exchange of messages through the Application Interface

• end-of-day tasks such as archiving, backups, and reconciling message traffic


Supervisory staff can find most of their day-to-day tasks described in this guide.

Relationship Management Application User Guide


This guide provides detailed information about the Relationship Management application and
instructions for using its functionality.

Migrating From MQSA to MQ Host Adapter Guide


This guide provides existing MQSA customers with instructions for migrating from MQSA to the
Alliance Access MQ Host Adapter.

Web Services Developer Guide


This guide provides application developers with the required information to invoke the Web
Services offered by Alliance Access.

1.9.2 Related Publications


Other SWIFT documentation

• The User Handbook - Standards documentation gives precise details of SWIFT message
structures, and the use of specific fields and code words. It also describes the relation
between specific message types and the financial transactions they represent.

2 User Roles
Introduction
In a typical institution, all users of Alliance Access have specific job roles and responsibilities.
Alliance Access provides operator profiles to help an institution assign roles and tasks to users
and control who can perform specific actions in Alliance Access. Specifically, an Operator
Profile defines a set of applications and functions that an operator can use. When the profile is
assigned to an operator, then that operator has permissions to use the applications and
functions that are specified in the profile.
The Alliance Access Security Officers assign an operator profile to Alliance Access users.
Depending on the size of your institution, one user may be assigned several roles, or the same
role may be assigned to several users. Therefore, the Security Officers can assign several
operator profiles in Alliance Access to one user.

2.1 Operator Profiles


Purpose
Alliance Access consists of a number of applications, each represented by an icon.
The Alliance Access Security Officers in your institution are responsible for deciding which
applications you can use. The Security Officers do this by creating an operator definition for
each Alliance Access user. As part of this definition, the Security Officers assign an Alliance
Access profile to you.

The operator profile assigned to you depends on your job role. Your profile determines the
menus, menu options, windows, and available choices which appear on the screen when you
sign on to Alliance Access.

Operator profile definition


An operator profile defines:

• The applications that an operator is allowed to use. When an operator signs on to Alliance
Access, only the icons for applications that the operator can use appear. For example, if you
are responsible for monitoring Alliance Access to ensure that it is running smoothly, your
profile allows you to use the monitoring application. When you sign on to Alliance Access,
you see the icon for the monitoring application, together with the icons for any other
applications which your profile allows you to use. An operator that is not allowed to use the
monitoring application has a different profile, and does not see the monitoring application
icon after signing on.

• The entitlements to use functions within a particular application. For example, if you are
responsible for archiving the Message File, your profile includes entitlements both to open
the Message File application and to archive the Message File. An operator with a different
profile may only have the entitlement to open the Message File application, but not have the
entitlement to perform archiving.

• The permissions associated with an entitlement. Security Officers can use permissions to
give greater control over sensitive functions. For example, your profile may allow you to use
the Message File application. Within that application, you may have the Archive entitlement,
so that you can archive the Message File. Within the entitlement, you may have permission
to store a schedule, so that the Message File can be archived automatically at a specified
time.

Assignment of operator profiles


Any number of operators can be given the same profile, so that the duties which involve
Alliance Access can be shared within your institution. If an operator has a combination of
responsibilities, then more than one profile can be assigned to the operator, provided there is no
conflict between the entitlements and the permissions in one profile and those in another.
Alliance Access is delivered with various default profiles (pre-defined profiles) that Security
Officers can assign to new operators. If none of these profiles provide the required Alliance
Access entitlements, then your Security Officers can define new operator profiles. They can
create a completely new profile, or use an existing profile as a template.
The following sections describe each user role. It is assumed that the Security Officers have
assigned one or more of the pre-defined profiles to each user, to enable the user to perform the
role. If your Security Officers have defined their own operator profiles and assigned them to
users, then remember that your own role and profile may be different to those described here. If
you are not sure which profile is assigned to you, then ask your Security Officers.

Note If an operator's profile includes only the entitlement to open an application, then the
operator can still use various general facilities within the application. For example,
an operator with the entitlement to open the Message File application can use the
application to search for and display details of messages stored in the Message
File.

2.2 Operating System Administrator


Role
The operating system administrator for Windows (or UNIX) has the following responsibilities, as
appropriate:

• install and configure hardware and software

• create and manage Windows user groups, user accounts, and user passwords

• install Alliance Access

• perform the initial Alliance Access configuration

• use System Administration application functions (for example, to start and stop the Alliance
Access servers)

• monitor system activity, disk space, and account usage

• implement security controls within UNIX

• manage and configure UNIX-level file permissions


The operating system administrator is not necessarily an Alliance Access user. However, the
security of Alliance Access depends on the underlying security of the installation of the
operating system, for which the system administrator is responsible.

Note Alliance Access does not include a default operator profile for a UNIX system
administrator because the administrator does not have to be an Alliance Access
user.

Required reading
The operating system administrator must read the appropriate version of the Installation and
Administration Guide (UNIX or Windows) for detailed information about how to configure the
operating system and install the Alliance Access software.
For more information about the security aspects of running Alliance Access in the UNIX
environment, see the Security Guide.
The UNIX System Administrator must also read the Alliance Customer Application and
Integration Guide for detailed information about integrating local applications with Alliance
Access.

2.3 Security Officers


Overview
This section describes:

• the role of the Alliance Access Security Officers

• the Alliance Access applications used by the Security Officers

• the tasks carried out by the Security Officers

2.3.1 Role of Security Officers


Description
Security Officers play a key role in configuring and managing the security functions within
Alliance Access. To ensure that dual control is maintained over critical functions, two Security
Officers are defined in Alliance Access, each with an identical role. These are called the Left
security officer and the Right security officer.
Although some actions can be carried out by just one Security Officer, both security officers
must control sensitive security-related functions. Security Officers are not entitled to perform
operational duties, such as sending and receiving messages. This is to keep operational and
security duties completely separate.
The Security Officers (left security officer and right security officer) have ultimate responsibility
for deciding which applications and functions an operator is allowed to use.
Most Security Officer entitlements can be assigned to other operators. For example, the
entitlement to add new operators, or to left-approve or right-approve a new operator definition.
However, the entitlements to modify security parameters and to reset the other Security
Officer's password are unique to Security Officers and cannot be assigned to other operators.
No user or security officer can view or change the Security Officer's profile, entitlements, and
permissions in Alliance Access.

Note If you are using Alliance Access in a Service Bureau, then the left security officer
and right security officer may set up sub-security or local security officers to
administrate the individual operators for each participating institution. For more
information, see the Security Guide, "Support for Service Bureau".

Examples
One Security Officer can create an operator definition, but both security officers must approve
changes for the change to be implemented.

One of the officers can change the value of the security parameter that controls the number of
times that a user can enter an incorrect password before Alliance Access refuses to allow the
user to sign on. However, both Security Officers must "approve" the change for the change to
be implemented.

2.3.2 Applications Used


Introduction
The following shows an example of the Access Control for a Security Officer:

2.3.3 Security Officer Tasks


Overview
The two Security Officers have the following responsibilities:

• enter the two parts of the Alliance Access Initialisation Password and the Alliance Access
Master Password when Alliance Access is first installed

• create, modify, and remove operator definitions and profiles

• approve new or modified operator definitions and profiles

• display or reset user passwords, and modify password parameters, such as the minimum
number of characters allowed in an operator's password

• modify other security-related parameters

• perform system management functions, such as backing up archives, stopping and starting
Alliance Access

• use various Alliance Access applications to monitor the system for any security-related
problems

• assign SWIFTNet Support application permissions to other operators as needed

• define how many attempts a user can have to enter a correct password before being disabled

• define the maximum number of days during which an operator must either sign in or be
enabled. If neither occurs, then the user is disabled.

2.3.4 Alliance Access Installation


Introduction
There are certain procedures that must only be carried out when the Alliance Access software is
installed. These procedures always involve the Security Officers.

2.3.4.1 Entering the Alliance Access Initialisation Password

Description
Each copy of Alliance Access has a unique Initialisation Password. It is calculated using a
proprietary algorithm together with a hard-coded encryption key, which is known only to SWIFT.
To obtain passwords, use Secure Channel. For more information, see
http://www.swift.com/support/secure_channel.page?.
Before the intended Alliance Access installation date, Part 1 of the password is sent to the left
security officer of the purchasing organisation, and Part 2 to the right security officer.
During the software installation, the Security Officers must enter their parts of the password.
Alliance Access recalculates the Initialisation Password during installation, and if the
recalculated password does not match the values entered by the Security Officers, the
installation is aborted.

2.3.4.2 Entering the Alliance Access Master Password

Description
SWIFT also sends the two parts of the Alliance Access Master Password to each of the Security
Officers before Alliance Access installation.
During the installation, Alliance Access recalculates the Master Password. When the installation
is complete, Alliance Access recognises only the left security officer and the right security
officer. When each Security Officer signs on for the first time, they must use their part of the
Master Password as their operator password.

Before Installation

• This generates an Initialisation Password and Master Password, and sends one part of each
password to the left security officer and right security officer.

• Left security officer and right security officer store the passwords securely until they are
required.

During Installation

• Left security officer enters Part 1 of the Initialisation Password.

• Right security officer enters Part 2 of the Initialisation Password.

After Installation

• Left security officer signs on using Part 1 of the Master Password as the operator
password, and then changes the left security officer operator password.

• Right security officer signs on using Part 2 of the Master Password as the operator
password, and then changes the right security officer operator password.

Note Each Security Officer must first change their part of the Master Password before
either attempts to use any other Alliance Access facilities.

2.3.5 Maintaining Operator Definitions and Profiles


Introduction
Following Alliance Access installation, the left security officer and the right security officer are
the only two operators on the system. The Security Officers must first use the Security Definition
application to specify the password mode used on the system. For details of the different
password modes, see "Controlling Passwords" on page 31. The two Security Officers must
then use the Security Definition application to create operator definitions for the other operators
before anyone else can use the system.
An operator definition includes details such as an operator's name, unit, status, and the profiles
assigned to the operator. If your server is running on UNIX, then the operator definition also
includes the printers and terminals assigned to the operator. The procedure for creating an
operator definition is summarised in the figure in "Profiles" on page 28, and some background
information is given.

2.3.5.1 Units

Description
The use of units makes it easy to divide message processing tasks between different groups of
operators. Operators can be members of units. Incoming and outgoing messages can be
assigned to units. When an operator uses an application such as the Message File application
to search for messages, Alliance Access only displays details for messages which are assigned
to the same unit as the operator.
Within the Security Definition application, the Security Officers (left security officer and right
security officer) can use the Operator Restrict Functions security parameter to specify whether
an operator can perform operator-related actions on operators belonging to any unit, or only on
operators that belong to a subset of the same units as the operator performing the action. The
default is No, which means that an operator with the correct entitlements can open, print, add,
modify, approve, or remove operators belonging to any unit. If the parameter is set to Yes, then
an operator can only use these functions on operators that belong to a subset of the same units
as the operator performing the action. The setting of this parameter does not affect the left
security officer and right security officer, which always have unrestricted access to operator
functions.

2.3.5.2 Status

Description
All new operator definitions must be separately approved by both Security Officers, or by
operators with the Approve Operator entitlement and appropriate permissions to left-approve or
right-approve an operator. Until this has been done, the operator has a status "awaiting
approval" and cannot sign on to Alliance Access. After an operator definition is approved, that
operator's approval status is shown as "approved".

2.3.5.3 Profiles

Description
As part of the operator definition, the Security Officers (left security officer and right security
officer) also assign one or more Alliance Access profiles to the operator (see "Operator Profiles"
on page 22).
The profile determines the menus, menu options, windows, and available choices which appear
on the screen when the operator is signed on to Alliance Access:

• When an operator signs on to Alliance Access, Alliance Access only displays icons for
applications the operator is entitled to use.

• In the menus for an allowed application, Alliance Access only displays functions that the
operator is entitled to use.
To help the Security Officers define new operators, a number of default profiles are supplied
with Alliance Access. Each profile corresponds to a specific user role.
If none of the default profiles provides the required Alliance Access applications, entitlements,
or permissions, then the Security Officers can either modify an existing profile or create a
completely new profile, and then assign it to an operator.
Note that the left security officer and right security officer profiles cannot be viewed using
Alliance Access, and cannot be changed.

Note The Alliance Access Administrator can also create or update operator profiles,
assign profiles to operators, and define new operators. The default R7.0_Superkey
profile does not allow the Alliance Access Administrator to approve new or modified
operator profiles and operator definitions, to display the left or right part of a user's
system password, or to reset a user's password.

The following diagram outlines the procedure for creating an operator definition. In the absence
of one or both Security Officers (left security officer and right security officer), other operators
that have been assigned the appropriate entitlements and permissions can perform this
procedure.

Left Security Officer

• Left Security Officer signs on and opens the Security Definition Application.

• Left Security Officer enters the new operator's full name and sign-on name.

• Left Security Officer assigns unit(s) to the operator.

• Left Security Officer approves the operator.

• Left Security Officer displays the 'left' part of the operator's system password.

• Left Security Officer signs off.

Right Security Officer

• Right Security Officer signs on and opens the Security Definition Application.

• Right Security Officer approves the operator. Now that both security officers have approved
the operator, the operator is automatically enabled.

• Right Security Officer displays the 'right' part of the operator's system password.

• Right Security Officer signs off.

Both Security Officers

• Left Security Officer gives 'left' part of password to operator; Right Security Officer gives
'right' part of password to operator.

Note After installation, the left security officer and right security officer must change their
own passwords (see "Alliance Access Installation" on page 26) before following the
above procedure to create operator definitions. Alliance Access generates an
operator's system password using the operator definition and the security officers'
passwords. If either the left security officer or right security officer changes their
password while the other security officer is creating operator definitions, then any
existing operator system passwords become no longer valid. The left security
officer and right security officer have to re-display system passwords for any
operator definitions that have already been created, to see the new system
passwords generated using the changed security officer password.

2.3.6 Approving Operators


Description
By default, only the left security officer and right security officer approve new or modified
operator definitions. However, other operators can be given the entitlement to left-approve or
right-approve (not both) other operator definitions. This feature is useful in situations where the
left security officer or right security officer is unavailable and it is urgent for an operator to be
approved. An operator with the Approve Operator entitlement, and permission to left-approve or
right-approve, can display and print the left or right half respectively of an operator's system
password, and can also reset that operator's user password.
An operator with a new or modified operator definition has a status "awaiting approval" and
cannot sign on to Alliance Access. Once approved by one Security Officer, or by an operator
with the Approve Operator entitlement and appropriate permission to left-approve or
right-approve, the operator definition is shown as "awaiting approval" by the other Security Officer.
Once an operator definition has been approved by both Security Officers, or by operators with
the Approve Operator entitlement and appropriate permissions, the operator's approval status
becomes "approved".
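
The approval rules described in "Units", "Status", and "Approving Operators" can be expressed as a small model. The following Python code is an added illustration, not SWIFT code and not part of Alliance Access; the class and function names, the sample sign-on names, and the units "Payments" and "Treasury" are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

LEFT, RIGHT = "left", "right"


class ApprovalError(Exception):
    """An approval that would break dual control or unit scoping."""


@dataclass(frozen=True)
class Approver:
    name: str
    side: str                        # LEFT or RIGHT, never both
    units: frozenset = frozenset()   # units the approver belongs to
    security_officer: bool = False   # left/right security officer: unrestricted


@dataclass
class OperatorDefinition:
    sign_on_name: str
    units: frozenset
    profiles: tuple
    approvals: dict = field(default_factory=dict)   # side -> approver name

    @property
    def status(self):
        both = LEFT in self.approvals and RIGHT in self.approvals
        return "approved" if both else "awaiting approval"

    def can_sign_on(self):
        return self.status == "approved"

    def modify(self, units=None, profiles=None):
        """A modified definition goes back to 'awaiting approval'."""
        if units is not None:
            self.units = frozenset(units)
        if profiles is not None:
            self.profiles = tuple(profiles)
        self.approvals.clear()


def approve(definition, approver, restrict_functions=False):
    """Record one half of the approval; return the resulting status.

    restrict_functions models the Operator Restrict Functions parameter:
    when True, a non-security-officer may only act on operators whose
    units are a subset of the approver's own units.
    """
    if approver.side not in (LEFT, RIGHT):
        raise ApprovalError(f"{approver.name}: no left- or right-approve permission")
    if approver.side in definition.approvals:
        raise ApprovalError(f"{approver.side} half is already approved")
    if approver.name in definition.approvals.values():
        raise ApprovalError(f"{approver.name} cannot approve both halves")
    if restrict_functions and not approver.security_officer:
        if not definition.units <= approver.units:
            raise ApprovalError(f"{approver.name}: operator is outside approver's units")
    definition.approvals[approver.side] = approver.name
    return definition.status


def demo():
    """Walk constructed sample operators through the workflow."""
    lso = Approver("LSO", LEFT, security_officer=True)
    rso = Approver("RSO", RIGHT, security_officer=True)
    deputy = Approver("deputy", RIGHT, units=frozenset({"Payments"}))
    results = []

    op = OperatorDefinition("jsmith", frozenset({"Payments"}), ("R7.0_MsgEntry",))
    results.append(approve(op, lso))                          # one half only
    results.append(approve(op, deputy, restrict_functions=True))
    op.modify(profiles=("R7.0_MsgEntry", "R7.0_Operator"))
    results.append(op.status)                                 # approvals reset

    other = OperatorDefinition("akhan", frozenset({"Treasury"}), ("R7.0_Operator",))
    try:
        approve(other, deputy, restrict_functions=True)
    except ApprovalError as exc:
        results.append(str(exc))
    results.append(approve(other, rso, restrict_functions=True))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A review of real operator records can apply the same checks: no definition should show the same approver on both halves, and with Operator Restrict Functions set to Yes, no delegated approver should have acted outside their own units.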

2.3.7 Controlling Passwords


Description
After modifying and approving an operator definition, each Security Officer (or entitled operator)
can display half of the system-generated password for the new or modified operator definition.
The two halves of the password are passed to the Alliance Access operator concerned. When
signing on, the operator must combine both halves of the password (two characters from left
security officer and two characters from right security officer) to give the complete new
system-generated password.
Alliance Access can use the following password modes:

• User. Each user must first sign on using the 4-character system-generated password, but
can subsequently sign on with a user password.

• One-time password. The user must sign on using the password generated by the system.

• LDAP. The user name and password are validated against an LDAP directory.
After Alliance Access is installed, the Security Officers use the Security Definition application to
specify the password mode used on the system. They do this by selecting one of the password
modes as the value of the Password: Mode security parameter. The password mode can be
changed at any time subsequently, but the servers must always be restarted before the change
takes effect.


Note If user passwords are used, then the left security officer and right security officer
must ensure that users follow the guidelines for selecting passwords given in the
Security Guide, "Use of Passwords".

If an operator forgets their password, then a Security Officer (or an operator with the Approve
Operator entitlement) can use the Security Definition application to reset the password.
Following this, both Security Officers again pass the relevant halves of the password to the
operator to enable him to sign on.
The Security Officers (left security officer and right security officer) can also modify a number of
parameters relating to signing on and the use of passwords. For example, they can specify the
minimum number of characters that an operator can use in a password. Both the left security
officer and the right security officer must approve any modifications to these security
parameters. The entitlement to modify the parameters is unique to Security Officers and cannot
be assigned to other operators.

Note If the Reset Peer Officer Pwd security parameter is set to Yes, then each Security
Officer can reset the other Security Officer's password to the value of the Master
Password at the time of the most recent Alliance Access licensing. This is useful if
a Security Officer forgets their password. By default, the parameter is set to No,
which means that the Security Officers cannot reset each other's password.
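
The dual approval and split system password described above can be modelled in a few lines. This is an added example, not SWIFT code: the class and method names, the password character set, and the rule that one person may not give both approvals are assumptions made for the illustration.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Assumption: the guide gives the length (4) but not the character set.
ALPHABET = string.ascii_uppercase + string.digits
SIDES = ("left", "right")


class ApprovalError(Exception):
    """An approval or password action would break dual control."""


def new_system_password() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(4))


@dataclass
class OperatorDefinition:
    name: str
    approvals: dict = field(default_factory=dict)  # side -> approver
    _password: str = field(default_factory=new_system_password, repr=False)

    def status(self) -> str:
        both = all(side in self.approvals for side in SIDES)
        return "approved" if both else "awaiting approval"

    def modify(self) -> None:
        # A modified definition needs both approvals and a new password.
        self.approvals.clear()
        self._password = new_system_password()

    def approve(self, side: str, approver: str) -> None:
        if side not in SIDES:
            raise ApprovalError(f"unknown side: {side!r}")
        other = "right" if side == "left" else "left"
        # Assumption: one person may not give both approvals.
        if self.approvals.get(other) == approver:
            raise ApprovalError("left and right approver must differ")
        self.approvals[side] = approver

    def display_half(self, side: str) -> str:
        # Each side sees only its own two characters, and only after approving.
        if side not in self.approvals:
            raise ApprovalError(f"{side} approval not given yet")
        return self._password[:2] if side == "left" else self._password[2:]

    def reset_password(self) -> None:
        # After a reset both halves have to be handed over again.
        self._password = new_system_password()

    def sign_on(self, password: str) -> bool:
        # An operator that is still awaiting approval cannot sign on.
        if self.status() != "approved":
            return False
        return hmac.compare_digest(password.encode(), self._password.encode())


if __name__ == "__main__":
    op = OperatorDefinition("jdoe")  # constructed operator name
    op.approve("left", "lso")
    print(op.status())
    op.approve("right", "rso")
    combined = op.display_half("left") + op.display_half("right")
    print(op.status(), op.sign_on(combined))
```
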

2.3.8 Other Duties


Overview
The Security Officers (left security officer and right security officer) have a number of other
responsibilities that are not unique. For example, the Alliance Access Administrator has the
same or more extensive entitlements.
The Security Officers (left security officer and right security officer) can use the System
Management application to configure various system parameters that affect Alliance Access.
For example, they can specify the format Alliance Access uses when displaying the date and
time, and the time interval after which the system checks for the availability of free disk space.

Note Some parameter changes only become effective after the system is restarted.
Additionally, certain system changes can only be made if Alliance Access is in
housekeeping mode (when only a single user can sign on). The system has to be
stopped and restarted to switch between the normal operational mode (when all
users can sign on) and housekeeping mode.

The left security officer and right security officer can also use the System Management
application for the following purposes:

• create, modify, and remove devices (on UNIX only)

• change the distribution list for alarms (the list of operators to whom alarms are sent)

• back up data or the archived Message File or Event Journal (although the left security officer
and right security officer can only make manual backups, as they do not have permission to
schedule backups)

• stop or restart Alliance Access.


The Security Officers (left security officer and right security officer) can use the Routing
application to approve any changes made to the Alliance Access message routing schemas, as
can the Alliance Access Administrator and Supervisors.


On a daily basis, the left security officer and right security officer can use the Monitoring
application to monitor the system for security-related events. They have full entitlement to all the
Monitoring application functions and can hold or release message queues if necessary.
The Security Officers' entitlements to the Message File and Event Journal applications are
limited to opening the applications. This still allows the left security officer or right security officer
to use the general facilities within the applications. For example, they can use the Event Journal
application to search for and display details of events recorded in the Event Journal.
The entitlements given to Security Officers are fixed within Alliance Access and cannot be
changed. Alliance Access allows all security-related entitlements to be assigned to other
operators, except for the entitlements to modify security parameters and to reset the other
Security Officer's password.

Note The Approve Operator entitlement and its associated permission allow an
operator to left-approve or right-approve an operator, to display and print the
system-generated password for an operator, and to reset user passwords. As
these are all sensitive security-related functions, the security implications must be
considered before this entitlement is assigned to an operator.

2.4 Alliance Access Administrator


Overview
This section describes:

• the role of the Alliance Access Administrator

• the Alliance Access applications used by the Administrator, assuming that the default
Alliance Access profile is used

• the tasks carried out by the Alliance Access Administrator

2.4.1 Role of Alliance Access Administrator


Description
The Alliance Access Administrator is responsible for configuring and managing Alliance Access
and its database. The Alliance Access Administrator is also responsible for day-to-day Alliance
Access system management.
In many organisations, the same person can perform the roles of both Windows (or UNIX) System
Administrator and Alliance Access Administrator. Both the Alliance Access Administrator and
the Windows (or UNIX) System Administrator are involved in installing Alliance Access and
performing administrative tasks, such as backing up and restoring Alliance Access data.

Note The Alliance Access System Administration application is not available on an
Alliance Workstation. It runs only on an Alliance Access server.

Default operator profile


The default profile R7.0_SuperKey is associated with the Alliance Access Administrator, which
gives the administrator access to all licensed Alliance Access applications.
The Alliance Access Administrator can use the same application functions as Supervisors, and
is additionally able to create, verify, authorise, or modify messages.


Note If your Security Officers have modified the default R7.0_Superkey profile, or
defined their own Alliance Access Administrator profile and assigned it to you, then
the tasks and functions available to you may be different to those described in the
documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.

Recommended reading
The Alliance Access Administrator must read the Installation and Administration Guide for
detailed information about the installation of Alliance Access software. This guide also describes
how to use the System Administration application to perform administrative tasks.

2.4.2 Applications Used


Description
If an operator is assigned the default R7.0_SuperKey operator profile, then that operator can
open and use all licensed Alliance Access applications, which are available through the Access
Control window.
The following shows an example of the Access Control for an Alliance Access Administrator
with the default R7.0_SuperKey profile:

2.4.3 Alliance Access Administrator Tasks


Description
Assuming that an operator has been assigned the R7.0_SuperKey profile, an Alliance Access
Administrator shares responsibility with the Security Officers for:

• creating, modifying, and removing operator definitions, profiles, and units (for details, see
"Maintaining Operator Definitions and Profiles" on page 27)

• performing certain system management functions (for details, see "Other Duties" on
page 32).


The Alliance Access Administrator shares responsibility with Supervisors for:

• managing message partner and exit point profiles to be used when exchanging messages
with other systems (for details, see "Managing Message Exchange Sessions" on page 42)

• managing the calendar(s) (for details, see "Managing the Calendar and Scheduling
Archiving" on page 42)

• managing the correspondent, country, and currency records in the Correspondent
Information File (CIF) (for details, see "Managing the Correspondent Information File" on
page 42)

• verifying and authorising messages created or modified by other operators (for details, see
"Verifying and Authorising Messages" on page 43)

• managing and approving routing schemas, rules, and keywords (for details, see "Managing
Routing" on page 43)

• creating, modifying, and removing operator definitions, profiles, and units (for details, see
"Maintaining Operator Definitions, Profiles, and Units" on page 44)

• managing the SWIFT network connection (for details, see "Managing the SWIFT Network
Connection" on page 44)

• managing emission and reception profiles to exchange messages through SWIFTNet (for
details, see "Managing the SWIFTNet Network Connection" on page 37)

• managing Logical Terminals (LTs), Application Service Profiles, Message Standards, and
Value-Added Service (VAS) parameter files (for details, see "Managing LTs, MSTs, Message
Standards, and Parameter Files" on page 44)

• performing system management functions (for details, see "Other Duties" on page 45)

• using various Alliance Access applications to investigate problems and get further information
about them (for details, see "Other Duties" on page 45).

The Alliance Access Administrator has sole responsibility for certain communications session
tasks and for some message preparation activities.
The Alliance Access Administrator has sole responsibility for the following activities:

• managing the calendar

• managing the SWIFT network connection

• defining Logical Terminals (LTs) and installing Application Service Profiles

• performing system management functions (such as archiving).

2.4.3.1 Controlling Sessions

Description
The Alliance Access Administrator can use the SWIFT Interface application to enable or disable
automatic reconnection to the SWIFT network when a logical terminal session is interrupted.


2.4.3.2 Preparing MT Messages

Description
Supervisors' access is limited to using the Message Approval application to verify messages
created or modified by other operators, or authorise messages verified by someone else.
However, the Alliance Access Administrator has full access to all the message preparation
functions.
The Alliance Access Administrator can use the Message Creation application to:

• create SWIFT user and system messages of any type

• create, modify, and remove message templates

• broadcast a single MT 999 message to multiple correspondents

• bypass message verification and authorisation for messages of any type (this means the
System Administrator can dispose a newly created message directly to the outbound SWIFT
message queue)

• use the FINCopy service to copy a message to a central clearing institution

• route newly created messages to the next default message queue (the Authorisation queue
for all system messages and any MT 999 messages, and the Verification queue for all other
SWIFT user messages).

The Alliance Access Administrator can use the Message Approval application to:

• verify and authorise messages created or modified by anyone

• bypass message authorisation for verified messages of any type

• authorise a group of messages without displaying the contents of the messages first

• route newly created messages to the next default message queue (the Authorisation queue
for all verified SWIFT user messages, and the appropriate outbound network queue for all
authorised messages, system messages, and MT 999 messages).

The Alliance Access Administrator can use the Message Modification application to:

• modify messages in any of the modification queues, including the Emission Security
Modification queue (where Alliance Access routes outgoing messages which fail
authentication) and the Reception Security Modification Queue (where Alliance Access
routes incoming messages which fail authentication)

• complete (discard) messages in the Text Modification queue

• re-authenticate a group of messages in the Emission Security Modification Queue

• bypass authentication for a group of messages in the Reception Security Modification Queue

• bypass message verification and authorisation for modified messages of any type

• route modified messages to the next default message queue (the Authorisation queue for all
system messages and any MT 999 messages, and the Verification queue for all other SWIFT
user messages).


2.4.3.3 Managing the Calendar and Scheduling

Description
The Alliance Access Administrator can use the Calendar application to create or modify
calendar(s).
Once a calendar has been set up, the Alliance Access Administrator can schedule processes to
occur automatically at specific times. The Alliance Access Administrator can use:

• the Event Journal application to schedule the archive of the Event Journal

• the Message File application to schedule the archive of the Message File

• the SWIFT Interface application to schedule automatic actions to take place, such as
selecting the FIN service

• the System Management application to schedule automatic backups of data (but not events
or messages), or automatic stopping or starting of Alliance Access.

• the SWIFTNet Interface application to schedule the activation or deactivation of emission and
reception profiles.

• the Relationship Management application to schedule the export of authorisations.

2.4.3.4 Managing the SWIFT Network Connection

Description
The Alliance Access Administrator can use the SWIFT Interface application to:

• create, modify, or remove details of the lines used to connect to FIN

• schedule automatic actions to take place, such as selecting the FIN service or logging off
from the SWIFT network.

2.4.3.5 Managing the SWIFTNet Network Connection

Description
The SWIFTNet Interface application enables the Alliance Access Administrator to:

• define, enable, and activate emission and reception profiles used for sending and receiving
MX and FileAct messages over SWIFTNet

• set up schedules for automatic activation and deactivation of these profiles.

2.4.3.6 Managing LTs, MSTs and Message Standards

Overview
The Alliance Access Administrator can use the SWIFT Support application to:

• install Application Service Profiles

• install Message Standards

• define Logical Terminals (LTs) and assign them to Application Service Profiles.

For more information, see "SWIFT Support Application" on page 12.


2.4.3.7 Other Duties

Description
The Alliance Access Administrator has a number of other responsibilities which are like those of
the Security Officers, but the Alliance Access Administrator has more extensive entitlements.
The Alliance Access Administrator can use the System Management application to:

• configure various system parameters (for example, a parameter can be used to specify a
script that is called whenever an alarm occurs)

• define events that must be treated as alarms, and specify the distribution list for alarms (the
list of operators to whom alarms are sent)

• stop and restart Alliance Access, either manually or automatically (by using scheduling)

• create, modify, and remove devices (on UNIX only)

• back up or restore software, data, and archives (backups can take place manually or can be
scheduled to occur automatically).

The Alliance Access Administrator can use the Message File application to:

• supervise message processing

• archive the Message File, either manually or automatically (by using scheduling)

• complete (discard) a message instance, move it to another routing point, re-assign it to
another unit, or change its priority.

The Alliance Access Administrator can use the Event Journal application to:

• investigate events

• archive the Event Journal, either manually or automatically (by using scheduling)

• supervise message processing.


The Alliance Access Administrator can use the Monitoring application to:

• monitor the system

• hold or release message queues if a problem develops

• check the status of incoming and outgoing file transfers

• stop an application process (for example, to terminate the GUI processes if they remain
running after an Alliance workstation is switched off or disconnected).

2.5 Relationship Management Administrators


Overview
This section describes:

• the role of the Alliance Access Relationship Management Application Administrator

• the Alliance Access applications used by the Relationship Management Application
Administrator, assuming that the default operator profile is used

• the tasks carried out by the Relationship Management Application Administrator


Role
The role of the Relationship Management Application Administrator is to manage the
authorisations and query messages in the Relationship Management data store. Although a
Relationship Management Application Administrator cannot create or modify authorisations, a
Relationship Management Application Administrator can verify and authorise outgoing
messages prepared by others.

Default operator profile


Alliance Access includes a default operator profile, R7.0_RMA_Admin, to provide access to the
functionality required by a Relationship Management Application Administrator.

Note If your Security Officers have modified the default R7.0_RMA_Admin profile, or
defined their own profile and assigned it to you, then the tasks and functions
available to you may be different to those described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.

2.5.1 Applications Used


Description
The R7.0_RMA_Admin profile provides access to specific functions in the Relationship
Management Application. For more information about these functions, see "Standard Default
Profiles" in the System Management Guide.

2.5.2 Relationship Management Application Administrator Tasks


Tasks
In the default operator definition, the Relationship Management Application Administrator has
the sole responsibility to perform the following tasks:

• accepting or rejecting an authorisation

• revoking an authorisation

• deleting a draft of an authorisation

• approving an authorisation that a Relationship Management Application Operator created

• removing expired authorisations or queries and answers from the data store

• importing the authorisations from a distribution file, or exporting authorisations to a
distribution file

• defining or approving a list of BICs for which Relationship Management Application Operators
can create granular authorisations

• defining or modifying the selected that is the Signing BIC for a Test and Training
authorisation


2.6 Supervisors


Overview
This section describes:

• the role of the Alliance Access Supervisors

• the Alliance Access applications used by Supervisors, assuming that the default Alliance
Access profile is used

• the tasks carried out by Supervisors.

2.6.1 Role of Supervisors


Overview
Alliance Access Supervisors have a wide range of responsibilities. They make any necessary
configuration changes to Alliance Access. They also verify and authorise outgoing messages
prepared by others but they cannot create or modify messages.
Supervisors also perform sensitive operational duties, such as archiving data. A supervisor has
access to most Alliance Access applications and can use most of the normal operational
functions.
Alliance Access includes a pre-defined operator profile which provides this functionality, called
R7.0_Supervisor.

Default operator profile


The default profile R7.0_Supervisor is associated with the Alliance Access Supervisor.
If an operator is assigned the R7.0_Supervisor profile, then this gives the operator access to all
standard Alliance Access applications, the Message Creation application and the Message
Modification application.

Note If your Security Officers have modified the default R7.0_Supervisor profile, or
defined their own Supervisor profile and assigned it to you, then the tasks and
functions available to you may be different to those described in the
documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.


2.6.2 Applications Used


Description
The following shows an example of the Access Control for an Alliance Access Supervisor with
the default R7.0_Supervisor profile:

2.6.3 Supervisor Tasks


Overview
Assuming that an operator has been assigned the R7.0_Supervisor profile, a Supervisor has
the following responsibilities:

• manage message partner and exit point profiles used when exchanging messages with other
systems

• manage the calendar(s) and scheduling

• manage the correspondent, country, and currency records in the Correspondent Information
File (CIF)

• verify and authorise messages

• manage and approve routing schemas, rules, and keywords

• create, modify, and remove operator definitions, profiles, and units

• manage the SWIFT network connection

• manage emission and reception profiles to exchange messages and files through SWIFTNet

• manage Logical Terminals (LTs), Application Service Profiles, Message Standards, and
Value-Added Service (VAS) parameter files

• perform system management functions, such as backing up archives

• use various Alliance Access applications to investigate problems


2.6.3.1 Managing Message Exchange Sessions

Description
Alliance Access can exchange messages with other external systems, known as message
partners, through exit points. Each exit point is associated with a specific message partner.
A Supervisor uses the Application Interface application to create, modify, or remove message
partner profiles and exit point profiles. In a message partner profile, the Supervisor specifies
details such as:

• the direction in which messages are exchanged with the message partner

• the connection method used to transfer the messages.


In an exit point profile, the Supervisor specifies details such as:

• the message partner to which the exit point is assigned

• the other exit points to which any copies of messages are routed.

Supervisors also have access to the same functions as operators, that is, they can start, stop,
run, or abort a message exchange session with a selected message partner.

2.6.3.2 Managing the Calendar and Scheduling Archiving

Description
A Supervisor can use the Calendar application to create or modify calendar(s) for this year or
next year only.
Once a calendar has been set up, the Supervisor can use other Alliance Access applications to
schedule processes to occur automatically at specific times. The Supervisor can use:

• the Event Journal application to schedule the archive of the Event Journal

• the Message File application to schedule the archive of the Message File

• the SWIFT Interface application to schedule automatic actions to take place, such as
selecting the FIN service

• the System Management application to schedule automatic backups of Event Journal or
Message File archives, or automatic backups of saved data (except events and messages),
or automatic stopping or starting of Alliance Access.

2.6.3.3 Managing the Correspondent Information File

Description
A Supervisor can use the Correspondent Information File application to update the
Correspondent Information File (CIF). The CIF contains correspondent, country, and currency
records. Alliance Access uses values from the CIF during message preparation. A Supervisor
can use the application to:

• create, modify, or remove correspondent, country, and currency records automatically by
updating the CIF from a SWIFT Alliance Bank File

• create, modify, or remove correspondent, country, and currency records manually

• create, modify, or remove correspondent aliases.


2.6.3.4 Installing the SWIFT Alliance Bank File

Description
A Supervisor can use the Correspondent Information File application to install the SWIFT
Alliance Bank File that SWIFT distributes periodically. This file contains the BICs (business
identifier codes) of all the institutions that currently use the SWIFT network, either directly or
through another party. Alliance Access uses information from the Bank File during message
preparation and message exchange, to display BICs in expanded format.
SWIFT also makes available an update file that contains details of all entries that have been
added, modified, or deleted since the last BIC was issued. The Supervisor can use this file to
update the Correspondent Information File.

2.6.3.5 Verifying and Authorising Messages

Description
A Supervisor can use the Message Approval application to display messages from either the
Verification queue or the Authorisation queue.
Normally, operators verify messages, but the Supervisor can do so if necessary. Message
verification involves re-entering data (such as an amount or a value date) in the verifiable fields
(for details, see "Verifying MT Messages" on page 51).
To authorise a message, the Supervisor simply gives the message a final visual check and then
disposes the message to the outbound network queue specified within the message (for
example, to the SWIFT network).
If errors are discovered during message authorisation, then the Supervisor moves the message
to the Text Modification queue for later editing. A message may need to be modified because it
contains a data entry error such as an incorrect account number, or a correspondent address
that is not valid.
Supervisors cannot verify or authorise messages that they have created, modified, or already
verified. However, the Alliance Access Administrator or another Supervisor can verify and
authorise such messages.
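
The separation of duties described in this section can be expressed as a small queue model. This is an added example, not SWIFT code: the class, the queue handling on a verification mismatch, and the sample MT 103 payment are constructed for the illustration, the rule is applied to every actor, and the Administrator's bypass entitlement is not modelled.

```python
from dataclasses import dataclass, field


class DutyViolation(Exception):
    """The actor already created, modified or verified this message."""


@dataclass
class Message:
    mt: str            # message type, for example "103" or "999"
    fields: dict       # field name -> value
    verifiable: tuple  # fields that must be re-entered at verification
    creator: str
    system: bool = False
    queue: str = field(init=False, default="")
    touched_by: set = field(init=False, default_factory=set)

    def __post_init__(self):
        self.touched_by = {self.creator}
        self.queue = self._default_queue()

    def _default_queue(self) -> str:
        # System messages and MT 999 go straight to authorisation;
        # all other user messages must be verified first.
        if self.system or self.mt == "999":
            return "Authorisation"
        return "Verification"

    def _require(self, queue: str, actor: str) -> None:
        if self.queue != queue:
            raise ValueError(f"message is in {self.queue!r}, not {queue!r}")
        if actor in self.touched_by:
            raise DutyViolation(f"{actor} already handled this message")

    def verify(self, actor: str, reentered: dict) -> bool:
        """Blind re-entry of the verifiable fields by an independent actor."""
        self._require("Verification", actor)
        if any(reentered.get(k) != self.fields[k] for k in self.verifiable):
            return False  # assumption: a mismatch leaves the message queued
        self.touched_by.add(actor)
        self.queue = "Authorisation"
        return True

    def authorise(self, actor: str, looks_correct: bool = True) -> str:
        """Final visual check: release the message or send it back for editing."""
        self._require("Authorisation", actor)
        self.queue = "outbound" if looks_correct else "Text Modification"
        return self.queue

    def modify(self, actor: str, changes: dict) -> str:
        """Edit a rejected message; it then restarts at its default queue."""
        if self.queue != "Text Modification":
            raise ValueError(f"message is in {self.queue!r}")
        self.fields.update(changes)
        # Earlier handlers stay recorded, so they cannot approve the new text.
        self.touched_by.add(actor)
        self.queue = self._default_queue()
        return self.queue


if __name__ == "__main__":
    # Constructed sample payment; operator names are placeholders.
    msg = Message("103", {"amount": "1500,00", "value_date": "101231",
                          "account": "12345"}, ("amount", "value_date"), "alice")
    print(msg.verify("bob", {"amount": "1500,00", "value_date": "101231"}))
    print(msg.authorise("carol"))
```
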

2.6.3.6 Managing Routing

Description
A Supervisor can use the Routing application to maintain the Alliance Access routing schemas.
A routing schema defines how messages flow through the Alliance Access system. Many
different schemas can be created, although only one schema can ever be active at a time.
A schema consists of a series of routing points. At each routing point, there is a message
queue. A series of rules at the routing point define how different types of messages from the
queue are routed. If a message satisfies a routing rule, then it is sent to the point specified in
that rule.
Each routing rule is made up of a sequence of keywords. There are a series of standard
keywords which can be combined in many different ways to give different routing rules.
The Supervisor has entitlements to use any Routing application function. The Supervisor can
activate or deactivate a routing schema and create, modify, or remove routing schemas, rules,
or keywords.


2.6.3.7 Maintaining Operator Definitions, Profiles, and Units

Description
A Supervisor, like the Security Officers, can use the Security Definition application to create
operator definitions which can be assigned to new operators (see "Maintaining Operator
Definitions and Profiles" on page 27 for details).
However, unlike Security Officers, Supervisors cannot approve operators, reset passwords, or
change password parameters.
Also, Supervisors are entitled to create, modify, remove, and approve definitions of units.

2.6.3.8 Managing the SWIFT Network Connection

Description
A Supervisor can use the SWIFT Interface application to:

• create, modify, or remove details of the connection to the SWIFT network

• schedule automatic actions to take place, such as selecting the FIN service or logging off
from the SWIFT network

• define delivery subsets (the delivery queues which SWIFT stores output messages in).

2.6.3.9 Managing the SWIFTNet Network Connection

Description
The SWIFTNet Interface application enables the Alliance Access Administrator to:

• define, enable, and activate emission and reception profiles used to send and receive MX
and FileAct messages over SWIFTNet

• set up schedules for automatic activation and deactivation of these profiles.

2.6.3.10 Managing LTs, MSTs, Message Standards, and Parameter Files

Description
A Supervisor can use the SWIFT Support application to:

• install Application Service Profiles

• define Logical Terminals (LTs) and assign them to MST entries

• install Message Standards

• install Value-Added Service (VAS) parameter files.


However, a Supervisor cannot activate or deactivate a VAS file. Only the Alliance Access
Administrator can do this.
For more information about Application Service Profiles, LTs, Message Standards, and VAS,
see "SWIFT Support Application" on page 12.


2.6.3.11 Other Duties

Description
A Supervisor has a number of other responsibilities which are like those of the Security Officers,
but the Supervisor has more extensive entitlements, as outlined further. The Supervisor can use
the System Management application to:

• configure various system parameters

• stop and restart Alliance Access. If a calendar has been set up, then the Supervisor can also
schedule Alliance Access to stop and restart automatically at specific times.

• create, modify, and remove devices (on UNIX only) and event distribution lists

• back up and restore data and archives. If a calendar has been set up, then the Supervisor
can also schedule the backup of Alliance Access data (excluding archive files) to occur
automatically at specific times.

The Supervisor can use the Message File application and the Event Journal application to help
in supervising the activities of operators, and can also:

• if a calendar has been set up, schedule Message File or Event Journal archiving to occur
automatically at specific times

• complete (discard) a message instance, move it to another routing point, re-assign it to
another unit, or change its priority.

• use the Monitoring application to monitor the system, and hold or release message queues if
a problem develops.

2.7 Operators


Overview
This section describes:

• the role of Alliance Access operators

• the Alliance Access applications used by operators, assuming that the default Alliance
Access profiles are used

• the tasks carried out by operators.

2.7.1 Role of Operators


Description
The role of the operator in Alliance Access is centred on the processing of messages. An
operator does not have access to security-related functions. It is assumed that supervisors or
other privileged operators have correctly set up all configuration, message routing and
administrative parameters.
Some institutions already have back-office applications that also process SWIFT messages.
These institutions create most of their messages on the back-office applications and exchange
messages or files with their counterparties over the SWIFT network by sending and
receiving the data through Alliance Access.


Therefore, Alliance Access provides two specific types of operator:

• operators that must be able to sign on to control the flow of messages passing between the
SWIFT network, Alliance Access and back-office systems. These operators do not require
access to the day-to-day message preparation functions.

• operators concerned with the actual creation, verification, and modification of messages
within Alliance Access.

In practice, the same operators may be responsible for all message processing, regardless of
the message's origin.

Default operator profiles


The following two default profiles are associated with the Alliance Access operator:

• R7.0_Operator: allows a user to sign on to the SWIFT network and process messages
passing between Alliance Access and other systems.

• R7.0_MsgEntry: allows a user to create and process messages within Alliance Access, but
does not allow them to connect to the SWIFT network or control the message flow.
This profile does not include the entitlement to use the Access Control application, and so
does not allow a user to sign on to Alliance Access. The profile is not designed to be used on
its own, but can be assigned to an operator if another profile is also assigned, which does
include the entitlement to use the Access Control application.

Note If your Security Officers have modified the default R7.0_Operator and
R7.0_MsgEntry profiles, or defined their own operator profile and assigned it to
you, then the tasks and functions available to you may be different to those
described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.

2.7.2 Applications Used


R7.0_Operator
If an operator is assigned the default profile called R7.0_Operator, then this gives the operator
access to all the applications necessary to connect to the SWIFT network and control the
message flow between Alliance Access and other systems.
The following shows an example of the Access Control for an Alliance Access operator with
the default R7.0_Operator profile:


R7.0_MsgEntry and R7.0_Operator


The following shows an example of the Access Control for an Alliance Access operator with
the default R7.0_Operator and R7.0_MsgEntry profiles:

2.7.3 Operator Tasks


R7.0_Operator
Assuming that an operator has been assigned the R7.0_Operator profile only, the operator has
the following responsibilities:

• log on to and out of the SWIFT network

• monitor and control message exchange sessions with other systems

• modify alias or correspondent details in the Correspondent Information File (CIF).

R7.0_MsgEntry and R7.0_Operator


If the operator has been assigned both the R7.0_Operator and the R7.0_MsgEntry profiles, then
the operator also has the following responsibilities:

• create messages, that is, actually enter the text of the message

• verify that sensitive data in messages is correct

• modify messages.

2.7.4 Connecting to SWIFT and Exchanging Messages


Description
Operators are responsible for managing the flow of messages between external systems,
Alliance Access and the SWIFT network.

2.7.4.1 Logging In to and Out of the SWIFT Network

Description
To send and receive messages on the SWIFT network, an operator first uses the SWIFT
Interface application to log on to APC (Application Control) from a Logical Terminal. APC
controls communications between the logical terminal and the SWIFT network.
After logging on to APC, the operator selects FIN (the Financial Messaging Service). The FIN
service is used to send and receive messages on the SWIFT network.


Once a communication session is established between a logical terminal and the SWIFT
network, the operator can use the SWIFT Interface application to monitor details such as the
status of the session, and how many messages are waiting to be sent.
To disconnect from the SWIFT network, the operator quits from FIN and then logs off from APC.

2.7.4.2 Monitoring and Controlling Message Exchange Sessions

Description
Operators use the Application Interface application to monitor and control the exchange of
messages with other systems. Messages are sent to exit points within Alliance Access. Each
exit point is associated with an external message partner, such as a back-office system.
Each message partner has a profile that defines the connection method used for
communication with that message partner. Operators do not create or maintain these details,
but they can:

• select a message partner and start a message exchange session with that partner - the
messages can be input to Alliance Access or output from it

• monitor the progress of a message exchange session

• stop a message exchange session - the session stops after the message or message file has
been transferred

• abort a message exchange session - the session stops immediately.

2.7.4.3 Connecting to the SWIFTNet Network

Description
To exchange messages through SWIFTNet, you must define, enable and activate emission and
reception profiles for the SWIFTNet interface. This is performed using the SWIFTNet Interface
application. This application is only available if licensed at your organisation.

2.7.4.4 Modifying the Correspondent Information File (CIF)

Description
Operators use the Correspondent Information File application to modify correspondent records
or alias details in the Correspondent Information File (CIF). Operators cannot add or remove
records. They can modify correspondent or alias details, but not country or currency records.
Correspondent records include information such as a correspondent's BIC-11, name and
address, and so on. During message preparation, Alliance Access takes details from the
appropriate correspondent record and includes them in the message.
An alias is an alternative name by which one or more correspondents is known. During
message preparation, a message can be addressed to an alias. If a single MT 999 message is
addressed to an alias for a group of correspondents, then Alliance Access sends a copy of the
message to every correspondent automatically.


2.7.5 Preparing Messages


Introduction
Assuming that operators are assigned both the R7.0_Operator and the R7.0_MsgEntry profiles,
they are responsible for the creation, verification and modification of MT messages within
Alliance Access. Messages can be sent to the SWIFT network or through the Application
Interface to an external system.
Messages are held in message queues within Alliance Access. Each message queue has a set
of routing rules which determine the flow of messages from one queue to the next.
Assuming that the default routing rules apply, the following figure shows a simplified version of
the normal message flow for SWIFT messages. The flow of invalid and modified messages to
and from the Text Modification queue is also shown. In these cases an operator must move the
messages - Alliance Access does not route messages to the Text Modification queue as part of
the normal message flow.

[Figure D0540015: Normal message flow for SWIFT messages. Queues shown: Message Creation
Queue, Verification Queue, Text Modification Queue, Authorisation Queue, Outbound Network
Queue. Flow labels: Invalid SWIFT Messages; Valid SWIFT Messages; Verification Failure;
MT999, FIN System, Application Control System Messages; Modified SWIFT Messages; Verified
SWIFT Messages; Modified Messages; Authorisation Failure; Authorised Messages.]


2.7.5.1 Valid and Invalid Messages

Description
During message preparation, Alliance Access validates the text of any newly created or
modified SWIFT message to ensure that:

• all mandatory text fields have been completed

• the message is syntactically correct according to the validation checks performed by the
relevant application.
Invalid SWIFT messages are those which contain identifiable errors such as:

• missing or empty mandatory fields or subfields

• syntax errors within a field or a subfield

• an invalid number of occurrences of a sequence or loop.

Alliance Access does not allow an operator to send an invalid message to the "next" message
queue as shown in the figure in "Preparing Messages" on page 49, but the operator can move
the message to the Text Modification queue for later processing.

2.7.5.2 Creating Messages

Description
Operators use the Message Creation application to create MT messages within Alliance
Access. An operator can either create a completely new message, or base a new message on
an existing template. A template is a partially completed message. Using a template speeds up
message creation.
An operator always defines the following details for each new message:

• The identity of the sender and the receiver - that is, which financial institution is sending the
message, and which institution receives the message. Together with the message type,
message priority, and so on, these details make up the message header.

• The text of the message. An experienced operator who is familiar with the structure and
syntax of SWIFT messages can enter the text in fast mode, where Alliance Access provides
no help. A less experienced operator can use prompted mode, where Alliance Access gives
on-screen assistance for each field or subfield in the message.

• The network application used to send the message. A message can be sent to the SWIFT
network or to the Application Interface.
The operator can also view the security data needed to authenticate the message, and report
any authentication problems to the Alliance Access Administrator.
After creating a message, the operator can dispose the message to the next message queue for
further processing. When an operator disposes a message, Alliance Access displays a list of
message queues and the operator selects one from the list. If the Security Officers have changed
the default profiles slightly, then the operator may instead be able to route the message, in which
case Alliance Access sends the message automatically to the next default message queue. As the
figure in "Preparing Messages" on page 49 shows, newly created SWIFT financial messages
are normally sent to the Verification message queue. Other types of message are normally sent
to the Authorisation message queue.
If the message is not valid or requires further editing, then the operator can instead move it to
the Text Modification queue and deal with it later.


2.7.5.3 Verifying MT Messages

Description
To ensure the accuracy of each SWIFT financial message before it is sent, a second operator
usually verifies the message. The operator uses the Message Approval application to display a
message from the Verification queue. The important verifiable fields (such as an amount or a
value date) are shown without any data in them. The second operator must enter this data
again.
The data entered by the second operator is automatically compared with the data entered by
the first operator. If there are any discrepancies, then the disputed field changes to the error
colour and an event is recorded in the Event Journal. The operator can then try again to verify
that particular field.
A message may fail verification because one of the two operators enters the data incorrectly. If
this happens, then the message can be sent back to the Text Modification queue for editing.
Once the original message has been corrected, it must again be submitted for verification.
Operators cannot verify their own messages, that is, messages which they created originally or
modified.
After verifying a message, the operator normally disposes it to the Authorisation queue so that a
supervisor can make a final check on the message before it is sent. Alliance Access only allows
a verifiable message to be sent to the Authorisation queue if all fields in the message have been
successfully verified.
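
The verification rules described above (blanked fields re-keyed by a second operator, no self-verification, re-verification after any edit) can be modelled as follows. This is an added illustration in Python, not Alliance Access code; the field names, the `VERIFIABLE` tuple, the constructed `SAMPLE` message and all function names are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

VERIFIABLE = ("amount", "value_date")  # assumed verifiable fields
# Constructed sample message content (not real data)
SAMPLE = {"receiver": "EXAMPLE-BIC", "amount": "1000,00", "value_date": "101231"}


class VerificationError(Exception):
    pass


@dataclass
class Message:
    creator: str
    fields: dict
    queue: str = "Verification"
    editors: set = field(default_factory=set)    # created or modified it
    verified: set = field(default_factory=set)   # fields re-keyed correctly
    journal: list = field(default_factory=list)  # stand-in for Event Journal

    def __post_init__(self):
        self.editors.add(self.creator)


def blind_view(msg):
    """What the verifier sees: verifiable fields are shown empty."""
    return {k: "" if k in VERIFIABLE else v for k, v in msg.fields.items()}


def verify_field(msg, operator, name, rekeyed):
    """Compare the second operator's re-keyed value with the original."""
    if operator in msg.editors:
        raise VerificationError("operators cannot verify their own messages")
    if msg.fields[name] == rekeyed:
        msg.verified.add(name)
        return True
    msg.journal.append(f"verification mismatch: {name} ({operator})")
    return False  # the operator may try this field again


def dispose_to_authorisation(msg):
    """Allowed only once every verifiable field has been verified."""
    missing = [f for f in VERIFIABLE if f in msg.fields and f not in msg.verified]
    if missing:
        raise VerificationError(f"unverified fields: {missing}")
    msg.queue = "Authorisation"


def modify(msg, operator, name, value):
    """Edit in Text Modification; the corrected message is verified again."""
    msg.fields[name] = value
    msg.editors.add(operator)
    msg.verified.clear()
    msg.queue = "Verification"
```

Because `modify` adds the editing operator to `editors` and clears `verified`, an operator who corrects a message cannot then verify it, which is the separation-of-duties property the section describes.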

2.7.5.4 Authorising Messages

Description
If the default profiles are used, then operators cannot authorise messages. Authorisation can
only be carried out by Supervisors or the Alliance Access Administrator. See "Supervisors" on
page 40 for details.

2.7.5.5 Modifying Messages

Description
Operators can send messages that fail validation or verification to a Text Modification message
queue for later editing. Alliance Access also routes incoming and outgoing messages which it
cannot process automatically to other message modification queues.
There are five modification queues in Alliance Access. Operators with the default
R7.0_MsgEntry profile can use the Message Modification application to edit the messages in
the following queues:

• Text Modification Queue

• Transmission Modification Queue

• Modification After Reception Queue.


Alliance Access routes messages which it cannot authenticate to the following queues:

• Emission Security Modification Queue (for outbound messages - for example, to SWIFT)

• Reception Security Modification Queue (for inbound messages - for example, from SWIFT)
Operators cannot usually solve authentication problems. The Alliance Access Administrator
must handle these problems.


The three message queues that operators can access are each described briefly in this
section.

Text Modification Queue


By default, Alliance Access routes any outbound SWIFT messages which are rejected (that is,
NAKed) by the SWIFT network to the Text Modification queue. Operators can also move or
dispose a message to the Text Modification queue because the message is incomplete or
contains errors.
An operator can use the Message Modification application to make any changes to a message
in the Text Modification queue. Modified messages still must be verified and authorised, as
shown in "Preparing Messages" on page 49. If necessary, an operator can complete (discard) a
message.

Transmission Modification Queue


For MT messages, an operator can only use the Message Modification application to change
details for the network application used to send the message. The operator cannot change the
text of the message.
The operator can view the security data needed to authenticate the message, and report any
authentication problems to the Alliance Access Administrator.

2.8 Relationship Management Operators


Overview
This section describes:

• the role of an Alliance Access Relationship Management Operator

• the Alliance Access applications used by Relationship Management Operators, assuming
that the default Alliance Access profiles are used

• the tasks carried out by Relationship Management Operators.

Role
The role of the Relationship Management Operator is to create or modify an authorisation that
allows a correspondent to send messages to your institution. A Relationship Management
Application Operator does not have the permissions, by default, to perform other tasks related
to authorisation management (that is, accept, reject, revoke, and so on).

Default operator profile


The default profile, R7.0_RMA_Oper, is associated with the Relationship Management
Operator.

Note If your Security Officers have modified the default R7.0_RMA_Oper profile, or
defined their own profile and assigned it to you, then the tasks and functions
available to you may be different to those described in the documentation.
If you are not sure which profile is assigned to you, then ask your Security Officers.


2.8.1 Applications Used


Description
The R7.0_RMA_Oper profile provides access to specific functions in the Relationship
Management Application. For more information about these functions, see "Standard Default
Profiles" in the System Management Guide.

2.8.2 Relationship Management Application Operator Tasks


Tasks
A Relationship Management Application Operator can perform the following tasks:

• create an authorisation (normal or granular authorisation)

• modify an authorisation

• print an authorisation

• send a query message to a correspondent, which requests information

• answer a query message from a correspondent


Legal Notices
Copyright
SWIFT © 2010. All rights reserved.
You may copy this publication within your organisation. Any such copy must include these legal notices.

Confidentiality
This publication may contain SWIFT or third-party confidential information. Do not disclose this publication
outside your organisation without the prior written consent of SWIFT.

Disclaimer
SWIFT supplies this publication for information purposes only. The information in this publication may
change from time to time. You must always refer to the latest available version on www.swift.com.

Translations
The English version of SWIFT documentation is the only official version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT,
the SWIFT logo, 3SKey, Innotribe, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service, or
company names in this publication are trade names, trademarks, or registered trademarks of their respective
owners.
