Entitlements Flashcards
What are entitlements?
Entitlements define what a user is allowed to do using a specific system
What types of entitlements are there?
Access Control - Governs and enforces the data a user has access to, the business functions he or she can perform on that data and the additional constraints that apply when performing business functions.
Limits - Manage additional constraints on top of the permissions granted using Access Control. This allows banks and their customers to define financial constraints on different levels, ranging from transaction limits on one-off payment orders to daily limits on an individual user.
Approvals - Approvals work in conjunction with any process to require approval from one or more users before the process proceeds.
What is a legal entity?
Any person or non-person entity that is involved in a transaction or an arrangement with the bank. Both the bank and its customers are legal entities
A legal entity has one or more users that act on its behalf
Owner of users and arrangements and other legal entities
Describe the hierarchy of a legal entity
There is always a root level, usually a bank. The root can have several bank branches as children. The bank branches can have customers or businesses or departments as children.
What is a user?
A person that interacts with the Bank using our Banking Applications on behalf of themselves or the legal entity they are representing
For retail customers the relationship is usually one-to-one, legal user to legal entity
For corporate customers it can be one legal entity to many users
What is a product?
The financial instruments that a bank can sell. Ex: credit card, debit card, current account
What is an arrangement?
When a product is sold to a customer, it becomes an arrangement. Another way to think about it: an arrangement is an instance of a product associated with a customer
What is an account group (data group)?
A grouping mechanism for a set of arrangements. They can be combined with job roles to assign permissions to users. You always assign the permissions to the group, not the arrangement!
They are unique in the scope of a service agreement
What is a business function?
A logical function that represents a method on the backend.
Ex: manage.user.profiles, manage.notifications
What is a privilege?
What can be assigned to a business function: Execute, View, Create, Edit, Delete, Approve, Cancel
What are applicable function privileges?
Applicable function privileges define the privileges that are available for a specific business function
What is a job role?
A combination of business functions.
Defines what a user can do
Job roles can be constrained by limits
Are assigned to users, optionally combined with product groups
For example, job roles for contact management do not need to be associated with an arrangement. However, job roles associated with transaction functionality would need to be associated with an arrangement/product group
Limits can be assigned to job roles. Ex: you can only execute $50k in SEPA payments per month.
THIS IS CALLED FUNCTION GROUP IN THE DATABASE
What is a service agreement?
A contract that includes one or more legal entities. A service agreement is created every time a legal entity is created.
A legal entity that is associated with a service agreement can share users and/or arrangements. Each service agreement defines the access given to these users across one or more legal entities.
It is a way to give third party users specific access to your arrangements
Hookup for permissions and access to arrangements across multiple legal entities via permissions and data groups
How are permissions assigned?
Assigning permissions is essentially assigning a join of a service agreement, an account group (set of arrangements) and a job role (set of function privileges)
What is context?
The context of the service agreement.
A user may belong to multiple service agreements. In order to correctly enforce permissions, a user must log in in the context of a service agreement. In the UI, this basically means the user needs to select their service agreement from a dropdown at login.