FUJ00194687
FUJ00194687
20/02/2019 Print WI3028L
Transaction Correction Tool / Appsup role
The Horizon security design has two main groups with privileged access to the
system, Belfast Operations (for operational purposes) and SSC (for data correction
and support). This privilege was deliberately split between the two units to separate
the roles for security purposes and prevent a single point of failure. In each case the
requirement is for a distinct privileged role that would only be used when suitable
change control has been raised for audit trail (not authorisation) purposes.
In the case of the BRDB there are two methods used to provide the required
privileged access for the SSC:
1. The Transaction Correction Tool (BRDBX015)
2. The Oracle role Appsup
When either of these facilities are used the SSC will apply the two man rule as
described in the data correction work instruction.
The Transaction Correction Tool
This tool (AKA BRDBX015) provides a packaged and audited interface to run defined
data correction scripts. It is no longer well named as it has evolved to perform not
only standardised and necessary financial transaction corrections, but also
corrections to non-financial data.
Details of the transaction correction tool and the scripts that are available can be
found in the Host Branch Database Support Guide (5.6 SCC Transaction Correction
Tools). At the time of writing the following correction scripts are defined:
1. Clear Stock Unit Lock (clear_su_lock.sh)
2. Clear Rollover Lock (clear_ro_lock.sh)
3. Update Outstanding Recovery Transaction Tool (upd_rvy_txn.sh)
4. Branch & Stock Unit Financial Year Update (upd_ro_fad_fyr.sql)
Check the current version of the Host Branch Database Support Guide for up to date
functionality.
Use
Whenever the SSC need to use the facilities of this tool there will be an associated
Peak. The use of the tool is recorded on the Account change control system and
reference for the change is recorded on the incident. This provides the required audit
trail. There is no requirement for an approval process.
The Appsup Role
The standard SSC role for BRDB access (named SSC) has sufficient functionality to
investigate and gather evidence. The APPSUP role has elevated privilege and can be
assigned temporarily to an SSC user by Belfast Operations under approved change
control, for un-envisaged ad-hoc live amendment not covered by BRDBX015.
https://ssc.fs.fujitsu.com/SSC3/SSC_MI/popupMIPrintjsp?MIRef=WI3028L 112
20/02/2019
FUJ00194687
FUJ00194687
Print WI3028L
When SSC require ad-hoc activity, compatible (insert only) but not yet covered by
BRDBX015, that may be required again in the future, a Peak (or Cloned Peak) should
be raised to request this functionality via the Transaction Correction Tool
(BRDBX015) and directed to the BDB-Host-Dev stack.
Use
Use of the Appsup role requires explicit approval before Belfast Operations can grant
access.
The current (In hours) process is:
1.
ObhWN
SSC to contact Sec Ops - possibly by action a Peak on their team and voice
prompting them
. Sec Ops raise TFS to UNIX
. UNIX apply rights to account
. SSC makes amendments and confirms once complete to Sec Ops
. Sec Ops request UNIX (via TfS) to revoke access.
Out of hours the SSC diagnostician will escalate the requirement to use Appsup to
the POA DM. The POA DM can give ISD Unix permission to provide the role to the
SSC.
References:
Reference Type Value Description
DOC DESAPPHLD0020 Branch Database HLD
Doc DESAPPSPGO0001 Host Branch Database Support Guide
WI WI3649S Data corrections
WI Reference: WI3028L
Title: Transaction Correction Tool / Appsup role
Created: by Steve Parker on 31/10/2016
Last update: by Mark Wright on 04/01/2019
Version: 8
End date: 31/12/2019
https://ssc.fs.fujitsu.com/SSC3/SSC_MI/popupMIPrintjsp?MIRef=WI3028L 212