FUJ00232820
FUJITSU RESTRICTED
Programme: HNG-X / HNGA/DDS+P2C+ (strikethrough as applicable) Other:
CHANGE PROPOSAL Conor
CP TITLE: HNG-X CP2831 - Refinement of access rights to non-BRDB databases
DATE RAISED: 18th January 2021
REQUIRED APPROVAL DATE: January 2022
ORIGINATOR: Steve Evans
CHANGE OWNER: Manisha Mistry (RECEIVED)
REQUIRED IMPLEMENTATION / PURCHASE DATE: February 2022
SDM/SERVICE OWNER: Geoff Baker (RECEIVED)
SOFTWARE Delivery Required: Yes/No (strikethrough as applicable)
TECHNICAL SPONSOR: Gareth Seemungal (RECEIVED)
DATE BY WHICH CP TO BE IMPACTED: N/A - Pre impacted
Approval for Impacting (Email or Hard Copy Signature): CP Assessment Team (RECEIVED)
Chargeable / Service Improvement
All work to be booked to
Project Code : 156156
Task Code: 355POAI
CP CLASSIFICATION: FAST-TRACK / ROUTINE / FOR INFORMATION (strikethrough as applicable)
Note: Pre-impacted CP
DAB Required: Yes/No (strikethrough as applicable) Date DAB Authorised: N/A - TG
GDPR Affected: Yes/No (strikethrough as applicable)
GDPR DPIA/Lower Level Risk Assessment Reference: (Note: Change owner to attach DPIA/Lower Level Risk Assessment to the CP - Technical Sponsor to own the Requirements)
N/A - Service improvement - SAE
RELATED Change Request/Request for Work Package: N/A
RELATED PEAKs: INC8311143A.
RELATED CPs: N/A
Attachments to the CP: No (strikethrough as applicable)
Purpose/Summary of Change: (Define why the CP is required and what it seeks to achieve)
The SSC require a standardised configuration for SSC users to have the required levels of
write access to non-BRDB databases which enable them to perform their contract
obligations, and to remove the variants that currently exist across the team.
Any granted role that provides an SSC user with write permissions to a database should
NOT be set by default - so the user has to switch to the write access role.
The SSC simply require write access to specific database tables, and NOT DBA privileges.
Description of Change Proposed: (Provide a full description of the change unless detailed in attached
documentation):
The SSC users will be re-aligned to have both ‘SSC’ and ‘RESOURCE’ granted with default
set to YES. This is to provide the SSC User with read access to the tables when they logon
to the database.
©Copyright Fujitsu Services Ltd 2021 FUJITSU RESTRICTED. Ref: PGM/CHM/TEM/0001
Version: 11.0
Date: 27-AUG-2021
UNCONTROLLED IF PRINTED
Any other default write access is to be revoked from the SSC users for the following
databases.
Database Application (Host Dev) Changes:
Application | Baselines | Description
BRSS | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users, update create_db_user.sh
NPS | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users, update create_db_user.sh
APOP | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users
TES | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users, update create_db_user.sh
DRS | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users
RDMC | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users
RDDS | 2 (1 changes, 1 software) | Patch to create roles and assign roles to pre-existing SSC users
A new role of ‘SSC_RW’ is to be introduced and granted to the SSC users with default set
to NO (so the user has to switch to the role).
The ‘SSC_RW’ role will be configured to provide the SSC user with write access to the
database tables owned by the application schema(s), but it will not provide any of the DBA
type privileges that the SSC do not require.
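The role arrangement described above, sketched in Oracle SQL as an added example (it is not part of the CP or of the patches it refers to). It assumes an Oracle database, which the CP implies through the RESOURCE role and SYS.AUD* auditing; APP_OWNER, EXAMPLE_TABLE and SSC_USER01 are hypothetical names.

```sql
-- Added example. Assumes Oracle. APP_OWNER, EXAMPLE_TABLE and SSC_USER01 are
-- hypothetical; SSC, RESOURCE and SSC_RW are the role names used in the CP.

-- 1. Create the write role and give it object privileges only
--    (no system privileges, no DBA role).
CREATE ROLE SSC_RW;
GRANT INSERT, UPDATE, DELETE ON APP_OWNER.EXAMPLE_TABLE TO SSC_RW;

-- 2. Grant the role to a pre-existing SSC user.
GRANT SSC_RW TO SSC_USER01;

-- 3. Pin the default roles. Without this step a user whose default role
--    setting is ALL would have SSC_RW enabled at logon.
ALTER USER SSC_USER01 DEFAULT ROLE SSC, RESOURCE;

-- 4. In the SSC user's session: explicit enablement before a data change.
--    SET ROLE replaces the enabled set, so the read roles are listed too.
SET ROLE SSC, RESOURCE, SSC_RW;
--    ... approved change is made here ...
SET ROLE SSC, RESOURCE;            -- drop write access again

-- Checks matching Requirements 001 to 004.

-- SSC_RW must be granted but not default (DEFAULT_ROLE column).
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role = 'SSC_RW';

-- Any row here is a system privilege or nested role SSC_RW should not carry.
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'SSC_RW';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'SSC_RW';

-- Any row here is write access the user holds directly, outside SSC_RW.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'SSC_USER01'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE');

-- Run as the SSC user: roles currently enabled in this session.
SELECT role FROM session_roles;
```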
Fujitsu will continue to follow the ‘Horizon Data Change’ process
SVM/SDM/PRO/4293 - HORIZON DATA CHANGES PROCESS WORK INSTRUCTION.
Note:
For the BRDB database, use of the APPSUP role will remain the same, requiring approvals
and Unix to add the role on a temporary basis.
All associated process documentation is to be brought up to date and into line to describe
the revisions.
SecOps require that all ‘SSC_RW’ actions taken are logged and audited as this provides the
assurance to POA that Fujitsu Services can provide evidence if required to do so - this
should be the same as any switching of role to one of elevated privileges.
Current state of Auditing (See Reqt 005):
DB | Is SYS.AUD* Auditing for Role ENABLED? | Files output to NAS | ARC SubPoint | ARC Share Name
BRDB | Yes | Tapp/brdbitrans/audivhostaudiBRDBAUDO | HOST | \pnas002\NAS_BDB_AUDSthostaudit
RDMC | Yes | fovnw01/rdme/audS/output/*AUD* | HxSolRDMC AU | \\M_DB_SRV\dmelaudSioutput
RDDS | Yes | fovnw01/rdds/aud$/output/*AUD* | HxSoIRDDS AU | \\M_DB_SRV\rddsaout Note*** fddsaout -> /bynw01/rdds/audS/output
DRS | Yes | Tovnw01/drs/trans/drsaudiDRS*AUD* | HxSolHost | \M_DB_SRVidrsaudit
TES | Yes | fovnw01/tes/trans/tesauditTESAUD* | HxHost | DB _SRVitesaudits
APOP | Yes | Tovnw01/apoproot/support/apopaudit/APOPAUD* | HxAPOPAud | ipnas002\NAS_APOPROOTS\support\apopaudit
NPS | Yes | 7REPLnpsfftransinpsaudiNPSAUD* | NPS1 | \\pnas002\NAS_NPSFS\trans\npsaudit
BRSS | Yes | /app/brssitrans/audithostaudi/BRSSAUDO | BRSHOST | \\pnas002\NAS_BRS_AUDS\hostaudit
Testing:
It is assumed in the impacts that this will be tested once in LST utilising two Test resources,
and then the changes will be retro fitted back into SV&I as part of its monthly top up.
It is assumed that this will speed up the delivery and reduce the testing impact on SV&I test
resources assigned to HNG-X functional changes and support of P2C migration projects.
The testing would be conducted over 5 elapsed days with 2 additional days for regression
testing.
Scope:
This change relates to the named systems Fujitsu own and operate and to which POA
determines access configuration. As such this is only applicable to Belfast as POC is for
Post Office to set rights and access on.
Acceptance Criteria and Methods (Functional and Non Functional):
Requirement ID: 001
Requirement: SSC default write access revocation.
Acceptance Criteria: SSC Users do not have default write access for non-BRDB databases.
BRSS
NPS
APOP
TES
DRS
RDMC
RDDS
Acceptance Method: Solution Test
Requirement ID: 002
Requirement: SSC User Read Access
Acceptance Criteria: The SSC users will be re-aligned to have both ‘SSC’ and ‘RESOURCE’ granted with default set to YES. This is to provide the SSC User with read access to the tables when they logon to the database.
Acceptance Method: Solution Test
Requirement ID: 003
Requirement: SSC_RW Role Defined
Acceptance Criteria: New role of ‘SSC_RW’ defined and granted to SSC users with default set to NO (so the user has to switch to the role).
The ‘SSC_RW’ role will be configured to provide the SSC user with write access to the database tables, but it will not provide any of the DBA type privileges that the SSC do not require.
Acceptance Method: Solution Test
Requirement ID: 004
Requirement: Use of SSC_RW
Acceptance Criteria: Where a change is required to any non-BRDB database the SSC operator will require an explicit enablement of the ‘SSC_RW’ role.
Acceptance Method: Solution Test
Requirement ID: 005
Requirement: Security Audit and Testing
Acceptance Criteria: Audit team to confirm they can see production audit log entries that prove it is working as expected.
All ‘SSC_RW’ actions taken are logged and audited, and evidence retrievable from ARC (via the filenames and Archive subpoints identified): this should be the same as any switching of role to one of elevated privileges.
Acceptance Method: Solution Test
Requirement ID: 006
Requirement: Document updates
Acceptance Criteria: All associated and appropriate Process documentation, including but not limited to:
SVM/SDM/PRO/4293 - HORIZON DATA CHANGES PROCESS WORK INSTRUCTION
is to be brought up to date and into line to describe the revisions.
Acceptance Method: Document Review
Requirement ID: 007
Requirement: Design Document updates
Acceptance Criteria: All associated and appropriate Design documentation, including but not limited to:
HORIZON DATA CHANGES PROCESS WORK INSTRUCTION
Database HLDs (for each updated database)
is to be brought up to date and into line to describe the revisions.
Acceptance Method: Document Review
Requirement ID: 008
Requirement: Regression Testing
Acceptance Criteria: All Databases in scope will require targeted regression testing
Acceptance Method: Solution Testing
Pilot Requirements: (identify any considerations and timescales for Pilot associated with this CP - where known)
N/A
Dependencies (e.g. Third Party or Technical): (identify dependencies on Post Office or third parties or of a
technical nature that would be required to deliver this CP - where known)
Ref | Type (internal, external, technical) | Description | Applicable (Y - (provide details) / N)
D001 | External | 3rd Party data-files e.g. AP Client files | N
D002 | External | PODG Route Transformations (If Y consider the use of SSC to deliver Ref Data/PODG Live Route Copy Objects to the XCS) | N
D003 | External | Post Office Reference data | N
D004 | External | 3rd Party implementations | N
D005 | External | APADC scripts / transactions | N
D006 | External | New CC counter base version required | N
D007 | External | End to End testing required (including third parties) | N
D008 | Internal / External | Other? | N
PCI Requirements: (identify any considerations and timescales for Payment Card Industry requirements associated with
this CP - where known) PCI Platforms affected should be identified in appropriate section below.)
None
GDPR Requirements: (if GDPR is affected, the Technical Sponsor must identify any considerations and timescales for
Personal Data Protection requirements associated with this CP - where known. Any Platforms or functional areas affected should be
identified in appropriate sections below.)
None
Platforms (Physical) Affected: (insert identity and details of all platforms requiring software update by this CP -
where known. Please use platform types as defined in the PHIL, unless new. And explicitly list any other hardware such as
network devices)
Platform Database
NPS NPS
APOP
DAT TES
DRS
RDMC
RDDS
Account Teams Affected: (insert identity and details of all functional areas/teams requiring update by this CP - where
known, also identify any impact on INGENICO)
UNIX, Host Dev, SSC, Test, Project Management, Release Management
Decommissioning Costs: (identify any decommissioning considerations and cost that are covered by this CP - where
known)
None
Non-Labour Items required: (identify any non-labour items required including (but not limited to) License Costs, 3rd
Party License costs, Operating Systems, Tivoli, Red Hat, Anti-Virus, Applications) identifying if supplier is not on APL (Approved
Technology List) - costs to be supported by quotes to be attached to CP):
N/A
Risks: (insert identity and details of all risks associated with this CP - where known, either the introduction of, or containment of
Risks could be Programme, finance, business, ISO27001, etc - please specify identify Risk Owner - to be added to Risk Register
under Project on approval of the CP)
N/A
Post Office Account resources (For Pre-impacted CPs only): (insert additional rows as required)
Service Line | Team/Sub-Team | Contract Grade | Days | Non-Labour Item & Cost (£)
DTS | Development - GDC Host team On-shore | LSE | 5 |
DTS | Development - GDC Host team Off-shore | LSE-OS | 15 |
DTS | Test-LST | SSE-OS | 7 |
DTS | Test-LST | SSE | 5 |
DTS | Release Management | LSE | 9 |
DTS | Release Management | UL | 1 |
DTS | UNIX | UL | 3 |
DTS | Project Management | LSE | 5.5 |
DTS | Integration | LSE | 7 |
DTS | SSC | UL | 3 |
Sub-Total: 60.5 £0.00
Off-Account resources (For Pre-Impacted CPs only): (insert additional rows as required)
Service Line | Team/Sub-Team | Contract Grade | Days | Non-Labour Item & Cost (£)
N/A | N/A | N/A | N/A | N/A
Sub-Total: 0 £0.00
TOTAL: 60.5 £0.00
Documents Affected: (insert additional rows as required)
Document Reference | Title | Current Version
SVM/SDM/PRO/4293 | HORIZON DATA CHANGES PROCESS WORK INSTRUCTION | See Dimensions
DES/APP/HLD/0023 | BRSS High Level Design | See Dimensions
DES/APP/HLD/0017 | NPS High Level Design | See Dimensions
DES/APP/HLD/0129 | APOP High Level Design | See Dimensions
DES/APP/HLD/0036 | TES High Level Design | See Dimensions
NB/HLD/003 | DRS High Level Design | See Dimensions
DES/APP/HLD/0004 | RDMC High Level Design | See Dimensions
DES/APP/HLD/0005 | RDDS High Level Design | See Dimensions
N/A | UNIX User Management Procedure for SSC | HTML
See PGM/CHM/MAN/0002 for guidance on completing the template