Sie sind auf Seite 1von 109

Alliance Lite2

Administration Guide

This guide describes how to perform Alliance Lite2 administration tasks. These tasks include user management and
reference data management. This guide is for security officers and the personnel who have been assigned the role of
Alliance Lite2 administrator.

20 July 2017
Alliance Lite2
Administration Guide Table of Contents

Table of Contents

Preface............................................................................................................................................................... 4

1 Introducing Alliance Lite2.......................................................................................................................6


1.1 What is Alliance Lite2?............................................................................................................................ 6
1.2 What Does the Web Interface Provide?...................................................................................................7
1.3 What Does AutoClient Provide?.............................................................................................................. 9
1.4 How is Alliance Lite2 Packaged?.............................................................................................................9
1.5 System Requirements........................................................................................................................... 10
1.6 Token-Based Certificates and Channel Certificates.............................................................................. 12

2 Get Started............................................................................................................................................. 14
2.1 DNS Installation and Configuration........................................................................................................17
2.2 Firewall Settings.................................................................................................................................... 19
2.3 Install Java............................................................................................................................................. 21
2.4 Configure Java Settings.........................................................................................................................21
2.5 Configure Internet Explorer Settings..................................................................................................... 22
2.6 Install Driver for Personal Tokens.......................................................................................................... 22
2.7 Remove the Token Software..................................................................................................................29
2.8 Activate Tokens for Customer Security Officers.....................................................................................30
2.9 Create a Distinguished Name................................................................................................................32
2.10 Authorise the DN and Approve the Operator and Issue the Activation Code........................................ 36

3 User Management..................................................................................................................................38
3.1 Operators...............................................................................................................................................38
3.2 Operator Profiles................................................................................................................................... 50
3.3 RBAC Roles for Browse Services..........................................................................................................55

4 Reference Data Management............................................................................................................... 62


4.1 Correspondents..................................................................................................................................... 62
4.2 Countries............................................................................................................................................... 70
4.3 Currencies............................................................................................................................................. 74

5 Default Operator Profiles...................................................................................................................... 77


5.1 How Entities, Actions, and Permissions Work....................................................................................... 80

20 July 2017 2
Alliance Lite2
Administration Guide Table of Contents

5.2 AutoClient.............................................................................................................................................. 81
5.3 BIC_View............................................................................................................................................... 82
5.4 LSO and RSO........................................................................................................................................82
5.5 MsgUpload............................................................................................................................................ 83
5.6 Msg_All..................................................................................................................................................84
5.7 Msg_AllOthr...........................................................................................................................................90
5.8 Msg_Audit..............................................................................................................................................90
5.9 Msg_Auth...............................................................................................................................................91
5.10 Msg_Oper..............................................................................................................................................94
5.11 OPER_SignOn...................................................................................................................................... 99
5.12 RMA_All.................................................................................................................................................99
5.13 RMA_Auth........................................................................................................................................... 103
5.14 RMA_Oper...........................................................................................................................................106

6 Relationship Management.................................................................................................................. 108

Legal Notices................................................................................................................................................. 109

20 July 2017 3
Alliance Lite2
Administration Guide Preface

Preface
Purpose of the document
This administration guide describes how to perform Alliance Lite2 administration tasks. These tasks
include user management and reference data management.

Audience
This document is for the following audience:
• Security officers
• Alliance Lite2 administrators

Significant changes
The following table lists all significant changes to the content of the Alliance Lite2 Administration
Guide since the April 2016 edition. This table does not include editorial changes that SWIFT makes
to improve the usability and comprehension of the document.

Updated information Location

New section added How to Change the Name of Customer Security Officers on
page 8

System requirements for AutoClient have System Requirements for AutoClient on page 11
been updated.

The section on how to renew personal Token-Based Certificates and Channel Certificates on page 12
token certificates has been updated, in
case of token expiry.

The firewall settings have been updated. Firewall Settings on page 19

When to use the SWIFTNet Online Log in to SWIFTNet Online Operations Manager on page 32
Operations Manager has been updated.

A section "Next" describing the result of Add an Operator on page 46


adding an operator has been added.

The section on disabling an operator has Disable an Operator on page 49


been updated.

The operator profile <BIC8>_Msg_View Profiles Assignment on page 50


has been added.

Operator profiles visible in Alliance Lite2, Msg_All on page 84


but that cannot be used in Alliance Lite2
have been added for information.

Alliance Lite2 documentation set


• Administration Guide
• Administration Guide - RMA

20 July 2017 4
Alliance Lite2
Administration Guide Preface

• AutoClient User Guide


• Find Your Way in Alliance Lite2
• Security Officer Guide
• Service Description
• User Guide

20 July 2017 5
Alliance Lite2
Administration Guide Introducing Alliance Lite2

1 Introducing Alliance Lite2


1.1 What is Alliance Lite2?
What are the components of Alliance Lite2?
Alliance Lite2 is an Internet-based solution aimed at any SWIFT customer including corporates,
investment managers, funds distributors, and transfer agents that want to connect to SWIFT easily
and securely. You can use Alliance Lite2 to send and receive message transactions using the FIN,
InterAct, FileAct, and Browse services over SWIFTNet.
Alliance Lite2 includes a Web interface and AutoClient. Your organisation can use either or both of
them for manual or automated operations.
• The Web interface: Use the Web interface that has message data entry and business features if
your organisation prefers to manually process a low number of message transactions per day.
This interface offers a web experience for sending and receiving all MT and MX message
transactions and for file exchange. Alliance Lite2 customers who have ordered Browse services
can also connect to Browse from the Web interface. For more information, see What Does the
Web Interface Provide? on page 7.
The Web interface can also monitor the status of message transactions that have been initiated
through AutoClient.
• AutoClient: Use AutoClient if your organisation has business applications and wants to enable
these applications to send and receive message transactions in an automated way. For more
information, see What Does AutoClient Provide? on page 9.

Customer SWIFT

Alliance Lite2
Web interface

Internet or
AutoClient SWIFTNet
MV-SIPN
Alliance
Lite2 Bank
server
Back-office
application
D1370004

20 July 2017 6
Alliance Lite2
Administration Guide Introducing Alliance Lite2

Types of environment
Alliance Lite2 offers two types of environments:
• Live environment: You use this environment to send live business messages and files. This
environment is also called Production environment.
• Test environment: You use this environment to exchange Test and Training messages and
files. Other benefits of this environment are as follows:
- New Alliance Lite2 users can try the Alliance Lite2 service in a safe environment before
using the Live environment. Messages and files that users exchange in the Test environment
have no financial consequences.
- Existing Alliance Lite2 users can exchange test messages and files with a new
correspondent to learn how to send and process messages and files properly.
- Customers can test new Alliance Lite2 releases.
You can view only live messages and files in the Live environment and only test messages and files
in the Test environment. The Test environment is a simulation of the Live environment, and you
cannot send, view, or process a live message or file in the Test environment. Messages or files that
you send from the Test environment are marked as test or pilot so that recipients of these
transactions do not process them as live messages or files.

Who are Alliance Lite2 users?


There are three types of Alliance Lite2 users:
• Customer security officers. See What Can Alliance Lite2 Customer Security Officers Do? on
page 7.
• Operators, use Alliance Lite2 for the creation, update, approval, sending, and receiving of
messages and files to and from SWIFT. See What Can Alliance Lite2 Operators Do? on page
8
• AutoClient operators (with access to the account that runs AutoClient) with a USB token or a
channel certificate. For more information, see the Alliance Lite2 AutoClient User Guide.

1.2 What Does the Web Interface Provide?


The following types of users perform tasks in Alliance Lite2 through the Web interface:
• customer security officers that are responsible for sensitive tasks (for example, creating
operators and defining what tasks operators can do)
• operators that perform day-to-day operations (for example, message creation, monitoring and
approval)
Each customer security officer and operator has a personal token and password.

1.2.1 What Can Alliance Lite2 Customer Security Officers Do?


For each organisation that uses Alliance Lite2, SWIFT configures two customer security officers.
For the most critical tasks, an approval by the other customer security officer is required before the
action can take effect.

20 July 2017 7
Alliance Lite2
Administration Guide Introducing Alliance Lite2

The Alliance Lite2 customer security officers are responsible for user management of both the Live
and Test environments.
A customer security officer's functions fall into the following categories, as shown in the following
table.

User setup tasks Define an operator for each Alliance Lite2 user.

Assign each user an operator profile.

Create and maintain a corresponding personal token for each operator.

Generate reports related to roles, user entitlements, and security audit trails.

Assign RBAC user roles using SWIFTNet Online Operations Manager

Relationship Select the RMA relations or BICs that your organisation wants to transact with.
Management
For more information, see the Alliance Lite2 Administration Guide - RMA.
tasks

1.2.2 How to Change the Name of Customer Security Officers


Change Alliance Lite2 Security Officers
How do you change the names of one or more (or all) of the Alliance Lite2 customer security
officers?
The following situations can occur:
1. One or more of the Alliance Lite2 customer security officers want to handover their role to other
people in the institution.
2. One or all Alliance Lite2 customer security officers have left the institution without handover.
Refer to KB tip 5019265.

1.2.3 What Can Alliance Lite2 Operators Do?


What can operators do with the Alliance Lite2 Web interface?
You can use the Alliance Lite2 Web interface to access some or all of the following functions. For
more information, see the Alliance Lite2 User Guide.
The functions that are available to operators depend on the operator permissions that the Alliance
Lite2 customer security officer allocates. According to their permissions, operators can perform the
following tasks:
• create or initiate message transactions (from scratch, or from a predefined template).
• create and modify message transaction templates.
• approve (sign) message transactions ready for transmission to correspondents.
• reject message transactions or return them for modification.
• view incoming message transactions.

20 July 2017 8
Alliance Lite2
Administration Guide Introducing Alliance Lite2

• monitor and confirm the status of message transactions, from creation to final delivery, including
those transactions handled by AutoClient.
• generate reports on message transactions or file transfers.
• access Browse services that are offered on SWIFTNet. This function is only available if your
institution has subscribed to one or more of these Browse services.
An operator may have the permission to create message transactions, but may not have the
permission to approve these message transactions. Another operator may have the permission to
create and approve message transactions, including their own.

1.3 What Does AutoClient Provide?


AutoClient is an application that provides automated file-based communication to and from FIN,
InterAct (MX), and FileAct services that enables your organisation to send and receive message
transactions. Through the Web interface an Alliance Lite2 operator can monitor the status of these
message transactions that have been initiated through AutoClient.
Note MX files are sent using the XMLv2 format.

Related information
AutoClient User Guide

1.4 How is Alliance Lite2 Packaged?


The Welcome box
SWIFT delivers a Welcome box to the person who is identified as the first Alliance Lite2 customer
security officer.
This box contains the following items:
• A Welcome card
• One mini-USB memory key with the Alliance Lite2 installer used to install AutoClient
Note For existing customers, the latest version of the AutoClient installer is available on
swift.com > Support > Download centre. In Product name field, select Alliance Lite2
from drop-down list.
• 10 personal tokens
• A set of 10 Quick Start cards for each operator that receives a security token
SWIFT creates an initial “technical” certificate for each of the two Alliance Lite2 customer security
officers, and stores their certificate on their personal token. The first customer security officer
receives the box of tokens. SWIFT sends an e-mail to the second customer security officer with a
password to unlock the tokens.
On receipt of the Welcome box and the e-mail, the first customer security officer can start the
installation and bootstrap process. This process replaces the bootstrap certificate with a new
certificate. The certificate is based on a new public and private key pair generated locally on the
personal token. At the first login, the customer security officers must change the password that
protects the token.

20 July 2017 9
Alliance Lite2
Administration Guide Introducing Alliance Lite2

Generating the certificate and key pair on the tamper-proof token ensures that the private key is
completely secret. The key is not known to any other party, not even SWIFT. Only a person that has
a valid token and knows the password associated with this token can use Alliance Lite2.

1.5 System Requirements

1.5.1 System Requirements for Alliance Lite2 Web Interface


Operating system and connectivity

Category Requirement

Operating system The Alliance Lite2 Web interface runs on the following operating systems:
• Windows 7 Professional (32-bit or 64-bit) with Internet Explorer 8.0, 9.0, or 10 (compatibility
mode)
• Windows 8.1 R2 (64-bit) with Internet Explorer 11 (compatibility mode)

Connectivity You have three different possibilities to connect to Alliance Lite2:


• Connect over the Internet from any location, using a PC or laptop and your secure personal
token.
• Connect optionally (by means of a separate subscription) through SWIFT's highly resilient
and reliable multi-vendor secure IP network (MV-SIPN). You can find more information about
SWIFT's Alliance Connect products at www.swift.com > Products & services > Connectivity.
You can ask SWIFT to disable Internet access for all your users, only allowing access
through SWIFT's Virtual Private Network (VPN).
• You can also use both connection methods. For more information, see Infrastructures
connected to both the Internet and MV-SIPN on page 10.
For more information about firewalls, see Firewall Settings on page 19.

Infrastructures connected to both the Internet and MV-SIPN


If your institution has both multi-vendor secure IP network (MV-SIPN) access and Internet access
to the Alliance Lite2 environment, then you need to take specific steps to set up the routing and
naming resolution.
Based on your specific environment, SWIFT strongly recommends the following:
• Segregated environments
Use segregated environments where possible.
• Mixed environments
If you use a mixed environment, then you must do the following:
- Add more specific routes in your local network with next-hop the Internet for SWIFT services
reachable over the Internet.

20 July 2017 10
Alliance Lite2
Administration Guide Introducing Alliance Lite2

For more information, see the most recent version of the Network Access Control Guide >
Multiple Secure IP Network Access Configurations and Routing.
- Decide which host uses which environment (MV-SIPN or Internet).
- Configure the name resolvers in their workstations according to the environment.
• Central DNS proxy/forwarders
If your institution enforces the use of central Domain Name System (DNS) proxy/forwarders,
then it must support DNS capabilities (Views/ Split Horizon) that based on the source IP resolve
the URL according to your institution's policy specification (that is, use MV-SIPN or Internet).

1.5.2 System Requirements for AutoClient


This section outlines the system requirements for AutoClient.
The default installation directory is %Program Files%\SWIFT\Alliance Lite2\, which is referred to
throughout this document as <installation directory>. On 64-bit systems, the default installation
location is: %Program Files (x86)%\SWIFT\Alliance Lite2.
Only the base directory and its subdirectories (by default, C:\Program Files (x86)\SWIFT\Alliance
Lite2\files) must be accessible to the (remote) application for placing and retrieving files. The other
folders and files in the AutoClient installation directory, including logs, configs, and similar files are
by default in C:\Program Files (x86)\SWIFT\Alliance Lite2 and must never be accessible
remotely.

Category Requirement

Operating system AutoClient runs on the following operating systems:


• Windows 7 Professional with any Service Pack (32-bit, 64-bit)
• Windows 8.1 R2 (64-bit)
• Windows Server 2008 R2 (64-bit)
• Windows Server 2012 R2 (64-bit)
Note AutoClient is only qualified on US-English Windows versions.

Disk space • Minimum 500 MB for the software installation


• Minimum 300 MB for the base directory (400 MB is recommended)
• A few hundred MB of free disk space

Memory Windows PC or laptop with a minimum 1 GB of memory.

20 July 2017 11
Alliance Lite2
Administration Guide Introducing Alliance Lite2

Category Requirement

Connectivity • Standard broadband Internet access with minimum 128 kbps (for example, ADSL, WiFi,
cable, and other forms). Dial-up connectivity is insufficient.
- AutoClient can connect to the Internet through a firewall or HTTP proxy (see Firewall
Settings on page 19).
- AutoClient connects to the Alliance Lite2 server over TLS (V1.2 and above), TCP port
443. SSL V3 (or previous versions) is no longer supported.
- When using the configuration tool to create a channel certificate, TCP port 49171
must be open.
• Connect optionally (by means of a separate subscription) through SWIFT's highly resilient
and reliable multi-vendor secure IP network (MV-SIPN). You can find more information
about SWIFT's Alliance Connect products at www.swift.com > Products & services >
Connectivity.
You can ask SWIFT to disable Internet access for all your users, only allowing access
through SWIFT's Virtual Private Network (VPN).
• You can also use both connection methods. For more information, see the "Infrastructures
connected to both the Internet and MV-SIPN" of the Administration Guide.

Unlike the Alliance Lite2 web interface, AutoClient does not need Internet Explorer or a Java plug-in
and can be run on a PC where Internet Explorer is not used to browse.
Note Even if Java is installed, it will not be used by AutoClient. AutoClient comes with its
own Java Runtime Environment (JRE).
The AutoClient software can be installed and operated on a system running under virtualisation
technologies that properly support USB ports, such as VMWare Workstation. A notable
counterexample is the (free) version of VMWare server, which cannot be used due to lack of proper
support for USB ports. USB ports are not required if you use AutoClient with a channel certificate.
AutoClient can be remotely monitored and operated using technologies that do not create conflicts
with USB ports, such as SSH or the VNC protocol (for example, RealVNC). A notable
counterexample is Windows Remote Desktop (or Windows Terminal Services), which cannot be
used due to conflicts with the SafeNet driver for the USB ports. Citrix is not supported, for the same
reason as that for VMWare server.
Note Remote desktop, Citrix, and VMWare Server can be used with channel certificate.

Important SWIFT cannot test against all virtualisation technologies available on the market. It is
the user's own responsibility to verify the suitability of the virtualisation technology
chosen by the user.

1.6 Token-Based Certificates and Channel Certificates


Token-based certificates
A token-based certificate is a certificate that resides on a personal token. A personal token, also
called USB token or physical token, is a piece of hardware that provides a means for SWIFT to
authenticate the identity of a user or an application. The token includes PKI credentials that the
owner of the token has generated. The PKI credentials are used to create digital signatures that

20 July 2017 12
Alliance Lite2
Administration Guide Introducing Alliance Lite2

allow the owner of the token or the application itself to be identified. The token is personal and must
not be shared with another user. It is protected by a password that the owner of the token must
keep private.

How to renew personal token certificates


There is no automatic renewal process for personal token certificates and keys. Manual renewal
must occur at least once every 24 months. The token is ready for renewal as of 90 days before its
expiry date.
When the certificate expiry date is less than 3 months (120 days) away, a warning message is
displayed during login.
The personal token user uses the SWIFT Certificate Centre to renew the token. If the token is not
renewed in time, then the token expires.
If a token has expired, then the token can only be reset, see the SWIFT Certificate Centre Portal
User Guide. However, its certificate can be recovered by using the SWIFTNet Online Operations
Manager, see the SWIFTNet Online Operations Manager guide.

Channel certificates
A channel certificate is an encrypted, disk-based profile file that provides a means for SWIFT to
authenticate the identity of an application. Alliance Lite2 supports channel certificates as an
alternative means to physical tokens. The channel certificate only secures the connection from the
Alliance Lite2 machine to the Alliance Lite2 server in SWIFT's central infrastructure. In addition,
SWIFT uses channel certificates to generate non-repudiation evidence of the emission of a
business message from an Alliance Lite2 customer to the Alliance Lite2 server at SWIFT.
Channel certificates can only be used for AutoClient with an MV-SIPN connection that belongs to
the owner of the channel certificate. Channel certificates cannot be used for the Alliance Lite2 Web
interface. In addition, channel certificates are not permitted for human-to-application flow, such as
SWIFT WebAccess services.

20 July 2017 13
Alliance Lite2
Administration Guide Get Started

2 Get Started
Before you begin
Alliance Lite2 is provisioned with two predefined customer security officers: the left customer
security officer (left-cso) and the right customer security officer (right-cso).
These security officers must receive all of the following items from SWIFT before starting the
installation process:
• the Alliance Lite2 installer (to install AutoClient)
The installer for AutoClient is on the mini-USB memory key that you received from SWIFT.
• the box of 10 personal tokens (sent to one of the security officers)
• the initial token password to unlock the tokens (sent by e-mail to the other security officer)

Start-up process
This section explains how to get started with Alliance Lite2.

20 July 2017 14
Alliance Lite2
Administration Guide Get Started

WHO WHAT/WHERE

Customer Configure
Install/configure DNS Install Java
system firewall security
administrator Depends on customer between Alliance Lite2
workstation and the internet all PCs that use personal token
1 DNS setup 2 3

Installation staff Install driver for


USB tokens
all PCs that use
personal token
4

Customer security officers

Active tokens Create a new Add an operator Authorise and approve


distinguished name operator and issue token
SWIFT SWIFTNet Online Alliance Lite2 interface activation code
Certificate Centre Operations Manager Alliance Lite2 interface
5 6 7 8

All Lite2 users


Log in to Alliance Lite2

Alliance Lite2 interface


9

Operators with
Set up RMA authorisations
appropriate
permissions
Alliance Lite2 interface
10

D1370008
WHEN

20 July 2017 15
Alliance Lite2
Administration Guide Get Started

Step Description Where Who performs the task

1. DNS Installation For MV-SIPN connectivity only Several options are Your system
and Configuration on available including: administrator
Install and configure DNS
page 17 (1)
server. • install a DNS server
on each workstation
• install a DNS server
on one workstation
and point other
workstations to this
workstation
• deploy a central
DNS server
SWIFT recommends
that you discuss the
DNS flow deployment
with your internal IT
department.

2. Firewall Settings on Configure the firewalls to allow Between the Alliance Your system
page 19 the appropriate IP addresses Lite2 workstations (both administrator
and ports. the Alliance Lite2 Web
interface (browser) and
the AutoClient) and the
Internet or the multi-
vendor secure IP
network (MV-SIPN).

3.Install Java on page This is a one-off set-up On all PCs on which the Your system
21 procedure that you must do personal token is used administrator
before you install the driver for
the personal tokens.

4. Install Driver for This is a one-off procedure that On all PCs on which the Your staff responsible for
Personal Tokens on you must complete to have the personal token is used SWIFT installation
page 22 necessary software to configure
and to read the certificates on
personal tokens.

5. Activate Tokens for This is a one-off procedure that SWIFT Certificate Both customer security
Customer Security both customer security officers Centre on officers
Officers on page 30 must complete to access www.swift.com/
SWIFTNet services. certificates

6.Create a DN on Both customer security officers Alliance Lite2) > Both customer security
page 33 must follow this procedure to Browse Services > officers
create the DNs for each of the SWIFTNet Online
institution's Alliance Lite2 Operations Manager (2)
operators.

20 July 2017 16
Alliance Lite2
Administration Guide Get Started

Step Description Where Who performs the task

7. Add an Operator on Add and approve the operators. Alliance Lite2 > User The left or right
page 46 Configuration > customer security officer
Operators (2)

8. Authorise the DN Authorise the operators Alliance Lite2) >


and Approve the Browse Services > The left or right
Operator and Issue SWIFTNet Online customer security officer
the Activation Code Operations Manager (2)
If the left security officer
on page 36 performed step 6, then
Approve the operators then give Alliance Lite2 > User the right security officer
the initial password and token Configuration > performs this step.
activation code to the operators. Operators (2)

9. Log in to Alliance For more information about the Alliance Lite2 All staff that use Alliance
Lite2 normal daily login procedure, Lite2
see the Alliance Lite2 User
Guide.

10. Set up RMA Relationship Management helps Alliance Lite2 > RMA (2) Operators with the
authorisations with you manage business appropriate permissions
your correspondents relationships with counterparties (see the Administration
(banks or other through authorisations that are Guide - RMA > Operator
institutions). sent as XML messages over the Profiles and
RMA service. Permissions)

(1) This task is applicable only to Windows server versions, not Windows 8.1, or Windows 7. For a Windows Client OS, a third-
party DNS server must be installed. Alternatively, you may use an HTTP proxy to deal with the DNS requests.
(2) Alliance Lite2 menu items appear in bold.

2.1 DNS Installation and Configuration


Scope
Installation and configuration of the DNS and name server are only required when Alliance Lite2
connects over MV-SIPN.
This task is applicable only to Windows server versions, not Windows 8.1, or Windows7. For a
Windows Client OS, a third-party DNS server must be installed. Alternatively, you may use an
HTTP proxy to deal with the DNS requests.

Process
1. Install the DNS on page 18.
2. Configure the DNS Server on page 18.
3. Configure the Network Adaptor to Use Local DNS (Windows) on page 18.

20 July 2017 17
Alliance Lite2
Administration Guide Get Started

2.1.1 Install the DNS


Procedure
1. Log in to the computer with administrator privileges.
2. Click Start > All Programs > Administrative Tools >Server Manager.
3. The Server Manager window opens.
4. Click Roles on the top left, then click Add Roles.
5. Click Next on the information window.
6. Select the box with DNS Server.
7. Click Next
8. Click Next on the information window.
9. Confirm your installation selections.
Click Install .
10. When the DNS Server installation is complete, click Close .
Note Host File: C:\Windows\System32\drivers\etc\hosts should not contain any
entries related to SWIFT or SWIFT DNS entries.

2.1.2 Configure the DNS Server


Procedure
1. Log in to www.swift.com and download the DNSConfig ZIP file, located in Knowledge Base tip
5018318.
2. Extract the DnsConfig folder for your operating system to the computer where the DNS server
is installed.
3. Log in with administrator privileges to the computer where the DNS server is installed.
4. Run the DnsConfig.bat file, located inside the extracted DnsConfig folder.
Type Yes when prompted to configure the DNS.
5. Close the Command Prompt window when the configuration is complete.

CAUTION You must disable DNS caching. This is critical for Alliance Lite2 to work correctly.

2.1.3 Configure the Network Adaptor to Use Local DNS


(Windows)
This task verifies that the IP address of the SWIFTNet Link host corresponds to the IP address
provided to SWIFT.

Procedure
1. Log in to the computer with administrator privileges.
2. Click Start > Control Panel > Network and Internet > Network and Sharing Center.
3. Click Local Area Connection.

20 July 2017 18
Alliance Lite2
Administration Guide Get Started

4. Click Properties and select Internet Protocol Version 4 (TCP/IPv4).


5. The Internet Protocol Version 4 (TCP/IPv4) window opens.
6. Click Properties .
7. The IP address and Preferred DNS Server addresses must match.
8. Click OK to save changes.
Close the window.

2.2 Firewall Settings


When a PC uses channel or token-based certificates, SWIFT strongly advises that you use a
firewall between that PC and the Internet or the multi-vendor secure IP network (MV-SIPN).

Firewall security
For services to function correctly, the firewall must allow outgoing TCP connections to the URLs or
IP addresses listed in the table below. Systems using channel or token-based certificates require
these connections.
For AutoClient, open TCP port 49171 so that the configuration tool can create the channel
certificate.
Note No incoming connections are required. SWIFT recommends that users block all
incoming connections from the internet.

Alliance Lite2 URLs

Live environment Test environment

On the Internet https://alliancelite2.swift.com https://test.alliancelite2.swift.com

On MV-SIPN https://alliancelite2.swiftnet.sipn.swift.com https://


test.alliancelite2.swiftnet.sipn.swift.com

FileAct over https://fileact.alliancelite2.swift.com https://fileacttest.alliancelite2.swift.com


Browse through
(for firewall set-up only) (for firewall set-up only)
Internet
connection

If you are using a local (host-based) firewall on the computer that runs AutoClient, then it must be
configured to accept a local connection between two AutoClient processes on this computer
(localhost port 8000). This TCP connection flow is required for AutoClient to function normally.
To benefit from SWIFT's Distributed Denial of Service (DDoS) mitigation solution available for
Internet-facing services, additional firewall configuration is required. This additional configuration
limits the operational impact to your institution in case SWIFT is subject to a DDoS attack. For
additional information, see Knowledge Base tip 5019964

20 July 2017 19
Alliance Lite2
Administration Guide Get Started

Test environment

If you have a firewall set up on your system, and if you encounter problems accessing Alliance
Lite2 because of this, then configure your firewall to allow the following IP addresses:

Description Internet MV-SIPN

For GUI access and AutoClient 149.134.170.12 (TCP port 443) 149.134.63.4 (TCP port 443)

For FileAct over SWIFT 149.134.170.13 (TCP port 443) (1)

WebAccess
fileacttest.alliancelite2.swift.com

For SWIFT WebAccess 149.134.170.14 (TCP port 443) (2)

For SWIFT Certificate Centre 149.134.170.6 (TCP port 443) 149.134.63.252 (TCP port 443)

(1) FileAct over SWIFT WebAccess is not supported with MV-SIPN.


(2) Intentionally left blank: SWIFT WebAccess traffic via MV-SIPN is sent directly to the Alliance Lite2 server, and bypasses the
Alliance Lite2 http proxy.

Live environment

Description Internet MV-SIPN

For GUI access and AutoClient 149.134.170.9 (TCP port 443) 149.134.63.8 (TCP port 443)

For FileAct over SWIFT 149.134.170.10 (TCP port 443) (1)

WebAccess
fileact.alliancelite2.swift.com

For SWIFT WebAccess 149.134.170.11 (TCP port 443) (2)

For channel certificates NA 149.134.252.8 (TCP port 49171 and


(AutoClient only) TCP port 80)
wbcl01.swiftnet.sipn.swift.com
149.134.244.134 (TCP port 49171 and
TCP port 80)
wbcl02.swiftnet.sipn.swift.com

For SWIFT Certificate Centre 149.134.170.6 (TCP port 443) 149.134.63.252 (TCP port 443)
certificates.swift.com
scc.swiftnet.sipn.swift.com

(1) FileAct over SWIFT WebAccess is not supported with MV-SIPN.


(2) Intentionally left blank: SWIFT WebAccess traffic via MV-SIPN is sent directly to the Alliance Lite2 server, and bypasses the
Alliance Lite2 http proxy.

For more information about firewall settings, see the Network Configuration Tables Guide.

20 July 2017 20
Alliance Lite2
Administration Guide Get Started

2.3 Install Java


To view the Alliance Lite2 Web interface, the minimum supported versions of Java are as follows:
• 1.6.0.45 for Java 6
• 1.7.0.85 for Java 7
• 1.8.0.51 for Java 8
You must install your version of Java (32-bit version) as detailed in the following procedure before
installing the driver for the Alliance Lite2 personal tokens. Make sure that you install Java on each
PC on which a personal token will be used.
Note Java installation is not a requirement for a PC on which you are only installing Alliance
Lite2 AutoClient.
If you have already installed a version of Java, then check the version. If you do not have a recent
enough version, then you must download it from the Java website and configure it.

2.3.1 Verify Which Version of Java is Installed


Procedure
1. Click Start and select Settings > Control Panel > Java.
The Java Control Panel appears. (For Windows 7, click Start > Control Panel > Java).
2. Click the General tab, and click About .
Check which version and build of Java is installed.
If you do not have at least Java version with build 6, or you do not have Java installed at all,
then you must install it.

2.3.2 Download and Install Java


Procedure
1. Access the latest Java software from www.java.com.
2. Download and install the Java software.

Next
Configure Java Settings on page 21

2.4 Configure Java Settings


The required settings of the Java plug-in are normally part of its default settings. If the default
settings of the Java plug-in have been modified or you installed Java after the driver of the personal
USB token, then make sure that the correct settings are configured. You can access the settings by
going to the Java Control Panel > Advanced.
SWIFT recommends correctly configuring the Java settings to improve PC performance and to
avoid pop-up warning messages. See the Knowledge Base tip 5019757 for the latest settings.

20 July 2017 21
Alliance Lite2
Administration Guide Get Started

Depending on the version of Java that you are using, some of the settings may not be applicable. If
a setting does not exist for your version, then please ignore it.

2.5 Configure Internet Explorer Settings


The required Internet Explorer settings are normally part of its default settings. If the default
settings of Internet Explorer have been modified, then make sure that the correct settings are
selected or enabled. You can access the settings by going to Internet Explorer > Tools > Internet
Options > Advanced.
SWIFT recommends correctly configuring the Internet Explorer Settings to improve PC
performance and to avoid pop-up warning messages. See the Knowledge Base tip 5019758 for the
latest settings.

2.6 Install Driver for Personal Tokens


Before you can use your personal token on a PC, you must install the token software. Make sure
that you install the software on each PC on which a personal token will be used.
• AutoClient installer
If you want to use AutoClient with a token, then you must run two installers: the personal token
installer (see following sections) and the Alliance Lite2 installer (to install AutoClient). If you want
to use AutoClient with a channel certificate, then you only need to run the Alliance Lite2 installer
to install AutoClient. Channel certificates are only available for connection over MV-SIPN.
For more information about how to install AutoClient and create channel certificates, see the
AutoClient User Guide.
• Personal token installer
See the following sections:
- Token Software Installation Prerequisites on page 22
- How to Obtain the Token Installation Software on page 23
- Install the Token Software in Silent Mode on page 24
- Install the Token Software in Interactive Mode on page 25

2.6.1 Token Software Installation Prerequisites


General prerequisites
• Administrator rights are required to install the necessary drivers and software.
• Your PC must be running one of the following operating systems:
- Windows 7 (32-bit or 64-bit), optionally with a Service Pack and Internet Explorer 8.0, 9.0, or
10 (compatibility mode)
- Windows 8.1 R2 (64-bit) and Internet Explorer 11 (compatibility mode)
- Windows Server 2008 R2 (32-bit or 64-bit)
- Windows Server 2012 R2 (64-bit)
• Your PC must have free space of at least 500 MB.

20 July 2017 22
Alliance Lite2
Administration Guide Get Started

• To check this, open Windows Explorer, right-click the C: drive and select Properties. A System
(C:) Properties window opens:

• To access the SWIFT Certificate Centre, your system requires a 32-bit version of the Java
Runtime Environment (JRE). For more information about the minimum supported versions, see
Install Java on page 21.
• The Windows Script Host (WSH) must be enabled for the .vbs scripts used by the installer to
execute properly. This setting is enabled by default.
• The Windows Smart Card Service must be started for the proper detection of the certificate by
the SafeNet authentication client. This service is started by default.
You can install the token software on a PC that is running either the 32-bit version or the 64-bit
version of Windows. However, you must use the 32-bit versions of Internet Explorer and the Java
Runtime Environment to access the SWIFT Certificate Centre and configure your tokens.
The installation procedure checks that the required versions are installed on your system. For more
information, see Install the Token Software in Interactive Mode on page 25.

2.6.2 How to Obtain the Token Installation Software

2.6.2.1 Download the installation software

Procedure
1. For Windows 8 and above: From the Start window, click the Desktop tile to enter desktop
mode.
2. Navigate to the SWIFT Certificate Centre.
3. On the Getting started page, there is a link that enables you to download the token installation
software.
Click the link.

20 July 2017 23
Alliance Lite2
Administration Guide Get Started

4. Save the software installation file on your PC. The file name is Personal_token_install.zip.

2.6.2.2 Unzip and run the software installation file

Procedure
1. Navigate to the folder in which you saved the installation software zip file.
Either unzip the archive and navigate to the extracted folder OR
Double-click the zip file. In either case, the following window appears.

2. Double-click the software installation file contained within the zip file.
The Welcome to the SWIFT Token Client Installer window opens and you are ready to start
the installation in Interactive Mode. Refer to Install the software on page 25.

2.6.3 Install the Token Software in Silent Mode


In silent mode, you can remotely install the token software without interactive user input. The
installation procedure takes the input from a response file instead.
You must extract the installer files to one location, and use a script to install the token software in
silent mode.

Prerequisites
To install or remove the token software on PCs in silent mode, you must have administrator rights
for all of the PCs involved.
Note SWIFT recommends that you close all other applications running on the PC before
installing the token software.

Procedure
1. Extract the contents of the zip file Personal_token_install.zip, including the Silent
subfolder to a folder of your choice.

2. Start a DOS command window and navigate to that folder. Execute the following command to
start the silent installation:
If you want to customise the installation, then you can do so by setting the options in the file
silent-install.properties. This file provides the explanation of each option available.

20 July 2017 24
Alliance Lite2
Administration Guide Get Started

2.6.4 Install the Token Software in Interactive Mode

Install the software

Prerequisites
To install or remove the token software on a PC in interactive mode, you must have administrator
rights for that PC.
Note SWIFT recommends that you close all other applications running on the PC before
installing the token software.

Procedure
1. After you double-click the software installation file, the Welcome to the SWIFT Token Client
Installer window opens. This window informs you of the actions that are performed during
installation.

Click Next .
The SWIFT Token Client Location window opens.

Important Although it is possible to customise the options, SWIFT recommends that you
accept the proposed installation options.

2. If you want to customise the installation, then you can do so by selecting or clearing the
following options:
• Install SafeNet Authentication Client - the installer checks whether there is already an
appropriate version of the SafeNet Authentication Client installed on the PC and installs it if
needed. The SafeNet software contains the drivers needed for the token to be recognised.
You can clear this box if you want to install the SafeNet software after the token software is
installed.
• Install SWIFT Token Client - this configures the SWIFT environment on the PC and,
therefore, you cannot modify this setting.

20 July 2017 25
Alliance Lite2
Administration Guide Get Started

• Import SWIFT CA certificate - if you select this box, the installer automatically imports the
SWIFT CA certificate on to your PC.
Clear this box if your company policy does not allow you to import certificates. (In this case,
each time that you access the portal you get a warning pop-up message that says you are
using an untrusted certificate. Click OK on the warning, the pop-up closes, and you can
access the portal.)
• Configure Browser settings - if you select this box, then the installer enables TLS version
1.0, TLS 1.1 and TLS 1.2 on your internet browser and disables SSL 2.0 and SSL 3.0 as
these options are considered not secure.

When you have selected your installation options, click Next .


3. The SWIFT Token Client Location window opens.

It shows the proposed folder location for the software installation files. If you want to change the
default location, then click Browse... and navigate to the required folder for installation.
However, the SafeNet authentication software is stored in a default folder that cannot be
changed. The location of this software is shown in the field SafeNet Authentication Client
Folder Name.
Click Next .
4. The installer then runs a test to verify that the PC can support the token software installation.
This can take a few moments to complete.
If one or more of the configuration tests fail, then the System Configuration Test Results
window opens.
If all of the configuration tests are successful, then the SWIFT Token Client Installer
confirmation window opens (see the next step).

20 July 2017 26
Alliance Lite2
Administration Guide Get Started

The tests compare the Recommended conditions for installation to the Actual conditions of
the user's PC.
The Result in each case appears as OK, as a Warning or an ERROR.
If there is a Warning/ERROR, then an explanation appears in the lower half of the screen.
In the case of a Warning, the installation can continue. In the case of an ERROR, it cannot.
In the example above, the PC does not have a recommended version of Java installed on it. It
is only a Warning because the installation can complete with a lower version of Java, but there
can be problems when accessing the SWIFT portal.
In this case, there is also a link directly to the Java web site from where you can download the
latest version of Java software.
Click Next .
5. The SWIFT Token Client Installer confirmation window opens.

It confirms the actions that are performed during installation.

20 July 2017 27
Alliance Lite2
Administration Guide Get Started

Click Install to proceed with the installation.


The installation can take a couple of minutes. Do not interrupt the installation procedure during
this time.
6. The results of the installation appear.

If there is a Warning, then an explanation appears at the bottom of the window.


Click Next .
7. The Installation Complete window opens.

20 July 2017 28
Alliance Lite2
Administration Guide Get Started

Click Finish .
8. The Reboot notice window opens.

Restart your computer to complete the installation. Click Restart now or Restart later .

2.7 Remove the Token Software


You must have administrator rights on each PC from which you want to remove the token software.

2.7.1 Remove the Token Software in Interactive Mode


Procedure
1. From the Control Panel menu, ensure that you have the View by: Category option active.
Click the link Uninstall a program.
The Uninstall or change a program window opens.
2. Select the appropriate SWIFT Token Client program from the list and click Uninstall .
The Welcome to the SWIFT Token Client Uninstaller window opens.
3. Click Next .
Click Yes to confirm the uninstallation.
The Uninstallation Complete window opens.
Click Finish .
The Reboot notice window opens.
The token software is removed, but you must restart your computer for the uninstallation to take
effect. You can choose to Restart now or Restart later .

2.7.2 Remove the Token Software in Silent Mode


In silent mode, you can remotely uninstall the token software without interactive user input.
To install or remove the token software on PCs in silent mode, you must have administrator rights
for all of the PCs involved.
Note The directory in which the uninstall command is executed is important.
The command must not be under the installation directory otherwise the uninstaller will
not be able to remove some installation files.

20 July 2017 29
Alliance Lite2
Administration Guide Get Started

Execute the uninstaller as shown in the above example.


The uninstall.exe-silent command line requires a response file as argument. A sample
response file is present in the installation folder at %PDI_HOME%\..\config\silent-
uninstall.properties.

2.8 Activate Tokens for Customer Security Officers


Token activation prerequisites
Ensure that the IP address 149.134.170.6 is allowed through your firewall as the SWIFT Certificate
Centre resolves to this IP address.

2.8.1 Token Activation Process


Customer security officers
Alliance Lite2 is provisioned with two predefined customer security officers: the left security officer
(left-cso) and the right security officer (right-cso).
SWIFT creates a distinguished name (DN) for these two security officers:
• cn=left-cso, o=<BIC8>, o=swift
• cn=right-cso, o=<BIC8>, o=swift

Token Activation Process


1. The customer security officers must have all the items ready that are needed to activate their
tokens, see Before you begin.
2. The customer security officers activate their tokens on the SWIFT Certificate Centre. The
activation process generates the PKI private key on the token (see Activate the Token on page
30).
3. After the token activation, the customer security officers can register operators and set them up
for certification in the SWIFTNet Online Operations Manager portal to create a DN for the
operator and provide the activation code (see Create a DN on page 33).

Important For back-up purposes, SWIFT recommends the creation of an additional left security
officer (LSO) and an additional right security officer (RSO). This means that your
institution will have four operators with security officer permissions. This is very useful
when one of the two original customer security officers is unavailable (for example, on
holiday) or forgets his password. Certain actions can only be done if both the left
security officer and the right security officer are present. To create these additional
operators with security officer permissions, see Knowledge Base tip 5017169.

2.8.2 Activate the Token


When you receive your personal token from SWIFT, the token is inactive because it does not yet
contain your certificate.
You must activate your token on the SWIFT Certificate Centre before you can use it for SWIFT
services. The activation process generates your PKI private key and stores it on the token.

20 July 2017 30
Alliance Lite2
Administration Guide Get Started

Procedure
1. Retrieve the activation code from Secure Channel (see the Secure Channel User Guide).
2. Open Internet Explorer and navigate to http://www.swift.com/certificates.
The SWIFT Certificate Centre window appears.
3. Insert your token into a free USB port of your workstation.
4. Click Login .
The Confirm Certificate window appears.
5. Check that you are using the correct certificate by clicking the link Click here to view
certificate propr....
The correct certificate is issued by SWIFT and has a numeric name.
6. Select the certificate and click OK .
The Token Logon window appears.
7. Type the initial password that was supplied with the token in the Token Password field and
click OK .
You receive your token from one security officer, and the initial password from the other security
officer.
8. You may have to provide the password a second time.
The SWIFT Certificate Centre Login window appears.
9. Type the initial password that was supplied with the token in the Enter your token password
field and click Login .
The Token Activation window appears.
10. Click Next .
11. In the Enter Activation Code window, type the activation code that you obtained through
Secure Channel and click Validate .
If there is a problem with the activation code, then re-enter the code and click Validate again.
Note The activation code is required only once to complete the activation. After
activation is complete, this code cannot be reused.
12. You must now set your own password for the token. Complete the following fields in the
Change password window:

Current Password Enter the initial password that was supplied with the token.

New Password(1) Provide a strong new password. The rules for passwords are as follows:
• Minimum length is four characters (maximum is 20 characters).
• Lowercase (a-z) and uppercase (A-Z) characters are allowed.
Password is case-sensitive.
• Digits 0-9 are allowed.
• All printable ASCII characters are allowed.
• You must use at least two different characters. For example, you cannot
set the password to aaaa or 11111.
• You cannot reuse the previous password. There is a password history
of two years.

20 July 2017 31
Alliance Lite2
Administration Guide Get Started

Confirm new password Re-enter the new password.

(1) There is no expiry date set on this password. The system will never ask you to change the password.

13. Click Change .


Your private key is now being generated on the token and certified by SWIFT.
The Activation complete window appears.
14. Click Logout to quit the SWIFT Certificate Centre.
When the activation has been completed successfully your personal token is ready for use.

2.9 Create a Distinguished Name


One of the customer security officers must create a Distinguished Name (DN) for each operator
before creating the new operator in Alliance Lite2. The operator can then be approved by the other
customer security officer.
The customer security officer must provide the following to the new operator:
• the initial token password
• a token activation code that is used to activate the operator's token and to access Alliance Lite2
To use AutoClient with a channel certificate, you must first create a Distinguished Name (DN) for
the AutoClient operator and then configure it in the setPasswords tool. For more information about
how to create a channel certificate and a Distinguished Name for AutoClient, see the AutoClient
User Guide
The customer security officers create distinguished names in the SWIFTNet Online Operations
Manager.

2.9.1 Log in to SWIFTNet Online Operations Manager


You must log in to the SWIFTNet Online Operations Manager to create DNs and set them up for
certification. These steps are needed to provide the end users in your institution a token or channel
certificate.

Prerequisites
You must be a Alliance Lite2 customer security officer to perform this task.

Procedure
1. Insert the activated token.
2. Log in to Alliance Lite2 with the appropriate URL:
• on the Internet
https://alliancelite2.swift.com
• on MV-SIPN
https://alliancelite2.swiftnet.sipn.swift.com
3. Click Login to Live Service - Alliance Lite2 customers on the right of the page.
The Select a Certificate window appears.

20 July 2017 32
Alliance Lite2
Administration Guide Get Started

4. Select the corresponding certificate.


5. On the Token Logon window, enter the token password that you chose in step 12 on page 31
of Activate the Token on page 30.
6. Click OK .
The Alliance Lite2 login page appears.
7. Select Browse Services > SWIFTNet Online Operations Manager.

Important The SWIFTNet Online Operations Manager can be accessed only through the
Alliance Lite2 login page for the Live environment (see step 2). It is not accessible
through the Test environment.
If you (customer security officer) must create a DN for an operator in the Test
environment, then do the following:
• Go through the Alliance Lite2 Live environment to create the DN in SWIFTNet
Online Operations Manager.
• Log in to the Test environment to create the Test and Training operator with the
DN.
You follow the procedure of creating an operator in the Test environment in the
same way as you do to create an operator in the Live environment, see the
Administration Guide.

8. Select your Alliance Lite2 certificate and click OK .


9. In the Token Logon window, enter the token password that you chose in step 11 of Activate the
Token on page 30. Click OK .
You are now in SWIFTNet Online Operations Manager.
Note If you select the Message Confirmation checkbox in the Browse Preferences window
(accessible through the Preferences button on the top right corner of Alliance Lite2
home page), then the Browse Confirmation window appears. If this check box is not
selected, then the Token Logon window appears.

2.9.2 Create a DN

2.9.2.1 Create a new distinguished name

Procedure
1. Log in to the SWIFTNet Online Operations Manager (O2M). For more information, see Log in to
SWIFTNet Online Operations Manager on page 32.
2. Go to Security > Certificate Management - User and click the User certs tab.
Note In the same way as you click New to create new users, you also have a Recover
option that allows generating new codes and secrets in case they are required for
existing users. You must follow the same procedure as the one for creating new
users (described as follows) when you use the Recover option

20 July 2017 33
Alliance Lite2
Administration Guide Get Started

3. In the tree view, determine where in the hierarchy the new user is to be positioned. This
position in the tree determines the unique distinguished name created for the new user. SWIFT
recommends that you minimise the number of levels used in the tree to facilitate maintenance
of the tree. Put the user under an existing node by clicking that node to select it. The DN has a
size limit of 100 characters.
Example of a DN: cn=john-smith,ou=departmentname,o=bankbebb,o=swift, where:
• the cn= segment has the name of the token holder
• the ou= segment allows you to group multiple users under the same organisation unit in your
tree
• the first o= segment contains your live BIC

CAUTION You must not put multiple cn=xxx in one DN as this does not work. It is possible to
create the node in the SWIFTNet Online Operations Manager, but it is not possible
to use it for Browse. For example, you must NOT use
cn=bruno,cn=john,o=bankbebb,o=swift.

Because one DN corresponds to one physical token, it is not possible to duplicate


tokens for the same DN (for example for usage in disaster sites). The AutoClient
User Guide describes that the DN names, corresponding to the AutoClient token,
can be preceded by %1, %2... to have several AutoClient tokens. That only applies
to AutoClient operators and not to any other types of operator.

4. Click New .
The New window appears.

Type a name for the new user and select the type Human or Application.

20 July 2017 34
Alliance Lite2
Administration Guide Get Started

The rules for entering the name are as follows:


• Minimum length is four characters (maximum is 20 characters)
• First character must be alphabetic, but can be lowercase or uppercase
• Subsequent characters, in any order, can be:
- alphabetic (lowercase or uppercase)
- digits (0-9)
- hyphen (-)
Note Human or Application identifies an individual or an application. For Alliance Lite2
always select Human or Application.
Organisational Unit enables identification by department or by geographical
location.
5. Click OK .
6. Enter your token password.
7. Click OK .
8. A confirmation window appears and asks you if you want to set up the user for certification.
9. Click OK

The Setup for Certification window appears.

10. Select the certificate class:


Personal token.
For Alliance Lite2, channel certificates are used only for AutoClient. For information about
setting up the channel certificate for AutoClient, see the AutoClient User Guide.

20 July 2017 35
Alliance Lite2
Administration Guide Get Started

Important Do not select the Business, Lite, or Channel certificate class.

11. Click OK .
The 4-Eyes-Token window appears. This window displays a 14-digit code. Copy the full name
of the created DN for reference later.

12. Copy the 4-eyes token code and click OK .


Give the 4-eyes token code to another customer security officer. The other customer security
officer must perform the 4-eyes authorisation of the action before midnight GMT of the next
calendar day.
13. Click Log off to quit the SWIFTNet Online Operations Manager.
14. You are still logged in to Alliance Lite2. Select Operators from the User Configuration menu.
15. Follow the procedure Add an Operator on page 46.

2.10 Authorise the DN and Approve the Operator and


Issue the Activation Code
The customer security officer who created the DN cannot authorise the DN. Another customer
security officer must perform the authorisation procedure.

Procedure
1. In Alliance Lite2, the other customer security officer must select the Browse Services menu
and select the SWIFTNet Online Operations Manager.
2. Go to Security > 4-eyes Authorisation.
3. Enter the 14-digit 4-eyes token code (see step 11 on page 36) and click Retrieve .
Once the retrieval is done, the Authorise button is enabled.
4. Click Authorise .
After a few moments, the information for the DN is updated.
5. Enter your token password and click OK .
An Operation Successful window appears. Click OK .
6. Go to Security > Certificate Management - User.

20 July 2017 36
Alliance Lite2
Administration Guide Get Started

Note The status Ready for Certification will be shown and the Certify button does not
need to be used.
7. Double-click the DN that the first security officer has created to display the information for the
DN.
8. Click the + sign to the left of the Activation Secrets field to display the 28-digit activation code.
9. Copy the activation secrets and pass them to the personal token user (operator).
Give also the initial password to the operator. The initial password was sent by SWIFT to the
right customer security officer. It is the same for all tokens. The operator needs this password to
activate the token on the SWIFT Certificate Centre.
10. You can optionally enter a description of the new user and DN in the Description field.
11. Click Log off to quit the SWIFTNet Online Operations Manager.
12. You are still logged in to Alliance Lite2. Select Operators from the User Configuration menu.
13. From the list of operators, select the check box next to the operator that has been created. Click
Approve .

The Approval Status of the operator is now Approved. The Enable Status of the operator is
now Enabled.

Next
Activate the Token on page 30

20 July 2017 37
Alliance Lite2
Administration Guide User Management

3 User Management
3.1 Operators

3.1.1 Operators: Definition


Overview
Alliance Lite2 is installed with two predefined operators: the left customer security officer (left-cso)
and the right customer security officer (right-cso). The left customer security officer and the right
customer security officer are initially used to define other operators. Each operator that you define
has a current status which indicates whether the operator can use the system. Until a new operator
is approved separately by both security officers, the operator cannot sign on. Before approving a
new operator, a security officer must assign profiles to the operator. The name, current status, and
assigned profile or profiles that an operator has are called an operator definition.
For back-up purposes, SWIFT recommends the creation of an additional left security officer (LSO)
and an additional right security officer (RSO). This means that your institution will have four
operators with security officer permissions. This is very useful when one of the two original
customer security officers is unavailable (for example, on holiday) or forgets his password. Certain
actions can only be done if both the left security officer and the right security officer are present. To
create these additional operators with security officer permissions, see Knowledge Base tip
5017169.
Note Operators who have not logged in successfully during the last 90 days will be disabled.

Types of security officers

At SWIFT, there are different types of security officers:

Type of security Description Who plays the role


officer

SWIFTNet security Authorised representative for all the The SWIFT Customer Security
officer communication with SWIFT about Management (CSM) department plays the
SWIFTNet security. role of SWIFTNet security officer for all
Alliance Lite2 customers.
SWIFTNet security officers control the
security of their institution by maintaining
the certificates of their institution and
assigning roles to these certificates.
An institution must have at least two
security officers.

20 July 2017 38
Alliance Lite2
Administration Guide User Management

Type of security Description Who plays the role


officer

Alliance security Configures and manages the security SWIFT controls the left security officer
officer functions within Alliance Access or Alliance (LSO) and the right security officer (RSO)
Entry. role of the Alliance Lite2 infrastructure.
There are two security officers, the left
security officer (LSO) and the right security
officer (RSO). Together they control which
users can sign on to Alliance Access and
what those users are permitted to do.

Alliance Lite2 Used to create, manage and approve This role is played by staff of each Alliance
customer security operators. Lite2 customer and allows them, for their
officer own institution, to maintain operators on
This role combines the roles of SWIFTNet
Alliance Lite2 and to control security on
security officer and Alliance security officer
SWIFTNet.
but the role is restricted for some
operations and is assigned to one
institution only. Each institution has a copy
of this role that restricts operations to the
institution itself.

3.1.2 Operators Page


Content
The Operators page contains these elements:
• Filtering criteria and functionality that enable you to filter the list entities on the Operators page:
- See Operators on page 40
- See Functions on page 45
• Details of the operators
See Operators on page 40
• Details of security officers: LSO, RSO, and new security officers (visible with the name assigned
during their creation) are visible to security officers.
• Functions that enable you to manage the operators

20 July 2017 39
Alliance Lite2
Administration Guide User Management

Display

Operators

Operators page

Field Description Filtering


criteria

Name The operator's login. ✓


For filtering, the wildcard characters % and _ enable you to search for a
group of names.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Status You can select one of these values to filter on the approval status of the ✓
operator definitions:
• Approved
• Wait RSO Approval
• Wait LSO Approval
• Unapproved
You can also select one of these values to filter on the operator status
values:
• Enabled
• Disabled
• Time Disabled

Authenticati The value is set to Token.


on type

20 July 2017 40
Alliance Lite2
Administration Guide User Management

Operators page

Field Description Filtering


criteria

Last Login This picker enables you to filter operators who have not logged in since a ✓
Date selected date. No result is returned for an operator who has never logged in.

Profiles You can filter on the profiles using one of these two options: ✓
• Matching String: If you select this option, then type an operator
profile name in the corresponding field. The wildcard characters % and _
enable you to search for a group of names.
• Matching Selection: If you select this option, then select one or
several operator profiles in the Available list.

Units The only available unit is <BIC8>_Unit.


SWIFT can configure additional units for Alliance Lite2 customers as a
payable option.
Additional units can be requested either as part of the initial set-up services,
or ordered as additional configuration change requests. To request this
configuration change, contact SWIFT Support.

3.1.3 Operator Details: Configuration Tab


Content
To view the operator details, click the row of a specific operator. The Operator Details window
opens.
The Configuration tab contains these elements:
• Details for the configuration of the operator selected
See Details on page 42
• Functions that enable you to manage the operator
See Functions on page 45

20 July 2017 41
Alliance Lite2
Administration Guide User Management

Display

Details

Field Description

Name The operator's login. This name must be unique and can have up to 150 alphanumeric
characters. The following characters are allowed: @ . _ - : .
The operator's name must be prefixed with <BIC8>_. For example,
BANKBEBB_James.
The <BIC> in the operator's name is the Live BIC.

Description The full name of the operator or other description

Status The approval status of the operator definition and operator status

Last Login The date and time of the last login

Type The type of operator that connects to Alliance Lite2:


• Human user
• Application user
For Alliance Lite2 (including AutoClient), always select Human.

20 July 2017 42
Alliance Lite2
Administration Guide User Management

Field Description

User DN The distinguished name of the operator as created by the left or right customer
security officer on the SWIFT Online Operations Manager.
DN validation is performed on this field as follows:
• Length <= 100
• Number of levels between 2 and 10
• All levels of the form "…=<<value>>", with <value> between 1 and 20
alphanumeric characters (plus "-", "%", " ")
• Last level = "o=swift"
• Next-to-last level = "o=<bic8>" or "o=swift"
• Others in the format "ou=…" or "cn=…"

Profiles/Available The list of available operator profiles


To request additional profiles, contact SWIFT Support.

Profiles/Selected The list of operator profiles selected for the operator

Units/Available and The only available unit is <BIC8>_Unit.


Units/Selected SWIFT can configure additional units for Alliance Lite2 customers as a payable option.
Additional units can be requested either as part of the initial set-up services, or
ordered as additional configuration change requests. To request this configuration
change, contact SWIFT Support.

3.1.4 Operator Details: Monitoring Tab


Content
To view the operator details, click the row of a specific operator. The Operator Details window
opens.
The Monitoring tab contains these elements:
• Details for the monitoring of the sessions currently open by the operator selected
See Details on page 44
• Functions that enable you to manage the operator
See Functions on page 45

20 July 2017 43
Alliance Lite2
Administration Guide User Management

Display

Details

Field / Column Description

Last Login The date and time of the last login

Host Address The IP address or host name of the Alliance Web Platform Server-Embedded host
where the operator initiated a session. The address of the browser used to create the
session is logged in Alliance Web Platform Server-Embedded. For more information,
see viewing user session properties in the Web Platform Administration and
Operations Guide.

Expiration For Web services sessions, the time at which the session automatically expires if no
action is taken before

20 July 2017 44
Alliance Lite2
Administration Guide User Management

Field / Column Description

Session Type The type of session.


WebService: for sessions run through Alliance Web Platform Server-Embedded or
Web service applications

3.1.5 Operator Functions


Overview
These functions enable you to manage operators.

Functions

Function Purpose Operators Operator Details Operator Details


page - Configuration - Monitoring tab
tab

Hides the content of the filtering ✓ x x


criteria area
Present only when the content
is visible

Shows the content of the ✓ x x


filtering criteria area
Present only when the content
is hidden

Clear Resets the filtering criteria fields ✓ x x


to the default values

Submit Filters the list of entities ✓ x x


according to the current filtering
criteria values

Report Produces reports of the entities ✓ x x


returned by the filtering criteria
as well as the filtering criteria

Change View Changes the layout of the list for ✓ x x


the current page

20 July 2017 45
Alliance Lite2
Administration Guide User Management

Function Purpose Operators Operator Details Operator Details


page - Configuration - Monitoring tab
tab

Add / Add As To add an operator ✓ x x


You can also create an operator
using the characteristics of an
existing operator with the
Add As button

Procedure: Add an Operator on


page 46

Delete To delete an operator ✓ x x


Procedure: Delete an Operator
on page 48

Enable To enable an operator ✓ ✓ ✓


Procedure: Enable an Operator
on page 49

Disable To disable an operator ✓ ✓ ✓


Procedure: Disable an Operator
on page 49

Reset Password This function is not available for Alliance Lite2.

Approve To approve the operators' ✓ ✓ x


definitions
Procedure: Approve an
Operator on page 48

Report Produces summary or details ✓ ✓ ✓


reports

Previous Displays the details of the x ✓ ✓


previous entity

Next Displays the details of the next x ✓ ✓


entity

Close Closes the current window x ✓ ✓

3.1.6 Add an Operator


Prerequisites

Procedure
1. From the list of operators, click Add .

20 July 2017 46
Alliance Lite2
Administration Guide User Management

You can also add an operator using the characteristics of an existing operator.
Select the check box of an operator and click Add As .
The Operator Details window opens.
The status is Unapproved/Disabled.
2. In the Configuration tab, type a name for the operator in the Name field.
This name must be unique and can have up to 150 alphanumeric characters. The following
characters are allowed: @ . _ - : .
SWIFT recommends that you select something simple, such as the operator's first name.
The name must be prefixed with your <BIC8>_. For example, BANKBEBB_James.
If you are using the AutoClient token, then <BIC8>_AutoClient appears by default in the Name
field. You must not change this value.
3. In the Description field, type the full name of the operator or another description.
4. In the Type drop-down list, select one of the following values:
• Application
• Human

Note For Alliance Lite2 (including AutoClient), always select Human.


5. The Authentication Type field is set to Token by default.
6. In the User DN field, type the distinguished name (DN) of the operator that you just created in
the SWIFT Online Operations Manager.
7. Assign one or more profiles from the Profiles/Available list to the operator definition.

Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.
8. The only available unit is <BIC8>_Unit that appears in the Units Selected list by default.
Note SWIFT can configure additional units for Alliance Lite2 customers as a payable
option. Additional units can be requested either as part of the initial set-up
services, or ordered as additional configuration change requests. To request this
configuration change, contact SWIFT Support.
9. Click Save then click Approve .
On the Operators page, the Approval Status of the operator that you just added changes to
Wait LSO Approval or Wait RSO Approval.
If you change the profiles, then the operator must be re-approved by both security officers or
operators with the appropriate approval entitlement.

20 July 2017 47
Alliance Lite2
Administration Guide User Management

Next
Effect on passwords when modifying an operator:
• If user passwords are used on your system, then the modified operator can continue to sign on
with an existing password.
• If you are using a Radius one-time passwords:
- If you change the Authentication Type to Radius One-time Password, then the operator
must sign on using the one-time password generated by the hardware token, even if it is the
first sign-on.
- If Radius One-time Password is selected and you select another authentication method,
then the operator must use the associated user password. If the new authentication method
is Password, then the user is prompted to change password.
• If the authentication method is LDAP, then the operator must sign on with an LDAP password.

3.1.7 Delete an Operator


This procedure enables you to delete an operator.

Procedure
1. From the list of operators, select the check box for one or several operators in the left column.
2. Click Delete .
The Delete Confirmation window opens.
3. Click OK .
A status popup message appears.
Note The action of deleting an operator does not need to be approved.
When the security officers log in to SWIFTNet Online Operations Manager, they
still see the certificates (if any) for that operator as valid for eight days after the
operator is deleted from the Alliance Lite2 user management. The security officer
must not change anything to these certificates. The certificates of the deleted
operator will be automatically removed from the user tree after additional 124 days
and after automatic deletion of all its child nodes.

3.1.8 Approve an Operator


This procedure enables you to approve an operator.

Procedure
1. From the list of operator sessions, click the row of the operator that you want to approve.
The Operator Details window opens.
2. Click Approve .
A status popup message appears.

20 July 2017 48
Alliance Lite2
Administration Guide User Management

Note The other security officer or operator with the necessary entitlements and permissions
must now sign on and approve the operator or operators. When both security officers
or operators have approved the changes, the status changes to Approved and the
operator is automatically enabled.

3.1.9 Disable an Operator


This procedure enables you to disable an operator or a security officer (LSO/RSO).
The operator definition for an approved and enabled operator can be disabled, so that the operator
cannot sign on to Alliance Lite2. For example, you may decide to disable an operator's definition
because the operator has left your institution.
You can disable an operator definition until a specific date and time, or disable it indefinitely. You
can also automatically disable an operator who has not signed on for a certain period of time. For
more information, see the .
An LSO can only be disabled if there is at least one other LSO and at least one RSO must be
approved and enabled. The same rule applies when disabling an RSO (at least one other RSO and
at least one LSO must be approved and enabled). If it is not the case an error message is
returned:”You are not allowed to perform the requested operation. Cannot disable because there is
not another enabled and approved security officer pair."

Prerequisites

Procedure
1. From the list of operator sessions, click the row of the operator that you want to disable.
The Operator Details window opens.
2. Click Disable .
The Disable Operator window opens.
3. In the Next Sign On Allowed drop-down list, select one of the following options:
• By Enable Command: To disable the operator definition until you enable the definition again
with the Enable button.
• On the Following Date: To disable the operator definition until the date, and time that you
specify.
4. Click OK .
A status popup message appears.

Next
An LSO or an RSO that has been disabled will have the approval status Unapproved and must be
approved. For more information, see Approve an Operator on page 48.

Related information

3.1.10 Enable an Operator


This procedure enables you to enable an operator.

20 July 2017 49
Alliance Lite2
Administration Guide User Management

Prerequisites

Procedure
1. From the list of operator sessions, click the row of the operator that you want to enable.
The Operator Details window opens.
2. Click Enable .
A status popup message appears.

3.1.11 Monitor an Operator Session


This procedure enables you to monitor an operator session.

Prerequisites

Procedure
1. From the list of operators, click the row of the operator which you want to monitor.
The Operator Details window opens.
2. Click the Monitoring tab.
3. You can click Refresh to refresh the list.
4. Click Close .
The Operator Details window closes.

3.2 Operator Profiles

3.2.1 Operator Profiles: Definition


Alliance Lite2 consists of a number of entities. The security officers in your institution are
responsible for deciding which entities that you can use. The security officers do this by creating an
operator definition for each Alliance Lite2 operator. As part of this definition, the security officers
assign an Alliance Lite2 profile to operators.
An operator profile defines:
• The entities that an operator is allowed to use.
• The entitlements to use actions (functions) within a particular entity.
• The permissions associated with an entitlement.

3.2.2 Profiles Assignment


Operator profiles
The operator profile assigned to you depends on your job role. Your profile determines the menus,
menu options, windows, and available choices which are displayed on the screen when you sign on
to Alliance Lite2.

20 July 2017 50
Alliance Lite2
Administration Guide User Management

Any number of operators can be given the same profile, so that the duties which involve Alliance
Lite2 can be shared within your institution. If an operator has a combination of responsibilities, then
more than one profile can be assigned to the operator, provided there is no conflict between the
entitlements and the permissions in one profile and those in another.
Alliance Lite2 is delivered with various default profiles (pre-defined profiles) that security officers
can assign to new operators. Each profile corresponds to a specific user role.

Operator profiles in Alliance Lite2


SWIFT creates the operator profiles for Alliance Lite2 customers. Alliance Lite2 customers cannot
create these profiles.
The <BIC8>_ in the following table is replaced by the BIC8 of each Alliance Lite2 customer. Each
BIC has its own version of the profiles.
As described in the following table, the <BIC8>_OPER_SignOn profile is mandatory for all
operators.
Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.

For each institution, the following profiles are created:

Operator profile Description

<BIC8>_AutoClient (1) For connectivity through the AutoClient

<BIC8>_BIC_View Allows queries on the BIC Directory

<BIC8>_LSO Creation, management, and approval of operators

<BIC8>_MsgUpload Manual upload of files through message partners already defined on


Alliance Lite2

<BIC8>_Msg_All (2) All permissions for message handling

<BIC8>_Msg_AllOthr (2) All permissions for message handling except for the authorisation of own
message

<BIC8>_Msg_Audit Message search

<BIC8>_Msg_Auth Message verification and approval

<BIC8>_Msg_Oper (2) Message creation

<BIC8>_Msg_View Enables an operator to view messages of an 8-character BIC even when it


moves from an Alliance Lite2 subscription to an Alliance Remote Gateway
subscription

<BIC8>_OPER_SignOn Required to log in to the application (mandatory for all human users,
including SWIFT WebAccess)

<BIC8>_RMA_All All permissions for RMA

20 July 2017 51
Alliance Lite2
Administration Guide User Management

Operator profile Description

<BIC8>_RMA_Auth RMA approval

<BIC8>_RMA_Oper RMA creation

<BIC8>_RSO Creation, management, and approval of operators

(1) This profile must not be assigned to an operator as it is for internal use only. However, the security officer must assign the
OPER_SignOn profile to the AutoClient operator.
(2) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign the BIC_View profile to these operators.

Security officers' profiles and security-related entitlements


Security officers (left security officer and right security officer) have a specific set of entitlements
assigned to them by SWIFT. Both security officers have the same operator profile. This profile
cannot be displayed, modified, or removed.
The operators with<BIC8>_LSO and <BIC8>_RSO profiles are the Alliance Lite2 customer security
officers.
The operator details of the left security officer and right security officer must never be changed. If
these details are changed, then the security officer (left or right) will not be able to log in to the
Alliance Lite2 environment and SWIFT will need to intervene.
The approval of both security officers is needed when creating or modifying operators. All other
operations that fall within the scope of a security officer only need one security officer.

3.2.3 Operator Profiles Page


Content
The Operator Profiles page contains these elements:
• A filtering criterion and filtering functionality that enable you to filter the list entities on the
Operator Profiles page. See Details on page 53.
• Details of the available operator profiles
See Details on page 53
• Functions that enable you to manage the operator profiles
See Functions on page 53

20 July 2017 52
Alliance Lite2
Administration Guide User Management

Display

Details

Column Description Filtering criterion

Name The operator profile name ✓


The BIC in the operator profile
name is the Live BIC.

Functions

Function Description

Hides the content of the filtering criteria area


Present only when the content is visible

20 July 2017 53
Alliance Lite2
Administration Guide User Management

Function Description

Shows the content of the filtering criteria area


Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

3.2.4 Operator Profile Details


Content
The Operator Profile Details page contains these elements:
• Details of the operator profile selected
See Details on page 55
• Functions that enable you to manage the operator profile
See Functions on page 53

20 July 2017 54
Alliance Lite2
Administration Guide User Management

Display

Details

Field Description

Name The operator profile name

Entities/Available The entities that can be added to the operator profile

Entities/Selected The entities selected for the operator profile

Actions/Available For the entity selected, the actions that can be added to the operator profile

Actions/Selected For the entity selected, the actions selected for the operator profile

Permissions The permissions linked to the action selected

3.3 RBAC Roles for Browse Services

3.3.1 Assign and Approve RBAC Roles for Browse Users


In some Browse services, subroles can be assigned to operators to determine what the operator is
allowed to access within the Browse service. These are called RBAC roles (RBAC = Role-Based
Access Control). To perform tasks in Browse, these users must have the RBAC roles assigned by
the first Alliance Lite2 customer security officers (for example, the left customer security officer)
(see Assign RBAC Roles to a Browse User on page 56).This creates the 4-eyes token number.
The left customer security officer then provides the 4-eyes token number to the second customer
security officer (for example, the right customer security officer) who logs in and approves the
action (see Approve the assigned RBAC roles on page 59).

20 July 2017 55
Alliance Lite2
Administration Guide User Management

3.3.1.1 Assign RBAC Roles to a Browse User

Procedure
1. On the Browse home page, click Browse Services > SWIFTNet Online Operations Manager.
The SWIFTNet Browse Confirmation window appears indicating that you must enter your
password. You will be required to enter your password twice.

Note The Browse option does not appear if you logged on to the Test and Training
environment.
2. Enter your password.
3. Click OK .
The system starts the Authenticating process.
When the authentication completes, the SWIFTNet Online Operations Manager window
appears.

20 July 2017 56
Alliance Lite2
Administration Guide User Management

4. Click Security > Role Management.


The following window appears that displays a tree view with user nodes and the Role
Information pane on the right side of the window.

5. In Alliance Lite2, the customer security officer defines the Distinguished Name (DN) used by
the token. The Browse nodes add cn=%51 or cn=%52 (or cn=tt for Test and Training) in front of
the DN.

For example, if the token is cn=user,o=<bic8>,o=swift, then the browse nodes are as follows:

For live environment For test environment

cn=%51,cn=user,o=<bic8>,o=swift cn=tt,cn=user,o=<bic8>,o=swift

cn=%52,cn=user,o=<bic8>,o=swift

20 July 2017 57
Alliance Lite2
Administration Guide User Management

CAUTION The %51, %52, and tt nodes are automatically created when the corresponding
operator logs in for the first time to Alliance Lite2. The security officers should
never create these nodes.
The %51 and %52 nodes must always be aligned in terms of roles assignments.

6. Double-click a user on the tree view and assign both the %51 and %52 for the live environment
and tt for the test environment the necessary RBAC roles.
The %51 and %52 nodes relate to the high available configuration of the two Alliance Lite2
servers. It is important that you grant the same roles to both %51 and %52. The easiest way of
doing this is to double-click to select both %51 and %52 in the tree view so that they are
displayed on the right side of the screen. You can then use the Group Grant function to assign
the same roles to both %51 and %52 at the same time.
For more information, see the Certificate Administration Guide > Distinguished Name
Equivalence.
7. Expand the roles in the Role Information pane as needed.
8. For each role, select the corresponding checkbox to grant the role (to ungrant a role, clear the
corresponding checkbox).
When you do a modification, a light icon appears above the checkboxes.
This window looks like the following:

Note The meaning of these roles is decided by the third party Browse service provider
(for example, TARGET2). You must follow the guidelines provided by your service
provider to understand and set the right roles.
9. Click Save .
The system prompts you to enter your password.

20 July 2017 58
Alliance Lite2
Administration Guide User Management

10. Enter your password and click OK .


The 4-Eyes Token window appears providing you with a 4-eyes token number that the second
customer security officer needs to approve the roles that are assigned to the user. It also
provides additional information about the token. An example 4-Eyes Token is as follows:

11. Click OK to complete the RBAC role assigning procedure.

3.3.1.2 Approve the assigned RBAC roles

Procedure
1. If the left customer security officer assigned the RBAC roles, then the right customer security
officer must approve the RBAC roles. For more information, see Assign and Approve RBAC
Roles for Browse Users on page 55.
2. On the SWIFTNet Online Operations Manager window, click Security > 4-eyes
Authorisations.
3. In the text box as indicated on the screen, type or paste the token that the first customer
security officer received at the end of the procedure for assigning the RBAC roles.

20 July 2017 59
Alliance Lite2
Administration Guide User Management

4. Click Retrieve .
The details of the action to authorise appear in the right pane.

5. Verify the details and click Authorise .


The Operation Successful confirmation window appears.

20 July 2017 60
Alliance Lite2
Administration Guide User Management

6. Click OK .
For more information about SWIFTNet Online Operations Manager, see the SWIFTNet
Online Operations Manager User Guide.

20 July 2017 61
Alliance Lite2
Administration Guide Reference Data Management

4 Reference Data Management


The reference data described in this section can only be viewed (that is, not modified) by Alliance
Lite2 customers. SWIFT automatically manages this data for Alliance Lite2 customers.

4.1 Correspondents

4.1.1 Correspondents
In Alliance Lite2, a correspondent can be an institution, a department, or an individual with which
Alliance Lite2 can communicate through SWIFT.
You can display the details of correspondents or groups of related correspondents.

4.1.2 Correspondents Page


Content
The Correspondents page contains these elements:
• Filtering criteria and functionality that enable you to filter the list entities on the Correspondents
page:
- See Correspondents on page 63
- Functions on page 69
• Details of the available correspondents
See Correspondents on page 63
• Functions that enable you to view the correspondents
See Functions on page 69

20 July 2017 62
Alliance Lite2
Administration Guide Reference Data Management

Display

Correspondents

Correspondents

Field Description Filtering


criteria

Type The correspondent type. This can be either an institution, a department, or ✓


an individual.
These are the possible filtering criteria:
• Institution: to search only for correspondents that are institutions
• Department: to search only for correspondents that are departments
• Individual: to search only for correspondents that are individuals

Institution The BIC-11 address of the institution. The BIC-8 destination address is ✓
followed by either a specific three-character branch code or by a default
branch code of XXX.
For filtering, the wildcard characters % and _ can also be used.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Department If the correspondent is a department or individual, this is the name of the ✓


department within the institution. Otherwise, it is blank.
For filtering, if the Type drop-down list is empty or set to Department or
Individual, then in the Department field, you can enter the name of the
department within the institution that you are searching for. The wildcard
characters % and _ can be used.

20 July 2017 63
Alliance Lite2
Administration Guide Reference Data Management

Correspondents

Field Description Filtering


criteria

Last Name If the correspondent is an individual, this is the last name of the individual. ✓
Otherwise, it is blank.
For filtering, if the Type drop-down list is empty or set to Individual, then
in the Last Name field, you can enter the last name of the individual who
you are searching for. The wildcard characters % and _ can be used.

First Name If the correspondent is an individual, this is the first name of the individual. ✓
Otherwise, it is blank.
For filtering, if the Type drop-down list is empty or set to Individual, then
in the First Name field, you can enter the first name of the individual who
you are searching for. The wildcard characters % and _ can be used.

Definition These are the possible values: ✓


• Internal: to search only for internal correspondents. These are
correspondents owned by the institution.
• External: to search only for external correspondents. These are
correspondents not owned by the institution.

Institution The name of the institution. ✓


Name
For filtering, the BIC-11 address of the institution. The BIC-8 destination
address is followed by either a specific three-character branch code or by a
default branch code of XXX
The full name of the institution. The wildcard characters % and _ can be
used.

Branch (Info) The name of the branch. ✓


For filtering, the full name of the branch. The wildcard characters % and _
can be used.

City Name The full name of the city in which the correspondent is located. ✓
For filtering, the wildcard characters % and _ can be used.

Country The two-character ISO standard code for the country in which the ✓
(Code) correspondent is based - the same as characters 5 and 6 of the BIC-11
address in the Institution field.
For filtering, the wildcard characters % and _ can be used.

20 July 2017 64
Alliance Lite2
Administration Guide Reference Data Management

Correspondents

Field Description Filtering


criteria

Status The status of the correspondent. This can be Active or Inactive. You ✓
cannot send a message to an inactive correspondent.
For filtering, these are the possible values:
• Active: to search only for correspondents with an Active status.
• Inactive: to search only for correspondents with an Inactive status.
You cannot send a message to an inactive correspondent.

Modified Enter a date using the date picker. Only correspondent records which have ✓
Since been modified since this date are included in the search.

Update on Select this check box to filter on any unpublished BICs that you have ✓
BIC Load defined on your correspondents.

Application These are the possible values: ✓


• APPLI: to search only for correspondents that have APPLI as one of
their defined applications. APPLI is the Alliance application interface to
external message partners (such as back-office banking systems).
If you select APPLI, then the Exit Point drop-down list appears. Select the
exit point to which any messages for the correspondent are routed.

4.1.3 Correspondent Details : Profile Tab


Content
The Profile tab contains these elements:
• Details of the correspondents
See Details on page 66
• Functions that enable you to view the correspondents
See Functions on page 69

20 July 2017 65
Alliance Lite2
Administration Guide Reference Data Management

Display

Details

Field Description

Status The status of the correspondent. This can be Active or Inactive. You cannot send
a message to an inactive correspondent.

Definition These are the possible values:


• Internal: to create an internal correspondent. An internal correspondent is
owned by the institution.
• External: to create an external correspondent. An external correspondent is not
owned by the institution.

20 July 2017 66
Alliance Lite2
Administration Guide Reference Data Management

Field Description

Header Select a correspondent type in the Type drop-down list.


These are the possible values:
• Institution: to create a correspondent that is an institution
• Department: to create a correspondent that is a department
• Individual: to create a correspondent that is an individual
Then, you can complete the following fields:
• Institution: The BIC-11 address of the institution. The BIC-8 destination address is
followed by either a specific three-character branch code or by a default branch
code of XXX. Special characters are not allowed.
• Department: If the Type field is set to Department or Individual, then in the
Department field, you can enter the name of the department. Special characters
are not allowed.
• Last Name: If the Type field is set to Individual, then in the Last Name field,
you can enter the last name of an individual. Special characters are not allowed.
• First Name: If the Type field is set to Individual, then in the First Name field,
you can enter the first name of an individual. Special characters are not allowed.
Optionally, a more specific description of the correspondent type can appear in the
Sub Type field.

Details In the Profile drop-down list, specify the following:


• Specific: The correspondent profile is specific to this correspondent and is not
inherited from a parent correspondent.
• Same as Institution: The correspondent is a department and inherits its
profile from the institution to which it is associated.
• Same as Department: The correspondent is an individual and inherits its profile
from the department to which it is associated.
The available choices depend on the correspondent type selected in the Type drop-
down list.
If you selected Specific, you have to complete the following fields:

• Institution Name: the full name of the institution


• Branch: the full name of the branch
• City: the name of the city in which the correspondent is located.
The Country field shows the ISO standard country code for the country in which
the correspondent is based. This is character 5 and 6 of the BIC-11 address in the
Institution field.
• Address: the address of the correspondent
• Location: the location of the correspondent
• POB Number: the post office box of the correspondent
• POB Location: the location of the post office box

20 July 2017 67
Alliance Lite2
Administration Guide Reference Data Management

Field Description

Preferred The preferred language that Alliance Lite2 must use when expanding messages sent
Language to the correspondent
These are the possible values:
• English
• Francais
• Deutsch
• Italiano
• Espanol

Comments Any general comment about the correspondent

Update on BIC Select this check box if you want the correspondent record to be updated when an
Load Alliance Bank File is loaded. This means that the record may be changed or even
deleted as a result of the update.
Clear the check box if you do not want the correspondent record to be updated when
an Alliance Bank File is loaded.
This means that if the Alliance Bank File shows that the correspondent must be
modified, the record is not modified. If the Alliance Bank File shows that the
correspondent must be deleted, then the record is not deleted, but SWIFT is removed
from the list of Preferred Networks for the correspondent.

Last Modification This field shows the date on which the correspondent record was last modified.

4.1.4 Correspondent Details: Preferred Networks Tab


Content
The Preferred Networks tab displays the network applications that Alliance Lite2 can use to send
messages to the correspondent.
The Preferred Networks tab contains these elements:
• Details of the correspondents
See Details on page 66
• Functions that enable you to view the correspondents
See Functions on page 69

20 July 2017 68
Alliance Lite2
Administration Guide Reference Data Management

Display

Details

Field Description

Preferred All the defined applications for the correspondent that are also network applications.
Networks
By default, Alliance Lite2 sends any message to the correspondent using the first
network application in the Selected list that can handle the message format, unless
you specify a different network application during message creation or modification.
Your correspondent may prefer you to use the applications in a specific order.

4.1.5 Correspondent Functions


Overview
These functions enable you to view correspondents.

Functions

Function Description Correspondents Correspondent


page Details window

Hides the content of the filtering criteria area ✓ x


Present only when the content is visible

20 July 2017 69
Alliance Lite2
Administration Guide Reference Data Management

Function Description Correspondents Correspondent


page Details window

Shows the content of the filtering criteria area ✓ x


Present only when the content is hidden

Clear Resets the filtering criteria fields to the default ✓ x


values

Submit Filters the list of entities according to the ✓ x


current filtering criteria values

Report Enables you to produce reports of the entities ✓ x


returned by the filtering criteria as well as the
filtering criteria

Change View Changes the layout of the list for the current ✓ x
page

Report Enables you to produce summary or details ✓ ✓


reports

Previous Displays the details of the previous entity ✓ ✓

Next Displays the details of the next entity ✓ ✓

Close Closes the current window x ✓

4.2 Countries

4.2.1 Countries
You can display the reference data country records. Most of the reference data details are imported
from the Alliance Bank File. Each country record includes a field that defines whether the record
must be updated automatically when an Alliance Bank File is loaded into Alliance.

20 July 2017 70
Alliance Lite2
Administration Guide Reference Data Management

4.2.2 Countries Page


Content
The Countries page contains these elements:
• Filtering criteria and functionality that enable you to filter the list entities on the Countries page.
See Countries on page 72.
• Details of the available countries
See Countries on page 72
• Functions that enable you to view the countries
See Functions on page 72

Display

20 July 2017 71
Alliance Lite2
Administration Guide Reference Data Management

Countries

Countries

Field Description Filtering


criteria

Code The unique two-character ISO standard country code. ✓


For filtering, the wildcard characters % and _ enable you to search for a
group of codes.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Name The country name. ✓


For filtering, the wildcard characters % and _ enable you to search for a
group of names.

Functions

Function Description

Hides the content of the filtering criteria area


Present only when the content is visible

Shows the content of the filtering criteria area


Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

Upload now After prompting you to confirm or modify the configuration details, loads the Bank
Update File.

20 July 2017 72
Alliance Lite2
Administration Guide Reference Data Management

4.2.3 Country Details


Content
The Country Details window contains these elements:
• Details of the countries
See Details on page 73

Display

Details

Field Description

Code The unique two-character ISO standard country code

Name The name of country

Update on BIC Select this check box if you want the country record to be updated when an Alliance
Load Bank File is loaded. This means that the record may be changed or even deleted as a
result of the update.
Clear the check box if you do not want the country record to be updated when an
Alliance Bank File is loaded.

20 July 2017 73
Alliance Lite2
Administration Guide Reference Data Management

4.3 Currencies

4.3.1 Currencies
You can display the reference data currency records. Most of the reference data details are
imported from the Alliance Bank File. Each currency record includes a field that defines whether
the record must be updated automatically when an Alliance Bank File is loaded into Alliance.

4.3.2 Currencies Page


Content
The Currencies page contains these elements:
• Filtering criteria and functionality that enable you to filter the list entities on the Currencies
page:
- See Currencies on page 75
- See Functions on page 75
• Details of the available currencies
See Currencies on page 75
• Functions that enable you to view the currencies
See Functions on page 75

Display

20 July 2017 74
Alliance Lite2
Administration Guide Reference Data Management

Currencies

Currencies

Field Description Filtering


criteria

Code The unique three-character ISO standard currency code. ✓


For filtering, the wildcard characters % and _ enable you to search for a
group of codes.
% Replaces one or more contiguous unknown characters in a string
_ Replaces one unknown character in a string

Name The currency name. ✓


For filtering, the wildcard characters % and _ enable you to search for a
group of names.

Digits The maximum number of digits needed to correctly display fractional


amounts of the currency. This can be any number between 0 and 6.

Functions

Function Description

Hides the content of the filtering criteria area


Present only when the content is visible

Shows the content of the filtering criteria area


Present only when the content is hidden

Clear Resets the filtering criteria fields to the default values

Submit Filters the list of entities according to the current filtering criteria values

Report Enables you to produce reports of the entities returned by the filtering criteria as well
as the filtering criteria

Change View Changes the layout of the list for the current page

Report Enables you to produce summary or details reports

Previous Displays the details of the previous entity

Next Displays the details of the next entity

Close Closes the current window

Upload now After prompting you to confirm or modify the configuration details, loads the Bank
Update File.

20 July 2017 75
Alliance Lite2
Administration Guide Reference Data Management

4.3.3 Currency Details


Content
The Currency Details window contains these elements:
• Details of the currencies
See Details on page 76

Display

Details

Field Description

Code The unique three-character ISO standard currency code

Name The name of the currency

Number of Digits The maximum number of digits needed to correctly display fractional amounts of the
currency. This can be any number between 0 and 6.

Update on BIC Select this check box if you want the currency record to be updated when an Alliance
Load Bank File is loaded. This means that the record may be changed or even deleted as a
result of the update.
Clear the check box if you do not want the currency record to be updated when an
Alliance Bank File is loaded.

20 July 2017 76
Alliance Lite2
Administration Guide Default Operator Profiles

5 Default Operator Profiles


SWIFT creates the operator profiles for Alliance Lite2 customers. Alliance Lite2 customers cannot
create these profiles.
Note SWIFT can configure additional operator profiles for Alliance Lite2 customers as a
payable option. Additional operator profiles can be requested either as part of the
initial set-up services, or ordered as additional configuration change requests. To
request this configuration change, contact SWIFT Support.
This section describes the following:
• Alliance Lite2 default operator profiles on page 77
• Entities and operator profiles on page 78
• How Entities, Actions, and Permissions Work on page 80
• Specific entities, actions, and permissions available to each operator profile
Note In this chapter several entities or permissions, visible on the screen as 'selected', are
not documented because they cannot be used with Alliance Lite2.

Alliance Lite2 default operator profiles

For each institution, the following profiles are created:

Operator profile Description

AutoClient on page 81 (1) For connectivity through the AutoClient

BIC_View on page 82 Allows queries on the BIC Directory

LSO Creation, management, and approval of operators

MsgUpload on page 83 For manual upload of files

Msg_All on page 84 (2) All permissions for message handling

Msg_AllOthr on page 90 (2) All permissions for message handling except for the authorisation of own
message

Msg_Audit on page 90 Message search

Msg_Auth on page 91 Message approver

Msg_Oper on page 94 (2) Message creator

OPER_SignOn on page 99 Required to log in to the application (mandatory for all human users)
Required for Browse users

RMA_All on page 99 All permissions for RMA

RMA_Auth on page 103 RMA approver

RMA_Oper on page 106 RMA creator

20 July 2017 77
Alliance Lite2
Administration Guide Default Operator Profiles

Operator profile Description

RSO Creation, management, and approval of operators

(1) This profile must not be assigned to an operator as it is for internal use only. However, the security officer must assign the
OPER_SignOn profile to the AutoClient operator.
(2) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign the BIC_View profile to these operators.

Entities and operator profiles

The following table describes the different entities in Alliance Lite2 and the default operator profiles
that have certain permissions for each entity:

Entity Description Default operator profiles

Access Control Controls all access to Alliance LSO and RSO


Lite2 and, therefore, to all of the
OPER_SignOn
other entities and functions.

Application Interface Controls the transfer of messages AutoClient


and files between Alliance Lite2
MsgUpload
and back-office applications,
printers, or any other system that
communicates with Alliance Lite2.
Suitable messages for transferring
include SWIFT FIN, MX, FileAct,
and system messages. Suitable
files include payload files, or files
that contain several messages.

Correspondent Information File Contains essential data about a BIC_View


user's correspondents, in the form
of correspondent, alias, country,
network, and currency records.

Message Creation Provides all the functions Msg_All (1)


necessary to create messages.
Msg_Oper (1)
Msg_AllOthr (1)

Message Modification Messages that fail validation during Msg_All


message creation, or that fail
Msg_Auth
verification or authorisation can be
sent to a Text Modification Msg_Oper
message queue for later editing. Msg_AllOthr
An entitled user can use the
Message Modification entity to edit
the messages in these queues.

20 July 2017 78
Alliance Lite2
Administration Guide Default Operator Profiles

Entity Description Default operator profiles

Message Approval Allows entitled operators to verify Msg_All


and authorise messages.
Msg_Auth
Msg_Oper
Msg_AllOthr (2)

Message File Provides a central query, Msg_All


maintenance, and archiving facility
Msg_Auth
for all messages processed by
Alliance Lite2. Msg_Oper
Msg_AllOthr
Msg_Audit

Relationship Management The Relationship Management RMA_All


functionality allows institutions to
RMA_Auth
manage business relationships
with their counterparties. RMA_Oper

When one party in a business


relationship consents to receive
messages from a specific
correspondent, that consent is
recorded in an Authorisation.
The Relationship Management
entity allows an entitled user to
create and manage the
authorisations that restrict the
sending of messages between
parties in a business relationship.

Security Definition The LSO/RSO or other entitled LSO and RSO


user can use the Security
Definition entity to define which
Alliance Lite2 entity functions each
user can access, by assigning an
operator profile to each user.

(1) To enable operators with these profiles to send MT messages from Message Management, the security officer must also
assign these operators the BIC_View profile.
(2) An operator with this profile can verify his own message, but cannot authorise his own message.

Related information
Operator Profile Details on page 54

20 July 2017 79
Alliance Lite2
Administration Guide Default Operator Profiles

5.1 How Entities, Actions, and Permissions Work


Example of an operator profile with no permissions

Description

1 The BIC_View profile can use the Correspondent Info entity as this is the entity that is
selected.

2 Within the Correspondent Info entity, this profile can perform the three actions that are
selected:
• OpenPrint Corr Dets
• OpenPrint Country
• OpenPrint Currency

3 There are no specific permissions linked to these actions.

20 July 2017 80
Alliance Lite2
Administration Guide Default Operator Profiles

Example of an operator profile with specific permissions

Description

1 The Msg_Oper profile can use the Mesg Approval, Mesg Creation, Mesg Modification,
and Message File entities.

2 Within the Mesg Modification entity, this profile can perform the three actions that are
selected:
• Complete Message*
• Dispose Message*
• Modify Message*

3 An asterisk indicates that there are specific permissions linked to an action. In this case,
there are specific permissions for all of the selected actions.

4 This example shows the permissions for Complete Message*.

5.2 AutoClient
The AutoClient operator profile can perform certain actions related to the Application Interface
entity:

Actions Permissions Specific permissions for AutoClient

Create Message Own destination Allowed


(Allowed/Prohibited)

MT Prohibited
(Allowed/Prohibited)

20 July 2017 81
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for AutoClient

CCY+[AMOUNT] Prohibited
(Allowed/Prohibited)

Service $ identifier Prohibited


(Allowed/Prohibited)

Dispose Message Bypass verify MT Prohibited


(Allowed/Prohibited)

Bypass verify CCY Prohibited


(Allowed/Prohibited)

Bypass auth. MT Prohibited


(Allowed/Prohibited)

Bypass auth. CCY Prohibited


(Allowed/Prohibited)

Bypass authorisation: service $ identifier Prohibited


(Allowed/Prohibited)

Move to Routing Point

Important This profile must not be assigned to an operator as it is for internal use only. However,
the security officer must assign the OPER_SignOn profile to the AutoClient operator.

5.3 BIC_View

Entity Actions allowed for BIC_View Specific permissions for BIC_View

Correspondent Info OpenPrint Corr Dets (Correspondent details) None

OpenPrint Country None

OpenPrint Currency None

5.4 LSO and RSO

Entities Actions allowed for LSO and Specific permissions LSO Specific permissions RSO
RSO

Access Control Signon

20 July 2017 82
Alliance Lite2
Administration Guide Default Operator Profiles

Entities Actions allowed for LSO and Specific permissions LSO Specific permissions RSO
RSO

Start time 0000 0000

End time 2357 2357

Start time 2358 2358

End time 2359 2359

WS Session Timeout 0 0

Security Definition Add Operator None None

Approve Operator Left Right


Approve Left or Right part

Create Op List

Disable Operator

Enable Operator None None

Mod Operator

Rem Operator

5.5 MsgUpload
The MsgUpload operator profile can perform certain actions related to the Application Interface
entity:

Actions Permissions Specific permissions for


MsgUpload

Create Message Own destination Allowed


(Allowed/Prohibited)

MT Prohibited
(Allowed/Prohibited)

CCY+[AMOUNT] Prohibited
(Allowed/Prohibited)

Service $ identifier Prohibited


(Allowed/Prohibited)

20 July 2017 83
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


MsgUpload

Dispose Message Bypass verify MT Allowed


(Allowed/Prohibited)

Bypass verify CCY Allowed


(Allowed/Prohibited)

Bypass auth. MT Allowed


(Allowed/Prohibited)

Bypass auth. CCY Allowed


(Allowed/Prohibited)

Bypass authorisation: service $ identifier Allowed


(Allowed/Prohibited)

Move to Routing Point

Open/Print Partner Local Authentication Key:

First part (Yes/No) No

Second part (Yes/No) No

Session Authentication Key:

First part (Yes/No) No

Second part (Yes/No) No

Message Partner(s) e.g. Batchinput or Batch% Allowed


(Allowed/Prohibited)

Start Session Message Partner(s) Allowed


(Allowed/Prohibited)

5.6 Msg_All
Introduction
The Msg_All operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 85
• Mesg Creation on page 86
• Mesg Modification on page 87

20 July 2017 84
Alliance Lite2
Administration Guide Default Operator Profiles

• Message File on page 89


• SWIFTNet Interface on page 90
Note To enable operators with the Msg_All profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).
Note Only operators with the Msg_All profile can manage locked templates.

Entities, actions, and permissions

Mesg Approval

Actions Permissions Specific permissions for Msg_All

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Approve Message Own destination Allowed


(Allowed/Prohibited)

Can Verify (Yes/No) Yes

Can Authorise (Yes/No) Yes

Verify own entered mesg (Yes/No) Yes

Auth. own entered mesg (Yes/No) Yes

Auth. own verified mesg (Yes/No) Yes

Group authorise (Yes/No) Yes

CCY/Amount Prohibited
(Prohibited/Allowed)

SWIFT FIN User MT Prohibited


(Prohibited/Allowed)

SWIFT FIN System MT Prohibited


(Prohibited/Allowed)

SWIFT APC System MT Prohibited


(Prohibited/Allowed)

Service $ identifier Prohibited


(Prohibited/Allowed)

trans App Limit Not in use in Alliance Lite2


(Allowed/Prohibited)

20 July 2017 85
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for Msg_All

Daily App Limit Not in use in Alliance Lite2


(Allowed/Prohibited)

Final Approver (Yes/No)(1) Yes

Dispose Message Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

Route Message Own Destination Allowed


(Allowed/Prohibited)

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Creation

Actions Permissions Specific permissions for Msg_All

Add/Mod/Rem Template Own destination Allowed


(Allowed/Prohibited)

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Create Message List of Own-Destination Allowed


(Allowed/Prohibited)

Can create broadcasting (Yes/No) No

CCY/Amount Prohibited
(Allowed/Prohibited)

Swift FIN User MT Prohibited


(Allowed/Prohibited)

Swift FIN System MT Prohibited


(Allowed/Prohibited)

SWIFT APC System MT Prohibited


(Allowed/Prohibited)

20 July 2017 86
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for Msg_All

Multiple Retrieval Allowed for FIN System mesg. No


(Yes/No)

Multiple Retrieval Allowed for APC System mesg. No


(Yes/No)

FIN-Copy Allowed (Yes/No) Yes

Service $ identifier Prohibited

Dispose Message Bypass Verification CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Verification SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN System MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT APC System MT Prohibited


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

Bypass Authorisation: service $ identifier Prohibited


(Allowed/Prohibited)

Route Message Own Destination Allowed


(Allowed/Prohibited)

Mesg Modification

Actions Permissions Specific permissions for Msg_All

Advanced Editing Not in use in Alliance Lite2 Not in use in Alliance Lite2

Complete Message Own Destination Allowed


(Allowed/Prohibited)

20 July 2017 87
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for Msg_All

Dispose Message Bypass Verification CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Verification SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN System MT Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT APC System MT Prohibited


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

Bypass Authorisation: service $ identifier Prohibited


(Allowed/Prohibited)

Modify Message Own destination Allowed


(Allowed/Prohibited)

Mod. in Text_modifcation (Yes/No) Yes

Mod. in Emission_security (Yes/No) Yes

Mod. in Transmission_modif (Yes/No) Yes

Mod. in modif_after_reception (Yes/No) Yes

Mod. in Reception_security (Yes/No) Yes

CCY/Amount Prohibited
(Allowed/Prohibited)

SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

SWIFT FIN System MT Prohibited


(Allowed/Prohibited)

20 July 2017 88
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for Msg_All

SWIFT APC System MT Prohibited


(Allowed/Prohibited)

Multiple Retrieval Allowed for FIN System Mesg. No


(Yes/No)

Multiple Retrieval Allowed for APC System Mesg. No


(Yes/No)

FIN-Copy Allowed Yes

Service $ identifier Prohibited


(Allowed/Prohibited)

Reporting Not in use in Alliance Lite2 Not in use in Alliance Lite2

Route Message Own Destination Allowed


(Allowed/Prohibited)

Message File

Actions Permissions Specific permissions for Msg_All

Complete Instance Own Destination Allowed


(Allowed/Prohibited)

Export Messages Not in use in Alliance Lite2 Not in use in Alliance Lite2

Search Completely hide messages of other units No


(Yes/No)

Own destination Allowed


(Allowed/Prohibited)

Reporting

Actions Permissions Specific permissions for Msg_All

View I/O Reports Not in use in Alliance Lite2 Not in use in Alliance Lite2

View Oper Reports Not in use in Alliance Lite2 Not in use in Alliance Lite2

20 July 2017 89
Alliance Lite2
Administration Guide Default Operator Profiles

SWIFTNet Interface

Actions Permissions Specific permissions for Msg_All

Open/Print RProf RT

RT File Get Request Service(s) e.g. swift.fin Prohibited


(Allowed/Prohibited)

Request type(s) e.g. pacs.001.001.01 Prohibited


(Allowed/Prohibited)

Own Destination(s) (BIC8) e.g. BBBBCC22 Allowed

5.7 Msg_AllOthr
The Msg_AllOthr operator profile can perform the same actions as the profile Msg_All on page 84
except for the Mesg Approval entity, where the specific permission for “Auth. own entered mesg” is
set to “No”.
Note To enable operators with the Msg_AllOthr profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).

5.8 Msg_Audit
Introduction
The Msg_Audit operator profile can perform only the Search action related to the Message File
entity.

Entities, actions, and permissions

Message File

Actions Permissions Specific permissions for Msg_Audit

Search Complete hide messages of other units No


(Yes/No)

Own destination Allowed


(Allowed/Prohibited)

20 July 2017 90
Alliance Lite2
Administration Guide Default Operator Profiles

5.9 Msg_Auth
Introduction
The Msg_Auth operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 91
• Mesg Modification on page 92
• Message File on page 94

Entities, actions, and permissions

Mesg Approval

Actions Permissions Specific permissions for


Msg_Auth

Approve Message Own destination Allowed


(Allowed/Prohibited)

Can Verify (Yes/No) Yes

Can Authorise (Yes/No) Yes

Verify own entered mesg (Yes/No) Yes

Auth. own entered mesg (Yes/No) Yes

Auth. own verified mesg (Yes/No) Yes

Group authorise (Yes/No) Yes

CCY/Amount Prohibited
(Allowed/Prohibited)

Swift FIN User MT Prohibited


(Allowed/Prohibited)

Swift FIN System MT Prohibited


(Allowed/Prohibited)

Swift APC System MT Prohibited


(Allowed/Prohibited)

Service $ identifier Prohibited


(Allowed/Prohibited)

Final Approver (Yes/No)(1) No

20 July 2017 91
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Auth

Dispose Message Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Own destination Allowed


(Allowed/Prohibited)

Route Message Own destination Allowed


(Allowed/Prohibited)

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Modification

Actions Permissions Specific permissions for


Msg_Auth

Complete Message Own Destination Allowed


(Allowed/Prohibited)

Dispose Message Bypass Verification CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Verification SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN System MT Allowed


(Allowed/Prohibited)

Bypass Authorisation SWIFT APC System MT Allowed


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

20 July 2017 92
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Auth

Bypass Authorisation: service $ identifier Prohibited


(Allowed/Prohibited)

Modify Message Own destination Allowed


(Allowed/Prohibited)

Mod. in Text_modifcation (Yes/No) Yes

Mod. in Emission_security (Yes/No) Yes

Mod. in Transmission_modif (Yes/No) Yes

Mod. in modif_after_reception (Yes/No) Yes

Mod. in Reception_security (Yes/No) Yes

CCY/Amount Prohibited
(Allowed/Prohibited)

SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

SWIFT FIN System MT Prohibited


(Allowed/Prohibited)

SWIFTAPC System MT Prohibited


(Allowed/Prohibited)

Multiple Retrieval Allowed for FIN System Mesg. No


(Yes/No)

Multiple Retrieval Allowed for APC System Mesg. No


(Yes/No)

FIN-Copy Allowed Yes

Service $ identifier Prohibited


(Allowed/Prohibited)

Route Message Own destination Allowed


(Allowed/Prohibited)

20 July 2017 93
Alliance Lite2
Administration Guide Default Operator Profiles

Message File

Actions Permissions Specific permissions for


Msg_Auth

Complete Instance Own destination Allowed


(Allowed/Prohibited)

Search Complete hide messages of other units No


(Yes/No)

Own destination Allowed


(Allowed/Prohibited)

5.10 Msg_Oper
Introduction
The Msg_Oper operator profile can perform certain actions related to the following entities:
• Mesg Approval on page 94
• Mesg Creation on page 95
• Mesg Modification on page 97
• Message File on page 98
• SWIFTNet Interface on page 99
Note To enable operators with the Msg_Oper profile to send MT messages from Message
Management, the security officer must also assign these operators the BIC_View
profile (see BIC_View on page 82).

Entities, actions, and permissions

Mesg Approval

Actions Permissions Specific permissions for


Msg_Oper

Approve Message Own destination Allowed


(Allowed/Prohibited)

Can Verify (Yes/No) Yes

Can Authorise (Yes/No) No

Verify own entered mesg (Yes/No) No

Auth. own entered mesg (Yes/No) No

Auth. own verified mesg (Yes/No) No

20 July 2017 94
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Oper

Group authorise (Yes/No) No

CCY/Amount Prohibited
(Allowed/Prohibited)

Swift FIN User MT Prohibited


(Allowed/Prohibited)

Swift FIN System MT Prohibited


(Allowed/Prohibited)

Swift APC System MT Prohibited


(Allowed/Prohibited)

Service $ identifier Prohibited


(Allowed/Prohibited)

Final Approver (Yes/No)(1) No

Dispose Message Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Own destination Allowed


(Allowed/Prohibited)

Route Message Own destination Allowed


(Allowed/Prohibited)

(1) Decides whether a message to be sent to SWIFT requires dual or single approval.

Mesg Creation

Actions Permissions Specific permissions for


Msg_Oper

Add/Mod/Rem Template Own destination Allowed


(Allowed/Prohibited)

Create Message List of Own-Destination Allowed


(Allowed/Prohibited)

20 July 2017 95
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Oper

Can create broadcasting (Yes/No) No

CCY/Amount Prohibited
(Allowed/Prohibited)

Swift FIN User MT Prohibited


(Allowed/Prohibited)

Swift FIN System MT Prohibited


(Allowed/Prohibited)

SWIFT APC System MT Prohibited


(Allowed/Prohibited)

Multiple Retrieval Allowed for FIN System mesg. No


(Yes/No)

Multiple Retrieval Allowed for APC System mesg. No


(Yes/No)

FIN-Copy Allowed (Yes/No) Yes

Service $ identifier Prohibited

Dispose Message Bypass Verification CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Verification SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN System MT Allowed


(Allowed/Prohibited)

Bypass Authorisation SWIFT APC System MT Allowed


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

20 July 2017 96
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Oper

Bypass Authorisation: service $ identifier Allowed


(Allowed/Prohibited)

Route Message Own Destination Allowed


(Allowed/Prohibited)

Mesg Modification

Actions Permissions Specific permissions for


Msg_Oper

Complete Message Own Destination Allowed


(Allowed/Prohibited)

Dispose Message Bypass Verification CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Authorisation CCY/Amount Prohibited


(Allowed/Prohibited)

Bypass Verification SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN User MT Allowed for MT 999s


(Allowed/Prohibited)

Bypass Authorisation SWIFT FIN System MT Allowed


(Allowed/Prohibited)

Bypass Authorisation SWIFT APC System MT Allowed


(Allowed/Prohibited)

Own Destination Allowed


(Allowed/Prohibited)

Bypass Authorisation: service $ identifier Allowed


(Allowed/Prohibited)

Modify Message Own destination Allowed


(Allowed/Prohibited)

Mod. in Text_modifcation (Yes/No) Yes

Mod. in Emission_security (Yes/No) No

20 July 2017 97
Alliance Lite2
Administration Guide Default Operator Profiles

Actions Permissions Specific permissions for


Msg_Oper

Mod. in Transmission_modif (Yes/No) Yes

Mod. in modif_after_reception (Yes/No) Yes

Mod. in Reception_security (Yes/No) No

CCY/Amount Prohibited
(Allowed/Prohibited)

SWIFT FIN User MT Prohibited


(Allowed/Prohibited)

SWIFT FIN System MT Prohibited


(Allowed/Prohibited)

SWIFTAPC System MT Allowed


(Allowed/Prohibited)

Multiple Retrieval Allowed for FIN System Mesg. No


(Yes/No)

Multiple Retrieval Allowed for APC System Mesg. No


(Yes/No)

FIN-Copy Allowed Yes

Service $ identifier Prohibited


(Allowed/Prohibited)

Route Message Own destination Allowed


(Allowed/Prohibited)

Message File

Actions Permissions Specific permissions for


Msg_Oper

Search Complete hide messages of other units No


(Yes/No)

Own destination Allowed


(Allowed/Prohibited)

20 July 2017 98
Alliance Lite2
Administration Guide Default Operator Profiles

SWIFTNet Interface

Actions Permissions Specific permissions for


Msg_Oper

Open/Print RProf RT

RT File Get Request Service(s) e.g. swift.fin Prohibited


(Allowed/Prohibited)

Request type(s) e.g. pacs.001.001.01 Prohibited


(Allowed/Prohibited)

Own Destination(s) (BIC8) e.g. BBBBCC22 Allowed

5.11 OPER_SignOn
The OPER_SignOn profile can perform the Signon action related to the Access Control and the
Monitoring entities.

Access Control

Action Permissions Specific permissions for


OPER_SignOn

Signon Start time 0000

End time 2357

Start time 2358

End time 2359

WS Session Timeout 0

Monitoring

Action Permissions Specific permissions for


OPER_SignOn

Abort File Transfer None None

5.12 RMA_All
The RMA_All profile can perform all actions related to the Relationship Mgmt entity.

20 July 2017 99
Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_All

Accept Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Answer Message Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

App Granularity Dest

Approve Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Approve own Actions Yes


(Yes/No)

Approve Create Yes


(Yes/No)

Approve Revoke Yes


(Yes/No)

Approve Accept Yes


(Yes/No)

Approve Reject Yes


(Yes/No)

Approve Delete Yes


(Yes/No)

Clean up Auth

20 July 2017 100


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_All

Creat Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Def Granularity Dest

Def Signing BIC T&T

Delete Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Delete Query/Answer Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Export Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Store Schedule Yes


(Yes/No)

Modify Operator Mode Yes


(Yes/No)

Export on Change

20 July 2017 101


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_All

Import Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Store Schedule Yes


(Yes/No)

Modify Operator Mode Yes


(Yes/No)

Mark Obsolete Auth

Modify Signing BIC T&T Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed
BBBBCC%
(Allowed/Prohibited)

Modify Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Open/Print Auth Del Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Query Message Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

20 July 2017 102


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_All

Reject Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Revoke Auth Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval Yes


(Yes/No)

Treat Query/Answer Own Destination(s) (BIC8) e.g. BBBBCC22 or Allowed


BBBBCC%
(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

5.13 RMA_Auth
The RMA_Auth profile can perform certain actions related to the Relationship Mgmt entity.
The RMA_Auth profile cannot create or modify authorisations.

Action Permissions Specific permissions for RMA_Auth

Accept Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval No
(Yes/No)

20 July 2017 103


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_Auth

Answer Message Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

App Granularity Dest

Approve Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Approve own Actions no


(Yes/No)

Approve Create Yes


(Yes/No)

Approve Revoke Yes


(Yes/No)

Approve Accept Yes


(Yes/No)

Approve Reject Yes


(Yes/No)

Approve Delete Yes


(Yes/No)

Clean up Auth

Def Granularity Dest

Def Signing BIC T&T

Delete Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

20 July 2017 104


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_Auth

Bypass Approval No
(Yes/No)

Delete Query/Answer Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Export Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Store Schedule Yes


(Yes/No)

Modify Operator Mode Yes


(Yes/No)

Export on Change

Import Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Store Schedule Yes


(Yes/No)

Modify Operator Mode Yes


(Yes/No)

Mark Obsolete Auth

Modify Signing BIC T&T Own Destination(s) Allowed


(Allowed/Prohibited)

Open/Print Auth Del Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

20 July 2017 105


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_Auth

Query Message Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Reject Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval No
(Yes/No)

Revoke Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval No
(Yes/No)

Treat Query/Answer Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

5.14 RMA_Oper
The RMA_Oper profile can perform certain actions related to the Relationship Mgmt entity.

Action Permissions Specific permissions for RMA_Oper

Answer Message Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

20 July 2017 106


Alliance Lite2
Administration Guide Default Operator Profiles

Action Permissions Specific permissions for RMA_Oper

Creat Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval No
(Yes/No)

Modify Auth Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Bypass Approval No
(Yes/No)

Open/Print Auth Del Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Query Message Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

Treat Query/Answer Own Destination(s) Allowed


(Allowed/Prohibited)

Service(s) Prohibited
(Allowed/Prohibited)

20 July 2017 107


Alliance Lite2
Administration Guide Relationship Management

6 Relationship Management
RMA (Relationship Management Application) enables an institution to control the traffic that it
accepts from other institutions. An RMA relationship is a set of authorisations exchanged between
your BIC and your counterparty's BIC that defines who can send traffic to whom and when. The
use of the Relationship Management Application mechanism is mandatory for the FIN service.
As an administrator, you can add, view, and delete data related to RMA relations.
When you add an RMA relationship in Alliance Lite2, you are sending a special message over the
SWIFT network to your counterparty. This message is called an RMA authorisation. This message
grants your correspondent the permission to send you SWIFT messages. Your counterparty can
also send you an RMA message to grant you permission to send messages. Alliance Lite2 users
can request that you, as an administrator, add a new authorisation to the system.
For more information, see the Alliance Lite2 Administration Guide - RMA.

20 July 2017 108


Alliance Lite2
Administration Guide Legal Notices

Legal Notices
Copyright
SWIFT © 2017. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order
expressly grants you that right, in which case ensure you comply with any other applicable
conditions.

Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT:
the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo,
MyStandards, and SWIFT Institute. Other product, service, or company names in this publication
are trade names, trademarks, or registered trademarks of their respective owners.

20 July 2017 109