Permissions Management
Global Shared permissions
Accountable institutions can define shared permissions configurations that can be applied across tenants to enforce those permissions. Any updates to the shared permission configuration are immediately applied to the tenants where those permissions are enforced.
Shared permissions can be general tenant permissions as well as wallet specific permissions. An example to use shared permissions is described below.
General tenant shared permissions
Define general tenant shared permissions in a global property that is prefixed with global.permissions.shared - e.g. global.permissions.shared.default
Address.CREATE.Allowed=GLOBAL_ADMIN,GLOBAL_TECH_SUPPORT,GLOBAL_SUPPORT_L_3,INSTITUTION_ADMIN,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_3
Address.DELETE.Allowed=GLOBAL_ADMIN,INSTITUTION_ADMIN
Address.READ.Allowed=GLOBAL_FINANCE_L_1,GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3,GLOBAL_TECH_SUPPORT,GLOBAL_SUPPORT_L_3,GLOBAL_ADMIN,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_1,INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_3
Address.UPDATE.Allowed=GLOBAL_TECH_SUPPORT,GLOBAL_ADMIN,GLOBAL_SUPPORT_L_3,INSTITUTION_ADMIN,INSTITUTION_SUPPORT_L_3,INSTITUTION_TECH_SUPPORT
Card.CREATE.Allowed=GLOBAL_ADMIN,GLOBAL_TECH_SUPPORT,INSTITUTION_ADMIN,INSTITUTION_TECH_SUPPORT
Card.DELETE.Allowed=GLOBAL_ADMIN,INSTITUTION_ADMIN
Card.READ.Allowed=GLOBAL_ADMIN,GLOBAL_FINANCE_L_1,GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3,GLOBAL_TECH_SUPPORT,GLOBAL_SUPPORT_L_1,GLOBAL_SUPPORT_L_2,GLOBAL_SUPPORT_L_3,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_1,INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_1,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3
Card.UPDATE.Allowed=GLOBAL_ADMIN,GLOBAL_SUPPORT_L_3,GLOBAL_SUPPORT_L_2,INSTITUTION_ADMIN,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_1,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3
CardOnFile.CREATE.Allowed=GLOBAL_ADMIN,INSTITUTION_ADMIN
Apply general tenant shared permissions to a particular tenant by setting tenant config SharedPermissionsConfig and specifying the global property that defines the shared permissions. e.g. to use the shared permissions defined in global property global.permissions.shared.default, tenant config SharedPermissionsConfig should be set to default
General wallet specific shared permissions
Define wallet specific permissions in a global property that is prefixed with global.permissions.shared.wallet - e.g. global.permissions.shared.wallet.system
BarWallet.WalletType.UPDATE.Allowed=GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3,GLOBAL_SUPPORT_L_2,GLOBAL_SUPPORT_L_3,GLOBAL_ADMIN,GLOBAL_SUPPORT_L_1,INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3,INSTITUTION_ADMIN,INSTITUTION_SUPPORT_L_1
UnbarWallet.WalletType.UPDATE.Allowed=GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3,GLOBAL_SUPPORT_L_3,INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3,INSTITUTION_SUPPORT_L_3
Reservation.WalletType.CREATE.Allowed=GLOBAL_FINANCE_L_2->GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3->GLOBAL_FINANCE_L_2,GLOBAL_ADMIN,GLOBAL_TECH_SUPPORT,INSTITUTION_FINANCE_L_2->INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3->INSTITUTION_FINANCE_L_2,INSTITUTION_ADMIN,INSTITUTION_TECH_SUPPORT
Reservation.WalletType.DELETE.Allowed=GLOBAL_FINANCE_L_2->GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3->GLOBAL_FINANCE_L_2,GLOBAL_ADMIN,GLOBAL_SUPPORT_L_2,GLOBAL_SUPPORT_L_3,INSTITUTION_FINANCE_L_2->INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3->INSTITUTION_FINANCE_L_2,INSTITUTION_ADMIN,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3
Reservation.WalletType.READ.Allowed=GLOBAL_FINANCE_L_2,GLOBAL_ADMIN,GLOBAL_FINANCE_L_1,GLOBAL_TECH_SUPPORT,GLOBAL_SUPPORT_L_1,GLOBAL_SUPPORT_L_2,GLOBAL_SUPPORT_L_3,INSTITUTION_FINANCE_L_2,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_1,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_1,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3
Reservation.WalletType.UPDATE.Allowed=GLOBAL_ADMIN,GLOBAL_FINANCE_L_2->GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3->GLOBAL_FINANCE_L_2,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_2->INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3->INSTITUTION_FINANCE_L_2
TransactionDescription.WalletType.READ.Allowed=GLOBAL_ADMIN,GLOBAL_FINANCE_L_1,GLOBAL_FINANCE_L_2,GLOBAL_FINANCE_L_3,GLOBAL_TECH_SUPPORT,GLOBAL_SUPPORT_L_1,GLOBAL_SUPPORT_L_2,GLOBAL_SUPPORT_L_3,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_1,INSTITUTION_FINANCE_L_2,INSTITUTION_FINANCE_L_3,INSTITUTION_TECH_SUPPORT,INSTITUTION_SUPPORT_L_1,INSTITUTION_SUPPORT_L_2,INSTITUTION_SUPPORT_L_3
Wallet.WalletType.CREATE.Allowed=GLOBAL_ADMIN,GLOBAL_FINANCE_L_2,GLOBAL_TECH_SUPPORT,INSTITUTION_ADMIN,INSTITUTION_FINANCE_L_2,INSTITUTION_TECH_SUPPORT
Wallet.WalletType.DELETE.Allowed=GLOBAL_ADMIN,INSTITUTION_ADMIN
Apply wallet specific tenant shared permissions to a particular tenant by setting wallet type attribute SharedPermissionsConfig to the global property that defines the shared permissions. e.g. to use the shared permissions defined in global property global.permissions.shared.wallet.system on System wallets, the SharedPermissionsConfig wallet type attribute should be set to system on the System wallet type.
Global shared permissions can be viewed in the Eclipse Admin Portal but are not editable. The OVERRIDE_SHARED permissions configurations can be used to allow administrators to override the global shared permissions in circumstances where this is required:
Reporting Permissions
Eclipse has a rich reporting capability where standard and bespoke reports can be accessed through the Eclipe Admin Portal or via API calls. For more details please refer to the Reporting section in the Eclipse Integration Guide here.
Eclipse supports granular permissions when accessing these reports and READ access to individual reports can be granted to specific roles and positions. Default permissions are applied to standard and dashboard reports, identified as reports where the Report ID starts with the keyword Report or Dashboard. The following roles and positions have READ access to these reports by default:
Category | Role/Position |
---|---|
GLOBAL roles | GLOBAL_ADMIN, GLOBAL_FINANCE_L_1, GLOBAL_FINANCE_L_2, GLOBAL_FINANCE_L_3, GLOBAL_TECH_SUPPORT, GLOBAL_SUPPORT_L_1, GLOBAL_SUPPORT_L_2, GLOBAL_SUPPORT_L_3 |
INSTITUTION roles | INSTITUTION_ADMIN, INSTITUTION_FINANCE_L_1, INSTITUTION_FINANCE_L_2, INSTITUTION_FINANCE_L_3, INSTITUTION_TECH_SUPPORT, INSTITUTION_SUPPORT_L_1, INSTITUTION_SUPPORT_L_2, INSTITUTION_SUPPORT_L_3, INSTITUTION_INTEGRATOR |
TENANT positions | LEVEL_01, LEVEL_02, LEVEL_03, LEVEL_04, LEVEL_05, TENANT_SYSTEM |
If additional roles/positions need access to these reports or the reports are not standard or dashboard reports then explicit permissions can be granted to that report by setting the Report permission as a tenant configuration in the following format:
Report.{Report_ID}.{READ/UPDATE/DELETE}.Allowed
The following example will allow the TENANT_SYSTEM position to read the PaymentDetails report and the LEVEL_06 position to read the standard Report_user_detail report.
Updated 6 months ago