An admission profile is linked to a user ID, see section “Admission checking workflow” (Admission profile (FT profile)). Thus, it is usually the task of each user to administer his own admission profiles (creating, displaying, modifying, deleting).
An admission profile includes the following and other items:
A transfer admission. This transfer admission must be unique. If a request is to work with the FT profile, this transfer admission must be specified. FTAC only permits access rights for this request which are defined in the FT profile. In order to uniquely assign the responsibility for a request, it is recommended that a transfer admission be assigned to exactly one person in precisely one partner system.
If necessary, specifications relating to transfer requests such as file name, file name prefix, follow-up processing commands or prefix and/or suffix for follow-up processing commands.
If necessary, specification of the partner systems which may access this FT profile.
Specifications relating to permitted file transfer functions and transfer direction, writing rules or encryption.
If necessary, specification of whether and how long the FT profile is valid.
Specifications indicating whether, and to what extent, the profile can ignore the set values entered in the admission set. Users can always ignore their own entries. Only privileged profiles can ignore the set values entered by the FTAC administrator, see “Privileged admission profiles”.
Example for a file name prefix
A file name prefix contains a part of the file or path name. The user of the profile can only navigate below this specified path name.
C:\Users\Hugo\ as a file name prefix on a Windows system means that the user of this profile can only access directories and files below the path C:\Users\Hugo\. The same principle applies on a Unix system if, for example, /home/hugo/ is specified as a file name prefix.
For example, if you specify PREFIX = USER. in BS2000 then an FT request in which FILE-NAME = HUGO has been specified will access the file USER.HUGO.
On z/OS, for instance, a filename prefix is understood to be the "first-level qualifier" and where appropriate one or more further qualifiers, e.g. 'OPUSERS.HUGO.NEW.'.
This prevents anyone with this profile from navigating within locked directories or from using the preprocessing function. Note, however, that it is also possible to specify a remote preprocessing command as the file name prefix, in which case only the parameters for that command would then need to be specified in the request.
Effects of an admission profile
The following table contains possible restrictions to the access rights in an FT profile in the left-hand column, and the entries for the file transfer request required for the partner system in the right-hand column. Some differences apply to a standard admission profile. See above.
Entry in the FT profile | Entry in the file transfer request |
Transfer admission | The transfer admission addresses the admission profile. If the user ID and password are specified, it is only possible to address the standard admission profile of the user, if this has been defined. |
Transfer direction restricted | The parameter specified must be the opposite of the entry in the FT profile. If the profile contains transfer direction “From Partner”, the remote system may only send data to the local system; with “To partner”, it is only possible to transfer files to the remote system. Therefore, only read access is permitted in the local system. |
Partner systems specified | The request can only be issued by the partner systems entered in the profile. |
File name specified | The file name must be omitted in the request. |
Prefix for the file name specified | Only the part of the file name which is not defined in the profile is present in the request. FTAC supplements this entry with the prefix defined in the profile to obtain the complete file name. The specification of absolute file names, or exiting a directory with “..”, is prohibited by FTAC. |
Processing prohibited | No processing may be requested for your processor. |
Processing specified | No processing may be requested for your processor. |
Prefix/suffix for follow-up processing specified | Only that part of the follow-up processing not defined in the profile may be specified in the request. FTAC supplements this entry to produce the complete follow-up processing command. If no follow-up processing is specified in the request, none is carried out. |
Write mode restriction | The request is executed only if it complies with this write mode. |
Force or forbid encryption | The request will only be carried out if it corresponds to the presets in the admission profile. |
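The following sketch models several rows of the table above (partner systems, transfer direction, file name, file name prefix and encryption) as explicit checks. It is an example added here, not FTAC's own code; the dictionary keys, the partner name PARTNER1 and the helper names are assumptions made for illustration.

```python
import re

OPPOSITE = {"FROM_PARTNER": "TO_PARTNER", "TO_PARTNER": "FROM_PARTNER"}

def resolve_file_name(profile, requested):
    """Return the complete local file name, or raise ValueError."""
    if profile.get("file_name") is not None:
        # File name specified in the profile: the request must omit it.
        if requested:
            raise ValueError("file name must be omitted in the request")
        return profile["file_name"]
    prefix = profile.get("prefix")
    if prefix is None:
        return requested
    # With a prefix, absolute names and ".." components are prohibited.
    if re.match(r"^([/\\]|[A-Za-z]:)", requested):
        raise ValueError("absolute file name not allowed with a prefix")
    if ".." in re.split(r"[/\\]", requested):
        raise ValueError('".." not allowed with a prefix')
    return prefix + requested  # the prefix is supplemented as plain text

def check_request(profile, request):
    """Return the resolved file name if the request fits the profile."""
    partners = profile.get("partners")
    if partners is not None and request["partner"] not in partners:
        raise ValueError("partner system not entered in the profile")
    direction = profile.get("direction")
    # The request states the direction from the remote system's viewpoint,
    # so it must be the opposite of the profile entry.
    if direction is not None and request["direction"] != OPPOSITE[direction]:
        raise ValueError("transfer direction not permitted")
    encryption = profile.get("encryption")  # True = forced, False = forbidden
    if encryption is not None and request["encrypted"] != encryption:
        raise ValueError("encryption setting does not match the profile")
    return resolve_file_name(profile, request.get("file_name", ""))

# Constructed sample profile, using the Unix prefix from the text.
PROFILE = {"partners": {"PARTNER1"}, "direction": "FROM_PARTNER",
           "prefix": "/home/hugo/", "encryption": True}

def try_request(file_name, **overrides):
    """Run one constructed request against PROFILE; return name or reason."""
    request = {"partner": "PARTNER1", "direction": "TO_PARTNER",
               "encrypted": True, "file_name": file_name, **overrides}
    try:
        return check_request(PROFILE, request)
    except ValueError as err:
        return "rejected: " + str(err)
```

In this model the prefix is joined to the request entry as text, as in the USER. plus HUGO example, so a prefix written without its trailing separator would also cover sibling names that merely begin with the same characters.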
Privileged admission profiles
An admission profile is said to be privileged if the owner of the profile can override the (administrator's) entries for his admission set. Privileged admission profiles are only intended to be used in exceptional circumstances, e.g.:
if a particular file needs to be transferred,
if follow-up processing is not permitted or severely restricted,
if a partner system with a higher security level is permitted to carry out file transfers with the user ID, but others with lower security levels are not.
In a privileged admission profile, users may only modify the transfer admission and reset the privileged status. This prevents the misuse of admission profiles that have previously been privileged.
Only the FTAC administrator is able to privilege an admission profile.
Notes on the standard admission profile
Unlike a normal profile, a standard admission profile has no FTAC transfer admission, because access is controlled implicitly using the user ID and password. On the other hand, this profile allows most of the normal parameters to be set, such as the permitted FT functions, a filename prefix or the write mode. You cannot set the expiry period, whether or not the profile is locked and whether the profile is private or public.
A standard admission profile must be set up explicitly and a maximum of one standard admission profile can be set up for each user ID.