Call Analyst Security

Overview
The CDR application accommodates different types of users, for example Vendors, Call Analysts, and Financial Institution (FI) personnel. Users are granted security access to the CDR on a “need to know” basis. In other words, security is granted in a way that allows users to perform the specific tasks related to their job responsibilities but does not allow access to application functionality for which they are not responsible.

In most cases, the external user will create their own account by logging into the CDR main site and entering preliminary user information. This process is described in the Help Desk section of the User Help Guide. If the user is the first to enroll for their organization, the CDR Security Administrator (SA) will receive a Notification. Generally, the first user for an organization will be assigned Delegated Site Administrator (DSA) access and will process subsequent access and user management requests for their organization’s users.

Entitlements, Roles, and Role Groups
CDR user security is based on Entitlements, Roles, and Role Groups:

Generally speaking, Entitlements (or permissions) in the CDR are a predefined list of all the tasks that can be performed in the CDR. Entitlements control the lowest level of access, such as the ability to access a link or button, and are not modified by the FFIEC. If modifications or additional Entitlements become necessary due to business requirements, permission must be granted by FFIEC-CDR management, and the contractor will be directed to create or modify the Entitlement.

The key to a user’s access is the assignment of Roles. Roles are logical groupings of Entitlements that, when properly assigned, enable users to perform specific tasks, usually related to their job function in the CDR. Similarly, Roles are grouped into Role Groups. However, Role Groups are only used as a guide for assigning Roles to users.

Although the goal is to limit changes, Roles and Role Groups are fully configurable and can be modified over time by the SA at the request of the CDR Project manager. The SA or the DSA shall also be responsible for assigning Roles or a Role Group to each user and for updating that assignment from time to time, as requested or required by business needs.

The following is an example of a Role Group a Call Analyst may be assigned, Roles assigned to the Role Group, and Entitlements assigned to one of the Roles in the Role Group:

Role Group

Roles Assigned to FFIEC Data Analyst Role Group

Entitlements Assigned to Call Report Analyst Role

Managing Security
User security in the CDR will be managed using a distributed network of administrators. There will be a primary and backup SA at the FDIC and FRB. DSAs will be set up at the FIs, Vendors and the Federal Reserve Banks. Generally, the DSA shall manage security-related and user management responsibilities for their organization. The CDR SA will provide advice and support to DSAs on an as-needed basis.

Entitlements, Roles, and Role Groups will be managed at the SA level using the following instructions.

To Create or to Delete Role Groups and to Manage Roles Assigned to the Role Groups:

  1. Click on the Administration button on the top navigational bar.

  2. Under the heading User Management on the left navigational bar, click on the Role Groups link. A list of current Role Groups and descriptions will display in alphabetical order along with a Create New button.
    1. Create a Role Group - Click on the Create New button. Enter a Role Group name and a Role Group description in the appropriate text boxes.
      Manage Roles within the Role Group - At the bottom left of this screen is a list of available Roles in a box. Highlight the Role or Roles (this can be done by holding down the ctrl button on the keyboard) and click the Add button. The highlighted Role(s) will now move to the box on the right that contains the assigned Roles. If any of the Roles in the right-hand box need to be removed, highlight them and click on the DEL button. The Role(s) will be moved back to the box on the left and will not be included as a Role in the Role Group. Click on the Save button; this will return you to the screen that has the current Role Groups and descriptions. A message will let you know your new Role Group has been created. The Role Groups are listed in alphabetical order.
    2. Delete a Role Group – Find the Role Group you want to delete. Click on the name of the Role Group. A screen will display with that Role Group and description along with the boxes containing the available and assigned Role(s). Click on the Delete Role Group button. You will be prompted with a pop-up box letting you know the Role Group is going to be deleted. Click OK if you want to continue to delete the Role Group. You will be returned to the screen with the current Role Groups and descriptions. A message will let you know the Role Group has been removed.
    3. Manage Roles assigned to the Role Group - Roles can also be added to or deleted from existing Role Groups. From the screen with the Role Groups and descriptions, click on the Role Group that needs its Role(s) modified. Highlight the Role or Roles (this can be done by holding down the ctrl button on the keyboard) in the box on the left containing the available Roles and click the Add button. The highlighted Role(s) will now move to the box on the right that contains the assigned Role(s). If any of the Roles in the right-hand box need to be removed, highlight them and click on the DEL button. The Role(s) will be moved back to the box on the left and will not be included as a Role in the Role Group. Click on the Save button; this will return you to the screen that has the current Role Groups and descriptions. A message will let you know the Role Group has been modified.

To Create or to Delete Roles and to Manage Entitlements Assigned to the Roles:

  1. Click on the Administration button on the top navigational bar.

  2. Under the heading User Management on the left navigational bar, click on the Roles link. A list of current Roles and descriptions will display in alphabetical order along with a Create New button.
    1. Create a Role - Click on the Create New button. Enter a Role name and a Role description in the appropriate text boxes.
      Manage Entitlements within the Role - At the bottom left of this screen is a list of available Entitlements in a box. Highlight the Entitlement or Entitlements (this can be done by holding down the ctrl button on the keyboard) and click the Add button. The highlighted Entitlement(s) will now move to the box on the right that contains the assigned Entitlements. If any of the Entitlements in the right-hand box need to be removed, highlight them and click on the DEL button. The Entitlement(s) will be moved back to the box on the left and will not be included as an Entitlement in the Role. Click on the Save button; this will return you to the screen that has the current Roles and descriptions. A message will let you know your new Role has been created. The Roles are listed in alphabetical order.
    2. Delete a Role – Find the Role you want to delete. Click on the name of the Role. A screen will display with that Role and description along with the boxes containing the available and assigned Entitlement(s). Click on the Delete Role button. You will be prompted with a pop-up box letting you know the Role is going to be deleted. Click OK if you want to continue to delete the Role. You will be returned to the screen with the current Roles and descriptions. A message will let you know the Role has been removed.
    3. Manage Entitlements assigned to the Role - Entitlements can also be added to or deleted from existing Roles. From the screen with the Roles and descriptions, click on the Role that needs its Entitlement(s) modified. Highlight the Entitlement or Entitlements (this can be done by holding down the ctrl button on the keyboard) and click the Add button. The highlighted Entitlement(s) will now move to the box on the right that contains the assigned Entitlements. If any of the Entitlements in the right-hand box need to be removed, highlight them and click on the DEL button. The Entitlement(s) will be moved back to the box on the left and will not be included as an Entitlement in the Role. Click on the Save button; this will return you to the screen that has the current Roles and descriptions. A message will let you know the Role has been modified.

To Change the Description of an Entitlement:

  1. Click on the Administration button on the top navigational bar.

  2. Under the heading User Management on the left navigational bar, click on the Entitlements link. A list of current Entitlements and descriptions will display in alphabetical order.
    1. Click on the Entitlement that needs to have the description modified. A screen will display with an editable box for the description. Modify the description and click the Save button. Click on the Back to List button to see the modified description in the Entitlement list.

Access Review
SAs and DSAs should continually monitor the security logs and reports to identify sensitive transactions. Some of the activities monitored are: excessive failed access attempts, password reset activity, and modifications of Roles or Role Groups. In addition, if a user has not accessed the CDR in the last four months, the user should be contacted to determine if their account should be deleted.

Security-Related Notifications:
Change Password
Created Account
Help Desk Reset Password
Password Reset
Requested Account Denied
User Account Activated
User Account Deactivated
User Self Registration
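
The Access Review checks above, run over a small audit trail, as an added example that is not part of the CDR or its documentation. The event layout, the "Login", "Failed Login", "Role Modified" and "Role Group Modified" event names, the three-per-day cut-off for "excessive" and the 120-day reading of "four months" are all assumptions; the password event names are the notification types listed above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event). The layout is assumed.
# Password events reuse this page's notification names; "Login", "Failed Login",
# "Role Modified" and "Role Group Modified" are hypothetical event names.
EVENTS = [
    ("2024-01-10T08:15:00", "dsa_bank1", "Login"),
    ("2024-06-03T09:00:00", "analyst1", "Login"),
    ("2024-06-03T09:05:00", "analyst2", "Failed Login"),
    ("2024-06-03T09:06:00", "analyst2", "Failed Login"),
    ("2024-06-03T09:07:00", "analyst2", "Failed Login"),
    ("2024-06-03T09:10:00", "analyst2", "Help Desk Reset Password"),
    ("2024-06-03T09:12:00", "analyst2", "Login"),
    ("2024-06-04T13:55:00", "sa_primary", "Login"),
    ("2024-06-04T14:00:00", "sa_primary", "Role Group Modified"),
]
USERS = ["analyst1", "analyst2", "dsa_bank1", "sa_primary", "vendor9"]  # constructed

RESET_EVENTS = {"Change Password", "Help Desk Reset Password", "Password Reset"}
ROLE_EVENTS = {"Role Modified", "Role Group Modified"}
FAILED_PER_DAY = 3                    # assumed cut-off for "excessive"
DORMANT_AFTER = timedelta(days=120)   # "four months", approximated as 120 days

def access_review(events, users, as_of):
    """Return (finding, user, detail) tuples for the activities the review covers."""
    findings, failed, last_login = [], Counter(), {}
    for ts, user, event in events:
        when = datetime.fromisoformat(ts)
        if event == "Failed Login":
            failed[(user, when.date())] += 1
        elif event == "Login":
            last_login[user] = max(when, last_login.get(user, when))
        elif event in RESET_EVENTS:
            findings.append(("password_reset", user, ts))
        elif event in ROLE_EVENTS:
            findings.append(("role_change", user, ts))
    for (user, day), count in failed.items():
        if count >= FAILED_PER_DAY:
            findings.append(("excessive_failed_access", user, f"{day} x{count}"))
    for user in users:
        seen = last_login.get(user)
        # A user with no recorded access is treated as dormant (assumption).
        if seen is None or as_of - seen > DORMANT_AFTER:
            detail = seen.isoformat() if seen else "never"
            findings.append(("dormant_account", user, detail))
    return findings

if __name__ == "__main__":
    for finding in access_review(EVENTS, USERS, datetime(2024, 6, 5)):
        print(*finding, sep="\t")
```

Each finding is a prompt for follow-up by the SA or DSA, for example contacting a dormant user before deleting the account.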