User Permissions, Roles, and Authorization
Chinese source: 柜员权限、岗位与授权
Locale: en-US
Audience: Internal learning
Key Terms
| Chinese | English | Usage Note |
|---|---|---|
| 柜员 | Operations User / Teller | Use teller only when branch context matters. |
| 岗位 | Role / Position | Permission grouping assigned to users. |
| 操作权限 | Operating Permission | Permission to initiate or run a transaction. |
| 授权权限 | Authorization Permission | Permission to approve or authorize another user's transaction. |
| 岗位制衡 | Segregation of Duties | Separation of maker/checker or operator/authorizer roles. |
Concept
Whether a user can process a transaction is usually determined by multiple dimensions:
- The user exists and is active.
- The user is signed on and allowed to transact.
- The user's institution is allowed to process the transaction.
- The user's role has the operating permission.
- The transaction may require authorization.
- The authorizing user must have the required authorization permission.
Operating Permission vs. Authorization Permission
| Permission Type | Meaning | Typical Question |
|---|---|---|
| Operating permission | Can the user initiate or execute the transaction? | Can this user process this transaction? |
| Authorization permission | Can the user approve or authorize another user's transaction? | Can this user authorize this transaction? |
These are not the same. A user may be able to perform inquiries or maintenance but not authorize high-value transactions. A supervisor may have authorization responsibilities but should not directly perform every operation.
Why Separation Matters
Core banking relies on segregation of duties to reduce the risk of self-approval, abuse of high privileges, missing review for high-risk transactions, and unclear accountability.
Good permission design follows:
- Least privilege.
- Separation of maker, checker, and authorizer.
- Tiered authorization by amount and risk.
- Auditability for operations, approvals, and changes.
Troubleshooting Path
When a user cannot process a transaction:
- Check
[9302] User Information Inquiry. - Check
[9311] Role Permission Information Inquiry. - Check whether the institution can process the transaction.
- Check transaction rules, amount rules, and account restrictions.
- If authorization is needed, check authorizer permissions.
- Review user events and transaction records.
Risk Controls
- Authorization permission should be stricter than operating permission.
- High-risk transactions should not allow the same user to initiate and authorize.
- Permission exports expose system security structure and should be controlled.
- Role changes, departures, and dormant users require timely cleanup.