U2A communication - KDPW

U2A communication

How to establish U2A communication in the services available via the Service Portal:
 

Key information
To access the applications available through the Service Portal https://online.kdpw.pl, you need to open an access account and download the KDPW Group Authenticator application to a mobile device. The application authenticates users as part of the multi-factor authentication (MFA) mechanism implemented in the Service Portal. It can be downloaded free of charge from the authorised stores, Google Play (Android) and the App Store (iOS, Apple), and may only be used on phones on which the security of these manufacturers' operating systems is intact.
By using the same attributes, it is also possible to access the test environments of the services available in the Service Portal: TST https://tst-online.kdpw.pl and EDU https://edu-online.kdpw.pl.

More information about MFA can be found here

For detailed information on how to open an access account and how to download and use the KDPW Group Authenticator application, please refer to the User’s Manual: Access Account.
User’s Manual: Access Account

The rules for obtaining access to applications available in the Service Portal by an authorised person, the rules for opening an access account, and the rules for the authentication process are set out in the Rules of Access to KDPW’s IT Systems.
Rules of Access to KDPW’s IT Systems
Requesting access to the application
To get access to an application in the Service Portal, you need to be authorised to act in a given service on behalf of the entity which is a KDPW service participant. In order to do so, you need to submit a request for access to the application.

A request for access to the application may be submitted by a person authorised to do so. The request is submitted after logging in to the access account, by filling in the form in the Service Portal.

After submitting the request, it is mandatory to provide KDPW with a declaration from the entity confirming the details of the person submitting the request and his/her authorisation to act in the application. Delivery of the declaration to KDPW is not required if access is granted by an administrator authorised by the participant.

Instructions:
  • Submitting a request for access to the application - instructions for KDPW direct participants and issuers at KDPW, entities required to appoint a permission administrator
  • Submitting a request for access to the application - instructions for entities which are not KDPW direct participants or issuers at KDPW, entities which are not required to appoint a permission administrator
Revoking the authorisation of a person granted access to the application
Access to the application may be revoked:
  • by a permission administrator or a service administrator authorised by the participant, directly in the Service Portal online.kdpw.pl,
  • where there is no administrator, by KDPW on the basis of the entity’s statement concerning the revocation of the authorisation (template below).
Revocation of authorisation - only for users who do not manage application access through a permission administrator - template 
Revocation of authorisation - only for KDPW direct participants and issuers who manage application access through a permission administrator - template
Permission administrator - FAQ
What is the role of the permission administrator?
The permission administrator is a person authorised by a participant to grant and revoke permissions on its behalf to other persons to act in KDPW applications in the roles of user or administrator of a particular service.
How do I request permission administrator access?
Requests for permission administrator access can be submitted in the Service Portal https://online.kdpw.pl/ 

Requests are made in the same way as requests for service administrator or user access, by completing a form in the application.
Who can act as permission administrator? Only the Company’s Management Board?
The function of permission administrator may be performed by any person who is authorised to represent the company in this respect. This can be a member of the Management Board, if he or she has the authority to represent the Company single-handedly or holds a power of attorney from the Management Board granted to him or her to act as permission administrator, or any other person who is an agent of the Company. 
Can the permission administrator process events in the application?
No. A permission administrator in this role does not have the authority to act directly in the application. Nevertheless, a person in this role can simultaneously act as a service user but must submit a separate access request in this role. The user’s access request must in this case be approved by another administrator as a person in the permission administrator role cannot authorise themselves to act in the application in another role.
Can a permission administrator act as a user in an application?
The role of permission administrator is solely to manage access for persons acting in other roles (user, service administrator). Therefore, when acting in the permission administrator role, a person does not have access to the application’s production environments.

However, a person acting as permission administrator can access the application as a user, but their permissions will have to be approved by another person acting as administrator.
Can a permission administrator approve a user request for themselves?
No. A request for user rights from a person in the role of permission administrator must be approved by another administrator.
Can there be more than one permission administrator?
Yes. A participant may authorise more than one person to act as permission administrator.
I am a direct participant of KDPW. After the introduction of the permission administrator under the LEI code, will the permissions for application users be granted as before under the participation codes?
Yes, once the changes have been implemented, user access to KDPW applications will continue unchanged, i.e. separately for each application and separately for each institution code.
I am a direct participant of KDPW. Can I appoint a permission administrator for each institution code I hold in KDPW?
No, the new permission model does not allow you to appoint a permission administrator for each institution code. The permission administrator (new role) will manage permissions for all institution codes of the direct participant (in CSD services), as well as permissions under the entity's other institution codes in other KDPW services (e.g. TR, ARM, if the entity is a participant in those services) included in the group of services assigned to the direct participant.

However, it will still be possible for the permission administrator to appoint a service administrator (existing role) to manage user permissions within a given application which the participant uses under a given institution code.
Can an entity which is both a KDPW direct participant and an issuer appoint one person as permission administrator to manage access to all KDPW applications?
No. If a participant holds both issuer and direct participant status, it is required to appoint at least two permission administrators, one for each participation status.
I am a direct participant of KDPW. Will the changes related to the introduction of the permission administrator affect the administrator permissions I currently hold?
No, the introduction of the new role of permission administrator will not affect the existing permissions granted in KDPW applications to administrators of the applications (the only exception being the permissions granted to persons representing FIZ in the Benefit Payments application – see question below).

The service administrator roles granted so far can therefore continue to be performed. These roles apply only in individual applications, while the role of permission administrator covers all applications in which the participant acts or will act in the future. Because the existing service administrator role carries much narrower permissions than the role of permission administrator, the participant will be required to appoint a person or persons to perform the permission administrator role.
Does the obligation to establish a permission administrator cover all issuers of securities which have an agreement with KDPW?
The obligation to establish a permission administrator for the applications offered by KDPW in the services provided to issuers of securities, such as Corporate actions, General Meetings, Issuers' Obligations, only covers those issuers which access these applications directly and not through other entities representing them.
The obligation therefore does not cover issuers acting through an issue agent and a paying agent.
Are participants with issuer status who have not yet obtained or requested access to KDPW applications due to their issue being handled by the Paying Agent required to appoint a permission administrator?
No. Issuers on whose behalf paying agents are acting are not required to appoint a permission administrator.