A level of access control that is often overlooked is the possibility to limit access to certain records in a given window – also called record-based authorization. Depending on your installation file in SimCorp Dimension, this can be found in around 100 windows.
You might have noticed that in a few windows, for example, the collateral manager window, only the user who set it up can access and view it. In order to grant users access, you have to go under the File menu, select Properties and then select the tab Security. In there you can change the owner and grant other users or profiles access to view, update or delete the setup. It should be noted that most windows act differently and allow all users access to view, update or delete any records created.
But what can this be used for?
Rather than restrict access for users to create segments or Data Format Setups, you can restrict a subset of the records in these windows. This could for example be records and sub-records that are running in the nightly batch setup. In other words, secure records that need to be protected via the promotion process while still allowing users to work freely in the production environment and not mess things up.
How should you structure this?
Before changing any access, we recommend setting up new authorization profiles and clearly pre-fix them so it is clear these are only for record based authorization. This makes it easier to maintain and allows you to create easier permutations of authorization profiles. Plus you might only need a few such as 1) promotion, 2) read, 3) batch / execute and 4) free access to all, but adding a few more per department is still possible without using the profiles used to tasks and commands.
How do you identify related sub-windows and setup IDs?
Once you have identified the main windows, for batch flows this would be the batch job group window, simply open them up in the window and do a deep export with the transport tool. This will list all windows associated with a record that needs to be updated.
How do you update all those records?
Obviously, no one wants to click through thousands of records. The System Administrator user has access to a Record Based Authorizations Editor where he or she can add, remove and update profiles. Furthermore, this user can change the owner or a record. A record owner in this case should be the profile allowed to promote the records. Note that normal users only have the rights to view records they own themselves. There is a second option to create a fast-import and automate the promotion of records; if you are interested in learning more about this option, please contact us.
A word of caution: not all windows can be protected, for example, formulas and translations will not support record based authorization. To protect those windows you need to restrict access via the tasks and commands profile and have a manual procedure in place to make changes.
Hopefully, this post has given some insight into the use of Record Based Authorisation in the SimCorp Dimension© platform. Please leave a comment below to let us know what you think.