Tip #11: Task-Based Authorization

Typically, authorization profiles in SimCorp tend to be defined by roles. For example, performance, data management, accounting, settlement, etc.

This poses a challenge as often there are different levels of access in any given role. In data management, a manager usually has more rights than a new employee. For example he might be able to update market prices from data providers, whereas a new employee would not be able to.

It becomes especially tricky when a person moves to another part of the organization, still working with SimCorp Dimension. In order to transition you need the flexibility and access to still help your old team members. This could be someone moving from the performance team to data management for example. In data management, the person will get access to update static data (SMF) and prices while at the same time having access to their former job in performance. Hence changing how performance numbers are being calculated. If the profiles instead were role-based you would be able to manage security in a better way and prevent a scenario like the above from happening.

In performance you will have multiple roles, however for the sake of simplicity our explanation refers to these 2 examples:

- Read access performance

- Execute performance calc and measurement

In data management on the other hand we would have these roles:

- Read Prices

- Update Prices

- Insert New Prices

- Read Securities Data (SMF)

- Updated And Insert Securities Data (SMF)

In our example, we stated that the person from performance moving to data management would originally have the role ‘Execute Performance Calc and Measurement’. If they then move onto data management, they would get the ‘Read Access Performance’ role and, for example, ‘Update Prices’ and ‘Update and Insert Securities Data (SMF)’. That way they will still be able to assist the performance team, but they will not be able to execute any calculations as they have access to change prices. After the transition period is over, their access role to Read Performance would then be removed.

In this circumstance, you would then need to map a job profile to multiple roles, which are clearly defined and reviewed regularly. When someone changes job function you can then allow for a transition period (an exception) for a short period such as 6 months. There will always be exceptions as with anything, which is fine, as long as they are documented, managed, controlled, and reviewed on a regular basis.