TARGET2-Securities – DCP T2S Access Right Model – April 2016 TARGET2-Securities – DCP T2S Access Right Model – April 2016 Clearstream Banking TARGET2-Securities DCP – T2S Access Right Model April 2016 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 DCP – T2S Access Right Model 1 Setup Tasks by CBF Introduction Privileges Classes Roles 4-Eyes Mode 2 Setup Tasks by DCP 3 Data Scope Adjustments 4 Power of Attorney Concept 2 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 DCP Customer Setup CBF differentiates between “Full DCP” and “GUI DCP” ‒ A DCP is a CSD Participant which directly interacts with the T2S platform “Full DCPs” can ‒ Inbound by submitting instructions, use all DCP configurations or queries into T2S (A2A or T2S functions offered U2A) Definition by T2S, in U2A as ‒ Outbound by subscribing to messages or well as in A2A configuring reports, so that T2S directly sends mode messages or reports to the CSD Participant or to a third party “GUI DCPs” can access positions, instructions and ‒ On CBF side, two models how to use T2S in a DCP mode 1) can be supported, e.g. static data via the T2S GUI, but they ‒ DCPs may want to use all U2A and A2A services cannot send offered by T2S. In particular, they want to instruct settlement CBF directly into the T2S platform instructions Service ‒ DCPs may want to use only a subset of T2S services in DCP mode, mainly to query instruction status, positions and static data in U2A mode, but without plans to instruct directly into T2S 1) A CBF business partner / institution may have several DCP parties on T2S. For every DCP party, CBF will assign privileges and set up 3 27 April 2016 Admin Users
TARGET2-Securities – DCP T2S Access Right Model – April 2016 DCP Customer Setup Introduction – Setup follows a two step approach Please note: CBF will pre-configure the DCP and its Admin Users ‒ Administrator ‒ CBF sets up the DCP customers’ T2S Parties CBF access rights will ‒ CBF links the DCP’s PTAs with Network Services be granted in Tasks ‒ CBF configures at least two Admin Users per DCP Party in T2S 4-Eyes mode, the ‒ remaining access CBF assigns privileges and pre-defined roles to the DCP Party rights in 2-Eyes mode DCP can configure users and access rights with maximum flexibility ‒ Admin Users complete their setup by granting themselves additional privileges, as CSDs can only grant six basic admin privileges DCP ‒ Admin Users set up additional users Tasks ‒ Admin Users assign privileges and roles of their DCP Party to users as needed ‒ Dedicated users complete the configuration, e.g. by defining message subscriptions and report configuration 4 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 DCP Customer Setup CBF sets up all DCP Parties ‒ A DCP party can be addressed with 1 ‒ BIC of CBF (DAKVDEFFXXX) as Parent BIC and ‒ BIC of the DCP party as related BIC (e.g BANKDEFFXXX) 1 ‒ 2 The party name on T2S will be the same as the account master name of the corresponding 2 account master in KUSTA ‒ 3 Per DCP party there will be at least one Party Technical Address (PTA) from the customer ‒ PTAs of the DCPs will be linked to 3 Network Services as requested by customers Please note all screenshots in this presentation refer to T2S GUI version 00.16.194 (EAC environment) 5 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Privileges Definition Privileges ‒ Used to steer what a T2S Actor, in this case a DCP, is allowed to do on T2S ‒ A T2S User can only invoke a certain function in T2S if he is granted the related privilege Privilege types ‒ System privilege: Does not apply to a specific static or dynamic data object, e.g. privilege to use a specific ISO transaction code ‒ Object privilege: Applies to a specific static or dynamic data object (party, ISIN, SAC, …), e.g. privilege to send a settlement instruction (on own SACs) 6 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Privileges High level concept ‒ Granting privileges follows a multi-step process Please note: ‒ CBF will not support CBF � DCP Party � Admin User � DCP Users Third Party ‒ CBF will grant to the DCP Party all available DCP privileges privileges (Admin ‒ Admin users can grant privileges that were granted to their party to flag set to “FALSE”) ‒ users of this party DCP cannot grant privileges ‒ This will give the DCPs maximum flexibility to configure their users to other DCPs in T2S according to their needs ‒ CBF will not grant privileges to DCPs in other Grant DCP privileges CSDs or NCBs (cross-entity) Admin A1 CBF DCP A (7999) User A3 DAKVDEFFXXX BANKDEFFXXX Grant privileges Admin A2 to users Grant basic admin privileges DCP B User of B 7 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Privileges Detailed process 1. a) Party gets admin privileges from CBF b) Party gets all other DCP privileges from CBF 2. Admin User gets six basic admin privileges and two Data Changes privileges (4-Eyes related role) from CBF 3. The Admin User need to grant to themselves additional admin privileges previously given to the DCP party (in 4-Eyes mode) 4. The Admin Users can create other users and grant privileges to those users in 4-Eyes mode 4 All DCP privileges 1 4 Admin A1 Sett user A3 CBF DCP A (7999) Settlement and 3 DAKVDEFFXXX BANKDEFFXXX query privileges Admin A2 Config user A4 6 basic admin privileges 2 4 Additional + 2 data change privileges Configuration and admin privileges query privileges 8 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Privileges Granting privileges in the T2S GUI 1 3 2 Granting privileges to a user Static Data � Grant / Revoke Privilege 1 Click “User“ and select the user you want to grant the privilege to 2 Move privileges to be granted from the left side (all available privileges granted by CBF) to the right side (already granted privileges) 3 9 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Classes Definition of T2S privilege classes ‒ In T2S there are about 150 privileges that can be granted to DCP � Grouping of T2S privileges is required ‒ T2S has grouped privileges into so called classes for better overview ‒ Single privileges from a class can be assigned individually, or all privileges from a class can be granted as set ‒ Single privileges override privileges granted in a role 1) 1) For example, if a privilege is granted in 2-Eyes mode in a role, it can be additionally granted in 4-Eyes mode as a single privilege. 10 27 April 2016 The user can then only use the respective privilege in 4-Eyes mode.
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Roles Roles on T2S defined by CBF ‒ Please note: CBF will group privileges into roles. In some areas, the roles defined by CBF are in line with the classes defined by T2S, but in other areas CBF roles and T2S classes deviate Admin Users will initially have two roles: ‒ Roles can only be defined by CSDs, but DCPs can re-use the roles defined by ‒ Access Rights their CSD Administrator – Basic ‒ CBF plans to group the 150 DCP privileges in 15 roles 1) (6 basic privileges) ‒ ‒ Administrator 4-Eyes Once a role is created, filled with certain privileges and granted to a DCP party, the Configuration Admin Users of the DCP can grant this role to their Users To complete their setup, Admin Users must also grant themselves the roles ‒ Access Rights Administrator – Advanced ‒ Access Rights Administrator – Queries and confirm the change in 4-Eyes mode 1) More details can be found in the appendix 11 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Roles Roles on T2S defined by CBF – Overview CBF will grant to each DCP Party Full GUI ‒ a set up roles 1) In addition, CBF will DCP DCP grant to all Admin Users Access Rights Administrator – Advanced Y Y the roles “Access Rights Access Rights Administrator – Queries Y Y Administrator – Basic” 4-Eyes Configuration Y Y and “Administrator 4- Eyes Configuration” Configuration Manager Y N ‒ CBF will grant every Configuration Reading Y N privilege granted to a DCP party as part of a Report Configuration Y Y role also as individual privilege (except admin Message Management Y N privileges) Static Data Queries Y Y ‒ Admin User can choose whether they prefer Settlement Queries Y Y granting roles or granting privileges Report and Queries Y Y individually Send Instructions Y N ‒ Single privileges override privileges Settlement ISO Codes Y N granted in a role Settlement General Y Y 1) More details can be found in the appendix 12 27 April 2016
TARGET2-Securities – DCP T2S Access Right Model – April 2016 Roles Process of granting roles in the T2S GUI 1 3 2 Granting roles to a user Static Data � Grant / Revoke Role 1 Click “User“ and select the user you want to grant the role to 2 Move roles to be granted from the left side (all available roles) to the right 3 side (already granted roles) 13 27 April 2016
Recommend
More recommend