Access Controls
Administer access rights and permissions to Intelligent Risk Platform™ applications and data
Overview
The Intelligent Risk Platform data access and security model enables risk management organizations to define granular access controls to protected resources and to ensure that end users and client applications that access those resources perform only authorized operations.
This data access and security model is based on three entities: roles, principals, and groups. These entities enable you to manage access rights and permissions for protected Intelligent Risk Platform resources (e.g. exposure sets, server instances, databases).
- A role is an entity that represents a collection of permissions. A permission determines whether a principal may access and perform operations using an API resource. Multiple roles may be assigned to each group.
- A principal is an entity (a user account or API key) that can be authenticated by the Intelligent Risk Platform. A principal must be authenticated before it can be authorized to access Platform resources. A principal may belong to multiple groups.
- A group is an entity that represents a collection of principals. A group may represent a team of principals who share a pool of data or a collection of principals that perform the same job function (i.e. have the same role) within a project. Both access rights and permissions are defined on a group-by-group basis. Principals gain access to resources and permission to perform operations based on being members of a group with those access rights and permissions.
In summary, access rights and permissions to Intelligent Risk Platform resources are not granted directly to principals. Rather, principals are assigned to groups. In this way, both access rights and permissions are defined on a group-by-group basis. A principal gains access rights or permissions by being a member of a group.
Principals
A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.
The Intelligent Risk Platform supports two types of principals: user accounts and API keys.
- A user account is an entity that identifies an end user of the Intelligent Risk Platform. The user account defines the credentials (user name and password) that enable that end user to log into the Intelligent Risk Platform.
- An API key is a string that identifies a client application using the Intelligent Risk Platform. Client applications must pass a valid API key in the
Authrorizationheader of every request to an Intelligent Risk Platform API.
User accounts and API keys are authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.
Token-based authentication
The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.
RMS recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.
In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.
Tenant administrators may create user accounts and API keys in the Admin Center.
Groups
A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.
Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.
- Access rights specify who may access a protected resource. Access rights to exposure sets, server instances, hosted databases may be granted to groups.
- Permissions specify who may perform operations on a protected resource. A group may be assigned one or more roles, which define the permissions granted to the members of that group. Role-based permissions determine who may view, update, create, upload, or download protected resources.
Team and Role-based groups
RMS recommends that you use distinct groups to manage access rights and permissions.
- An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
- An permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.
Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
Group access to secured data resources
All Data Bridge data resources (servers or databases) may implement security controls that restrict access to that resource to members of one or more groups. Group-based security is optional.
Every secured data resource has one owner. The owner of a data resource has exclusive visibility to security settings and the ability to provide or revoke access to that data resource on a group-by-group basis.
For details on server and database-level security, see Administer Server and Database Security.
Roles
A role is a predefined collection of permissions that may be granted to a group. The role represents a particular job title and includes permissions that enable that role to perform operations that are the responsibility of professionals with that title in an underwriting organization.
Intelligent Risk Platform supports three Data Bridge roles: the Consumer role, Contributor role, and the Data Bridge Admin role.
- The Consumer role is a collection of permissions that enable a principal to view but not update managed server instances and databases. Consumers cannot upload or export EDMs or custom databases to Data Bridge or modify data in hosted databases.
- The Contributor role is a collection of permissions that enable a principal to view and update server instances and databases. Contributors may import or export databases, import or export data, and modify data in hosted databases.
- The Data Bridge Admin role is a collection of permissions that enable a principle to administer and manage access to managed SQL Server instances on Data Bridge. The Data Bridge Admin role is distinct from the Intelligent Risk Platform Admin role (the "Tenant Admin").
The Data Bridge API provides broad support for administrative operations. Tenant administrators may manage Data Bridge ACLs, group access to server instances and databases, and server instance logins using Data Bridge API operations.
Role-based permissions control the following Data Bridge operations:
| Operation | Consumer | Contributor | Data Bridge Admin |
|---|---|---|---|
| Get Archives by Server Instance | NO | NO | YES |
| Get Archive | NO | NO | YES |
| Delete Archive | NO | NO | YES |
| Restore Archive | NO | NO | YES |
| Get Data Bridge ACL | NO | NO | YES |
| Get ACL entries | NO | NO | YES |
| Overwrite Data Bridge ACL | NO | NO | YES |
| Delete IP address | NO | NO | YES |
| Delete range of IP addresses | NO | NO | YES |
| Set TLS protocol version | NO | NO | YES |
| Create database | NO | YES | NO |
| Get databases by instance | YES | YES | NO |
| Get database by instance | YES | YES | NO |
| Pin database | NO | YES | NO |
| Import database from flat file | NO | YES | NO |
| Rename database | NO | NO | YES |
| Shrink database | NO | NO | YES |
| Export database to URI | NO | YES | NO |
| Get upload directory URI | NO | YES | NO |
| Initiate multipart upload | NO | YES | NO |
| Get pre-signed URL for multipart upload | NO | YES | NO |
| Upload data part by number | NO | YES | NO |
| Complete multipart upload | NO | YES | NO |
| Get job status | YES | YES | NO |
| Get job details | YES | YES | NO |
| Get jobs by server instance | YES | YES | YES |
| Get job by server instance | YES | YES | YES |
| Get logins by instance | YES | YES | YES |
| Create login | YES | YES | YES |
| Update login password | YES | YES | YES |
| Delete instance login | YES | YES | YES |
| Get instance | YES | YES | NO |
| Get instances | YES | YES | NO |
If security is implemented on a data resource (server or database), the owner of that entity has exclusive access to information about security and the ability to grant or revoke access to that data resource on a group-by-group basis. For details, see Administer Server and Database Security.
Updated 29 days ago