Access Controls
Administer access rights and permissions to Intelligent Risk Platform™ applications and data
Overview
The Intelligent Risk Platform data access and security model enables risk management organizations to define granular access controls to protected resources and to ensure that end users and client applications that access those resources perform only authorized operations.
This data access and security model is based on three entities: roles, principals, and groups. These entities enable you to manage access rights and permissions for protected Intelligent Risk Platform resources (e.g. exposure sets, server instances, databases).
- A role is an entity that represents a collection of permissions. A permission determines whether a principal may access and perform operations using an API resource. Multiple roles may be assigned to each group.
- A principal is an entity (a user account or API key) that can be authenticated by the Intelligent Risk Platform. A principal must be authenticated before it can be authorized to access Platform resources. A principal may belong to multiple groups.
- A group is an entity that represents a collection of principals. A group may represent a team of principals who share a pool of data or a collection of principals that perform the same job function (i.e. have the same role) within a project. Both access rights and permissions are defined on a group-by-group basis. Principals gain access to resources and permission to perform operations based on being members of a group with those access rights and permissions.
In summary, access rights and permissions to Intelligent Risk Platform resources are not granted directly to principals. Rather, principals are assigned to groups. In this way, both access rights and permissions are defined on a group-by-group basis. A principal gains access rights or permissions by being a member of a group.
Principals, groups, and roles may be managed by a tenant administrator in Admin Center. The following sections describe core entities in detail.
Principals
A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.
The Intelligent Risk Platform supports two types of principals: user accounts and API keys.
- A user account is an entity that identifies an end user of the Intelligent Risk Platform. The user account defines the credentials (user name and password) that enable that end user to log into the Intelligent Risk Platform.
- An API key is a string that identifies a client application using the Intelligent Risk Platform. Client applications must pass a valid API key in the Authorization header of every request to an Intelligent Risk Platform API.
User accounts and API keys are authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.
Token-based authentication
The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.
Moody's recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.
In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.
Tenant administrators may create user accounts and API keys in the Admin Center.
Groups
A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.
Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.
- Access rights specify who may access a protected resource. Access rights to exposure sets, server instances, and hosted databases may be granted to groups.
- Permissions specify who may perform operations on a protected resource. A group may be assigned one or more roles, which define the permissions granted to the members of that group. Role-based permissions determine who may view, update, create, upload, or download protected resources.
Moody's recommends that you use distinct groups to manage access rights and permissions.
- An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
- A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.
Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
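The following sketch is an added example, not Intelligent Risk Platform code. It models the two checks described above (an access right from one group, a permission from a role on any group) and flags principals that hold only one of the two. The permission sets per role, the group names, the resource name, and the rule that both checks are evaluated across all of a principal's groups are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role names come from the page; the permission sets attached to them are
# constructed for illustration and are not the platform's real definitions.
ROLE_PERMISSIONS = {
    "Risk Analyst": {"view", "update", "create", "upload"},
    "Underwriter": {"view", "update"},
}

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)    # principals: user accounts or API keys
    roles: set = field(default_factory=set)      # role-based permissions
    resources: set = field(default_factory=set)  # access rights, e.g. exposure sets

def groups_of(principal, groups):
    return [g for g in groups if principal in g.members]

def is_authorized(principal, operation, resource, groups):
    """Assumed rule: an access right and a permission are both required,
    and each may come from a different group the principal belongs to."""
    mine = groups_of(principal, groups)
    has_access = any(resource in g.resources for g in mine)
    perms = set()
    for g in mine:
        for role in g.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
    return has_access and operation in perms

def dangling_principals(groups):
    """Flag principals holding access rights without any role, or the reverse."""
    report = {}
    for p in sorted(set().union(*(g.members for g in groups))):
        mine = groups_of(p, groups)
        has_res = any(g.resources for g in mine)
        has_role = any(g.roles for g in mine)
        if has_res != has_role:
            report[p] = "access rights, no role" if has_res else "role, no access rights"
    return report

# Constructed sample tenant: one access rights-based group, two permission-based groups.
GROUPS = [
    Group("team-emea", {"alice", "bob", "apikey-etl"}, resources={"exposure-set-A"}),
    Group("risk-analysts", {"alice", "apikey-etl"}, roles={"Risk Analyst"}),
    Group("underwriters", {"carol"}, roles={"Underwriter"}),
]
```

Running `dangling_principals` over a tenant's group export is a quick review step for memberships that grant data access with no usable role, or a role with nothing to apply it to.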
Group access to exposure sets
The Risk Modeler API supports group-level access controls for exposure sets.
An exposure set is a collection of exposure data and related analysis results data that is managed by means of an access control list (ACL). The exposure set ACL specifies the principals that may access the data in that exposure set.
A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.
- A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM.
- The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.
- Groups with access rights to an exposure set may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures.
- The Risk Modeler API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.
For detailed information on exposure sets, see the Intelligent Risk Platform Administrator Guide.
Group access to database resources
The Data Bridge API supports group-level access controls for managed server instances and hosted databases.
A managed database resource is a server instance that is hosted on the tenant's Data Bridge. The tenant may restrict access to these resources on a group-by-group basis.
Client applications are included in the managed database resource ACL based on group membership:
- A managed database resource (server instance or database) is owned by one or more groups. A client application must be a member of a group that owns a particular resource to access that resource. The client application may perform operations granted to it based on its role.
- By default, a managed database resource is owned by the group that initially uploaded or created that managed database resource.
- The Data Bridge API enables tenant administrators to grant or revoke group access to managed database resources using the Manage access to server instance and Manage access to database operations.
A client application that may access a server instance may define logins to that server instance. A login is a SQL Server login that enables a principal to log into and manage data in a server instance in the tenant's Data Bridge cluster. To learn more, see Manage Logins.
Roles
A role is a predefined collection of permissions that may be granted to a group. The role represents a particular job title and includes permissions that enable that role to perform operations that are the responsibility of professionals with that title in an underwriting organization.
Administrative roles
The Intelligent Risk Platform supports three administrative roles: Admin role, Data Admin role, and Data Bridge Admin role.
- The Admin role is a collection of permissions that enable a principal to perform administrative tasks in Admin Center. Administrative tasks include the creation and management of principals (user accounts and API keys) and groups. In general, a tenant administrator may perform administrative tasks using controls in Admin Center. For detailed information about administering Intelligent Risk Platform groups and role-based privileges, see the Intelligent Risk Platform Administrator Guide.
- The Data Admin is a role that may define access controls for platform securables (exposure sets, program sets, business hierarchy sets, and share sets). See Securables. Data Admins can monitor and configure access to data assets.
- The Data Bridge Admin role may define access controls for managed SQL Server instances on Data Bridge. The Data Bridge Admin is granted full read/write access to data and can control access to those assets.
Risk Data API roles
Risk Data API roles define access for Risk Data API resources. The Intelligent Risk Platform supports five roles: Underwriter, Technical Underwriter, Risk Analyst, Portfolio Manager, and Cat Modeler.
- The Underwriter role can edit account-level exposure data, run models, and view analysis results data, but cannot update model settings.
- The Technical Underwriter role can edit more exposure data than the Underwriter role. They can commit bound accounts to booked portfolios, run models, and analyze results but cannot update model settings.
- The Risk Analyst role can upload, prepare, edit, and analyze all data that contributes to model losses but cannot edit model settings or reference data.
- The Portfolio Manager role can upload, prepare, and analyze all data that contributes to model losses, including reference data and output profiles. They cannot edit model sensitivity or model settings.
- The Cat Modeler role has access to all features and data. They implement model assumptions to align with company standards and implement model settings to be used by other roles.
- The Treaty Underwriter role may price treaties for their employer and select treaties to quote for based on pricing assessments. They have full access to the pricing workflow.
Role-based permissions determine operations that a principal may perform in the Risk Modeler application or using Risk Modeler API operations.
Grouping API roles
Grouping API roles define access for Grouping API resources. Intelligent Risk Platform supports one Grouping API role:
- The Group Exposure Manager may plan and run accumulation jobs against the business hierarchy.
For a detailed discussion of Risk Modeler roles and the access rights and permissions represented by each role in the Risk Modeler application, see the Intelligent Risk Platform Administrator Guide.