Groups
Understand the relationship between groups and roles.
Overview
A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.
Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.
Moody's recommends that you use distinct groups to manage access rights and permissions.
- An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
- A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.
Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
Access rights-based groups
An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
Exposure set access rights
An exposure set is a collection of exposure data and related analysis results data that is managed by means of an access control list (ACL). The exposure set ACL specifies the principals that may access the data in that exposure set.
A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.
- A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM.
- The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.
- Groups with access rights to an exposure set may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures.
- The Risk Modeler API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.
For detailed information on exposure sets, see the Intelligent Risk Platform Administrator Guide.
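The access rules in this section, modeled as an added Python example (not Moody's code and not a Risk Modeler API call). The class names, the `sharers` set standing in for the role-based sharing permission, and every sample principal and group are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ExposureSet:
    owner: str                               # principal that uploaded or created the EDM/RDM
    acl: set = field(default_factory=set)    # groups granted access; empty means private

class Tenant:
    def __init__(self, membership, sharers):
        self.membership = membership         # group name -> set of principals
        self.sharers = sharers               # assumed: principals whose role permits sharing

    def groups_of(self, principal):
        return {g for g, m in self.membership.items() if principal in m}

    def has_access(self, principal, es):
        # The owner always has access; everyone else only via a group on the ACL.
        return principal == es.owner or bool(self.groups_of(principal) & es.acl)

    def share(self, actor, es, group):
        mine = self.groups_of(actor)
        as_owner = actor == es.owner and group in mine                # owner: own groups only
        as_member = bool(mine & es.acl) and actor in self.sharers     # member: needs the role
        if not (as_owner or as_member):
            raise PermissionError(f"{actor} may not share with {group}")
        es.acl.add(group)

    def effective_principals(self, es):
        # Everyone who can reach the data right now: the audit view of the ACL.
        return {es.owner}.union(*(self.membership.get(g, set()) for g in es.acl))

def demo():
    # Constructed sample tenant; all names are made up.
    t = Tenant({"cat-modeling": {"alice", "bob"}, "reinsurance": {"carol"}}, sharers={"bob"})
    es = ExposureSet(owner="alice")          # not yet shared with any group
    private_view = t.effective_principals(es)
    t.share("alice", es, "cat-modeling")     # owner shares with a group it belongs to
    try:
        t.share("alice", es, "reinsurance")  # owner is not a member and lacks the sharing role
        owner_blocked = False
    except PermissionError:
        owner_blocked = True
    t.share("bob", es, "reinsurance")        # member of a group on the ACL, role permits sharing
    t.membership["reinsurance"].add("dave")  # membership change only, ACL untouched
    return {"private_view": private_view, "owner_blocked": owner_blocked,
            "dave_has_access": t.has_access("dave", es), "final": t.effective_principals(es)}

if __name__ == "__main__":
    print(demo())
```

In the run above, `dave` gains access through a group membership change alone, so an access review of an exposure set has to cover group membership as well as the ACL itself.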
Database resource access rights
The Data Bridge API supports group-level access controls for managed server instances and hosted databases.
A managed database resource is a server instance that is hosted on the tenant's Data Bridge. The tenant may restrict access to these resources on a group-by-group basis.
Client applications are included in the managed database resource ACL based on group membership:
- A managed database resource (server instance or database) is owned by one or more groups. A client application must be a member of a group that owns a particular resource to access that resource. The client application may perform operations granted to it based on its role.
- By default, a managed database resource is owned by the group that initially uploaded or created that managed database resource.
A client application that may access a server instance may define logins to that server instance. A login is a SQL Server login that enables a principal to log into and manage data in a server instance in the tenant's Data Bridge cluster. To learn more, see Manage Logins.
Permission-based groups
Moody's recommends that you use distinct groups to manage access rights and permissions.
A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.