User Groups

Understand the relationship between groups, principals, and roles.

Overview

A user group is an entity that defines the access rights and permissions of a collection of licensed Intelligent Risk Platform principals. A user group may include any number of user accounts and API keys.

A principal is granted access to protected resources or permission to perform certain operations based on group membership. Access rights and role-based permissions are never assigned directly to a user account or client application. The principal inherits all access rights and permissions as a group member. Tenant administrators should therefore be extremely careful when assigning access rights, roles, or principals to a user group.


Moody's recommends that you use distinct groups to manage both access rights and permissions.

Groups for managing access rights

User groups can be used to control access rights to protected resources, such as managed server instances, hosted databases, exposure sets, or other securables.

In general, access to these resources is restricted to the owner of a secured resource. The owner of a securable or a Data Admin can share access to that securable on a group-by-group basis.

No roles should be assigned to a group used this way, because any role assigned to the group would be granted to every member of the group.

Securable access rights

A securable is a logical container of data that is owned by a group or principal. The owner of a securable has exclusive access to that securable and all child data. For example, the owner of an exposure set controls access to the exposures, analysis results, and variations in that exposure set. The owner of a securable may grant access to that securable to other groups.

For example, you may want to create a group that includes all of the members of a specific organization or team so that you can ensure that the members of that group can share data amongst themselves. Such a group would be assigned access rights to the same exposure set or database.

The Admin Data API enables a Data Admin to grant or revoke access to a group using the Update Securable operation.

Exposure set access rights

An exposure set is a securable that controls access to a collection of exposure, hazard, and financial information. The creator of the exposure set is the owner of that exposure set and may share access to an exposure set based on group membership.

A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM. The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.

Groups with access rights to an exposure set may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures. A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.

The Risk Data API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.

Secured database and secured server access rights

The Data Bridge API supports group-level access controls for managed server instances and hosted databases.

A managed database resource is a server instance that is hosted on the tenant's Data Bridge. The tenant may restrict access to these resources on a group-by-group basis.

Client applications are included in the managed database resource ACL based on group membership:

  • A managed database resource (server instance or database) is owned by one or more groups. A client application must be a member of a group that owns a particular resource to access that resource. The client application may perform operations granted to it based on its role.
  • By default, a managed database resource is owned by the group that initially uploaded or created that managed database resource.

A client application that may access a server instance may define logins to that server instance. A login is a SQL Server login that enables a principal to log into and manage data in a server instance in the tenant's Data Bridge cluster. To learn more, see Manage Logins.

Groups for managing permissions

User groups can be used to confer role-based permissions to the members of a particular user group.

A role is a predefined collection of permissions that may be assigned to one or more user groups. Every principal that is a member of a group is assigned all of the roles assigned to that group and may perform all of the actions (UI) and operations (API) allowed by those roles. Role-based permissions determine who may view, update, create, upload, or download protected resources. To learn more, see Roles.

A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.

Moody's recommends that you use distinct groups to manage access rights and permissions.
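The access-rights and permission rules from the sections above, encoded as an added Python model so that group-based ACL resolution and role inheritance can be checked on constructed data. This is illustrative code, not the platform's own; group, principal and securable names are constructed, and "Data Admin" is assumed to be the role that permits a non-owner with access to share a securable.

```python
# Illustrative model of the rules above (not the platform's own code). All names
# are constructed; "Data Admin" is assumed to be the role that permits sharing.
from dataclasses import dataclass, field


@dataclass
class Securable:
    name: str
    owner: str                                  # owning principal or group
    acl: set[str] = field(default_factory=set)  # groups granted access


class Tenant:
    def __init__(self) -> None:
        self.members: dict[str, set[str]] = {}   # group -> principals
        self.roles: dict[str, set[str]] = {}     # group -> roles
        self.securables: dict[str, Securable] = {}

    def groups_of(self, principal: str) -> set[str]:
        return {g for g, ps in self.members.items() if principal in ps}

    def effective_roles(self, principal: str) -> set[str]:
        # Never assigned directly: a principal inherits every role of every group it is in.
        return set().union(*(self.roles.get(g, set()) for g in self.groups_of(principal)))

    def can_access(self, principal: str, name: str) -> bool:
        s = self.securables[name]
        if s.owner == principal or s.owner in self.groups_of(principal):
            return True                                 # owner has exclusive access
        return bool(self.groups_of(principal) & s.acl)  # in the ACL via group membership

    def share(self, actor: str, name: str, group: str) -> None:
        """Grant `group` access to `name`. The owner may share only with groups it
        belongs to; a non-owner needs access plus the (assumed) Data Admin role."""
        s = self.securables[name]
        if s.owner == actor:
            if group not in self.groups_of(actor):
                raise PermissionError(f"{actor} may only share with its own groups")
        elif not (self.can_access(actor, name) and "Data Admin" in self.effective_roles(actor)):
            raise PermissionError(f"{actor} may not share {name}")
        s.acl.add(group)


def build_example() -> Tenant:
    """Constructed tenant: distinct groups for access rights and for permissions."""
    t = Tenant()
    t.members = {"cat-team": {"alice", "bob"}, "reins": {"carol"}, "data-admins": {"alice"}}
    t.roles = {"data-admins": {"Data Admin"}}   # access-rights groups carry no roles
    t.securables["edm-2024"] = Securable("edm-2024", owner="alice")
    return t
```

Note that `cat-team` carries no roles, so adding a principal to it widens data access without granting any permissions, which is the separation the recommendation above is aiming for.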

Administering Groups

Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. For step-by-step instructions, see User Administration.

Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.