Principals

Understand user accounts and client applications.

Overview

A principal is an entity that is authorized to access tenant data and perform operations on that data. The Intelligent Risk Platform supports two types of principals: user accounts and client applications (identified by API keys):

  • A user account is an entity that identifies an end user of an Intelligent Risk Platform application. End users can log into applications using their credentials (user name and password).
  • A client application is a tool or application that leverages an API to access and update tenant data on the Intelligent Risk Platform. Client applications can access API resources using an API key or access token.

User accounts and client applications are only authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.

User accounts

A user account is an entity that identifies a single end user of an Intelligent Risk Platform application.

The user account defines the credentials (user name and password) that enable an end user to log into an Intelligent Risk Platform application, e.g. ExposureIQ, Risk Modeler, TreatyIQ, or UnderwriteIQ.

Every user account can be assigned to one or more groups. The user account inherits access rights to protected resources and permissions to perform operations based on group membership. To learn more, see User Groups.

Tenant administrators can create and manage user accounts using controls in Admin Center. For step-by-step instructions, see User Administration.

Client applications

A client application is a tool or application that leverages an Intelligent Risk Platform API to access and update tenant data.

A client application must pass valid security credentials in every request it makes to the API. These credentials enable the platform to authenticate the identity of the client application and confirm that the client application is authorized to access and leverage the requested resources. For more information, see Authentication and Authorization.

The Intelligent Risk Platform supports two methods of client authentication: API keys and access tokens.

API keys

An API key is a secret string that identifies a project or client application, which enables the platform to authenticate the client and authorize requests to API resources. Client applications must pass a valid API key in the Authorization header of all requests. The API key provides the client with long-term access to API resources. Because that access is long-lived, treat the key as a secret: store it in a secrets manager or environment variable rather than in source code or client-side files, never write it to logs, and revoke and reissue it if it is exposed.

Moody's recommends that tenants use API keys for authentication of client applications in production environments.

Every API key can be assigned to one or more groups. The API key inherits access rights to protected resources and permissions to perform operations based on group membership. Tenant administrators can create and manage API keys using controls in Admin Center. For step-by-step instructions, see Developer Administration.

Access tokens

An access token is a credential that allows an application to access an API or other protected resources on behalf of a user account that is entitled to call the API. Access tokens are generated on a per-session basis, providing the client with temporary access to API resources. Because the token is temporary, a client must be prepared to obtain a new one when its session ends, and a request rejected for an expired token is an authentication failure, not a permissions problem.

Token-based authentication should be used for testing and evaluation purposes only.
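The following Python client helper is an added example illustrating the two credential types described above (API keys under API keys, access tokens under Access tokens); it is not Moody's own client code or SDK. It assumes, because the page does not state them, that the API key is sent as the bare value of the Authorization header, that an access token is sent with the standard "Bearer" scheme, that the environment variable name, base URL and request path are placeholders, and that the platform answers 401 for a failed authentication and 403 for a failed authorization. The expiry field on the token credential is modelled here to make the "temporary access" property concrete.

```python
"""Attaching an Intelligent Risk Platform credential to an API request.

Added illustration, not Moody's client code. Assumptions not stated by the
page: bare API key in the Authorization header, "Bearer" scheme for access
tokens, placeholder env-var name / base URL / path, 401 = authentication
failure, 403 = authorization failure.
"""
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Union

BASE_URL = "https://api.example.invalid"  # placeholder, not a real endpoint
API_KEY_ENV_VAR = "IRP_API_KEY"           # placeholder name, assumption


class CredentialError(Exception):
    """The credential cannot be used for this request."""


@dataclass(frozen=True)
class ApiKeyCredential:
    """Long-lived credential of a client application (created in Admin Center)."""
    key: str

    def authorization_value(self, now: Optional[float] = None) -> str:
        if not self.key or not self.key.strip():
            raise CredentialError("API key is empty")
        return self.key  # assumption: bare key, no scheme prefix


@dataclass(frozen=True)
class AccessTokenCredential:
    """Per-session credential that acts on behalf of a user account."""
    token: str
    expires_at: float  # POSIX seconds; modelled here because tokens are temporary

    def authorization_value(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now >= self.expires_at:
            raise CredentialError("access token expired; start a new session")
        return f"Bearer {self.token}"  # assumption: RFC 6750 Bearer scheme


Credential = Union[ApiKeyCredential, AccessTokenCredential]


def load_api_key_from_env(environ=os.environ) -> ApiKeyCredential:
    """Read the key from the process environment, never from source code."""
    key = environ.get(API_KEY_ENV_VAR)
    if not key:
        raise CredentialError(f"{API_KEY_ENV_VAR} is not set")
    return ApiKeyCredential(key)


def redact(secret: str) -> str:
    """Log-safe rendering of a credential: only the last four characters survive."""
    if len(secret) <= 4:
        return "****"
    return "*" * (len(secret) - 4) + secret[-4:]


def build_request(method: str, path: str, credential: Credential,
                  now: Optional[float] = None) -> urllib.request.Request:
    """Build a request carrying the credential in the Authorization header."""
    headers = {
        "Authorization": credential.authorization_value(now),
        "Accept": "application/json",
    }
    return urllib.request.Request(BASE_URL + path, method=method, headers=headers)


def interpret_status(status: int) -> str:
    """Separate the two failures the page distinguishes: identity vs. entitlement."""
    if status == 401:
        return "authentication failed: credential missing, invalid, revoked or expired"
    if status == 403:
        return "authorization failed: principal's groups lack the required permission"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


if __name__ == "__main__":
    cred = load_api_key_from_env()
    req = build_request("GET", "/v1/resource", cred)  # placeholder path
    print("sending with key", redact(cred.key))       # never print the key itself
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            print(interpret_status(resp.status))
    except urllib.error.HTTPError as err:
        print(interpret_status(err.code))
```

The two credential classes share one method so the request builder does not care which kind it is given; the difference shows up only in the expiry check, which turns an expired session token into a local error before a request is sent. Keeping 401 and 403 distinct in `interpret_status` matters in practice: a 403 means the principal was authenticated but its group membership lacks the permission, so rotating the key or token will not fix it.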