User groups

Understand the relationship between groups, principals, and roles.

Overview

A user group is an entity that defines the access rights and role-based permissions of a collection of licensed Intelligent Risk Platform principals (user accounts and API keys).

A principal is granted access to securables or permission to perform certain operations based on group membership. Access rights and role-based permissions are never assigned directly to a principal; the principal inherits all access rights and permissions as a group member. Tenant administrators should therefore be careful when assigning access rights, roles, or principals to a user group, because every member of the group receives them.

Moody's recommends that you use distinct groups to manage access rights and role-based permissions:

  • An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The user group ensures the members of a team may share data amongst themselves (e.g. exposure sets and other securables).
  • A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The user group ensures that its members are permitted to perform the same operations.

User groups for managing access rights

User groups can be used to control access rights to protected resources, such as managed server instances, hosted databases, exposure sets, or other securables.

In general, access to these resources is restricted to the owner of a secured resource. The owner of a securable or a Data Admin can share access to that securable on a group-by-group basis.

No roles are assigned to this kind of group: any role assigned to the group would be granted to every one of its members.

Securable access rights

A securable is a logical container of data that is owned by a group or principal. The owner of a securable has exclusive access to that securable and all child data.

For example, an exposure set is a securable that controls access to a collection of exposure, hazard, and financial information as well as analyses based on that data. The exposure set owner can grant access to all of the data in an exposure set to a user group using the Update Exposure Set operation. The members of that group can access the exposures, exposure variations, and exposure analysis in the exposure set.

Securables include business hierarchy sets, exposure sets, program sets, and share sets.

| Securable | Child data | Operation |
|---|---|---|
| business hierarchy set | business hierarchy, business hierarchy variation, business hierarchy analysis | Update Business Hierarchy Set |
| exposure set | exposure, exposure variation, exposure analysis | Update Exposure Set |
| program set | program, program variation, program analysis | Update Program Set |
| share set | treaty share, program treaty analysis | Update Share Set |

Access to securables may be granted to user groups by the owner of each securable using the securable-specific operations listed above. Alternatively, a Data Admin may grant or revoke access to any type of securable using the Update Securable operation.

Secured database and secured server access rights

The Data Bridge API supports group-level access controls for managed server instances and hosted databases.

A managed database resource is a server instance that is hosted on the tenant's Data Bridge. The tenant may restrict access to these resources on a group-by-group basis.

Client applications are included in the managed database resource ACL based on group membership:

  • A managed database resource (server instance or database) is owned by one or more groups. A client application must be a member of a group that owns a particular resource to access that resource. The client application may perform operations granted to it based on its role.
  • By default, a managed database resource is owned by the group that initially uploaded or created that managed database resource.

A client application that may access a server instance may define logins to that server instance. A login is a SQL Server login that enables a principal to log into and manage data in a server instance in the tenant's Data Bridge cluster. To learn more, see Manage Logins.

User groups for managing permissions

User groups can be used to confer role-based permissions to the members of a particular user group.

A role is a predefined collection of permissions that may be assigned to one or more user groups. Every principal that is a member of a group is assigned all of the roles assigned to that group and may perform all of the actions (UI) and operations (API) allowed by those roles. Role-based permissions determine who may view, update, create, upload, or download protected resources. To learn more, see Roles.

A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.

Moody's recommends that you use distinct groups to manage access rights and permissions.
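The following is an added illustration of the model described in the Securable access rights and User groups for managing permissions sections, not code from the platform itself: an access right is an owner-or-shared-group check, a permission comes only from roles on the principal's groups, and an operation needs both. Role names, operation names, group names and principal ids are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role table (role -> permitted operations); illustrative only,
# not the platform's real role catalogue.
ROLES = {
    "Analyst": {"view", "update"},
    "Data Admin": {"view", "update", "create", "upload", "download"},
}

@dataclass
class Group:
    name: str
    members: set                              # principal ids (users or API keys)
    roles: set = field(default_factory=set)   # roles assigned to the group

@dataclass
class Securable:
    name: str
    owner: str                                # owning principal or group name
    shared_with: set = field(default_factory=set)  # groups granted access

def groups_of(principal, groups):
    return [g for g in groups if principal in g.members]

def has_access(principal, securable, groups):
    """Access right: owner, member of the owning group, or member of a group
    the securable was shared with. Rights are never held by a principal directly."""
    names = {g.name for g in groups_of(principal, groups)}
    return (securable.owner == principal or securable.owner in names
            or bool(names & securable.shared_with))

def permissions(principal, groups):
    """Role-based permissions are inherited from every group the principal is in."""
    return set().union(*(ROLES.get(r, set())
                         for g in groups_of(principal, groups) for r in g.roles))

def may_perform(principal, op, securable, groups):
    """An operation needs both an access right and a role-based permission."""
    return has_access(principal, securable, groups) and op in permissions(principal, groups)

def share(actor, securable, group_name, groups):
    """Only the owner (or a member of a group holding Data Admin) may share
    a securable with a group, on a group-by-group basis."""
    my_groups = groups_of(actor, groups)
    is_owner = securable.owner == actor or securable.owner in {g.name for g in my_groups}
    is_data_admin = any("Data Admin" in g.roles for g in my_groups)
    if is_owner or is_data_admin:
        securable.shared_with.add(group_name)
        return True
    return False
```

Assigning a role to the team (access rights) group in this model immediately grants it to every team member, which is why the page recommends keeping the two kinds of group separate.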

Administering user groups

Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. For step-by-step instructions, see User Administration.

Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
