Access Rights

Administer access rights and permissions to Intelligent Risk Platform™ applications and data

Overview

The Intelligent Risk Platform data access and security model enables risk management organizations to define granular access controls to protected resources and to ensure that end users and client applications that access those resources perform only authorized operations.

This data access and security model is based on three entities: roles, principals, and groups. These entities enable you to manage access rights and permissions for protected Intelligent Risk Platform resources (e.g. exposure sets, server instances, databases).

  • A role is an entity that represents a collection of permissions. A permission determines whether a principal may access and perform operations using an API resource. Multiple roles may be assigned to each group.
  • A principal is an entity (a user account or API key) that can be authenticated by the Intelligent Risk Platform. A principal must be authenticated before it can be authorized to access Platform resources. A principal may belong to multiple groups.
  • A group is an entity that represents a collection of principals. A group may represent a team of principals who share a pool of data or a collection of principals that perform the same job function (i.e. have the same role) within a project. Both access rights and permissions are defined on a group-by-group basis. Principals gain access to resources and permission to perform operations based on being members of a group with those access rights and permissions.

In summary, access rights and permissions to Intelligent Risk Platform resources are not granted directly to principals. Rather, principals are assigned to groups. In this way, both access rights and permissions are defined on a group-by-group basis. A principal gains access rights or permissions by being a member of a group.

Principals, groups, and roles may be managed by a tenant administrator in Admin Center. The following sections describe core entities in detail.

Roles

A role is a predefined collection of permissions that enable principals to perform operations using API resources.

Risk Modeler supports five roles: Underwriter, Technical Underwriter, Risk Analyst, Portfolio Manager, and Cat Modeler.

Role-based permissions determine operations that a principal may perform in the Risk Modeler application or using Risk Modeler API operations.

For a detailed discussion of Risk Modeler roles and the access rights and permissions represented by each role in the Risk Modeler application, see the Intelligent Risk Platform Administrator Guide.

Principals

A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.

The Intelligent Risk Platform supports two types of principals: user accounts and API keys.

  • A user account is an entity that identifies an end user of the Intelligent Risk Platform. The user account defines the credentials (user name and password) that enable that end user to log into the Intelligent Risk Platform.
  • An API key is a string that identifies a client application using the Intelligent Risk Platform. Client applications must pass a valid API key in the Authorization header of every request to an Intelligent Risk Platform API.

User accounts and API keys are authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.


Token-based authentication

The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.

RMS recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.

In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.

Tenant administrators may create user accounts and API keys in the Admin Center.

Groups

A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.

Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.

  • Access rights specify who may access a protected resource. Access rights to exposure sets, server instances, and hosted databases may be granted to groups.
  • Permissions specify who may perform operations on a protected resource. A group may be assigned one or more roles, which define the permissions granted to the members of that group. Role-based permissions determine who may view, update, create, upload, or download protected resources.


Team and Role-based groups

RMS recommends that you use distinct groups to manage access rights and permissions.

  • An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
  • A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.

Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.

Group access to exposure sets

The Risk Modeler API supports group-level access controls for exposure sets.

An exposure set is a collection of exposure data and related analysis results data that is managed by means of an access control list (ACL). The exposure set ACL specifies the principals that may access the data in that exposure set.

A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.

  • A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM.
  • The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.
  • Groups with access rights to an exposure set may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures.
  • The Risk Modeler API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.

For detailed information on exposure sets, see the Intelligent Risk Platform Administrator Guide.
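
The following added example (not Intelligent Risk Platform code) models the group-based authorization described under Groups together with the exposure set sharing rules above, so that the two independent checks, access right and role-based permission, can be tested against a planned group layout. The role-to-permission mapping, the group and principal names, the owner's implicit access, and the use of the "update" permission to govern sharing are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission mapping; the platform defines the real one.
ROLE_PERMISSIONS = {"Risk Analyst": {"view", "update", "create"},
                    "Underwriter": {"view"}}

@dataclass
class Group:
    members: set                               # user accounts or API keys
    roles: set = field(default_factory=set)    # empty for a team (access) group

@dataclass
class ExposureSet:
    owner: str
    acl_groups: set = field(default_factory=set)  # groups granted access

class Tenant:
    def __init__(self, groups):
        self.groups = groups                   # group name -> Group

    def groups_of(self, principal):
        return {n for n, g in self.groups.items() if principal in g.members}

    def permissions_of(self, principal):
        # Permissions are the union of the roles of every group the principal is in.
        roles = set().union(*(self.groups[n].roles for n in self.groups_of(principal)))
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def has_access(self, principal, es):
        # Assumption: the owner can always reach its own exposure set.
        return principal == es.owner or bool(self.groups_of(principal) & es.acl_groups)

    def is_authorized(self, principal, es, operation):
        # Both checks must pass: access right (ACL) and role-based permission.
        return self.has_access(principal, es) and operation in self.permissions_of(principal)

    def share(self, principal, es, group):
        # Owner: only with groups it belongs to. Other members: need access plus
        # the "update" permission (assumed to be the permission that governs sharing).
        if principal == es.owner:
            allowed = group in self.groups_of(principal)
        else:
            allowed = group in self.groups and self.is_authorized(principal, es, "update")
        if allowed:
            es.acl_groups.add(group)
        return allowed

def build_demo():
    # Constructed tenant: two team groups and two role groups.
    return Tenant({"team-property": Group({"alice", "bob", "key-etl"}),
                   "team-casualty": Group({"carol"}),
                   "analysts": Group({"alice", "key-etl"}, {"Risk Analyst"}),
                   "underwriters": Group({"bob", "carol"}, {"Underwriter"})})
```

In this model a principal that holds a role but is in no group on the exposure set ACL is denied, and so is a team member with access but no role that grants the requested operation.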