The Intelligent Risk Platform data access and security model enables risk management organizations to define granular access controls to protected resources and to ensure that end users and client applications that access those resources perform only authorized operations.
This data access and security model depends on three entities:
- A principal is an entity that can be authenticated by the Intelligent Risk Platform. A principal must be authenticated before it can be authorized to access protected resources and perform operations. Principals are assigned to groups.
- A role is an entity that represents a predefined collection of permissions. A permission determines whether a principal may perform an operation. Roles are assigned to groups. To grant permissions to a principal, assign a role to a group and add the principal to that group.
- A group is an entity that represents a collection of principals. Groups enable you to define teams of principals (who share a pool of data) or to assign permissions to principals who perform the same job function. Principals and roles are assigned to groups and groups are granted access to protected resources (e.g. exposure sets, server instances, databases).
In summary, access rights and permissions to Intelligent Risk Platform resources are not granted directly to principals. Rather, principals are assigned to groups. A group may represent a team that shares a common set of data or a collection of users that perform the same job function within a project. In this way, both access rights and permissions are defined on a group-by-group basis. A principal gains access rights or permissions by being a member of a group.
Principals, groups, and roles may be managed by a tenant administrator in Admin Center. The following sections describe core entities in detail.
A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.
The Intelligent Risk Platform supports two principals: user accounts and API keys.
- A user account is an entity that identifies an end user of the Intelligent Risk Platform. The user account defines the credentials (user name and password) that enable that end user to log into the Intelligent Risk Platform.
- An API key is a string that identifies a client application using the Intelligent Risk Platform. Client applications must pass a valid API key in the `Authorization` header of every request to an Intelligent Risk Platform API.
User accounts and API keys are authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.
The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.
RMS recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.
In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.
Tenant administrators may create user accounts and API keys in the Admin Center.
A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.
Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.
- Access rights specify who may access a protected resource. Access rights to exposure sets, server instances, and hosted databases may be granted to groups.
- Permissions specify who may perform operations on a protected resource. A group may be assigned one or more roles, which define the permissions granted to the members of that group. Role-based permissions determine who may view, update, create, upload, or download protected resources.
Team and Role-based groups
RMS recommends that you use distinct groups to manage access rights and permissions.
- An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
- A permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.
Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
The Risk Modeler API supports group-level access controls for exposure sets.
An exposure set is a collection of exposure data and related analysis results data that is managed by means of an access control list (ACL). The exposure set ACL specifies the principals that may access the data in that exposure set.
A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.
- A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM.
- The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.
- Groups with access rights to an exposure set may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures.
- The Risk Modeler API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.
For detailed information on exposure sets, see the Intelligent Risk Platform Administrator Guide.
The Data Bridge API supports group-level access controls for managed server instances and hosted databases.
A managed database resource is a server instance that is hosted on the tenant's Data Bridge. The tenant may restrict access to these resources on a group-by-group basis.
Client applications are included in the managed database resource ACL based on group membership:
- A managed database resource (server instance or database) is owned by one or more groups. A client application must be a member of a group that owns a particular resource to access that resource. The client application may perform operations granted to it based on its role.
- By default, a managed database resource is owned by the group that initially uploaded or created that managed database resource.
- The Data Bridge API enables tenant administrators to grant or revoke group access to managed database resources using the Manage access to server instance and Manage access to database operations.
A client application that may access a server instance may define logins to that server instance. A login is a SQL Server login that enables a principal to log into and manage data in a server instance in the tenant's Data Bridge cluster. To learn more, see Manage Logins.
A role is a predefined collection of permissions that may be granted to a group. The role represents a particular job title and includes permissions that enable that role to perform operations that are the responsibility of professionals with that title in an underwriting organization.
The Admin role is a collection of permissions that enable a principal to perform administrative tasks in Admin Center and the Data Bridge API.
Administrative tasks include the creation and management of principals (user accounts and API keys) and groups.
In general, a tenant administrator may perform administrative tasks using controls in Admin Center. For detailed information about administering Intelligent Risk Platform groups and role-based privileges, see the Intelligent Risk Platform Administrator Guide.
Risk Modeler supports five roles: Underwriter, Technical Underwriter, Risk Analyst, Portfolio Manager, and Cat Modeler.
Role-based permissions determine operations that a principal may perform in the Risk Modeler application or using Risk Modeler API operations.
For a detailed discussion of Risk Modeler roles and the access rights and permissions represented by each role in the Risk Modeler application, see the Intelligent Risk Platform Administrator Guide.
Intelligent Risk Platform supports two Data Bridge roles: the Consumer role and the Contributor role.
- The Consumer role is a collection of permissions that enable a principal to view but not update managed server instances and databases. Consumers cannot upload or export EDMs or custom databases to Data Bridge or modify data in hosted databases.
- The Contributor role is a collection of permissions that enable a principal to view and update server instances and databases. Contributors may import or export databases, import or export data, and modify data in hosted databases.
The Data Bridge API provides broad support for administrative operations. Tenant administrators may manage Data Bridge ACLs, group access to server instances and databases, and server instance logins using Data Bridge API operations.
Role-based permissions control the following Data Bridge operations:
| Operation | Consumer | Contributor | Admin |
|---|---|---|---|
| Get Data Bridge ACL | NO | NO | YES |
| Get ACL entries | NO | NO | YES |
| Overwrite Data Bridge ACL | NO | NO | YES |
| Delete IP address | NO | NO | YES |
| Delete range of IP addresses | NO | NO | YES |
| Set TLS protocol version | NO | NO | YES |
| Get databases by instance | YES | YES | NO |
| Get database by instance | YES | YES | NO |
| Import database from flat file | NO | YES | NO |
| Export database to URI | NO | YES | NO |
| Get upload directory URI | NO | YES | NO |
| Initiate multipart upload | NO | YES | NO |
| Get pre-signed URL for multipart upload | NO | YES | NO |
| Upload data part by number | NO | YES | NO |
| Complete multipart upload | NO | YES | NO |
| Get job status | YES | YES | NO |
| Get job details | YES | YES | NO |
| Get jobs by server instance | YES | YES | YES |
| Get job by server instance | YES | YES | YES |
| Get logins by instance | YES | YES | YES |
| Update login password | YES | YES | YES |
| Delete instance login | YES | YES | YES |
| Get groups by instance | YES | YES | NO |
| Update group access by instance | NO | NO | YES |
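
The following is an added example, not RMS code and not a platform API: a small model of the group-mediated decision this page describes for a Data Bridge resource, usable as a pattern for auditing effective access. The group names, principals, and resource id are constructed. It assumes the first two table columns are Consumer and Contributor, and that the access right and the role may come from different groups.

```python
# Added illustration of the model on this page; all tenant data below is constructed.

# Role -> operations, copied from two rows of the table above
# (assumption: the first two columns are Consumer and Contributor).
ROLE_OPERATIONS = {
    "Consumer": {"Get databases by instance"},
    "Contributor": {"Get databases by instance", "Import database from flat file"},
}

# Constructed tenant state: nothing is granted to a principal directly.
GROUP_MEMBERS = {
    "team-cat-emea": {"alice", "apikey-etl"},   # access rights-based (team) group
    "role-contributors": {"apikey-etl"},        # permission-based groups
    "role-consumers": {"alice", "bob"},
}
GROUP_ROLES = {"role-contributors": {"Contributor"}, "role-consumers": {"Consumer"}}
RESOURCE_OWNERS = {"instance-01": {"team-cat-emea"}}  # groups that own the resource


def groups_of(principal):
    """All groups the principal (user account or API key) belongs to."""
    return {g for g, members in GROUP_MEMBERS.items() if principal in members}


def decide(principal, operation, resource):
    """Return (allowed, reason). Assumption of this example: a request needs an
    access right to the resource AND a role that permits the operation, and the
    two may be obtained through different groups."""
    groups = groups_of(principal)
    access_via = sorted(groups & RESOURCE_OWNERS.get(resource, set()))
    if not access_via:
        return False, "no access right: not in a group that owns the resource"
    roles = set().union(*(GROUP_ROLES.get(g, set()) for g in groups))
    granting = sorted(r for r in roles if operation in ROLE_OPERATIONS.get(r, set()))
    if not granting:
        return False, "no permission: no role held via groups allows the operation"
    return True, f"access via {access_via}, permission via {granting}"


def effective_operations(principal, resource):
    """Audit helper: every modeled operation the principal can perform on the resource."""
    all_ops = set().union(*ROLE_OPERATIONS.values())
    return sorted(op for op in all_ops if decide(principal, op, resource)[0])
```

Running `effective_operations` for every principal and resource gives a reviewable list of who can do what, which is the check to repeat after any change to group membership or role assignment.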