Groups and Roles
Overview
The Intelligent Risk Platform data access and security model enables risk management organizations to define granular access controls to protected resources and to ensure that end users and client applications that access those resources perform only authorized operations.
This data access and security model depends on three entities:
- A principal is an entity that can be authenticated by the Intelligent Risk Platform. A principal must be authenticated before it can be authorized to access protected resources and perform operations. Principals are assigned to groups.
- A role is an entity that represents a predefined collection of permissions. A permission determines whether a principal may perform an operation. Roles are assigned to groups. To grant permissions to a principal, assign a role to a group and add the principal to that group.
- A group is an entity that represents a collection of principals. Groups enable you to define teams of principals (who share a pool of data) or to assign permissions to principals who perform the same job function. Principals and roles are assigned to groups and groups are granted access to protected resources (e.g. exposure sets, server instances, databases).
In summary, access rights and permissions to Intelligent Risk Platform resources are not granted directly to principals. Rather, principals are assigned to groups. A group may represent a team that shares a common set of data or a collection of users that perform the same job function within a project. In this way, both access rights and permissions are defined on a group-by-group basis. A principal gains access rights or permissions by being a member of a group.
Principals, groups, and roles may be managed by a tenant administrator in Admin Center. The following sections describe core entities in detail.
Principals
A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.
The Intelligent Risk Platform supports two principals: user accounts and API keys.
- A user account is an entity that identifies an end user of the Intelligent Risk Platform. The user account defines the credentials (user name and password) that enable that end user to log into the Intelligent Risk Platform.
- An API key is a string that identifies a client application using the Intelligent Risk Platform. Client applications must pass a valid API key in the
Authrorization
header of every request to an Intelligent Risk Platform API.
User accounts and API keys are authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.
Token-based authentication
The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.
Moody's recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.
In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.
Tenant administrators may create user accounts and API keys in the Admin Center.
Groups
A group is an entity that represents a collection of principals. Groups enable you to manage the access rights and permissions assigned to those principals.
Intelligent Risk Platform access rights and permissions are granted to groups rather than to principals (user accounts or API keys). Principals gain access to protected resources and permission to perform operations as members of an authorized group.
- Access rights specify who may access a protected resource. Access rights to exposure sets, server instances, hosted databases may be granted to groups.
- Permissions specify who may perform operations on a protected resource. A group may be assigned one or more roles, which define the permissions granted to the members of that group. Role-based permissions determine who may view, update, create, upload, or download protected resources.
Team and Role-based groups
Moody's recommends that you use distinct groups to manage access rights and permissions.
- An access rights-based group collects together principals that are members of the same team, but that have different roles and responsibilities. The group ensures the members of a team may share data amongst themselves (e.g. exposure sets).
- An permission-based group collects together principals that perform the same job role and have the same responsibilities within an organization. The group ensures that the principals are assigned the same permissions.
Tenant administrators may create groups, assign roles to groups, and assign principals to groups in the Admin Center. Tenants may also manage groups and assign principals to groups via federated SSO with an Identity Provider. For detailed information about Intelligent Risk Platform groups, roles, and federated SSO configuration, see the Intelligent Risk Platform Administrator Guide.
Group access to exposure sets
The Risk Modeler API supports group-level access controls for exposure sets.
An exposure set is a collection of exposure data and related analysis results data that is managed by means of an access control list (ACL). The exposure set ACL specifies the principals that may access the data in that exposure set.
A principal is included in an exposure set ACL if it is a member of a group that has been granted access to that exposure set.
- A new exposure set is created whenever an EDM or RDM is uploaded or created. The exposure set is owned by the principal that uploaded or created the EDM or RDM.
- The owner of the exposure set may keep it private or share it with other groups. The owner may share the exposure set with any group that it belongs to. Members of groups with access rights to an exposure set may share that exposure set with other groups provided they have the appropriate role-based permissions.
- Groups with access rights to an exposure may access and perform operations on the data in that exposure set. The exposure set includes all data in the EDM and all analysis results based on those exposures.
- The Risk Modeler API enables client applications to grant or revoke group access to exposure sets using the Update exposure set operations.
For detailed information on exposure sets, see the Intelligent Risk Platform Administrator Guide.
Roles
A role is a predefined collection of permissions that may be granted to a group. The role represents a particular job title and includes permissions that enable that role to perform operations that are the responsibility of professionals with that title in an underwriting organization.
Admin role
The Admin role is collection of permissions that enable a principal to perform administrative tasks in Admin Center and the Data Bridge API.
Administrative tasks include the creation and management of principals (user accounts and API keys) and groups.
In general, a tenant administrator may perform administrative tasks using controls in Admin Center. For detailed information about administering Intelligent Risk Platform groups and role-based privileges, see the Intelligent Risk Platform Administrator Guide.
Updated 7 months ago