Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is a security model that authorizes user actions within a software system based on roles assigned to each user. Each role grants a set of permissions to a user. Users can be assigned multiple roles.
The Socotra Insurance Suite UI and API endpoints require users to possess specific permissions to perform certain actions. Most API endpoints require a tenant to be assigned to a user’s tenant scope to perform actions specific to that tenant.
Roles
Roles can be created through the UI by navigating to System Manager > Roles > Create Role.
Only admins can create new roles.
Roles can be assigned to users through the UI by navigating to System Manager > Users, then selecting a user and navigating to Roles > Add New.
Refer to the User Management API documentation for more details on the user and role management API endpoints.
Permissions
Permissions have the following structure: resource.action
For example: policies.list
Each API endpoint listed in our documentation specifies the resource and action required to access the endpoint.
For example, the Create a Quote endpoint requires the quotes.write permission.
Refer to the Comprehensive Permissions Listing for a complete overview of all available permissions.
Wildcard Formatting
Roles can be assigned all actions performed on a given resource by using the following wildcard permissions format: resource.*
For example: invoices.*
Roles can be assigned all actions performed on all resources using the following wildcard permissions format: *.*
However, a role cannot be assigned a single action across all resources; that form of wildcard is not supported.
For example, *.write is not a valid permission.
Note
Avoid assigning all permissions to roles in production environments unless strictly necessary. Doing so may violate the principle of least privilege.
Special Roles
Users can be assigned two special roles:
admin - Grants all permissions and access to all tenants within the same Business Account. Allows the user to assign the admin role to other users.
read-only - Grants read permissions for all API endpoints.
Tenant Scope
Users can only perform actions on a tenant if the tenant has been assigned to the user’s tenant scope and the user possesses the required permissions.
Tenants can be assigned to users through the UI by navigating to System Manager > Users, then selecting a user and navigating to Tenants > Add New.
Refer to the User Management API documentation for more details on tenant assignment.
Special Tenant Values
Users can be assigned two special tenant values:
any - Allows the user to access all API endpoints across all tenants within the same Business Account, as long as the user possesses the required permissions for an API endpoint.
type:test - Allows the user to access all API endpoints across all tenants of type "TEST" within the same Business Account, as long as the user possesses the required permissions for an API endpoint.
Note
For both any and type:test, if new tenants are added to the user's Business Account later on, the user will automatically have access to those tenants as well.
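As an added illustration of the rules described on this page (this is not Socotra's own code; the Role and User classes, the TENANT_TYPES registry and the sample tenant ids are hypothetical), a small Python model of the resource.action permission format, the wildcard rules, the two special roles, and tenant scope evaluation:

```python
from dataclasses import dataclass, field

def validate_permission(perm: str) -> str:
    """Accept resource.action, resource.* and *.*; reject *.action (e.g. *.write)."""
    resource, sep, action = perm.partition(".")
    if not sep or not resource or not action:
        raise ValueError(f"malformed permission: {perm!r}")
    if resource == "*" and action != "*":
        raise ValueError(f"single action across all resources not allowed: {perm!r}")
    return perm

@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)
    def __post_init__(self):
        # Reject invalid wildcard forms at role creation time, not at check time.
        self.permissions = {validate_permission(p) for p in self.permissions}

@dataclass
class User:
    roles: list[Role]
    tenants: set[str] = field(default_factory=set)  # tenant ids and/or "any", "type:test"

# Constructed tenant registry for this example: tenant id -> tenant type
TENANT_TYPES = {"prod-1": "PRODUCTION", "test-1": "TEST"}

def has_permission(user: User, required: str) -> bool:
    """required is the endpoint's resource.action, e.g. quotes.write."""
    resource, action = required.split(".")
    for role in user.roles:
        if role.name == "admin":            # special role: every permission
            return True
        if role.name == "read-only" and action == "read":  # special role: read on all endpoints
            return True
        for granted in role.permissions:
            g_res, g_act = granted.split(".")
            if g_res in (resource, "*") and g_act in (action, "*"):
                return True
    return False

def in_tenant_scope(user: User, tenant: str) -> bool:
    if any(r.name == "admin" for r in user.roles):   # admin spans all tenants
        return True
    if "any" in user.tenants or tenant in user.tenants:
        return True
    return "type:test" in user.tenants and TENANT_TYPES.get(tenant) == "TEST"

def authorize(user: User, tenant: str, required: str) -> bool:
    # Both conditions from the Tenant Scope section must hold.
    return in_tenant_scope(user, tenant) and has_permission(user, required)
```

A user holding only a role with invoices.* and quotes.write on tenant prod-1 is authorized for invoices.list on prod-1 but not for policies.write, and not for anything on test-1 unless that tenant (or type:test) is in their scope.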