Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a security model that authorizes user actions within a software system based on roles assigned to each user. Each role grants a set of permissions to a user. Users can be assigned multiple roles.

The Socotra Insurance Suite UI and API endpoints require users to possess specific permissions to perform certain actions. Most API endpoints require a tenant to be assigned to a user’s tenant scope to perform actions specific to that tenant.

Roles

Roles can be created through the UI by navigating to System Manager > Roles > Create Role. Only admins can create new roles.

Roles can be assigned to users through the UI by navigating to System Manager > Users, then selecting a user and navigating to Roles > Add New.

Refer to the User Management API documentation for more details on the user and role management API endpoints.

Permissions

Permissions have the following structure: resource.action

For example: policies.list

Each API endpoint listed in our documentation specifies the resource and action required to access the endpoint.

For example, the Create a Quote endpoint requires the quotes.write permission.

Refer to the Comprehensive Permissions Listing for a complete overview of all available permissions.

Wildcard Formatting

Roles can be assigned all actions performed on a given resource by using the following wildcard permissions format: resource.*

For example: invoices.*

Roles can be assigned all actions performed on all resources using the following wildcard permissions format: *.*

However, roles cannot be assigned a single action across all resources; the *.action form is not supported.

For example, *.write is not a valid permission.

Note

Avoid assigning all permissions to roles in production environments unless strictly necessary. Doing so may violate the principle of least privilege.

Special Roles

Users can be assigned two special roles:

  • admin - Grants all permissions and access to all tenants within the same Business Account. Allows the user to assign the admin role to other users.

  • read-only - Grants read permissions for all API endpoints.

Tenant Scope

Users can only perform actions on a tenant if the tenant has been assigned to the user’s tenant scope and the user possesses the required permissions.

Tenants can be assigned to users through the UI by navigating to System Manager > Users, then selecting a user and navigating to Tenants > Add New.

Refer to the User Management API documentation for more details on tenant assignment.

Special Tenant Values

Users can be assigned two special tenant values:

  • any - Allows the user to access all API endpoints across all tenants within the same Business Account, as long as the user possesses the required permissions for an API endpoint.

  • type:test - Allows the user to access all API endpoints across all tenants of type “TEST” within the same Business Account, as long as the user possesses the required permissions for an API endpoint.

Note

For both any and type:test, if new tenants are added to the user’s Business Account later on, the user will automatically have access to those tenants as well.
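
The rules above (the resource.action structure, the permitted and rejected wildcard forms, the admin and read-only roles, and tenant scope with any and type:test) combined into one authorization check, as an added example that is not Socotra's code. The Tenant type and its kind field, the READ_ACTIONS set, and the assumption that all tenants belong to the same Business Account are constructed for this example.

```python
from dataclasses import dataclass

# Action names treated as "read" for the read-only role (assumed; the page
# only names the list and write actions).
READ_ACTIONS = {"list", "read"}

@dataclass(frozen=True)
class Tenant:
    name: str
    kind: str  # "TEST" or "PRODUCTION" (assumed field; one Business Account)

def validate_permission(perm: str) -> tuple[str, str]:
    """Split 'resource.action'; allow 'resource.*' and '*.*' but reject '*.action'."""
    resource, sep, action = perm.partition(".")
    if not sep or not resource or not action or "." in action:
        raise ValueError(f"malformed permission: {perm!r}")
    if resource == "*" and action != "*":
        raise ValueError(f"one action across all resources is not allowed: {perm!r}")
    return resource, action

def define_role(*perms: str) -> frozenset[str]:
    """Build a role, validating every permission the way role creation should."""
    for p in perms:
        validate_permission(p)
    return frozenset(perms)

def grants(role: frozenset[str], required: str) -> bool:
    """An exact match, 'resource.*' or '*.*' satisfies an endpoint's requirement."""
    resource, _ = validate_permission(required)
    return bool(role & {required, f"{resource}.*", "*.*"})

def in_tenant_scope(scope: set[str], tenant: Tenant) -> bool:
    """Named tenant, 'any', or 'type:test' for TEST tenants; new tenants match automatically."""
    if "any" in scope or tenant.name in scope:
        return True
    return "type:test" in scope and tenant.kind == "TEST"

def authorize(roles: dict[str, frozenset[str]], scope: set[str],
              tenant: Tenant, required: str) -> bool:
    """Tenant scope AND a granting role are both needed; admin short-circuits both."""
    if "admin" in roles:
        return True
    if not in_tenant_scope(scope, tenant):
        return False
    _, action = validate_permission(required)
    if "read-only" in roles and action in READ_ACTIONS:
        return True
    return any(grants(role, required) for role in roles.values())
```

Running the check against a role built with define_role("*.write") raises ValueError at role-creation time, which is where an invalid wildcard should be caught rather than at request time.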
