Access Control

Identification

The Exabel Platform uses Auth0 as identity provider. End-users are identified with their email address when they log in. Users belong to a customer, which is identified through an internal customer ID. Also, each customer is provisioned with a service account user that is used for machine-to-machine integrations. The service account is not associated with any email address.

Authentication

Users log on with username and password through Auth0, which has set a password policy for minimum requirements to password characters and length.

Machine-to-machine integrations with the Exabel Platform APIs are authenticated using API keys. API keys are issued by Exabel. By default, the same API key is used to access all enabled APIs, but it is possible to get separate keys for each enabled API.

Authorization

Depending on which resource type a user is accessing, there are different mechanisms for authorizing requests.

Roles and permissions

Some features require special permissions, which are granted through roles. This includes accessing and creating special resource types, as portfolio strategies and prediction models.

Folders

Folders and their content are private when created. Accessing other folders and folder items requires that the folder is shared through user groups, read-only or read/write.

For information on how to share folder access, see sharing folders in Library.

Entitlements

Accessing time series data requires that the user has an entitlement to the time series. Entitlement may be set on time series level, raw data signal level (entitling access to all time series for the raw data signal), or namespace level (entitling access to all time series in the namespace). Users are usually entitled on the namespace level for their own namespace, while access to time series in data partner namespaces are granted through data set subscriptions.