guidewire-enterprise-rbac

Implement Guidewire RBAC: API roles, user permissions, and security policies. Trigger: "guidewire enterprise rbac", "enterprise-rbac".

v1.0.0
Jeremy Longshore
MIT
claude-code
6 Tools
guidewire-pack Plugin
saas packs Category

Allowed Tools

ReadWriteEditBash(curl:*)Bash(gradle:*)Grep

Provided by Plugin

guidewire-pack

Claude Code skill pack for Guidewire InsuranceSuite (24 skills)

saas packs v1.0.0
View Plugin

Installation

This skill is included in the guidewire-pack plugin:

/plugin install guidewire-pack@claude-code-plugins-plus

Click to copy

Instructions

Guidewire Enterprise RBAC

Overview

Guidewire InsuranceSuite (PolicyCenter, ClaimCenter, BillingCenter) enforces role-based access at both the UI and Cloud API layers. Claims adjusters see only claims in their assigned regions. Underwriters access policy data scoped to their authority level. Admins manage user provisioning through Guidewire Cloud Console (GCC). Insurance regulations (NAIC, state DOI) require strict data classification tiers and audit trails on every policy and claim access. SAML assertions map AD groups to Guidewire roles for SSO.

Role Hierarchy

Role Permissions Scope
System Admin User provisioning, role config, API token management via GCC All modules
Underwriter Create/bind policies, view risk data, approve endorsements Authority-level tier
Claims Adjuster View/update claims, upload documents, set reserves Assigned region/LOB
Agent/Broker Submit applications, view own policy status, limited billing Own book of business
Auditor Read-only access to all records, export compliance reports Organization-wide

Permission Check


async function checkGuidewireAccess(userId: string, resource: string, action: 'read' | 'write'): Promise<boolean> {
  const response = await fetch(`${GW_CLOUD_API}/admin/v1/users/${userId}/permissions`, {
    headers: { Authorization: `Bearer ${GW_API_TOKEN}`, 'Content-Type': 'application/json' },
  });
  const perms = await response.json();
  const grant = perms.data.find((p: any) => p.resource === resource);
  if (!grant) return false;
  return action === 'read' ? grant.canRead : grant.canWrite;
}

Role Assignment


async function assignGuidewireRole(userId: string, role: string, region?: string): Promise<void> {
  await fetch(`${GW_CLOUD_API}/admin/v1/users/${userId}/roles`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${GW_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ roleCode: role, regionFilter: region ?? 'ALL', effectiveDate: new Date().toISOString() }),
  });
}

async function revokeRole(userId: string, role: string): Promise<void> {
  await fetch(`${GW_CLOUD_API}/admin/v1/users/${userId}/roles/${role}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${GW_API_TOKEN}` },
  });
}

Audit Logging


interface GuidewireAuditEntry {
  timestamp: string; userId: string; role: string;
  action: 'policy_view' | 'claim_update' | 'reserve_set' | 'document_upload' | 'role_change';
  resource: string; region: string; policyNumber?: string; result: 'allowed' | 'denied';
}

function logAccess(entry: GuidewireAuditEntry): void {
  console.log(JSON.stringify({ ...entry, environment: process.env.GW_ENVIRONMENT }));
}

RBAC Checklist

  • [ ] SAML assertions map AD groups to Guidewire role codes
  • [ ] Claims adjusters scoped to assigned regions/lines of business
  • [ ] Underwriter authority levels enforce binding limits
  • [ ] API tokens scoped per module (PC, CC, BC), never cross-module
  • [ ] Data classification tiers applied to PII and PHI fields
  • [ ] Auditor role is strictly read-only with no write endpoints
  • [ ] Role changes logged with effective date and approver
  • [ ] Quarterly access review for regulatory compliance

Error Handling

Issue Cause Fix
403 on Cloud API endpoint API role missing required resource permission Add resource grant in GCC Identity & Access
Adjuster sees claims outside region Region filter not set on role assignment Update role with correct regionFilter value
SAML login fails Group claim not mapped in GCC SSO config Add AD group to SAML attribute mapping
Policy data not visible Data classification tier too restrictive Review tier assignment, escalate to admin
Stale permissions after transfer Role not updated when user changed teams Trigger AD sync or manually reassign in GCC

Resources

Next Steps

See guidewire-security-basics.

Ready to use guidewire-pack?

Related Skills

"cursor-advanced-composer"

Advanced Cursor Composer techniques: agent mode, parallel agents, complex refactoring, and multi-step orchestration.

ReadWriteEdit

"cursor-ai-chat"

Master Cursor AI Chat with @-mentions, inline edit, and conversation patterns.

ReadWriteEdit

"cursor-api-key-management"

Configure BYOK API keys for OpenAI, Anthropic, Google, Azure, and custom models in Cursor.

ReadWriteEdit

"cursor-codebase-indexing"

Set up and optimize Cursor codebase indexing for semantic code search and @Codebase queries.

ReadWriteEdit

"cursor-common-errors"

Troubleshoot common Cursor IDE errors: authentication, completion, indexing, API, and performance issues.

ReadWriteEdit

"cursor-compliance-audit"

Compliance and security auditing for Cursor IDE usage: SOC 2, GDPR, HIPAA assessment, evidence collection, and remediation.

ReadWriteEdit