Professional Documents
Culture Documents
ORASS API Documentation
ORASS API Documentation
ORASS API Documentation
Product Description
It is expected that the consumer of this document has the ability to develop a connection to our API endpoints.
Consumers of Section 7 should be familiar with Vizor Builder components.
2 Business Process
2.1 High-Level Business Process
The following describes the process of an API based submission of a regulatory return. While individual
endpoints can be used independently, the subsequent steps describe how API endpoints are best used in an
end to end submission process of a single reporting obligation.
The filer’s machine makes a call to establish a connection, using standard Vizor credentials, i.e. username and
password.
For initial set-up, an authorised person at the filer will need to confirm that the “machine user” is associated
with their entity and is authorised. is sent an automatic email containing randomly generated password.
When the human user logs in for the first time, they are forced to change their password which they can then
apply to the machine user.
When successfully authenticated, a token is returned to the filer’s application. The expiry period is
configurable so that several subsequent calls can be made to support the process.
The default token expiry is 30 minutes.
Password expiry and update scenarios are as per human users.
The following are default request parameters which can apply across all operations:
Parameters
Field Name Type Description Examples/ Comments
page Integer Requests the specified page Number of results per response page
where multiple response is configurable (please see
records are possible ‘Configuration’)
version integer The return’s name. ‘1’ is the required value as no other
versions exist at this time
Response Parameters
Parameters
status {status} The return’s current status. The status of the last revision.
returnTypes {return-type}[] The return’s type. e.g. “COREP”, “BCAR”, “Solvency II”
entity {entity} The entity with who the
return is associated
revisions {revision}[] The return’s revisions. The revision number of the return
{status}
Name Type Description Examples/ Comments
key int The status’ ID.
{return-type}
{entity}
Name Type Description Examples/ Comments
{revision}
Name Type Description Examples/ Comments
{category}
Name Type Description Examples/ Comments
{category-option}
Name Type Description Examples/ Comments
This operation allows the client to populate and submit a return containing a single return type. The Vizor API
Service allows the return to be forwarded on for processing – virus scanning, file compatibility check and
business rule execution.
Request Parameters
Parameters
Name Type Description Examples/ Comments
Response Parameters
HTTP Response
Name Description Examples/ Comments
200 OK
This operation returns the status of the last uploaded data file for a return of an entity. This will only be
successful if no modification action has been performed to the uploaded data via Vizor Portal from the time of
upload until the time of the request.
If any data modification action has been performed, it produces no result, i.e. HTTP 204 / No Content.
The main purpose of this operation is to determine if the uploaded file has been successfully processed (e.g.
compatible file type uploaded) prior to business rule execution.
Request Parameters
Parameters
Name Type Description Examples/ Comments
Response Parameters
This operation retrieves the details of a specific requested revision of a return. This is primarily used to
retrieve the submission and validation status of a uploaded file in this process.
Request Parameters
Parameters
Name Type Description Format / Comments
{revision-id} integer The return’s revision ID. The return’s version ID.
As per the GET /v{version}/returns response parameters, however the return type node is replaced by an
object with different content in this API.
{return-type}
Name Type Description Format / Comments
id GUID The return’s type ID. The Return Type GUID.
returnTypes {return- The return’s types. e.g. “COREP”, “BCAR”, “Solvency II”
type}[]
transformType string The return’s type transform E.g.: “Excel”, “XML”
type.
submissionMode string The return’s type submission I.e.: “Online”, “Offline”
mode.
supportedExtensions string[] The return’s set of supported “.xls”, “.xlsx”, “.xml”
extensions.
Vizor enforces the usage of transmission security (SSL/TLS) for non-development scenarios. The detection of
development and non-development scenario is done at runtime using artefacts detection.
Integrity
Integrity is the ability to maintain the consistency, accuracy and trustworthiness of data. It is ensured using
SSL.
Confidentiality
Confidentiality is the ability to not disclose sensitive information to unwanted recipients. It is ensured using
SSL.
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the
Internet.
Overview
As a general concept, the OAuth standard distinguishes between two main actors:
the authentication server(s), responsible for:
o client authentication
o authentication token production
the resource server(s), responsible for:
o client authorization based on authentication token
o resource serving
Authentication is process of proving the identity of an actor based on a set of credentials (e.g. username &
password, digital certificates, dongles, etc).
The authentication process is based on the user store currently existing in the Vizor ecosystem. Generally, the
set of credentials used to authenticate a user is their username and password. Credentials are matched
against the user store, if proven valid, the user is considered authenticated.
There are currently two types of users inside the Vizor’s ecosystem:
Vizor Portal users
Vizor Supervision Centre users
The credentials do not specify against which type of user the authentication should take place; thus the
following strategy is used: user retrieval by username first takes place against Vizor Portal user base, if no
username found, a second lookup takes place against Vizor Supervision Centre users. If no user has been
found in either users stores, the authentication process is terminated. If a user has been found, the
authentication process continues with its remaining flow.
VAS is allowed to act as an authorisation server not physically separated but logically separated, namely
multiple independent instances on a physical machine, each instance with independent purposes (e.g.
authorization only, resources only).
Two-Factor Authentication
The Vizor API Solution does not offer a capability for 2-Factor Authentication, as no industry standard has
been recommended.
Any additional enhancement or configuration effort to implement a client’s preference for additional
authentication can be estimated by the Vizor Professional Services team after detailed requirements
gathering.
Each VAS domain decides its security requirements. Authorization of an action execution is based on the
authentication token produced by the authentication process.
The authorization data is an authentication token previously generated by the authentication server. It is
transported as a “Bearer” token by the HTTP “Authorize” header of a HTTP request.
By default, all existing requests are required to carry authentication token information.
Tokenisation
The approach to authorize access to a resource utilises an authentication token. The token contains all related
information and access permission of a client.
Since the token is not just a random piece of information uniquely identifying a user, containing intrinsic
information about the user, the token is a Json Web Token (JWT).
The token is re-usable with subsequent calls and has a configurable expiry.
JWT
JSON Web Token is a security token which acts as a container for claims about a user. It can be transmitted
easily between the Authorization server (Token Issuer), and the Resource server (Audience). The claims in JWT
are encoded using JSON.
JSON Web Tokens can be signed following the JSON Web Signature (JWS) specifications, and it can be
encrypted following the JSON Web Encryption (JWE) specifications.
Format
The JWT is a string which consists of three parts separated by a dot (.) The JWT parts are:
header
payload
signature
Example:
<header>.<payload>.<signature>.
JWT Header
The header part is a JSON object always containing 2 nodes. It appears as the following:
The “type” node has always “JWT” value. The “alg” node contains the algorithm used to sign the token,
namely “HMAC-SHA256”.
JWT Payload
The payload part is a JSON object containing all the claims of a client.
The “signature” node of the JWT is created by taking the header and payload parts, encoded as base 64 and
concatenated by “.”. The “alg” defined in the <header> part is used to generate the signature. The result of
the signing process is byte array which is base 64 encoded and concatenated with the <header>.<payload> to
produce a complete JWT.
Virus scanning and the usual file checks are applied to files being processed by Vizor APIs, just like in Vizor
Portal.
Whitelisting
Whitelisting is not managed via the Vizor API Solution. If required, clients can manage IP whitelisting via IIS
configuration.
For audit purposes the system logs the events listed in the following table.
Replay Attacks
CORS
Cross-Origin Resource Sharing is disabled by default. At this time, no capability to configure this capability on
is surfaced.
VAS -> Config\Api.Config <add key="System.Api.Results.PageSize" value="15"/> Determines the maximum number of
results that appear in a response page.
VAS -> Config\Api.Config <add key="System.Auth.AccessTokenExpiryInMinues" Determines the expiry of the requested
value="30" /> authentication token.
VAS -> Config\Api.Config <add key="System.Auth.RegEx.Username" value="" /> Determines whether a username
requires a specific format (this
configuration setting is also available in
Vizor Portal/Vizor Supervision Centre).
VAS -> Config\Api.Config <add key="System.Auth.Jwt.X509Key.StoreLocation" Determines the isolation level of the
value="LocalMachine" /> certificates used to generate the
authentication tokens (either machine
wide or user wide).
VAS -> Config\Api.Config <add key="System.Auth.Jwt.X509Key.SearchValue" Determines the value of the key to
value="6f0000000a45ccb2ed59aa6a2300000000000a" search the certificate by.
/>
For a return to be subject to API submission, they must be configured as a return requiring offline processing.
The FormSet Custom Attribute Offline file upload should be set to True.
Only FormSets with Supervisor Only – exclude from submission validation on Vizor Portal set as True
should be mapped to the main FormSet.
The underlying Schema should be included in an Offline File Upload triggered workflow. An example
configuration follows:
Entity Users are authorised users of reporting entities who login to Vizor Portal. Entity Users may be
assigned access to one or more reporting entities/groups and each reporting entity may have one or
more Entity Users. Only Entity Users need to be considered when setting up a Machine User.
Internal Users are authorised users within the supervisory authority who log in to Vizor Supervision
Centre. Internal Users may have access to all reporting entities or access can be restricted to specific
entities or groups of entities. This user type is not relevant to the Vizor API Solution.
Vizor APIs – Submit requires an additional Entity User role per sector, which controls authentication to
retrieve the token, and authorises all actions described.
CONFIGURATION OPTIONS
There are no configuration options with user roles for Vizor Portal. Each reporting entity will receive the
following Vizor Portal user per department as part of Vizor Regulatory Returns.
A machine user is a role assigned to enable authentication of the machine carrying out the submission process
The following Vizor Portal Role permissions are applied to allow support of the business process.
Once created, the entity user is sent an automatic email containing randomly generated password. When the
human user logs in for the first time, they are forced to change their password which they can then apply to
the machine user.
7 Limitations
Please consider the following limitations at this time:
API Submission is supported for returns containing a single return type only
Note: This limitation does not apply to mapped Supervisor-Only sections
The IIS file size limit is 2 GB
Unstructured data is not supported
Offline processing is the only return processing type supported currently
8 Glossary
Term Definition
API Connector Task A workflow task that supports API-based integration
initiated by the Vizor Platform. Both ‘Push’ and ‘Pull’
Application Log A SQL Server database that retains a complete audit log
of all events that take place in Vizor Portal, Vizor
Supervision Centre and the Vizor API service.
Competent Authority A body responsible for the supervision of entities or
collection of data from entities e.g. Central Bank,
Financial Supervisor, Tax Authority etc.
Competent Authority User A user with access to login to Vizor Supervision Centre.
Compliance Officer/Corporate Service A User who has been granted permission to file data on
Provider/Authorised Third Party behalf of one or more Reporting Entities. They need
only provide their credentials once to begin working
across multiple Reporting Entities in Vizor Portal.
Configuration A change which can be made to metadata or system
configuration settings which can be made by a trained
business user.
Custom Tags (Categories) Additional, configurable attributes which can be
associated with a Return enabling more granular
organisation of submissions. A tag can persist
throughout a Return's life-cycle (e.g. 'audited data' or
'unaudited data') or transition based on workflow
processes (e.g. 'awaiting distribution' or 'distributed')
Data Entry Field A single cell on a Form which can capture either
structured or unstructured data. Multiple custom data
types can be defined to enforce data entry field level
validation – numeric, text, dates, drop-downs, check-
boxes, radio-buttons, attachments, etc. Mapped to a
Schema Item.
Data Model All metadata defined in Vizor Builder.
Data Type Data Types describe the type of data to be collected by
data entry fields and any restrictions to be applied to
the data.
Due Date The submission deadline for a Return, if applicable.
Affects the behaviour of submission deadline
notifications and late return penalty calculations.
Entity Profile A Form associated with each Reporting Entity describing
organizational structure, trading names, related parties,
licenses, etc. for a Reporting Entity as defined by the
Entity Profile component in Vizor Builder
Entity Profile Component A solution component that allows a single FormSet to be
defined to store Entity Profile information e.g.
organization structure, trading names, contacts etc.
Form A single data entry screen which contains both data
entry fields and displays text/graphics. Also referred to
as a Screen.
FormSet Mapped to a Schema, this design time object contains a
set of child Forms, Folders, and Repeatable Folders. This
represents the visual representation (template) of a
Return.
FormSet Component A Solution Component used to manage FormSets
Group A child element of a Vizor Schema used to structure the
collection of data. A Group represents a logical
collection of other elements, such as the Items collected
by a single Form.
Initial Value A data entry field which is automatically populated by
the system when a Return is created. The value may be
overwritten.
Item A child element of a Vizor Schema used to collect a
single data value. Corresponds to a data entry field
rendered in a Form.
List A child element of a Vizor Schema used to represent
complex dimensional structures. A List is a collection of
other elements. Multiple data values will be collected
for each Item in a List.
Management Information (Ad Hoc Query) Reports A tabular report which displays data from the Vizor
Operational Database. Results can be grouped, sorted
and filtered and exported to various formats.
Metadata The data model configured in Vizor Builder which is
stored in an XML file format and includes data types,
schemas, rules, forms, entity profile, reports, user roles
and workflows
Principal User A Reporting Entity User who has permissions to create
and manage other Reporting Entity Users.
Probability Risk Rating A numeric rating (1-4) which indicates the probability a
risk will crystallise.
Regulatory Return A type of Return, typically used to collect quantitative
data, submitted by Reporting Entities on a periodic
basis.
Release A collection of changes to Metadata representing a
single version of the Competent Authority’s data model.
These changes are packaged together so that they can
be easily deployed to test and production environments.
Repeat Options Form A Form within Repeatable Form(s) which captures a
dimensional attribute(s) that uniquely identifies a
record of Repeatable Form(s).
Repeatable Folder A folder inside a FormSet that allows multiple instances
of its contents to be added in runtime. This type of
folder is used to collect Dimensional Data.
Repeatable Form(s) A Form or group of Forms which are used to collect
multiple records of information (open z-axis
dimensional data) as the number of records will vary per
Reporting Entity (e.g. data per branch, data per director,
etc.)
Reporting Entity / Entity Institutions, companies, firms etc. required to report to
the Competent Authority.
Reporting Entity User / Entity User A user with access to log in to Vizor Portal on behalf of
one or more Reporting Entities.