London Market Implementation of ACORD DRI Messages and Data
Generic ACL requirements
The ACL for a document is set by the <owner> publisher of the document, usually, but not always, a broker.
Access control is operated at the organisational level and not at the individual level.
Individuals within organisations will be granted access by virtue of their membership of an organisation. It is the responsibility of each organisation to manage their own allocation of individuals to their own work groups and where necessary, the creation of their own work groups as identifiable parties for messaging purposes.
The ACL for a document may be amended by the publisher of the document at different points in time. For the London Market, the ability to remove a party from an ACL using ACORD DRI ChangeAttribute messages will be invalid.
Where a party has been erroneously included in an ACL or other valid business process rules for its removal applies, the removal from the ACL will be handled out of band between the document owner and the repository operator. Note: It is the consumer’s responsibility to prevent their own access to documents already received (i.e. the equivalent to a paper shredding process).
The publisher has implied access rights to a document. This has two implications:
Not all documents will have an ACL attached.
Consumers must treat the publisher as if they were a party on to the ACL with <AccessRightCd> = "change" for subsequent DRI messages.
London Market Implementation of ACORD DRI Messages v1.doc
Page 22 of 48