LUSID performs entitlement checks before any user can call any API endpoint and interact with the data resources returned.
For much more information, read our IAM documentation. In summary, each LUSID user must have at least one feature policy and at least one data policy:
A feature policy controls access to API endpoints. This is irrespective of whether a user interacts with LUSID by calling the REST API directly, or indirectly via a proxy such as the SDK, the LUSID web app or Luminesce (since all proxies themselves call the REST API).
A data policy controls access to data resources (such as entities and properties) returned by API endpoints.
To perform any real-world operation in LUSID, a user must be assigned both types of policy. This is because a feature policy without a corresponding data policy yields no data, and a data policy without a corresponding feature policy cannot perform operations. Work through a tutorial.
The attached file lists the data resource entitlement checks that LUSID performs for each API endpoint.
For example, consider a feature policy granting a user the right to call the ListAllocations API endpoint. In the corresponding data policy, you should include:
The Allocation resource with the Read action to return Allocation entities.
The PropertyDefinition and PropertyValue resources, both with the Read action, to return properties added to those entities.
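The following added example (not LUSID code, and not LUSID's policy format or API) models the pairing of feature and data policies in memory and reports both mismatches described above: endpoints a user can call but whose data checks the data policy does not satisfy, and data grants that no callable endpoint uses. The User class, the audit function and the sample users are hypothetical; only the ListAllocations requirements come from this page.

```python
from dataclasses import dataclass, field

# Data resource checks per endpoint, as (resource, action) pairs. Only the
# ListAllocations row comes from this page; a real audit would load every
# row from the attached file.
REQUIRED = {
    "ListAllocations": {
        ("Allocation", "Read"),
        ("PropertyDefinition", "Read"),
        ("PropertyValue", "Read"),
    },
}

@dataclass
class User:
    """Simplified stand-in for a user's combined policies (assumption)."""
    name: str
    endpoints: set = field(default_factory=set)    # granted by feature policies
    data_grants: set = field(default_factory=set)  # granted by data policies

def audit(user):
    """Return the gaps between a user's feature and data policies."""
    missing, usable = {}, set()
    for endpoint in sorted(user.endpoints):
        # Endpoints absent from REQUIRED are treated as having no data checks.
        needed = REQUIRED.get(endpoint, set())
        usable |= needed
        gaps = sorted(needed - user.data_grants)
        if gaps:
            missing[endpoint] = gaps  # callable, but yields incomplete or no data
    # Data grants that no callable endpoint exercises cannot perform operations.
    unusable = sorted(user.data_grants - usable)
    return {"missing": missing, "unusable": unusable}

# Constructed sample users.
ALL_READS = set(REQUIRED["ListAllocations"])
ANALYST = User("analyst", {"ListAllocations"}, {("Allocation", "Read")})
ORPHAN = User("orphan", set(), ALL_READS)
COMPLETE = User("complete", {"ListAllocations"}, ALL_READS)

if __name__ == "__main__":
    for u in (ANALYST, ORPHAN, COMPLETE):
        print(u.name, audit(u))
```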