How do I change passwords or MFA settings, or revoke access?

Providing you can remember your LUSID account password, you can change it or your MFA settings at any time.

If you are a LUSID administrator, you can revoke credentials for other users and make them choose new ones.

Changing your own credentials

To change your own LUSID account password or MFA settings:

  1. Navigate to LUSID’s identity provider, Okta, using a URL of the form:

    https://lusid-<your-domain>.okta.com/login/login.htm

    ...where <your-domain> is the name of your LUSID domain.

  2. Log in to Okta using your LUSID account credentials.

  3. Choose Settings from the account avatar menu (top right):
      

  4. Edit your account profile appropriately.

Changing the credentials of other users via the LUSID web app

Providing you are a LUSID user with sufficient privileges, you can perform standard account operations for less privileged users in your LUSID domain. 

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the following operations.

Depending on the state of the user's account, you can: 

  • Reset a user’s password and force them to choose a new one next time they sign in. 

  • Cancel a user’s current password and generate a temporary password. The user must then sign in using this temporary password and choose a new password. This is useful if the user cannot complete the standard 'Forgot password' flow because they cannot remember their memorable question, or no longer have access to the original email inbox. 

  • Reset a user’s MFA settings and force them to choose a new factor next time they sign in. 

  • Unlock a user’s account that has been locked by too many password failures. 

  • Resend an account activation email if a user has not received one. 

  • Delete a user’s account altogether. 

To perform any of these operations: 

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and Access > Users:
     

  3. On the Users dashboard, select a user and click the   Edit icon to choose an available operation:
     

Changing the credentials of a service user via the Identity API

You can change the password of a service user by calling the SetPassword API. Please note:

  • You can only change the password of a service user (NOT a personal user).

  • You must be able to authenticate as the service user via Okta (LUSID's identity provider) using Open ID Connect (NOT using a personal access token).

The service user must have an ACTIVE status and the new password must conform to LUSID's password policy. Note the password is not stored by FINBOURNE and instead is sent directly to Okta where it is stored securely. Neither the HTTP request nor response can be retrieved from the Insights service.

To change a service user's password:

  1. Obtain an API access token valid for the service user. You cannot use a personal access token.

  2. Call the SetPassword API, passing in the API access token and specifying the new password in the body of the request: curl -X PUT

    "https://<your-domain>.lusid.com/identity/api/me/password"
     	   -H "Authorization: Bearer <your-API-access-token>"
     	   -H "Content-Type: application/json"
     	   -d "{ 'value': 'super SEC4_RET-pas$word' }"

If the request is successful, the response confirms the date and time at which the password is updated.