How do I create a policy to control access to workspaces?


Providing you are a LUSID user with sufficient privileges, you can create a policy to grant or restrict access to one or more workspaces in LUSID.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Once created, you should assign the policy to a role.

To create a policy that grants access to create, edit, and delete a workspace, and create and delete items within that workspace:

  1. Navigate to Identity and Access > Policies and click the Create policy button.

  2. Select JSON and supply a policy in the following format, setting <workspace-name> to your workspace:

    {
        "code": "WorkspaceDataPolicy",
        "description": "A data policy that grants Any permissions to the <workspace-name> shared workspace",
        "grant": "Allow",
        "selectors": [
            {
                "idSelectorDefinition": {
                    "identifier": {
                        "name": "<workspace-name>",
                        "visibility": "shared"
                    },
                    "actions": [
                        {
                            "scope": "default",
                            "activity": "Any",
                            "entity": "Workspace"
                        }
                    ],
                    "name": "Workspace-Any"
                }
            }
        ],
        "when": {
            "activate": "2025-06-23T23:00:00.000Z",
            "deactivate": null
        },
        "applications": ["Lusid"]
    }

  3. Save your policy.

  4. Assign the policy to a role.

  5. Assign the role to the user you wish to grant administrative workspace access to.

To create a policy that grants read-only access to a workspace:

  1. Navigate to Identity and Access > Policies and click the Create policy button.

  2. Select JSON and supply a policy in the following format, setting <workspace-name> to your workspace:

    {
        "code": "WorkspaceReadOnlyPolicy",
        "description": "A data policy that grants read-only permissions to the <workspace-name> shared workspace",
        "grant": "Allow",
        "selectors": [
            {
                "idSelectorDefinition": {
                    "identifier": {
                        "name": "<workspace-name>",
                        "visibility": "shared"
                    },
                    "actions": [
                        {
                            "scope": "default",
                            "activity": "Read",
                            "entity": "Workspace"
                        },
                        {
                            "scope": "default",
                            "activity": "ReadItem",
                            "entity": "Workspace"
                        }
                    ],
                    "name": "WorkspaceReadOnly"
                }
            }
        ],
        "when": {
            "activate": "2025-06-23T23:00:00.000Z",
            "deactivate": null
        },
        "applications": ["Lusid"]
    }

  3. Save your policy.

  4. Assign the policy to a role.

  5. Assign the role to the user you wish to grant read-only workspace access to.
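As an added illustration (not LUSID's own code or SDK), the Python below builds policies in the JSON format used by both procedures above and checks what a policy actually grants before it is assigned to a role, so a policy meant to be read-only cannot quietly carry an Any grant or be active outside its intended window. The workspace name risk-team and the helper names are assumptions for the example.

```python
from datetime import datetime

READ_ONLY = {"Read", "ReadItem"}

def workspace_policy(code, workspace, activities, activate, deactivate=None):
    """Build an Allow policy in the shape this page shows: one idSelectorDefinition
    selecting a shared workspace by name, one Workspace action per activity."""
    return {
        "code": code,
        "description": f"Grants {', '.join(activities)} on the {workspace} shared workspace",
        "grant": "Allow",
        "selectors": [{"idSelectorDefinition": {
            "identifier": {"name": workspace, "visibility": "shared"},
            "actions": [{"scope": "default", "activity": a, "entity": "Workspace"}
                        for a in activities],
            "name": f"{code}-selector",  # assumed selector name, not a LUSID requirement
        }}],
        "when": {"activate": activate, "deactivate": deactivate},
        "applications": ["Lusid"],
    }

def workspace_grants(policy):
    """Map (workspace, visibility) -> set of Workspace activities an Allow policy grants."""
    grants = {}
    if policy.get("grant") != "Allow":
        return grants
    for selector in policy.get("selectors", []):
        definition = selector.get("idSelectorDefinition")
        if not definition:  # other selector kinds are outside this page's scope
            continue
        ident = definition["identifier"]
        key = (ident["name"], ident["visibility"])
        for action in definition.get("actions", []):
            if action.get("entity") == "Workspace":
                grants.setdefault(key, set()).add(action["activity"])
    return grants

def is_read_only(policy):
    """True only if every Workspace activity granted is Read or ReadItem;
    "Any" covers create, edit and delete and therefore never passes."""
    grants = workspace_grants(policy)
    return bool(grants) and all(acts <= READ_ONLY for acts in grants.values())

def is_active_at(policy, instant_iso):
    """Apply the policy's 'when' window to an ISO-8601 UTC instant ending in Z."""
    parse = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00")) if v else None
    when, now = policy.get("when", {}), parse(instant_iso)
    start, end = parse(when.get("activate")), parse(when.get("deactivate"))
    return (start is None or now >= start) and (end is None or now < end)
```

Run is_read_only on any policy before saving it under a role meant for viewers; a result of False means the policy carries more than Read and ReadItem on the workspace.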

Note

  • Workspace permissions govern access to everything within a workspace, including the dashboards (Read activity) and data they display (ReadItem activity).

  • You may only grant ReadItem access for an entire workspace; you cannot restrict access to particular items within a workspace.

  • If a dashboard set references a dashboard in another workspace, users must have read access to both workspaces.

Read more on workspaces and dashboard sets.