How do I create a policy to control access to workspaces?

  • Updated on Jun 25, 2025
  • Published on Jun 24, 2025
Prev Next

Providing you are a LUSID user with sufficient privileges, you can create a policy to grant or restrict access to one or more workspaces in LUSID.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Once created, you should assign the policy to a role.

To create a policy that grants access to create, edit, and delete a workspace, and create and delete items within that workspace:

  1. Navigate to Identity and Access > Policies and click the Create policy button.

  2. Select JSON and supply a policy in the following format, setting <workspace-name> to your workspace:

    {
    "code": "WorkspaceDataPolicy",
    "description": "A data policy that grants Any permissions to the <workspace-name> shared workspace",
    "grant": "Allow",
    "selectors": [ {
      "idSelectorDefinition": {
        "identifier": {
          "name": "<workspace-name>",
          "visibility": "shared"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Any",
            "entity": "Workspace"
          }
        ],
        "name": "Workspace-Any"
      }
    }
    ],
    "when": {
        "activate": "2025-06-23T23:00:00.000Z",
        "deactivate": null
    },
    "applications": ["Lusid"]
}
    JSON

  3. Save your policy.

  4. Assign the policy to a role.

  5. Assign the role to the user you wish to grant administrative workspace access to.

To create a policy that grants read-only access to a workspace:

  1. Navigate to Identity and Access > Policies and click the Create policy button.

  2. Select JSON and supply a policy in the following format, setting <workspace-name> to your workspace:

    {
    "code": "WorkspaceReadOnlyPolicy",
    "description": "A data policy that grants read-only permissions to the <workspace-name> shared workspace",
    "grant": "Allow",
    "selectors": [ {
      "idSelectorDefinition": {
        "identifier": {
          "name": "<workspace-name>",
          "visibility": "shared"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Read",
            "entity": "Workspace"
          },
          {
            "scope": "default",
            "activity": "ReadItem",
            "entity": "Workspace"
          }
        ],
        "name": "WorkspaceReadOnly"
      }
    }
    ],
    "when": {
        "activate": "2025-06-23T23:00:00.000Z",
        "deactivate": null
    },
    "applications": ["Lusid"]
}
    JSON

  3. Save your policy.

  4. Assign the policy to a role.

  5. Assign the role to the user you wish to grant read-only workspace access to.

Note

  • Workspace permissions govern access to everything within a workspace, including the dashboards (Read activity) and data they display (ReadItem activity).

  • You may only grant ReadItem access for an entire workspace; you cannot restrict access to particular items within a workspace.

  • If a dashboard set references a dashboard in another workspace, users must have read access to both workspaces.

Read more on workspaces and dashboard sets.