Setting up access control for different Scheduler users

In this tutorial we'll see how to set up access control for different LUSID users so they can operate Scheduler.

The goal is to give them exactly the permissions they need to perform their professional responsibilities, and no more.

Note: To complete this tutorial, you must yourself have suitable permissions. This can most easily be achieved by assigning your LUSID user the built-in lusid-administrator role. This should already be the case if you are the domain owner.

The users are:

  • An Administrator who needs to upload images, create jobs and schedule them to run automatically at regular times.

  • An Operator who just needs to run existing jobs on an ad hoc basis and see the results.

This tutorial assumes these users already exist in LUSID. See how to onboard users.

Note: Once permissioned, users can interact with Scheduler either via the LUSID web app or by calling the API directly; the access control system makes no distinction between these two workflows.

Step 1: Understanding access control in LUSID

LUSID's role-based access management system consists of users, roles, policies and policy collections. Users are assigned roles, roles are assigned policies (individually or grouped into policy collections), and each individual policy manages access to either features or data:

  • A feature policy controls access to Scheduler API endpoints. This is irrespective of whether a user ultimately interacts with Scheduler via the LUSID web app or by calling the API directly (since the web app itself calls the API).

  • A data policy controls access to information about jobs, images and schedules.

To perform any real-world operation in Scheduler, a user must hold both types of policy. A data policy without a matching feature policy cannot call the API endpoint that performs the operation, and a feature policy without a matching data policy can call the endpoint but yields no data to act on.

For much more on identity and access management (IAM) in the LUSID platform, see our IAM documentation.

Step 2: Defining the roles and policies we want to create

For our users, we need the following:

User            Role                 Policies
Administrator   scheduler-admin      scheduler-features-all, scheduler-data-all
Operator        scheduler-operator   scheduler-features-jobs-run, scheduler-data-jobs-run

Step 3: Creating a feature policy for the Operator

Let's start with the Operator and the scheduler-features-jobs-run feature policy.

Note: We'll create this policy using the LUSID web app, but it could equally be created by calling the Access API.

The Operator requires access to the Scheduler API endpoints that list jobs and run them. They do not need access to the endpoints that create or update jobs, upload images, or manage automation schedules:

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and access > Policies:

  3. On the Policies dashboard, click the Create policy button (top right).

  4. Choose to create a policy using the Policy wizard:

  5. Choose to create a Features policy for the Scheduler application:

  6. Specify a unique Code for the policy:

  7. Click the Add feature button to open the Choose features wizard and select appropriate API endpoints by moving them from the left-hand to the right-hand column:

    Exactly which API endpoints to select is a judgement call, but to enable the Operator to list jobs, run them, and see the results, you might choose: GetJobConsoleOutput, ListJobs, RunJob, GetHistory, GetRunHistory

    Note: For the Administrator, it would be reasonable to select all API endpoints.

    API endpoints are identified in the left-hand column by their operation ID. Examine the API reference for more information on the API itself, for example the GetJobConsoleOutput API.

  8. Create the policy:

Exercise: Can you create the feature policy for the Administrator?

Step 4: Creating a data policy for the Operator

We now need to create an equivalent scheduler-data-jobs-run data policy that grants the Operator read access to information about jobs, plus the ability to run them (but not to create, edit or delete them):

  1. On the Policies dashboard, click the Create policy button (top right).

  2. Choose to create a policy using the Policy wizard.

  3. This time, choose to create a Data policy for the Scheduler application.

  4. Specify a unique Code for the policy:

  5. Click the Add scope button and accept the default Scope value of * to grant access to every job in all LUSID scopes (data partitions). If you wanted, you could restrict access to just the job(s) defined in a particular scope:

  6. The data policy must cover the resources and actions that the endpoints in the feature policy act on. In this case, we want just the Job resource (not Schedule), to prevent the Operator from managing schedules, and just the Read and Run actions, to prevent the Operator from creating, editing or deleting jobs:

    Note: For the Administrator, it would be reasonable to select both Job and Schedule, and retain the default Any action for each.

  7. Click the Add identifier button and accept the default Code value of * to grant access to any job in the scope specified earlier (that is, all of them). If you wanted, you could restrict access to just a particular job by specifying its code:

  8. Create the policy:

The Operator now has matching feature and data policies, ready to assign to their role:

Exercise: Can you create the data policy for the Administrator?

Step 5: Creating a role for the Operator

Now we need to create a suitable role, since policies are assigned to roles rather than directly to users. A role should represent an aspect of that user's professional responsibilities; you can divide these responsibilities into one or many roles, depending on your needs.

We'll create a single scheduler-operator role for this user, encompassing their entire responsibilities:

  1. Navigate to the Roles dashboard.

  2. Click the Create role button (top right).

  3. Specify a unique Code for the role, and then assign the appropriate policies from the Policies > Choose dropdown:

  4. Create the role:

Note that roles have a precedence, so if you assign more than one role to a user and those roles contain conflicting policies, the policies of the role with the highest precedence take effect.
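The following is an added example, not code from this tutorial or from FINBOURNE. It models the rule from Step 1 (a Scheduler call needs both a matching feature policy and a matching data policy) together with the scope/code wildcards from Step 4 and the role-precedence rule above, using the Operator and Administrator policies defined in this tutorial as constructed data. The policy shapes, the Deny grant, the numeric precedence and the OPERATION_RESOURCE map (which data action each operation ID needs) are simplifications assumed for the demo, not the Access API schema; check the real operation IDs and resource names against the API reference.

```python
"""Added example (not the tutorial's or FINBOURNE's code): a simulator for the
"feature policy AND data policy" rule, with scope/code globs and role precedence.
Policy shapes, the Deny grant and OPERATION_RESOURCE are assumptions for the demo."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, FrozenSet, List, Optional, Tuple, Union

# ASSUMPTION: which data resource and action each Scheduler operation ID needs.
OPERATION_RESOURCE = {
    "ListJobs": ("Job", "Read"), "GetJobConsoleOutput": ("Job", "Read"),
    "GetHistory": ("Job", "Read"), "GetRunHistory": ("Job", "Read"),
    "RunJob": ("Job", "Run"), "CreateJob": ("Job", "Create"),
    "DeleteJob": ("Job", "Delete"),
    "ListSchedules": ("Schedule", "Read"), "CreateSchedule": ("Schedule", "Create"),
}

@dataclass(frozen=True)
class FeaturePolicy:
    code: str
    operations: FrozenSet[str]   # operation IDs the policy covers
    grant: str = "Allow"         # "Allow" or "Deny"

@dataclass(frozen=True)
class DataPolicy:
    code: str
    entities: FrozenSet[str]     # e.g. {"Job"} or {"Job", "Schedule"}
    activities: FrozenSet[str]   # e.g. {"Read", "Run"}; "Any" matches every action
    scope: str = "*"             # glob over the LUSID scope (data partition)
    identifier: str = "*"        # glob over the job/schedule code
    grant: str = "Allow"

    def matches(self, entity: str, activity: str, scope: str, code: str) -> bool:
        return (entity in self.entities
                and (activity in self.activities or "Any" in self.activities)
                and fnmatchcase(scope, self.scope) and fnmatchcase(code, self.identifier))

@dataclass(frozen=True)
class Role:
    code: str
    precedence: int              # higher number wins a conflict (assumed encoding)
    policies: Tuple[Union[FeaturePolicy, DataPolicy], ...]

def _verdict(roles: List[Role], selector: Callable) -> Optional[str]:
    """Walk roles from highest precedence down; the first role holding any policy
    that matches the request decides. Within one role a Deny beats an Allow.
    None means no policy mentions the request at all, which is also a denial."""
    for role in sorted(roles, key=lambda r: r.precedence, reverse=True):
        grants = {p.grant for p in role.policies if selector(p)}
        if grants:
            return "Deny" if "Deny" in grants else "Allow"
    return None

def authorise(roles: List[Role], operation: str, scope: str, code: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for calling `operation` on the job/schedule scope/code."""
    if operation not in OPERATION_RESOURCE:
        return False, f"unknown operation {operation}"
    entity, activity = OPERATION_RESOURCE[operation]
    feature = _verdict(roles, lambda p: isinstance(p, FeaturePolicy)
                       and operation in p.operations)
    if feature != "Allow":
        return False, f"feature: {feature or 'no policy'} for {operation}"
    data = _verdict(roles, lambda p: isinstance(p, DataPolicy)
                    and p.matches(entity, activity, scope, code))
    if data != "Allow":
        return False, f"data: {data or 'no policy'} for {activity} {entity} {scope}/{code}"
    return True, "feature and data policies both allow"

# The tutorial's policies and roles, as constructed data.
OPERATOR_FEATURES = FeaturePolicy("scheduler-features-jobs-run", frozenset(
    {"GetJobConsoleOutput", "ListJobs", "RunJob", "GetHistory", "GetRunHistory"}))
OPERATOR_DATA = DataPolicy("scheduler-data-jobs-run", frozenset({"Job"}),
                           frozenset({"Read", "Run"}))
ADMIN_FEATURES = FeaturePolicy("scheduler-features-all", frozenset(OPERATION_RESOURCE))
ADMIN_DATA = DataPolicy("scheduler-data-all", frozenset({"Job", "Schedule"}), frozenset({"Any"}))
OPERATOR = Role("scheduler-operator", 10, (OPERATOR_FEATURES, OPERATOR_DATA))
ADMIN = Role("scheduler-admin", 20, (ADMIN_FEATURES, ADMIN_DATA))

# A mis-built role: the admin feature policy paired with the operator data policy.
# DeleteJob passes the feature check but no data policy grants Delete on Job.
LOPSIDED = Role("scheduler-lopsided", 10, (ADMIN_FEATURES, OPERATOR_DATA))

def freeze_role(precedence: int) -> Role:
    """Constructed 'change freeze' role holding a Deny feature policy on RunJob;
    whether it overrides scheduler-admin depends only on its precedence."""
    deny_run = FeaturePolicy("scheduler-features-no-run", frozenset({"RunJob"}), "Deny")
    return Role("scheduler-freeze", precedence, (deny_run,))

if __name__ == "__main__":
    cases = [([OPERATOR], "RunJob"), ([OPERATOR], "CreateJob"), ([LOPSIDED], "DeleteJob"),
             ([ADMIN, freeze_role(30)], "RunJob"), ([ADMIN, freeze_role(5)], "RunJob")]
    for roles, op in cases:
        ok, why = authorise(roles, op, "default", "nightly-recon")  # constructed job
        print(f"{'+'.join(r.code for r in roles):38} {op:10} {'ALLOW' if ok else 'DENY':5} {why}")
```

The LOPSIDED case is the one to remember when a user reports that a call succeeds in one environment and returns nothing or fails in another: the feature check passed, so the endpoint was reachable, but the data check found no policy. The scoped variant (a DataPolicy with scope="finance" rather than "*") shows how Step 4's Scope value confines the Operator to jobs in one data partition.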

Exercise: Can you create a role for the Administrator?

Step 6: Assigning the role to the Operator user

The last step is to assign the scheduler-operator role to the LUSID user representing this person. To do this:

  1. Navigate to the Users dashboard, find the appropriate user row, and click its Edit icon:

  2. Click the Add roles button to assign the appropriate role to the user:

Helping users get started

The Operator can now interact with the LUSID web app straight away. Tell this person to navigate to your LUSID domain (for example https://acme.lusid.com/app) and sign in using their own account credentials.

The Operator should be able to navigate to the Jobs & Scheduling > Jobs dashboard, see a list of jobs, and run them. Other operations will not be available:

To interact with Scheduler programmatically: