In this tutorial we'll see how to set up access control for different LUSID users so they can operate Scheduler.
The goal is to give them exactly the permissions they need to perform their professional responsibilities, and no more.
Note
To complete this tutorial, you must yourself have suitable permissions. This can most easily be achieved by assigning your LUSID user the built-in
lusid-administratorrole. This should already be the case if you are the domain owner.
The users are:
An Administrator who needs to upload images, create jobs and schedule them to run automatically at regular times.
An Operator who just needs to run existing jobs on an ad hoc basis and see the results.
This tutorial assumes these users already exist in LUSID. See how to onboard users.
Note
Once permissioned, users can interact with Scheduler either via the LUSID web app or by calling the API directly; the access control system makes no distinction between these two workflows.
Step 1: Understanding access control in LUSID
LUSID's powerful role-based access management system consists of users, roles, policies and policy collections. In summary:
Note that an individual policy manages access to features and/or data:
A feature policy controls access to Scheduler API endpoints. This is irrespective of whether a user ultimately interacts with Scheduler via the LUSID web app or by calling the API directly (since the web app itself calls the API).
A data policy controls access to information about jobs, images and schedules.
To perform any real-world operation in Scheduler, a user must be assigned both types of policy. This is because a data policy without an equivalent feature policy cannot perform operations, and a feature policy without an equivalent data policy yields no data.
For much more on identity and access management (IAM) in the LUSID platform, see our IAM documentation.
Step 2: Defining the roles and policies we want to create
For our users, we need the following:
User | Role | Policies |
Administrator |
|
|
Operator |
|
|
Step 3: Creating a policy for the Operator
Let's start with the Operator and the scheduler-features-data-jobs-run feature policy.
Note
We'll create this policy using the LUSID web app, but it could equally be created by calling the Access API.
The Operator requires access to Scheduler API endpoints that list jobs and run them (features), as well as read-only access to information about jobs (data). They don't need access to API endpoints that create or update jobs, nor upload images, nor manage automation schedules:
Sign in to the LUSID web app using the credentials of a LUSID administrator.
From the left-hand menu, select Identity and access > Policies:
.png "image(226).png")
On the Policies dashboard, click the Create policy button.
.png "image(227).png")
Specify a unique Code for the policy:
.png "image(228).png")
On the Features tab, select the appropriate API endpoints:
.png "image(229).png")
Selecting precisely which API endpoints is subjective, but to enable the Operator to list jobs, run them, and see the results, you might choose:
GetJobConsoleOutput,ListJobs,RunJob,GetHistory,GetRunHistoryNote
For the Administrator, it would be reasonable to select all API endpoints.
API endpoints are identified in the left-hand column by their operation ID. Examine the API reference for more information on the API itself, for example the GetJobConsoleOutput API.
.png "image(230).png")
Click Next to reach the Data Resources tab. For the API endpoints, or features, in the policy, you must select appropriate corresponding data resources in the data policy. In this case, we want just the Job resource to prevent the Operator from managing schedules, and the Read, Run and GetAllJobHistory actions to prevent the Operator creating, editing or deleting jobs:
.png "image(231).png")
Note
For the Administrator, it would be reasonable to select both Job and Schedule, and the Any action for each.
Choose Identifier as the Selector and specify a Scope and Code value of
*to grant access to every job in all LUSID scopes and codes within those scopes. If you wanted, you could restrict access to just the job(s) defined in a particular scope or code:.png "image(232).png")
Create the policy.
.png "image(233).png")
The Operator now has a feature and data policy, ready to assign to their role.
Exercise
Can you create the policy for the Administrator?
Step 4: Creating a role for the Operator
Now we need to create a suitable role, since policies are assigned to roles rather than directly to users. A role should represent an aspect of that user's professional responsibilities; you can divide these responsibilities into one or many roles, depending on your needs.
We'll create a single scheduler-operator role for this user, encompassing their entire responsibilities:
Navigate to the Roles dashboard.
.png "image(234).png")
Click the Create role button (top right).
Specify a unique Code for the role, and then assign the appropriate policies from the Policies > Choose dropdown:
.png "image(235).png")
Create the role.
Note that roles have a precedence, so if you do assign two roles to a person and those roles contain conflicting policies, the role with the highest precedence takes effect.
Exercise
Can you create a role for the Administrator?
Step 5: Assigning the role to the Operator user
The last step is to assign the scheduler-operator role to the LUSID user representing this person. To do this:
Navigate to the Users dashboard, find the appropriate user row, and click the Edit icon:
.png "image(236).png")
Click the Add roles button to assign the appropriate role to the user:
.png "image(237).png")
Helping users get started
The Operator can now interact with the LUSID web app straight away. Tell this person to navigate to your LUSID domain (for example https://acme.lusid.com/app) and sign in using their own account credentials.
The Operator should be able to navigate to the Jobs & Scheduling > Jobs dashboard, see a list of jobs, and run them. Other operations will not be available:
.png "image(238).png")
To interact with Scheduler programmatically:
Using the Scheduler REST API, tell the Operator to first follow these instructions to obtain an API access token. Note the API reference hosts a pre-authenticated sandbox where they can try out any FINBOURNE API.
Using an appropriate version of the Scheduler SDK, tell the Operator to first follow these instructions to assemble credentials and authenticate securely.