Setting up access control permissions to use Insights

To access the Insights application and its logs, you need to ensure your users have the appropriate roles and policies assigned to them. You can manage roles and policies within the LUSID web application.

First, you need to create a policy to grant access to the Insights application:

  1. Log in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and Access > Policies.

  3. On the Policies dashboard, click the Create policy button.

  4. Choose to create a policy using the Policy wizard.

When the Policy wizard opens, select the application and control scope as follows:

  • Application = Insights

  • Control Scope = Features

Select the features you want the policy to grant. The available features are as follows:

  • Access to the Insights endpoints (these are the 'api-...' policies):

    • api-requestlogs-getrequestlog (Endpoint access - get a specific log record)

    • api-requestlogs-listrequestlogs (Endpoint access - list log records)

    • api-requestlogs-getrequest (Endpoint access - get a request file)

    • api-requestlogs-getresponse (Endpoint access - get a request's response file)

  • Allow a user to see the request logs of any user (NB: by default, users can view their own request logs):

    • requestlogs-view-all (Feature - view the log records for all users)

    • requestlogsdetail-view-all (Feature - view the log request/response files for all users)

  • For the access logs, the user needs feature policies to access the relevant endpoints. These give access to all access records for all users; there is no way to see only your own access records.

    • api-accesslogs-listaccessevaluationlogs (Endpoint access - list the log records)

    • api-accesslogs-getaccessevaluationlog (Endpoint access - get a specific log record)

    • accesslogs-view-all (Feature - view access logs for any user)

Once you have created the policy, you can assign it to any role of your choice.