A LUSID user is either a human being, or an application or service, that needs to sign in to and use LUSID.
Each user has their own account in your LUSID domain. There are two types of user account:
A personal user account is intended for a human being who uses the LUSID web app. This person must choose their own complex password in the process of setting up the account, set up multi-factor authentication (MFA), and should never share their credentials. All activity can be traced back to this person. We recommend deleting the account as soon as the person leaves your organisation.
A service user account is intended for an application or service that calls the LUSID API. We recommend setting up one service user account per distinct application or service so that it only has permissions to perform the operations for which it is designed, and no more. You choose a password for the service user account, there is no MFA, and activity does not identify a particular person. Instead, account credentials are used in conjunction with a client ID and client secret to obtain a time-limited API access token.
Note: It is perfectly possible to use the credentials of a personal user to write scripts or programs that call the LUSID API. Just be aware that if you do this to create an automated service, the account is tied to the email address of a human being who might leave your organisation, and the service will stop working when that account is deleted.
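The token exchange described above, as an added example that is not part of the original page or of FINBOURNE's own SDKs: a service user's username and password are sent together with the client ID and client secret to the identity provider's token endpoint using the standard OAuth 2.0 password grant, and the short-lived access token that comes back is cached and refreshed shortly before it expires. The token URL, the environment variable names and the 60-second refresh margin are assumptions; the real token URL comes from your LUSID domain's application settings.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Placeholder only: take the real endpoint from your LUSID domain's settings.
TOKEN_URL_PLACEHOLDER = "https://<your-identity-provider>/oauth2/<id>/v1/token"


@dataclass(frozen=True)
class ServiceUserCredentials:
    """Username/password of the service user plus the client ID/secret of the API client."""
    username: str
    password: str
    client_id: str
    client_secret: str

    @classmethod
    def from_env(cls) -> "ServiceUserCredentials":
        # Read secrets from the environment (assumed variable names) so they
        # never end up in source control or in a service user's config file.
        return cls(
            username=os.environ["LUSID_USERNAME"],
            password=os.environ["LUSID_PASSWORD"],
            client_id=os.environ["LUSID_CLIENT_ID"],
            client_secret=os.environ["LUSID_CLIENT_SECRET"],
        )


def build_token_form(creds: ServiceUserCredentials) -> dict:
    """Form body for the OAuth 2.0 resource-owner password grant."""
    return {
        "grant_type": "password",
        "username": creds.username,
        "password": creds.password,
        "scope": "openid client groups",
        "client_id": creds.client_id,
        "client_secret": creds.client_secret,
    }


def request_token(token_url: str, creds: ServiceUserCredentials) -> dict:
    """POST the form to the token endpoint and return the parsed JSON response."""
    data = urllib.parse.urlencode(build_token_form(creds)).encode("utf-8")
    req = urllib.request.Request(
        token_url,
        data=data,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token and re-fetches it before `expires_in` runs out."""

    def __init__(self, fetch: Callable[[], dict],
                 clock: Callable[[], float] = time.time, refresh_margin: int = 60):
        self._fetch = fetch
        self._clock = clock
        self._margin = refresh_margin
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # exposed so callers can see how often we hit the IdP

    def get(self) -> str:
        now = self._clock()
        # Refresh when missing or within `refresh_margin` seconds of expiry, so a
        # request started just before expiry does not fail with a 401.
        if self._token is None or now >= self._expires_at - self._margin:
            body = self._fetch()
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])
            self.fetch_count += 1
        return self._token


def auth_header(cache: TokenCache) -> dict:
    """Bearer header for a LUSID API call; the secrets themselves never leave this module."""
    return {"Authorization": f"Bearer {cache.get()}"}


if __name__ == "__main__":
    creds = ServiceUserCredentials.from_env()
    cache = TokenCache(lambda: request_token(TOKEN_URL_PLACEHOLDER, creds))
    print(auth_header(cache)["Authorization"][:20] + "...")
```

Only the bearer token is handed to API calls; the username, password and client secret stay inside the credentials object, which is what lets one service user account be scoped to a single application as the page recommends.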
Both personal and service users are subject to LUSID's access control system in the same way: each user must have at least one role, and each role must have at least one policy that explicitly grants (or denies) access to a particular feature or dataset.
Without a role and a policy, a user has no access rights at all. See how to assign policies, roles and users.
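A small model of the user, role and policy chain just described, as an added example that is not part of the original page and not LUSID's own evaluation engine. It shows the one rule the page states, that a user with no role or no policy has no access at all, and additionally assumes that an explicit Deny policy wins over an Allow policy that matches the same action and resource; the policy shape (an effect plus sets of actions and resource prefixes) is an illustrative simplification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Policy:
    """An explicit Allow or Deny for a set of actions on resources under a path prefix."""
    name: str
    effect: str              # "Allow" or "Deny"
    actions: Set[str]        # e.g. {"Read", "Write"}
    resource_prefix: str     # e.g. "portfolios/Finbourne-Examples/"

    def matches(self, action: str, resource: str) -> bool:
        return action in self.actions and resource.startswith(self.resource_prefix)


@dataclass
class Role:
    name: str
    policies: List[Policy] = field(default_factory=list)


@dataclass
class User:
    user_id: str
    kind: str                 # "personal" or "service" (both evaluated identically)
    roles: List[Role] = field(default_factory=list)


def is_permitted(user: User, action: str, resource: str) -> bool:
    """Deny if no role/policy applies; otherwise Deny beats Allow (assumed precedence)."""
    matching = [
        p for role in user.roles for p in role.policies if p.matches(action, resource)
    ]
    if not matching:
        return False  # no role or no matching policy: no access rights at all
    if any(p.effect == "Deny" for p in matching):
        return False
    return any(p.effect == "Allow" for p in matching)


def explain(user: User, action: str, resource: str) -> Dict[str, object]:
    """Which policies were considered, for audit or debugging of an access decision."""
    considered = [
        (role.name, p.name, p.effect)
        for role in user.roles for p in role.policies if p.matches(action, resource)
    ]
    return {"user": user.user_id, "action": action, "resource": resource,
            "considered": considered, "permitted": is_permitted(user, action, resource)}


# Constructed sample data: one read-only role, one role that explicitly denies writes.
READ_EXAMPLES = Policy("read-examples", "Allow", {"Read"}, "portfolios/Finbourne-Examples/")
WRITE_EXAMPLES = Policy("write-examples", "Allow", {"Write"}, "portfolios/Finbourne-Examples/")
NO_WRITE_EXAMPLES = Policy("no-write-examples", "Deny", {"Write"}, "portfolios/Finbourne-Examples/")

reader_role = Role("reader", [READ_EXAMPLES])
writer_role = Role("writer", [READ_EXAMPLES, WRITE_EXAMPLES])
restricted_role = Role("restricted", [NO_WRITE_EXAMPLES])

new_joiner = User("alice@example.com", "personal")                        # no role yet
reporting_service = User("svc-reporting", "service", [reader_role])
restricted_writer = User("bob@example.com", "personal", [writer_role, restricted_role])

if __name__ == "__main__":
    for u in (new_joiner, reporting_service, restricted_writer):
        print(explain(u, "Write", "portfolios/Finbourne-Examples/Global-Equity"))
```

Running the module prints the decision and the policies behind it for each constructed user; the new joiner without a role is denied everything, the reporting service user can only read, and the restricted writer loses Write despite the Allow because of the explicit Deny.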