How are roles used to permission users in LUSID?

An introduction to roles in the LUSID Identity and Access Management (IAM) system, and how they interact with policies and users.

Access to data and functionality in LUSID is role-based. A user is assigned a role or set of roles that reflects their professional duties. Each role contains a policy or set of policies that grants or denies access to systems and features in keeping with these professional duties. These policies can be set at role creation or added subsequently.

For instance, one would expect a primary administrator role to contain policies granting full access to all data and functionality within the organisation. A portfolio manager (PM) role, by contrast, would more likely contain policies granting permission to certain portfolios and specifying read-write access and effective periods. A research role may have similar access to the PM, but perhaps read-only.

If the researcher moved to a PM role, write access could be granted via a policy change, but then all roles containing that policy would be affected. Adding the PM role to the user's identity, or swapping it in for the research role, would be more consistent.

Each role created within LUSID has a name, a description and, importantly, a precedence (or rank). A user can have multiple roles assigned at any given time, so if two of those roles have policies with conflicting specifications, the policy from the role with the highest precedence is used.
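The two ways of promoting the researcher, and the precedence rule that resolves the resulting role conflict, can be modelled as follows. This is an added illustration, not LUSID code or its API: every class, function and role name is hypothetical, and it assumes that a lower precedence number outranks a higher one and that a request matched by no policy is denied.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    scope: str      # what the policy applies to (constructed value)
    effects: dict   # action -> "Allow" or "Deny"

@dataclass
class Role:
    name: str
    precedence: int  # assumption: 10 outranks 20, which outranks 30
    policies: list

def decide(roles, scope, action):
    """Effect from the highest-precedence role with a matching policy."""
    for role in sorted(roles, key=lambda r: r.precedence):
        for policy in role.policies:
            if policy.scope == scope and action in policy.effects:
                return policy.effects[action]
    return "Deny"  # assumption: no matching policy means no access

def build():
    """Constructed sample data: two policies, three roles, two users."""
    read_only = Policy("read-only", "equities", {"read": "Allow", "write": "Deny"})
    read_write = Policy("read-write", "equities", {"read": "Allow", "write": "Allow"})
    roles = {
        "pm": Role("pm", 10, [read_write]),
        "research": Role("research", 20, [read_only]),
        "audit": Role("audit", 30, [read_only]),  # shares the research policy
    }
    users = {"researcher": ["research"], "auditor": ["audit"]}
    return read_only, roles, users

def write_access(roles, users):
    """Write decision on the 'equities' scope for every user."""
    return {user: decide([roles[n] for n in names], "equities", "write")
            for user, names in users.items()}

def promote_by_policy_change():
    read_only, roles, users = build()
    read_only.effects["write"] = "Allow"  # edits the policy both roles share
    return write_access(roles, users)

def promote_by_role_assignment():
    _, roles, users = build()
    users["researcher"].append("pm")      # conflicting roles; pm outranks research
    return write_access(roles, users)

if __name__ == "__main__":
    print("policy change:  ", promote_by_policy_change())
    print("role assignment:", promote_by_role_assignment())
```

Editing the shared policy also gives the auditor write access, while assigning the PM role changes the outcome for the researcher alone.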

An example set of roles and policies is included in your account by default.