LUSID’s role-based access management system (RBAC) is designed to give you precise control over who can do what in your LUSID domain. It consists of two separate but interrelated systems:
- The identity management system controls how users authenticate (that is, sign in) to LUSID.
- The access control system controls which LUSID datasets and features users are permitted to access once authenticated.
The best place to start is with our white paper explaining how these systems work together.
Note: You can transition LUSID to a user-based access management system (UBAC) if you do not need to model professional responsibilities as roles. More information.
Your ability to administer these systems is itself subject to access control permissions, but if you have sufficient privileges you can use the Identity and Access menu in the LUSID web app.
Alternatively, you can interact with these systems programmatically using a variety of API and SDK resources.
Explanation: Understand the big picture
- Understanding how LUSID’s identity management and access control systems work
- RBAC vs UBAC: Setting up user-based access control for LUSID
- Understanding access metadata (AMD)
Tutorials: Get started by doing something tangible
Reference: Understand concepts and implications
- What are a personal user and a service user?
- What is a role?
- What are a policy and a policy collection?
- When do changes to a user's permissions take effect?
- What are an API access token and a client secret?
- What is a personal access token?
- What default roles and policies are provided with LUSID?
- What API and SDK resources are available for IAM?
- Using SSO with LUSID
- Provisioning LUSID using Okta and SCIM
How-to guides: Get something done
- How do I set up a personal user account?
- How do I set up MFA?
- How do I reset my password if I've forgotten it?
- How do I change passwords or MFA settings, or revoke access?
- How do I set up a service user account?
- How do I generate and reveal a client secret?
- How do I obtain and use a short-lived API access token from Okta?
- How do I create or revoke a long-lived personal access token?
- How do I use an API access token with the SDKs?
- How do I create a role?
- How do I create a feature policy?
- How do I create a data policy?
- How do I create a data policy to control access to properties?
- How do I create a policy from a JSON document?
- How do I specify an expiry date or a rolling validity date for a policy?
- How do I create a policy collection?
- How do I assign policies, roles and users to each other using the API?
- How do I grant secure access to my LUSID domain for support?