How do I create a role? · Customer Self-Service

Views:

Related resources:

Providing you are a LUSID user with sufficient privileges, you can create a role to model a real-world job function or responsibility.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Once created, you should assign one or more policies to the role, and then assign the role to one or more users.

Method 1: Using the LUSID graphical web app
Method 2: Using the Identity and then the Access API
Setting precedence for a role

Using the LUSID graphical web app

Sign in to the LUSID web app using the credentials of a LUSID administrator.
From the left-hand menu, select Identity and Access > Roles:
On the Roles dashboard, click the Create role button:
Specify a unique Code for the role, and optionally assign suitable policies from the Policies > Choose dropdown (you can also do this later):
Click the Create button to create the role.

Using the Identity API and then the Access API

You can create a role using the Identity API and then the Access API (or vice versa). We have different APIs for identity management and access control to securely separate these concerns; roles are the link between the two systems.

You must create the role in both systems; it does not matter which you do first.

Note: If you want to delete a role, you must also do so in both systems.

Obtain an API access token.

Call the Identity POST /api/roles API endpoint for your LUSID domain, passing in your access token and a name and description. For example:

curl -X POST "https://<your-domain>.lusid.com/identity/api/roles"
   -H "Authorization: Bearer <your-access-token>"
   -H "Content-Type: application/json"
   -d "{'name':'portfolio-manager-role','description':'A role representing the manager of a portfolio'}"

The response contains an automatically-generated scope and code that together uniquely identify the role:

{
   "id": "00gbpzy5scH1crv8I2p7",
   "roleId": {
      "scope": "default",
      "code": "portfolio-manager-role"
    },
   "name": "portfolio-manager-role",
   "description": "A role representing the manager of a portfolio"
}

Call the Access POST /api/roles API endpoint for your LUSID domain, passing in the access token and the code for the role. For example:

curl -X POST "https://<your-domain>.lusid.com/access/api/roles"
   -H "Authorization: Bearer <your-access-token>"
   -H "Content-Type: application/json"
   -d "{'code':'portfolio-manager-role','resource':{'policyIdRoleResource':{'policies':[],'policyCollections':[]}},'when':{}}"

The role now exists in both systems. You can:

Assign the role to one or more users using the Identity API.
Assign one or more policies to the role using the Access API. See how to perform these operations.

Setting precedence for a role

A role has a precedence that determines which policies take effect in the event of a conflict.

For example, if a user is assigned two roles, and they are ranked with respect to one another as follows:

portfolio-manager-us
data-controller

...then the policies in portfolio-manager-us take precedence over the policies in data-controller should they conflict.

To set precedence, use the icon to move the table row for a role up or down in the Roles dashboard:

Note it’s not possible to reset the precedence of the lusid-administrator role (which is always ranked #1).

Keywords: role, permission, access control