How do I create a feature policy?

Providing you are a LUSID user with sufficient privileges, you can create a feature policy to restrict access to one or more LUSID API endpoints.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

Note that a feature policy applies even to a personal user using the LUSID web app, since the web app itself calls the API. Note also that a feature policy requires an equivalent data policy in order to yield any data.

Once you have created the policy, you should assign it to a role.

Using the LUSID web app 

  1. Log in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and Access > Policies.

  3. On the Policies dashboard, click the Create policy button.

  4. Specify a unique Policy code, Policy validity dates if necessary, and select whether the policy should Allow or Deny access to the features specified.

  5. Select the checkbox of each feature (corresponding to API endpoints) to add to the policy:
    Which API endpoints to select is subjective, but to grant read-only access to the instrument master, for example, you might choose: GetInstrument, GetInstruments, ListInstruments, GetInstrumentIdentifierTypes, GetInstrumentProperties, ListInstrumentProperties.

    API endpoints are identified by their operation ID. Examine the API reference for more information on each endpoint; the operation ID is printed under the URL.

  6. Select Next to reach the Data Resources tab. Optionally, select any data resources you want to add to the policy.

  7. Click Next to reach the Time Restrictions tab. Optionally, specify any time restrictions for your policy, such as taking effect on the first day of the month.

  8. Click Next to reach the Advanced Options tab. Optionally, specify any conditions for your policy to apply at runtime for any given evaluation of access control permissions. You can specify:

    • Request header to apply the policy if the request has a specified header and value.

    • Identity claim to apply the policy if the user’s authentication token has a specified claim and value.

    • Identity scope to apply the policy if the user’s authentication token is issued in response to supplying a specified scope.

  9. Select Done to review the policy, and Save to create the policy.
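
A review check for the feature selection in step 5, as an added example that is not part of the original article or LUSID's own code. It assumes operation IDs are PascalCase and begin with a verb, and that only Get and List operations are read-only; the function name `review_features` and the over-broad sample selection are constructed for illustration.

```python
import re

# Assumption (not from the LUSID docs): operation IDs are PascalCase and begin
# with a verb, and only Get*/List* operations are treated as read-only here.
READ_VERBS = {"Get", "List"}
LEADING_VERB = re.compile(r"^[A-Z][a-z]+")


def review_features(selected, entity, read_verbs=READ_VERBS):
    """Return findings for operation IDs that exceed a read-only policy on `entity`."""
    findings = []
    seen = set()
    for op in selected:
        verb = LEADING_VERB.match(op)
        if verb is None:
            findings.append((op, "malformed operation ID"))
        elif op in seen:
            findings.append((op, "duplicate selection"))
        elif verb.group() not in read_verbs:
            findings.append((op, f"{verb.group()} is not a read verb"))
        elif entity not in op:
            findings.append((op, f"outside the {entity} feature area"))
        seen.add(op)
    return findings


# The read-only instrument master selection suggested in step 5.
PAGE_SELECTION = [
    "GetInstrument", "GetInstruments", "ListInstruments",
    "GetInstrumentIdentifierTypes", "GetInstrumentProperties",
    "ListInstrumentProperties",
]

# Constructed over-broad selection for illustration.
BROAD_SELECTION = PAGE_SELECTION + [
    "UpsertInstruments", "DeleteInstrument", "GetPortfolio", "GetInstrument",
]

if __name__ == "__main__":
    for name, sel in (("page", PAGE_SELECTION), ("broad", BROAD_SELECTION)):
        print(name, review_features(sel, "Instrument") or "read-only, in scope")
```

The verb prefix is only a naming heuristic, so confirm each flagged or accepted operation ID against the API reference before saving the policy.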

Using the Access API

You could use the Access API to create a feature policy.

The syntax of the JSON object you need to provide in the body of the request to the CreatePolicy API is complicated, however, and highly specific to the nature of the policy you are trying to create.

Currently, we recommend creating the policy in the LUSID web app. Once created, you can manage the policy entirely programmatically.