How do I create a data policy?

Providing you are a LUSID user with sufficient privileges, you can create a data policy to restrict access to one or more entity datasets.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

An entity in LUSID is a portfolio, quote or similar repository of LUSID data. Note that not all entities support every access check LUSID is capable of making. Note also that a data policy requires an equivalent feature policy: the feature policy is what allows the appropriate API endpoints to be called, and without it the data policy alone does not let a user perform operations on that data.

When creating a data policy, note that in addition to nominating one or more entity datasets you also specify the actions the user can perform on them:

| Action | Enables the user to... |
|---|---|
| Any | Perform all the actions below. |
| List | Retrieve entity data. Note that Read must also be specified for an entity if it is available. |
| Read | Retrieve entity data. Note that List must also be specified for an entity if it is available. |
| Update | Update existing entity data. |
| Add | Add new entity data. |
| Upsert | Either update existing or add new entity data, depending on whether it currently exists. |
| Delete | Delete entity data. |
| ReadMetadata | Retrieve access metadata specified for an entity. |
| WriteMetadata | Update existing or add new metadata for an entity. |

Once created, you should assign the policy to a role.

Using the LUSID web app 

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.

  2. From the left-hand menu, select Identity and Access > Policies.

  3. On the Policies dashboard, click the Create policy button.

  4. Specify a unique Policy code, Policy validity dates if necessary, and select whether the policy should Allow or Deny access to the data specified.

  5. Optionally, select any features you want the policy to cover.

  6. Click Next to reach the Data Resources tab.

  7. Add Actions to the policy, for example to allow write access to portfolio data.

  8. Choose a Selector type from the following options to nominate a data partition to restrict the policy to:

    • Identifier allows you to specify a Scope and Code pair to restrict the policy to. Note that the * value for Code applies the policy to every code within the specified scope.

    • MetadataExpression allows you to restrict the policy based on an access metadata expression. Read more.

    • Match all applies the policy to every scope in LUSID.

    For example, you could restrict the policy to just portfolios within the scope Finbourne-Examples.

  9. Click Next to reach the Time Restrictions tab. Optionally, specify any time restrictions for your policy, such as taking effect on the first day of the month. Read more.

  10. Click Next to reach the Advanced Options tab. Optionally, specify any conditions for your policy to apply at runtime for any given evaluation of access control permissions. You can specify:

    • Request header to apply the policy if the request has a specified header and value.

    • Identity claim to apply the policy if the user’s authentication token has a specified claim and value.

    • Identity scope to apply the policy if the user’s authentication token is issued in response to supplying a specified scope.

  11. Select Done to review the policy, and Save to create the policy.

Using the Access API

You can also use the Access API to create a data policy.

The syntax of the JSON object you need to provide in the body of the request to the CreatePolicy API is complicated, however, and highly specific to the nature of the policy you are trying to create.

Currently, we recommend creating the policy in the LUSID web app. Once created, you can manage the policy entirely programmatically.
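Before assigning a policy to a role, it helps to reason about what the pieces described above (entity, scope and code, the action list, the Identifier or Match all selector, Allow versus Deny, validity dates and runtime conditions) will grant in combination. The following is an added example written for this article, not FINBOURNE code and not a client for the Access API: it is a small local model of policy evaluation. The identifiers and concepts come from the steps above; the deny-overrides rule, the "no matching policy means no access" default, the single `conditions` map standing in for request-header, identity-claim and identity-scope conditions, and every policy code, scope, code and claim value are assumptions constructed here.

```python
"""Local model of how the parts of a data policy combine when access is checked.
Added example, not FINBOURNE code and not the Access API: entity, scope, code, action
names, selector types, Allow/Deny, validity dates and runtime conditions follow this
article; "an applicable Deny wins" and "no matching policy means no access" are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Action:
    entity: str    # e.g. "Portfolio"
    activity: str  # List, Read, Update, Add, Upsert, Delete, ReadMetadata, WriteMetadata or Any


@dataclass(frozen=True)
class Selector:
    """Identifier selector (scope + code, '*' = every code in the scope) or Match all."""
    kind: str                    # "Identifier" or "MatchAll"
    scope: Optional[str] = None
    code: Optional[str] = None

    def matches(self, scope: str, code: str) -> bool:
        if self.kind == "MatchAll":
            return True
        return self.scope == scope and self.code in ("*", code)


@dataclass
class Policy:
    code: str
    grant: str                          # "Allow" or "Deny"
    actions: List[Action]
    selector: Selector
    valid_from: Optional[date] = None   # policy validity dates, inclusive
    valid_to: Optional[date] = None
    # Runtime conditions (header, claim or identity scope), keyed "header:<name>",
    # "claim:<name>" or "scope"; one map for all three is a simplification made here.
    conditions: Dict[str, str] = field(default_factory=dict)


@dataclass
class Request:
    entity: str
    scope: str
    code: str
    activity: str
    on: date
    context: Dict[str, str] = field(default_factory=dict)  # same keys as Policy.conditions


def policy_applies(p: Policy, r: Request) -> bool:
    """True when validity dates, runtime conditions, selector and action all match."""
    in_window = (p.valid_from is None or r.on >= p.valid_from) and (p.valid_to is None or r.on <= p.valid_to)
    conditions_met = all(r.context.get(k) == v for k, v in p.conditions.items())
    action_hit = any(a.entity == r.entity and a.activity in ("Any", r.activity) for a in p.actions)
    return in_window and conditions_met and p.selector.matches(r.scope, r.code) and action_hit


def is_permitted(policies: List[Policy], r: Request) -> bool:
    """Assumed combination rule: an applicable Deny always wins; otherwise an Allow must apply."""
    applicable = [p for p in policies if policy_applies(p, r)]
    return not any(p.grant == "Deny" for p in applicable) and any(p.grant == "Allow" for p in applicable)


def lint_policy(p: Policy) -> List[str]:
    """Flag List granted without Read (or vice versa); the action table says they must be paired."""
    by_entity: Dict[str, set] = {}
    for a in p.actions:
        by_entity.setdefault(a.entity, set()).add(a.activity)
    return [f"{p.code}: {entity} grants List or Read without the other"
            for entity, acts in by_entity.items()
            if "Any" not in acts and ("List" in acts) != ("Read" in acts)]


def sample_policies() -> List[Policy]:
    """Constructed sample set (all values made up): portfolio writers in one scope,
    a blanket Deny on Delete, and quote reads gated on an identity claim."""
    return [
        Policy("portfolio-writer", "Allow",
               [Action("Portfolio", a) for a in ("List", "Read", "Update", "Add")],
               Selector("Identifier", scope="Finbourne-Examples", code="*"),
               valid_from=date(2024, 1, 1)),
        Policy("no-delete", "Deny", [Action("Portfolio", "Delete")], Selector("MatchAll")),
        Policy("pricing-quotes", "Allow", [Action("Quote", "List"), Action("Quote", "Read")],
               Selector("MatchAll"), conditions={"claim:team": "pricing"}),
    ]


def demo() -> Dict[str, bool]:
    """Evaluate constructed requests against sample_policies()."""
    pols, on = sample_policies(), date(2024, 6, 1)
    def ask(entity: str, scope: str, activity: str, when: date = on, ctx: Optional[Dict[str, str]] = None) -> bool:
        return is_permitted(pols, Request(entity, scope, "UK-Eq", activity, when, ctx or {}))
    return {
        "update_in_scope": ask("Portfolio", "Finbourne-Examples", "Update"),
        "update_other_scope": ask("Portfolio", "Other", "Update"),
        "delete_in_scope": ask("Portfolio", "Finbourne-Examples", "Delete"),
        "update_before_valid_from": ask("Portfolio", "Finbourne-Examples", "Update", date(2023, 6, 1)),
        "quote_read_no_claim": ask("Quote", "Finbourne-Examples", "Read"),
        "quote_read_with_claim": ask("Quote", "Finbourne-Examples", "Read", ctx={"claim:team": "pricing"}),
    }
```

Running `lint_policy` over a draft catches the List/Read pairing the action table calls out, and `demo` shows the scope wildcard, the blanket Deny and the claim condition taking effect in turn. The real decision is made by LUSID when a request arrives, so use a model like this to reason about a draft, then confirm the saved policy's behaviour against the API.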