Views:

Related resources:

Explanation

Tutorials

Reference

Providing you are a LUSID user with sufficient privileges, you can create a data policy to restrict access to one or more entity datasets.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

An entity in LUSID is a portfolio, quote or similar repository of LUSID data. Note not all entities support every access check LUSID is capable of making. Note also that a data policy requires an equivalent feature policy in order that appropriate API endpoints can be called to perform operations on that data.

When creating a data policy, note that in addition to nominating entity dataset(s) you also specify actions the user can perform:

Action Enables the user to...
Any Perform all the actions below.
List Retrieve entity data. Note Read must also be specified for an entity if it is available.
Read Retrieve entity data. Note List must also be specified for an entity if it is available. 
Update Update existing entity data.
Add Add new entity data.
Upsert Either update existing or add new entity data, depending whether it currently exists or not. 
Delete Delete entity data. 
ReadMetadata Retrieve access metadata specified for an entity.
WriteMetadata Update existing or add new metadata for an entity.

Once created, you should assign the data policy to a role.

Using the LUSID graphical web app 

  1. Log in to the LUSID web app using the credentials of a LUSID administrator.
  2. From the left-hand menu, select Identity and Access > Policies:
  3. On the Policies dashboard, click the Create policy button.
  4. Choose to create a policy using the Policy wizard.
  5. Choose to create a Data policy for LUSID:
  6. Specify a unique Code for the policy, a Deactivation date if necessary, and either retain the default state of Allow or slide to Deny:
  7. Click the Add scope button to nominate a Scope (data partition) to restrict the policy to. Note the default * value applies the policy to every scope in LUSID.
  8. Add Resources (corresponding to entities and actions) to the policy. For example, to allow write access to portfolios in the chosen scope:
  9. Click the Add identifier button to optionally nominate identifiers to restrict the policy to. For example, to restrict the policy to just a portfolio with the code us-equities:

    Note the default * value applies the policy to every identifier (for example, to all the portfolios in the chosen scope).
  10. Click the Create button to create the data policy:

Using the Access API

You could use the Access API to create a data policy.

The syntax of the JSON object you need to provide in the body of the request to the Access POST /api/policies API endpoint is complicated, however, and highly specific to the nature of the policy you are trying to create.

Currently, we recommend creating the policy in the LUSID web app. Once created, you can manage the policy entirely programmatically.