Providing you are a LUSID user with sufficient privileges, you can create a data policy to restrict access to one or more entity datasets.
Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.
An entity in LUSID is a portfolio, quote or similar repository of LUSID data. Note that not all entities support every access check LUSID is capable of making. Note also that a data policy must be paired with an equivalent feature policy, so that the API endpoints needed to operate on that data can be called.
When creating a data policy, note that in addition to nominating entity dataset(s) you also specify the actions the user can perform:

| Action | Enables the user to... |
|---|---|
| Any | Perform all the actions below. |
| List | Retrieve entity data. Note that Read must also be specified for an entity if it is available. |
| Read | Retrieve entity data. Note that List must also be specified for an entity if it is available. |
| Update | Update existing entity data. |
| Add | Add new entity data. |
| Upsert | Either update existing or add new entity data, depending on whether it already exists. |
| Delete | Delete entity data. |
| ReadMetadata | Retrieve access metadata specified for an entity. |
| WriteMetadata | Update existing or add new metadata for an entity. |
Once created, you should assign the data policy to a role.
- Log in to the LUSID web app using the credentials of a LUSID administrator.
- From the left-hand menu, select Identity and Access > Policies.
- On the Policies dashboard, click the Create policy button.
- Choose to create a policy using the Policy wizard.
- Choose to create a Data policy for LUSID.
- Specify a unique Code for the policy, a Deactivation date if necessary, and either retain the default state of Allow or slide to Deny.
- Click the Add scope button to nominate a Scope (data partition) to restrict the policy to. Note that the default * value applies the policy to every scope in LUSID.
- Add Resources (corresponding to entities and actions) to the policy. For example, to allow write access to portfolios in the chosen scope.
- Click the Add identifier button to optionally nominate identifiers to restrict the policy to. For example, to restrict the policy to just a portfolio with the code us-equities. Note that the default * value applies the policy to every identifier (for example, to all the portfolios in the chosen scope).
- Click the Create button to create the data policy.
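The following is an added, constructed model of how the fields chosen in the wizard above (scope with the `*` default, entity, actions including `Any`, optional identifiers, Allow or Deny, and a deactivation date) combine when a request is checked, together with a check for the List/Read pairing the table calls out. It is not LUSID's own policy engine or Access API code: the policy codes, the `finbourne` and `prod` scopes and the rule that an explicit Deny overrides an Allow are assumptions made for the example.

```python
"""Constructed model of LUSID-style data policy matching (not LUSID's own code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, FrozenSet

# Actions from the table above; 'Any' expands to all of the others.
ACTIONS = frozenset({"List", "Read", "Update", "Add", "Upsert", "Delete",
                     "ReadMetadata", "WriteMetadata"})


@dataclass(frozen=True)
class DataPolicy:
    code: str                                   # unique policy code
    entity: str                                 # e.g. "Portfolio" or "Quote"
    actions: FrozenSet[str]                     # subset of ACTIONS, or {"Any"}
    scope: str = "*"                            # '*' = every scope (data partition)
    identifiers: FrozenSet[str] = frozenset({"*"})  # '*' = every identifier (code)
    grant: str = "Allow"                        # "Allow" or "Deny"
    deactivation_date: Optional[date] = None    # policy stops applying on this date

    def __post_init__(self):
        unknown = self.actions - ACTIONS - {"Any"}
        if unknown:
            raise ValueError(f"unknown action(s) {sorted(unknown)} in {self.code}")
        if self.grant not in ("Allow", "Deny"):
            raise ValueError(f"grant must be Allow or Deny in {self.code}")

    def covers_action(self, action: str) -> bool:
        return "Any" in self.actions or action in self.actions

    def matches(self, scope: str, entity: str, code: str, action: str, on: date) -> bool:
        """True if this policy applies to the request on the given date."""
        if self.deactivation_date is not None and on >= self.deactivation_date:
            return False
        return (self.entity == entity
                and self.scope in ("*", scope)
                and ("*" in self.identifiers or code in self.identifiers)
                and self.covers_action(action))


def is_allowed(policies: List[DataPolicy], scope: str, entity: str, code: str,
               action: str, on: Optional[date] = None) -> bool:
    """Assumed evaluation rule: any matching Deny wins; otherwise at least one
    matching Allow is required; no matching policy at all means no access."""
    on = on or date.today()
    hits = [p for p in policies if p.matches(scope, entity, code, action, on)]
    if any(p.grant == "Deny" for p in hits):
        return False
    return any(p.grant == "Allow" for p in hits)


def list_read_warnings(policies: List[DataPolicy]) -> List[str]:
    """Per the table, List and Read must be granted together for an entity that
    supports both. Return the codes of Allow policies granting one without the other."""
    return [p.code for p in policies
            if p.grant == "Allow" and "Any" not in p.actions
            and ("List" in p.actions) != ("Read" in p.actions)]


# Constructed sample policies mirroring the wizard steps: write access to the single
# portfolio 'us-equities' in scope 'finbourne', read-only access to every portfolio in
# every scope, a Deny on deleting portfolios in scope 'prod', a time-limited policy,
# and a deliberately incomplete List-only policy.
SAMPLE_POLICIES = [
    DataPolicy("write-us-equities", "Portfolio", frozenset({"Update", "Add", "Upsert"}),
               scope="finbourne", identifiers=frozenset({"us-equities"})),
    DataPolicy("read-all-portfolios", "Portfolio", frozenset({"List", "Read"})),
    DataPolicy("no-delete-prod", "Portfolio", frozenset({"Delete"}), scope="prod",
               grant="Deny"),
    DataPolicy("temp-delete-dev", "Portfolio", frozenset({"Delete"}), scope="dev",
               deactivation_date=date(2025, 1, 1)),
    DataPolicy("list-only-quotes", "Quote", frozenset({"List"})),
]

if __name__ == "__main__":
    checks = [("finbourne", "Portfolio", "us-equities", "Update"),
              ("finbourne", "Portfolio", "uk-equities", "Update"),
              ("prod", "Portfolio", "any-code", "Read"),
              ("prod", "Portfolio", "any-code", "Delete")]
    for scope, entity, code, action in checks:
        print(scope, entity, code, action,
              "->", is_allowed(SAMPLE_POLICIES, scope, entity, code, action))
    print("List/Read mismatch:", list_read_warnings(SAMPLE_POLICIES))
```

Running the block shows that the identifier restriction keeps the write policy from reaching any portfolio other than us-equities, and that the Deny on Delete in prod holds even when an Any policy is added, which is why Deny policies are a safe way to carve exceptions out of a broad grant.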
You could use the Access API to create a data policy.
The syntax of the JSON object you need to provide in the body of the request to the Access POST /api/policies API endpoint is complicated, however, and highly specific to the nature of the policy you are trying to create.
Currently, we recommend creating the policy in the LUSID web app. Once created, you can manage the policy entirely programmatically.