How do I assign policies, roles and users to each other using the API?

Provided you are a LUSID user with sufficient privileges, you can use a combination of the Access and Identity APIs to assign policies to roles, and roles to users, respectively.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article. 

We have separate Identity and Access APIs because identity management and access control are two different systems that work closely together. Note that you can also assign policies to roles and roles to users using the LUSID web app.

Assigning a policy to a role

Use the Access API:

  1. Obtain an API access token.

  2. Obtain the code of the role you want to assign the policy to, for example using the GetRole API.

  3. Call the UpdateRole API, passing in your API access token. Because this is a PUT operation, make sure the request body includes any existing policies assigned to the role in addition to the new policy. For example, to add a new-policy to a test-role that already has an existing-policy, construct a JSON payload like this:

    {
      "description": "This is an example role",
      "resource": {
        "policyIdRoleResource": {
          "policies": [
            {
              "scope": "default",
              "code": "existing-policy"
            },
            {
              "scope": "default",
              "code": "new-policy"
            }
          ],
          "policyCollections": []
        }
      },
      "when": {
        "activate": "2021-08-31T18:00:00.0000000+00:00",
        "deactivate": "9999-12-31T18:00:00.0000000+00:00"
      }
    }
    

    An example PUT using Curl might look like this (note the JSON payload above has been replaced with a placeholder for clarity):

    curl -X PUT "https://<your-domain>.lusid.com/access/api/roles/<your-role-code>" \
      -H "Authorization: Bearer <your-api-access-token>" \
      -H "Content-Type: application/json" \
      -d '<json-payload>'
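
Because UpdateRole replaces the role's whole policy list, a payload that omits an existing policy silently changes what the role grants. The following is an added example, not code from the LUSID documentation or SDK: it builds the request body from the role's current state and checks that nothing is dropped. The function names and the assumption that the GetRole response mirrors the request shape shown above are this example's own.

```python
import copy
import json

# Constructed sample: a role as returned by GetRole, assumed (for this
# example) to mirror the UpdateRole request shape shown above.
SAMPLE_ROLE = {
    "description": "This is an example role",
    "resource": {
        "policyIdRoleResource": {
            "policies": [{"scope": "default", "code": "existing-policy"}],
            "policyCollections": [],
        }
    },
    "when": {
        "activate": "2021-08-31T18:00:00.0000000+00:00",
        "deactivate": "9999-12-31T18:00:00.0000000+00:00",
    },
}


def build_update_role_body(current_role, scope, code):
    """Return an UpdateRole body: every existing policy plus (scope, code)."""
    body = {k: copy.deepcopy(current_role[k])
            for k in ("description", "resource", "when") if k in current_role}
    res = body.setdefault("resource", {}).setdefault("policyIdRoleResource", {})
    policies = res.setdefault("policies", [])
    res.setdefault("policyCollections", [])
    # Idempotent: re-adding a policy that is already assigned changes nothing.
    if not any(p["scope"] == scope and p["code"] == code for p in policies):
        policies.append({"scope": scope, "code": code})
    return body


def dropped_policies(current_role, body):
    """List (scope, code) pairs on the role that the body would remove."""
    def ids(doc):
        res = doc.get("resource", {}).get("policyIdRoleResource", {})
        return {(p["scope"], p["code"]) for p in res.get("policies", [])}
    return sorted(ids(current_role) - ids(body))


if __name__ == "__main__":
    body = build_update_role_body(SAMPLE_ROLE, "default", "new-policy")
    assert not dropped_policies(SAMPLE_ROLE, body), "PUT would remove policies"
    print(json.dumps(body, indent=2))  # use this output as the -d payload
```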

Assigning a policy collection to a role

Use the Access API:

  1. Obtain an API access token.

  2. Obtain the scope and code of the policy collection you want to assign, for example using the ListPolicyCollections API.

  3. Obtain the scope and code of the role you want to assign to, for example using the ListRoles API.

  4. Call the AddPolicyCollectionToRole API, passing in your API access token and the scope and code of the policy collection:

    curl -X PUT "https://<your-domain>.lusid.com/access/api/roles/<your-role-scope>/<your-role-code>/policycollections" \
      -H "Authorization: Bearer <your-api-access-token>" \
      -H "Content-Type: application/json" \
      -d '{"policyCollections":[{"scope":"<your-polcoll-scope>","code":"<your-polcoll-code>"}]}'

Assigning a role to a user

Use the Identity API:

  1. Obtain an API access token.

  2. Obtain the ID of the role you want to assign, for example using the ListRoles API.

  3. Obtain the ID of the user you want to assign to, for example using the ListUsers API.

  4. Call the AddUserToRole API, passing in your API access token:

    curl -X PUT "https://<your-domain>.lusid.com/identity/api/roles/<your-role-id>/users/<your-user-id>" \
      -H "Authorization: Bearer <your-api-access-token>"