Providing you are a LUSID user with sufficient privileges, you can use a combination of the Access and Identity APIs to assign policies to roles, and roles to users, respectively.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article. 

We have separate Identity and Access APIs because identity management and access control are two different systems, working closely together. Note you can also assign policies to roles and roles to users seamlessly using the LUSID web app.

Assigning a policy to a role

Use the Access API:

  1. Obtain an API access token.
  2. Obtain the code of the role you want to assign the policy to, for example using the Access GET /api/roles API endpoint.
  3. Call the Access PUT /api/roles/<role-code> API endpoint for your LUSID domain, passing in your API access token. Because this is a PUT operation, make sure the request body includes any existing policies assigned to the role in addition to the new policy. For example, to add a new-policy to a test-role that already has an existing-policy, construct a JSON payload like this:
    {
      "description": "This is an example role",
      "resource": {
        "policyIdRoleResource": {
          "policies": [
            {
              "scope": "default",
              "code": "existing-policy"
            },
            {
              "scope": "default",
              "code": "new-policy"
            }
          ],
          "policyCollections": []
        }
      },
      "when": {
        "activate": "2021-08-31T18:00:00.0000000+00:00",
        "deactivate": "9999-12-31T18:00:00.0000000+00:00"
      }
    }
    
    An example PUT using curl might look like this (note the JSON payload above has been replaced with the <json-payload> placeholder for clarity):
    curl -X PUT "https://<your-domain>.lusid.com/access/api/roles/<your-role-code>" \
      -H "Authorization: Bearer <your-api-access-token>" \
      -H "Content-Type: application/json" \
      -d "<json-payload>"
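
The read-modify-write that step 3 calls for, as an added example that is not part of the LUSID documentation: it builds the PUT body from the role's current definition and checks a candidate body for policies it would leave out. The helper names are hypothetical, and the sample role is constructed on the assumption that the current role has the same shape as the payload above.

```python
import copy

# Constructed sample: the role as it exists today. Assumption: it has the same
# description/resource/when shape as the PUT payload shown in step 3.
CURRENT_ROLE = {
    "description": "This is an example role",
    "resource": {"policyIdRoleResource": {
        "policies": [{"scope": "default", "code": "existing-policy"}],
        "policyCollections": [],
    }},
    "when": {"activate": "2021-08-31T18:00:00.0000000+00:00",
             "deactivate": "9999-12-31T18:00:00.0000000+00:00"},
}


def policy_ids(role):
    """Return the (scope, code) pairs of the policies listed in a role body."""
    policies = role["resource"]["policyIdRoleResource"].get("policies") or []
    return {(p["scope"], p["code"]) for p in policies}


def build_update_body(current_role, scope, code):
    """Copy the current role and add one policy, keeping everything else."""
    body = copy.deepcopy({k: current_role[k]
                          for k in ("description", "resource", "when")
                          if k in current_role})
    resource = body["resource"]["policyIdRoleResource"]
    resource["policies"] = list(resource.get("policies") or [])
    if (scope, code) not in policy_ids(body):  # re-running adds no duplicate
        resource["policies"].append({"scope": scope, "code": code})
    return body


def dropped_policies(current_role, body):
    """Policies the role has now that are missing from a candidate PUT body."""
    return policy_ids(current_role) - policy_ids(body)


if __name__ == "__main__":
    body = build_update_body(CURRENT_ROLE, "default", "new-policy")
    print(sorted(policy_ids(body)))
    # A body that lists only the new policy leaves the existing one out.
    naive = {"resource": {"policyIdRoleResource": {
        "policies": [{"scope": "default", "code": "new-policy"}]}}}
    print(sorted(dropped_policies(CURRENT_ROLE, naive)))
```

Running `dropped_policies` against the body you are about to send, and refusing to send it when the result is non-empty, catches an accidental removal before the PUT is made.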

Assigning a policy collection to a role

Use the Access API:

  1. Obtain an API access token.
  2. Obtain the scope and code of the policy collection you want to assign, for example using the Access GET /api/policycollections API endpoint.
  3. Obtain the scope and code of the role you want to assign to, for example using the Access GET /api/roles API endpoint.
  4. Call the Access POST /api/roles/<role-scope>/<role-code>/policycollections API endpoint for your LUSID domain, passing in your API access token and the scope and code of the policy collection:
    curl -X POST "https://<your-domain>.lusid.com/access/api/roles/<your-role-scope>/<your-role-code>/policycollections" \
      -H "Authorization: Bearer <your-api-access-token>" \
      -H "Content-Type: application/json" \
      -d '{"policyCollections":[{"scope":"<your-polcoll-scope>","code":"<your-polcoll-code>"}]}'

Assigning a role to a user

Use the Identity API:

  1. Obtain an API access token.
  2. Obtain the ID of the role you want to assign, for example using the Identity GET /api/roles API endpoint.
  3. Obtain the ID of the user you want to assign to, for example using the Identity GET /api/users API endpoint.
  4. Call the Identity PUT /api/roles/<role-id>/users/<user-id> API endpoint for your LUSID domain, passing in your API access token:
    curl -X PUT "https://<your-domain>.lusid.com/identity/api/roles/<your-role-id>/users/<your-user-id>" \
      -H "Authorization: Bearer <your-api-access-token>"