
The file manager is a way for users to store and share files with other users on the same domain. Access to the file manager and its contents is controlled by LUSID's Identity access management system, and users need to be assigned the appropriate roles and policies before they can perform any operations in the file manager. In this article we will cover the following:

Accessing the file manager

By default, the file manager is available on all client accounts for the administrator role. 

To give access to non-admin users, an administrator needs to create a role with a policy that allows access to Drive features. The steps below explain how to create this.
 

Creating a policy for the web application

Please go to Identity access management (IAM) on the LUSID web application.


 

Once you are in the IAM module, navigate to the "Policies" tab and click on the "Create policy" icon.


 

Once the "Create policy" wizard has opened, please select the "JSON" option. 


 

In the JSON editor, please copy the contents of the file manager policy, which can be found below.

{
    "description": "Policy to allow viewing Drive (Files)",
    "applications": [
        "Website"
    ],
    "grant": "Allow",
    "selectors": [
        {
            "metadataSelectorDefinition": null,
            "idSelectorDefinition": {
                "identifier": {
                    "code": "drive",
                    "scope": "data-management"
                },
                "actions": [
                    {
                        "scope": "default",
                        "activity": "view",
                        "entity": "data-management"
                    }
                ],
                "name": null,
                "description": null
            },
            "matchAllSelectorDefinition": null,
            "policySelectorDefinition": null
        }
    ],
    "for": null,
    "if": null,
    "when": {
        "activate": "2020-07-15T22:00:00+00:00",
        "deactivate": "9999-12-31T23:59:59.9999999+00:00"
    },
    "how": null
}


Once the contents are copied you can name the policy with a code of your choice (e.g. Drive viewer) and set a description for this policy.


 

After setting up the file manager policy, you can attach this to an existing role, or create and attach this to a new role. Roles can then be granted to users within your LUSID domain as described in this article.

When setup is complete, the file manager can be accessed by clicking on "Files" under the "Data Management" section of the LUSID web application.




Setting up file manager permissions

Access to the file manager and its contents is governed by LUSID's role and policy based identity access management system. 

List of file manager operations

By default, users with the LUSID administrator role will have full permissions and can perform any operation on a file / folder including:

Files

  • Write - Ability to upload a specific file, rename, change location
  • Read - Ability to download file
  • Delete - Ability to delete a file
  • List - Ability to list a file in a folder i.e. list under parent folder

 

Folders

  • Read - Access a folder and view files and folders underneath it
  • Delete - Ability to delete a folder
  • Write - Ability to upload files and create subfolder under a folder
  • List - Ability to view the folder in a list i.e. under parent folder

 

Controlling access to the file manager

You can set up roles and policies to grant users only a subset of these operations using the policy wizard. Policies can be used to restrict or grant access to both data (e.g. files and folders) and features (e.g. read and write).


 

Managing data access

  • Step 1: Select the "Drive" application in the policy wizard, with the control scope "Data". 


 

  • Step 2: Enter the code and description for the policy as desired


 

  • Step 3: Set the policy to restrict all resources, or define it at a per folder / file level. Click here to learn more about how to set permissions at the folder / file level.


 

  • Step 4: Once the policy is created, you can assign the policy to relevant roles and respective users as explained here.


 

Managing feature Access

  • Step 1: Select the "Drive" application in the policy wizard, with the control scope "Features". 


 

  • Step 2: Enter the code and description for the policy as desired


 

  • Step 3: Add features that you would like to control access to. You can do this by dragging and dropping the features from the list before clicking "Add".


 

 


 

  • Step 4: Once all features are added, click "Next" to set up the policy. We currently recommend adding all features to the allow policy.


 

Once both the "Data" policy and the "Feature" policy have been set up, it is recommended to create a policy collection covering both policies, so that a single collection can be assigned to the desired role.
 

Setting up policies for a specific file / folder

Please follow these steps to define which operations a user can perform at a file / folder level.

  • Step 1: Choose the "Selected resource types"


 

  • Step 2: Define the parameters used to identify the files to which the policy applies. The IAM system supports wildcard matching, with the following patterns:
    • * - Match all
    • *.txt - Match files with extension txt
    • secret* - Match files that start with secret


 

  • Step 3: Define the parameter that identifies the folders the policy should match. LUSID IAM supports wildcard matching, so the following options are supported:
    • * - Match all
    • /* - Match root folder and anything under it
    • /Marketing - Match marketing folder under root
    • /Operation* - Match all folders under the Operation folder created at the root


 

  • Step 4: Once the policy is created, an administrator can attach it to a role, which can then be assigned to users as described in this article.

To create more complex policies, please contact us and one of our specialists would be happy to help.
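
A wildcard selector is easier to review once you see which paths it would actually cover. The following is an added example, not LUSID code: a local preview that applies the patterns from Steps 2 and 3 to a constructed folder tree. It assumes that `*` matches any run of characters (including `/`) and that matching is case-sensitive; the names `covered`, `outside_subtree` and `SAMPLE_FILES` are hypothetical, and the result should be confirmed against your own domain.

```python
import re

# Constructed sample Drive layout as (folder path, file name); not a real domain.
SAMPLE_FILES = [
    ("/", "readme.txt"),
    ("/Marketing", "plan.txt"),
    ("/Marketing/Archive", "old-plan.txt"),
    ("/Operation", "secret-runbook.txt"),
    ("/Operation/Reports", "daily.csv"),
    ("/Operations-HR", "secret-salaries.csv"),
]


def wildcard_match(pattern, value):
    """Match value against pattern, where '*' is the only special character.

    Assumption: '*' matches any run of characters, including '/'.
    """
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def covered(folder_pattern, file_pattern, files=SAMPLE_FILES):
    """Return the (folder, name) pairs a folder/file pattern pair selects."""
    return [
        (folder, name)
        for folder, name in files
        if wildcard_match(folder_pattern, folder) and wildcard_match(file_pattern, name)
    ]


def outside_subtree(folder_pattern, intended_root, files=SAMPLE_FILES):
    """List covered folders that are neither intended_root nor beneath it."""
    prefix = intended_root.rstrip("/") + "/"
    hits = {folder for folder, _ in covered(folder_pattern, "*", files)}
    return sorted(f for f in hits if f != intended_root and not f.startswith(prefix))


if __name__ == "__main__":
    for folder_pattern, file_pattern in [("/Marketing", "*"), ("/*", "*.txt"), ("*", "secret*")]:
        print(folder_pattern, file_pattern, "->", covered(folder_pattern, file_pattern))
    # Folders a prefix pattern reaches beyond the folder it was written for.
    print("outside /Operation:", outside_subtree("/Operation*", "/Operation"))
```

Under the stated assumption, `/Operation*` also reaches the sibling folder `/Operations-HR` in the sample tree, which is the kind of over-match to look for before attaching the policy to a role.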

File and folder naming Convention

Names of files and folders in the file manager should:

  • Contain only alphanumeric, dash ('-') or underscore ('_') characters
  • Be between 1 and 50 characters long.

Filtering and Searching Files

Drive supports functionality that enables users to filter and search files stored in the file manager. Currently this is supported only via the Drive API.

Filtering

The filter parameter on the List Root Folder, List Folder and Search API endpoints can be used to filter the list of contents within a folder, using the same syntax as described here.

Searching

The Search endpoint accepts the path and the exact name of the file or folder to search for. If no path is supplied, the file with the given name is searched for recursively from the root folder. When matching files are found, the API response returns all the metadata required to interact with them.