RBAC vs UBAC: Setting up user-based access control for LUSID

By default, LUSID has a role-based access management system (RBAC), whereby:

• A user represents a person or service.
• A role represents a professional responsibility.
• A policy represents a grant (or denial) of permission.

You can assign a user many roles, and a role many policies. Roles have a relative precedence that determines which take effect if a user has conflicting policies.

You can transition LUSID to a user-based access management system (UBAC) instead if you prefer, or combine elements of the two. This might be quicker and simpler if you do not need to model professional responsibilities. In this system:

• A user-role represents a person or service (a user can only have one user-role, and that user-role only be assigned to that one user).
• A policy represents a grant (or denial) of permission, as before.

Note: You can combine the two systems and assign a user a role and a user-role. If they contain conflicting policies, the role takes precedence.

Setting up user-based access control

You must first create users and policies in the standard way. Instead of creating a role, however, you use the Access API to create a user-role, nominating the user to whom it belongs.

Note: If your users have already signed in to LUSID, an empty user role is automatically created for them. You can call the Access UpdateUserRole API to assign policies and/or policy collections.

To create a user-role in advance of a user signing in:

1. Obtain an API access token.
2. Call the Identity ListUsers API for your LUSID domain to retrieve the ID of the responsible user, for example 00ubhkabcdW3DqjVG2p.
3. Call the Access CreateUserRole API, specifying:
   • The ID of the responsible user
   • A list of policy scopes and codes (one or more)
   • Optionally, a list of policy collection scopes and codes.

For example:

The response confirms that the user-role represents a direct connection between a user and their policies: