Step 1: Define roles
To begin managing access in LUSID, you first need to define some Roles, which are intended to represent job functions, areas of responsibility or roles within your organisation.
Step 2: Define policies
The next step is to define a set of Policies that describe the conditions in which data and functionality can (or explicitly cannot) be accessed.
Step 3: Assign roles to users
Finally, specify which users should be assigned to which roles, and thus by extension which policies apply to those users. If none of the roles assigned to a user has a policy that permits access to a piece of data or functionality, the user will be denied access to that resource.
Like everything in LUSID, the resource access control system can be completely maintained through our APIs. We’ve also provided a web portal to make it easy to harness the full power of Policies and create the access framework appropriate for your company. The web portal also helps you manage policies, group them into collections, assign them to roles, and assign users to roles.
To demonstrate some of the capabilities and flexibility of the Policies and Roles, we’ve included some examples with every LUSID account.
Step 4: Monitoring Access
Allowing you to grant your team access to information is only part of an access control system’s responsibilities. Another key area is being able to identify who has actually accessed what data and when.
Every interaction with the access control system in LUSID is recorded, tracking not only the specific resource accessed and action performed, but also the policy and role that permitted (or blocked) the activity.
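A minimal model of the evaluation and audit trail described in Steps 1 to 4, as an added example rather than LUSID code or its API. The role, policy and user names are constructed, and the rule that an explicit deny overrides an allow is an assumption the page does not state.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str    # "allow" or "deny" (explicitly cannot)
    action: str    # e.g. "read"
    resource: str  # glob pattern over resource names

# Constructed sample data: roles carry policies, users are assigned roles.
ROLE_POLICIES = {
    "portfolio-manager": [Policy("pm-read-portfolios", "allow", "read", "portfolio/*")],
    "contractor": [Policy("no-restricted", "deny", "read", "portfolio/restricted-*")],
    "auditor": [],  # a role with no policies grants nothing
}
USER_ROLES = {
    "alice": ["portfolio-manager"],
    "bob": ["portfolio-manager", "contractor"],
    "carol": ["auditor"],
}
AUDIT_LOG = []

def check_access(user, action, resource):
    """Return True if permitted; append an audit record either way."""
    allowed_by = denied_by = None
    for role in USER_ROLES.get(user, []):
        for p in ROLE_POLICIES.get(role, []):
            if p.action == action and fnmatchcase(resource, p.resource):
                if p.effect == "deny":
                    denied_by = denied_by or (role, p.name)
                else:
                    allowed_by = allowed_by or (role, p.name)
    # Assumption: an explicit deny beats any allow; no matching policy means denied.
    decided = denied_by or allowed_by
    permitted = denied_by is None and allowed_by is not None
    AUDIT_LOG.append({
        "user": user, "action": action, "resource": resource,
        "decision": "permit" if permitted else "deny",
        "role": decided[0] if decided else None,      # role that decided
        "policy": decided[1] if decided else None,    # policy that decided
    })
    return permitted
```

Each audit record names the role and policy that permitted or blocked the request; a default deny leaves both empty, which separates "nothing granted access" from "a policy forbade it" when reviewing the log.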
Support for SAML Single Sign-On
LUSID supports user Single Sign-On over SAML 2.0, which means organisations with existing identity systems can easily and consistently assign access to LUSID as well as manage how users are authenticated. When configured, a user will log in through their existing corporate login and immediately be able to start using LUSID. Additionally, using groups from the existing identity systems means users can be automatically assigned to roles within LUSID.
SAML offers the ability to:
- Let users securely log in to LUSID without any new credentials
- Maintain authentication standards (e.g. MFA, password policies)
- Manage user access to LUSID using existing systems
- Use existing user group assignments to allocate access in LUSID
To learn more, please contact us.