
LUSID has a powerful role-based access control system that permits restriction at a granular level. This system allows administrators to create precise access models for their organisation, and track how it is used through fine-grained logging.

LUSID’s access control system supports users having multiple roles, explicit deny policies and administrator-defined role priority. This allows organisations to easily grant access to clients or organisational units, while also enforcing company-wide restrictions.

Access to both data (e.g. portfolios) and features (e.g. API endpoints) can be restricted by operation (e.g. read/write) and time (e.g. effective date range).

Roles, including those of administrators, can be tailored to specific requirements, using either custom access policies, or by composing useful standard system policies.

All requests to LUSID must be accompanied by a tamper-evident access token: any modification of the token is detectable, so the system can trust the roles it carries. The token identifies which roles the user currently holds, and that list of roles is used to look up the access control policies to apply when fulfilling the request. Every meaningful check made by the access control system during the request writes an access log entry, which is available (to suitably authorised users) through the Insights application.

Note that the creation of roles and policy assignment on a day-to-day basis is controlled by user(s) who have the appropriate IAM Administrator role. This role ultimately controls who in your organisation has access to features and data within LUSID, and therefore the grant of this role should be carefully controlled.

The three key concepts are roles, policies and users.

Step 1: Define roles

Define roles to represent job functions, areas of responsibility or organisational units within your organisation.

Step 2: Define policies

Define a set of policies describing the conditions in which data and functionality can (or explicitly cannot) be accessed.

Step 3: Assign roles to users

Assign roles to users, which by extension determines which policies apply to each user. Access is granted only when a policy on one of the user's roles permits it: if none of the roles assigned to a user carry a policy permitting access to a piece of data or functionality, the request is denied (deny by default).

Like everything in LUSID, the resource access control system can be maintained entirely through our APIs. We have also provided a web portal that makes it easy to harness the full power of policies and build the access framework appropriate for your company: it lets you manage policies, group them into collections, assign policies to roles, and assign users to roles.

To demonstrate some of the capabilities and flexibility of the Policies and Roles, we’ve included some examples with every LUSID account.

Step 4: Monitor access

Allowing you to grant your team access to information is only part of an access control system’s responsibilities. Another key area is being able to identify who has actually accessed what data and when.

Every interaction with the access control system in LUSID is recorded, tracking not only the specific resource accessed and action performed, but also the policy and role that permitted (or blocked) the activity.
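As an added illustration of Steps 1 to 4 (this is not LUSID's own code or API), the following Python models a role-based evaluator with the properties described above: a user holding multiple roles, policies that allow or explicitly deny an operation on a resource, an optional effective date range on a policy, an administrator-defined role priority, deny by default when nothing matches, and an audit entry per check recording which role and policy decided. The precedence rule is an assumption made for the example, since this page does not state LUSID's actual rule: roles are tried from highest priority (lowest number) to lowest, the first role with a matching policy decides, and within that role a deny beats an allow. Role, policy and resource names, and the user "alice", are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import List, Optional

# Added illustration, not LUSID code. Assumed evaluation order: the user's
# roles are tried from highest priority (lowest number) to lowest; the first
# role holding a policy that matches the request decides, and within that
# role an explicit deny beats an allow. A request matched by no policy is
# denied (default deny). All names below are invented sample data.


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                 # "allow" or "deny"
    actions: frozenset          # operations, e.g. {"read", "write"}
    resource: str               # glob over a resource path, e.g. "portfolios/Fund-A/*"
    effective_from: Optional[date] = None   # optional effective date range
    effective_to: Optional[date] = None

    def matches(self, action: str, resource: str, effective_at: date) -> bool:
        if action not in self.actions or not fnmatchcase(resource, self.resource):
            return False
        if self.effective_from is not None and effective_at < self.effective_from:
            return False
        if self.effective_to is not None and effective_at > self.effective_to:
            return False
        return True


@dataclass(frozen=True)
class Role:
    name: str
    priority: int               # lower number wins (assumption)
    policies: tuple


@dataclass(frozen=True)
class Decision:
    allowed: bool
    role: Optional[str]         # role whose policy decided; None for default deny
    policy: Optional[str]


AUDIT_LOG: List[dict] = []      # one entry per check, as Step 4 describes


def evaluate(user: str, roles: List[Role], action: str, resource: str,
             effective_at: date) -> Decision:
    """Decide whether `user`, holding `roles`, may perform `action` on `resource`."""
    decision = Decision(False, None, None)          # default deny
    for role in sorted(roles, key=lambda r: r.priority):
        hits = [p for p in role.policies if p.matches(action, resource, effective_at)]
        if not hits:
            continue
        # within the deciding role an explicit deny beats any allow
        chosen = next((p for p in hits if p.effect == "deny"), hits[0])
        decision = Decision(chosen.effect == "allow", role.name, chosen.name)
        break
    AUDIT_LOG.append({"user": user, "action": action, "resource": resource,
                      "effective_at": effective_at.isoformat(),
                      "allowed": decision.allowed, "role": decision.role,
                      "policy": decision.policy})
    return decision


# Constructed sample data: a company-wide restriction that outranks a
# business-unit grant, so the unit's write access is blocked during the freeze.
COMPANY_RESTRICTIONS = Role("company-restrictions", priority=0, policies=(
    Policy("year-end-freeze", "deny", frozenset({"write"}), "portfolios/*",
           effective_from=date(2024, 12, 20), effective_to=date(2025, 1, 10)),
))
FUND_A_ANALYST = Role("fund-a-analyst", priority=10, policies=(
    Policy("fund-a-read-write", "allow", frozenset({"read", "write"}),
           "portfolios/Fund-A/*"),
))
ALICE_ROLES = [FUND_A_ANALYST, COMPANY_RESTRICTIONS]


def demo() -> List[Decision]:
    return [
        # inside Fund-A, outside the freeze: allowed by the analyst role
        evaluate("alice", ALICE_ROLES, "write", "portfolios/Fund-A/Equities", date(2024, 11, 1)),
        # same request during the freeze: the higher-priority deny wins
        evaluate("alice", ALICE_ROLES, "write", "portfolios/Fund-A/Equities", date(2024, 12, 31)),
        # reads are untouched by the freeze
        evaluate("alice", ALICE_ROLES, "read", "portfolios/Fund-A/Equities", date(2024, 12, 31)),
        # another fund: nothing matches, so default deny with no role or policy recorded
        evaluate("alice", ALICE_ROLES, "read", "portfolios/Fund-B/Credit", date(2024, 11, 1)),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries are the part a practitioner should care about: a denied request records whether it was blocked by a specific policy (here "year-end-freeze" on the "company-restrictions" role) or fell through to default deny, which is the difference between "policy working as intended" and "user is missing a role". When reading real access logs, treat a steady stream of default-deny entries for one user as a provisioning gap and an explicit-deny entry as a control firing.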

Support for SAML Single Sign-On

LUSID supports user Single Sign-On over SAML 2.0, which means organisations with existing identity systems can assign access to LUSID consistently and keep control of how users are authenticated. Once configured, a user logs in through their existing corporate login and can immediately start using LUSID. Additionally, using groups from the existing identity system means users can be automatically assigned to roles within LUSID.

SAML offers the ability to:

  • Let users log in to LUSID securely without any new credentials
  • Maintain your existing authentication standards (e.g. MFA, password policies)
  • Manage user access to LUSID using existing systems
  • Use existing user group assignments to allocate access in LUSID

To learn more, please contact us.