Provided you are a LUSID user with sufficient privileges, you can set up a new account for a service user. Note that every user automatically gets a unique ID.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.

We recommend setting up one service user account for each distinct application or service that needs to call the LUSID API. This is because the service user owning that application or service should only have roles granting permissions to perform the operations for which it is designed, and no more.

Using the LUSID web app 

  1. Sign in to the LUSID web app using the credentials of a LUSID administrator.
  2. From the left-hand menu, select Identity and access > Users.
  3. On the Users dashboard, click the Create user button.
  4. Specify an Account type of Service, enter a valid Email address for a service owner (this person must be available to complete the sign up process; it could be your email address, for example), specify a Login user name (this must look like an email address but no email will be sent to it) and optionally assign a role using the Add roles button (you can also do this later).
  5. Click the Save button to send an email to complete the sign up process.

Using the Identity API

  1. Obtain an API access token.
  2. Call the Identity POST /api/users API endpoint for your LUSID domain, passing in your API access token and specifying account characteristics. Note emailAddress must be a valid email address that is unique within your LUSID domain; login must look like an email address but no email will be sent to it. For example:
    curl -X POST "https://<your-domain>.lusid.com/identity/api/users" \
       -H "Authorization: Bearer <your-access-token>" \
       -H "Content-Type: application/json" \
       -d '{"emailAddress":"john.doe@acme.com","firstName":"instrument-upload-service@acme.com","lastName":"--","login":"instrument-upload-service@acme.com","roles":[],"type":"Service"}'
    The response contains an automatically-generated id that uniquely identifies the user:
    {
       "id": "00ubs35svrtj69tei2p7",
       "emailAddress": "john.doe@acme.com",
       "login": "instrument-upload-service@acme.com",
       "firstName": "instrument-upload-service@acme.com",
       "lastName": "--",
       "roles": [],
       "type": "Service",
       "status": "PROVISIONED",
       "external": false,
       ...
    }
    An email is automatically sent to emailAddress to complete the sign up process.

Completing the sign up process 

The service owner must complete the sign up process by clicking the link in the email. If they don’t receive the email, you can send it again. This person must specify a LUSID password that conforms to the following specification: 

  • At least 12 characters
  • A lowercase letter
  • An uppercase letter
  • A number
  • A symbol
  • No parts of the username.

The password does not expire and there is no multi-factor authentication (MFA).
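
The following added example (not part of the LUSID documentation) checks a candidate password against the specification above and generates a random one that passes, which suits a credential that is stored by an application rather than typed by a person. The symbol set and the reading of "parts of the username" as delimiter-separated tokens of three or more characters are assumptions.

```python
import re
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"  # constructed symbol set (assumption); adjust to your tooling
MIN_LENGTH = 12            # from the specification above


def username_parts(login, min_len=3):
    """Split a login on non-alphanumerics. Assumption: a 'part' is any
    resulting token of at least min_len characters."""
    return [p.lower() for p in re.split(r"[^A-Za-z0-9]+", login) if len(p) >= min_len]


def policy_violations(password, login):
    """Return the rules from the specification that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 12 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(part in lowered for part in username_parts(login)):
        problems.append("contains part of the username")
    return problems


def generate_password(login, length=32):
    """Draw random candidates from a CSPRNG until one satisfies every rule."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 12")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, login):
            return candidate


if __name__ == "__main__":
    login = "instrument-upload-service@acme.com"  # login from the example above
    print(policy_violations("Instrument-Upload-2024", login))
    print(generate_password(login))
```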