A policy is a grant (or denial) of access to a particular feature or dataset within LUSID.
Each LUSID user must have at least one role, and each role must have at least one policy. For example, a user might have a policy that can be described as follows:
Grant access to list all the portfolios in a particular scope, and thus to see transactions for those portfolios that have been added after a certain date.
Or:
Deny access to see quotes from a particular market data provider for certain instruments.
A policy can be grouped in a policy collection for logical convenience, and policy collections may themselves contain policy collections. See how to assign policies, roles and users.
There are two types of policy:
- A feature policy controls access to one or more API endpoints. Note a feature policy applies even to personal users using the LUSID graphical web app, since the web app itself calls the LUSID API. See how to create a feature policy.
- A data policy controls access to one or more entity datasets, for example to all the data belonging to portfolios or to quotes, and potentially to the properties decorated onto those entities (depending on your licence). Note a data policy can further restrict access to (for example) just a specific portfolio, or to just those transactions added after a certain date. See how to create a data policy.
Note: To perform any real-world operation in LUSID, a user must have matching feature policies and data policies. This is because a data policy without an equivalent feature policy cannot perform operations, and a feature policy without an equivalent data policy yields no data.
Upon each access request, LUSID checks a user's policies in a particular order to determine whether they have sufficient permissions. Note a user may have conflicting policies:
- If the user has conflicting policies in different roles, the role with the highest precedence takes effect. See how to set role precedence.
- If a user has two policies in the same role that are identical except one allows access and the other denies it, the deny takes effect.
A default set of policies is provided with LUSID for you to adopt or adapt.