Some applications in LUSID, such as the Workflow Service and Notification Service, allow you (as a personal user) to specify the ID of a service user when setting up an automated activity to run on behalf of that service user on a day-to-day basis. More information about personal and service users.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to set up automated activities on behalf of service users. See how to get the necessary permissions as a standard LUSID user.

We recommend creating schedules, subscriptions, actions in workflows and other automated activity as service users for the following reasons:

  • It allows a personal user to set up activities on behalf of a service user without needing to gain access to that service user account to do so.
  • It prevents any need to migrate the schedule, subscription, task or other activity in the event the personal user account is deleted, for example if that person leaves the company.

Automatable activities have a useAsAuth (or runAsUserId in the Workflow Service) field in their API request that, when omitted, defaults to the user ID of the personal user making that request. This field can accept the ID of a valid service user instead. 

For example, to use the Notification Service to subscribe to all portfolio creation events emitted by LUSID, call the CreateSubscription API with the ID of a service user in the useAsAuth field (highlighted in red):

curl -X POST "https://<your-domain>" 
  -H "Authorization: Bearer <your-api-access-token>"
  -d '{
  "id": {
    "scope": "PortfolioEvents",
    "code": "PortfolioCreatedEvent"
  "displayName": "PortfolioCreatedInScope",
  "description": "Subscribe to the event fired when a portfolio is created in the Finbourne-Examples scope",
  "status": "Active",
  "matchingPattern": {
    "eventType": "PortfolioCreated",
    "filter": "Body.portfolioScope eq 'Finbourne-Examples'"
  "useAsAuth": "00uji4ve5haBc1Hlf2p7"

Note: You can use the Identity ListRunnableUsers API to retrieve the IDs of valid service users in your domain.

The useAsAuth/runAsUserId field is currently available for the following APIs:

The service user is used to run the job.
Notification ServiceCreateSubscription
The service user is used to evaluate read permissions for the event subscription before sending any notifications.
Workflow ServicerunAsUserIdCreateTaskDefinition
The service user is used to perform the action, for example running a worker.

Setting up useAsAuth/runAsUserId permissions for standard LUSID users 

Non-LUSID administrator users must be given the relevant permissions in order to specify a value for the useAsAuth/runAsUserId field. To do this:

  1. Follow the steps to create a data policy via the LUSID web app as usual, selecting Identity as Application and Data as Control Scope within the Create Policy - Wizard. See how to create a data policy.
  2. Under Resources, select User as Type and UseAsAuth as Actions. Note this action controls access to both the useAsAuth and runAsUserId fields.
  3. Under Identifiers - User, provide the ID of the service user you want an activity to run on behalf of. You can enter * to provide useAsAuth/runAsUserId access to all service users. Note: Providing you have sufficient privileges, you can call the ListRunnableUsers API to retrieve the IDs of valid service users in your domain.
  4. Once you have created your policy, assign it to a role as usual, and ensure the role is assigned to the personal user making the API call containing the useAsAuth/runAsUserId field.