
Some applications in LUSID, such as the Notification Service and Scheduler, allow you (as a personal user) to specify the ID of a service user when setting up an automated activity to run on behalf of that service user on a day-to-day basis. More information about personal and service users.

Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to set up automated activities on behalf of service users. See how to get the necessary permissions as a standard LUSID user.

We recommend creating schedules, subscriptions and other automated activity as service users for the following reasons:

  • It allows a personal user to set up activities on behalf of a service user without needing to gain access to that service user account to do so.
  • It prevents any need to migrate the schedule, subscription or other activity in the event the personal user account is deleted, for example if that person leaves the company.

Automatable activities have a useAsAuth field in their API request that, when omitted, defaults to the user ID of the personal user making that request. This field can accept the ID of a valid service user instead. 

For example, to use the Notification Service to subscribe to all portfolio creation events emitted by LUSID, call the CreateSubscription API with the ID of a service user in the useAsAuth field (the last field in the request body):

curl -X POST "https://<your-domain>.lusid.com/notification/api/subscriptions" \
  -H "Authorization: Bearer <your-api-access-token>" \
  -H "Content-Type: application/json" \
  -d '{
  "id": {
    "scope": "PortfolioEvents",
    "code": "PortfolioCreatedEvent"
  },
  "displayName": "PortfolioCreatedInScope",
  "description": "Subscribe to the event fired when a portfolio is created in the Finbourne-Examples scope",
  "status": "Active",
  "matchingPattern": {
    "eventType": "PortfolioCreated",
    "filter": "Body.portfolioScope eq '\''Finbourne-Examples'\''"
  },
  "useAsAuth": "00uji4ve5haBc1Hlf2p7"
}'

Note: You can use the Identity ListRunnableUsers API to retrieve the IDs of valid service users in your domain.

The useAsAuth field is currently available for the following APIs:

| Application | API | Explanation |
|---|---|---|
| Scheduler | CreateSchedule, UpdateSchedule, RunJob | The service user is used to run the job. |
| Notification Service | CreateSubscription, UpdateSubscription | The service user is used to evaluate read permissions for the event subscription before sending any notifications. |
| Workflow Service (coming soon) | | |

Setting up useAsAuth permissions for standard LUSID users 

Non-LUSID administrator users must be given the relevant permissions in order to specify a value for the useAsAuth field. To do this:

  1. Follow the steps to create a data policy via the LUSID web app as usual, selecting Identity as Application and Data as Control Scope within the Create Policy - Wizard. See how to create a data policy.
  2. Under Resources, select User as Type and UseAsAuth as Actions.
  3. Under Identifiers - User, provide the ID of the service user you want an activity to run on behalf of. You can enter * to provide useAsAuth access to all service users. Note: Providing you have sufficient privileges, you can call the ListRunnableUsers API to retrieve the IDs of valid service users in your domain.
  4. Once you have created your policy, assign it to a role as usual, and ensure the role is assigned to the personal user making the API call containing the useAsAuth field.
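
The useAsAuth default and the policy steps above can be checked before a request is sent. The following is an added example, not code from LUSID or FINBOURNE: a local pre-flight lint for request bodies. The function names are hypothetical, every ID other than the one in the curl request is constructed, and the policy check is a simplified model of the Identifiers - User setting rather than LUSID's own evaluation logic.

```python
# Added example: local pre-flight lint, not LUSID's own evaluation logic.
# Names are hypothetical; IDs other than the one from the curl request
# on this page are constructed sample values.

CALLER_ID = "00u-constructed-personal-user"
SERVICE_USER_IDS = {"00uji4ve5haBc1Hlf2p7", "00u-constructed-service-user"}


def review_use_as_auth(body, caller_id, service_user_ids, policy_user_ids):
    """Return (effective_user_id, findings) for one request body.

    service_user_ids: IDs retrieved beforehand (e.g. via ListRunnableUsers).
    policy_user_ids:  values entered under Identifiers - User in the caller's
                      UseAsAuth data policy ("*" means all service users).
    """
    findings = []
    requested = body.get("useAsAuth")
    if not requested:
        # Per the page: an omitted field defaults to the caller's user ID,
        # so the activity depends on a personal account that may be deleted.
        findings.append("useAsAuth omitted: activity is tied to the personal user")
        return caller_id, findings
    if requested not in service_user_ids:
        findings.append("useAsAuth is not a known service user ID")
    if "*" in policy_user_ids:
        findings.append("policy grants UseAsAuth on all service users (*)")
    elif requested not in policy_user_ids:
        findings.append("caller's policy does not list this service user")
    return requested, findings


def sample_subscription(use_as_auth=None):
    """Constructed request body modelled on the CreateSubscription example."""
    body = {
        "id": {"scope": "PortfolioEvents", "code": "PortfolioCreatedEvent"},
        "status": "Active",
    }
    if use_as_auth is not None:
        body["useAsAuth"] = use_as_auth
    return body


if __name__ == "__main__":
    narrow_policy = {"00uji4ve5haBc1Hlf2p7"}
    for uid in (None, "00uji4ve5haBc1Hlf2p7", "00u-constructed-service-user"):
        result = review_use_as_auth(
            sample_subscription(uid), CALLER_ID, SERVICE_USER_IDS, narrow_policy)
        print(uid, result)
```
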