Access control for Scheduler resources

When you set up access control for Scheduler, you must give each user at least one feature policy and one data policy:

  • A feature policy controls access to Scheduler API endpoints. This applies whether a user interacts with Scheduler via the LUSID web app or by calling the API directly, since the web app itself calls the API.

  • A data policy controls access to information about jobs, images and schedules returned by API endpoints.

To perform any real-world operation in Scheduler, a user must be assigned both types of policy: a feature policy without a corresponding data policy lets the user call an endpoint but yields no data, and a data policy without a corresponding feature policy entitles the user to data they cannot reach through any endpoint.

Data policies

The following table summarises data resources you can include in a data policy for Scheduler:

Resource type | Component(s) of identifier | Available actions
Repository    | repository                 | Read
Image         | repository, tag            | Read, Delete, Download, Use
Job           | scope, code                | Read, Create, Update, Delete, Run, GetAllJobHistory
Schedule      | scope, code                | Read, Create, Update, Delete, OverwriteTrigger, GetHistory, Enable

Feature policies

The following table lists the API endpoints you can include in a feature policy for Scheduler. Each endpoint makes particular data resource entitlement checks; for the call to return data, the user's data policy must grant every resource type and action listed for that endpoint:

API endpoint                                       | Data resource checks (resource type: action required in data policy)                     | Notes
UploadImage                                        | N/A                                                                                      | Image upload is performed with the Docker CLI rather than through a Scheduler endpoint, so no Scheduler data check applies.
ListRepositories                                   | Repository: Read                                                                         |
ListImages                                         | Repository: Read; Image: Read                                                            |
DeleteImage                                        | Image: Delete                                                                            | You cannot delete an image using the Docker CLI; you must use this endpoint.
GetImage                                           | Image: Read                                                                              |
DownloadImage                                      | Image: Download                                                                          |
ListJobs                                           | Job: Read                                                                                |
CreateJob                                          | Job: Create; Image: Read                                                                 |
GetHistory, GetRunHistory, GetJobConsoleOutput     | Job: GetAllJobHistory; Schedule: GetHistory                                              | Grant these actions to an admin user who needs to see history and results for jobs they did not run themselves.
UpdateJob                                          | Job: Update; Image: Read                                                                 |
DeleteJob                                          | Job: Delete                                                                              |
RunJob                                             | Job: Run; Image: Use                                                                     |
GetSchedulesForAJob                                | Job: Read; Schedule: Read                                                                |
ListSchedules                                      | Schedule: Read                                                                           |
CreateSchedule                                     | Schedule: Create; Job: Read; Image: Use                                                  |
GetSchedule                                        | Schedule: Read                                                                           |
UpdateSchedule                                     | Schedule: Read; Schedule: Update; Job: Read                                              |
DeleteSchedule                                     | Schedule: Read; Schedule: Delete                                                         |
RunSchedule                                        | Schedule: Read; Schedule: OverwriteTrigger; Job: Read; Image: Use                        |
EnabledSchedule                                    | Schedule: Read; Schedule: Enable                                                         |
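The two rules above (a user needs both a feature policy and a data policy, and each endpoint checks the specific resource types and actions in the table) can be modelled offline to answer "which grant is this user missing for this call?" before touching a live policy. The following is an added example, not FINBOURNE code or the LUSID Access API: the `User`, `DataGrant` and `check` names, the sample principals and the scope/code/repository values are constructed for illustration, and the endpoint checks are transcribed from the feature policy table on this page. Identifier components in a grant accept `*` as a wildcard, matching the pattern-style identifiers the data policy table implies.

```python
"""Offline model of the Scheduler entitlement checks described on this page.

Added, hypothetical example: not FINBOURNE's implementation. Policy objects
below are constructed for illustration; real LUSID policies are created via
the Access API and are structured differently.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Identifier components per resource type, from the data-policy table.
IDENTIFIER_COMPONENTS = {
    "Repository": ("repository",),
    "Image": ("repository", "tag"),
    "Job": ("scope", "code"),
    "Schedule": ("scope", "code"),
}

# Data-resource checks each endpoint makes, transcribed from the feature-policy
# table. UploadImage is omitted: it goes through the Docker CLI, not Scheduler.
ENDPOINT_CHECKS = {
    "ListRepositories": [("Repository", "Read")],
    "ListImages": [("Repository", "Read"), ("Image", "Read")],
    "DeleteImage": [("Image", "Delete")],
    "GetImage": [("Image", "Read")],
    "DownloadImage": [("Image", "Download")],
    "ListJobs": [("Job", "Read")],
    "CreateJob": [("Job", "Create"), ("Image", "Read")],
    "GetHistory": [("Job", "GetAllJobHistory"), ("Schedule", "GetHistory")],
    "GetRunHistory": [("Job", "GetAllJobHistory"), ("Schedule", "GetHistory")],
    "GetJobConsoleOutput": [("Job", "GetAllJobHistory"), ("Schedule", "GetHistory")],
    "UpdateJob": [("Job", "Update"), ("Image", "Read")],
    "DeleteJob": [("Job", "Delete")],
    "RunJob": [("Job", "Run"), ("Image", "Use")],
    "GetSchedulesForAJob": [("Job", "Read"), ("Schedule", "Read")],
    "ListSchedules": [("Schedule", "Read")],
    "CreateSchedule": [("Schedule", "Create"), ("Job", "Read"), ("Image", "Use")],
    "GetSchedule": [("Schedule", "Read")],
    "UpdateSchedule": [("Schedule", "Read"), ("Schedule", "Update"), ("Job", "Read")],
    "DeleteSchedule": [("Schedule", "Read"), ("Schedule", "Delete")],
    "RunSchedule": [("Schedule", "Read"), ("Schedule", "OverwriteTrigger"),
                    ("Job", "Read"), ("Image", "Use")],
    "EnabledSchedule": [("Schedule", "Read"), ("Schedule", "Enable")],
}


@dataclass
class DataGrant:
    """One entry of a data policy: actions allowed on resources whose
    identifier components match the patterns ('*' is a wildcard)."""
    resource_type: str
    identifier: dict
    actions: frozenset

    def matches(self, resource_type, identifier):
        if resource_type != self.resource_type:
            return False
        return all(
            fnmatchcase(str(identifier.get(c, "")), self.identifier.get(c, "*"))
            for c in IDENTIFIER_COMPONENTS[resource_type]
        )


@dataclass
class User:
    name: str
    feature_policy: frozenset = frozenset()  # endpoints the user may call
    data_policy: tuple = ()                  # DataGrant objects


def check(user, endpoint, resources):
    """Evaluate one call. `resources` maps resource type -> identifier dict of
    the resource the call touches. Returns (allowed, missing), where `missing`
    names each feature or data entitlement the user lacks."""
    if endpoint not in ENDPOINT_CHECKS:
        raise ValueError(f"unknown Scheduler endpoint {endpoint!r}")
    missing = []
    if endpoint not in user.feature_policy:
        missing.append(f"feature policy: {endpoint}")
    for rtype, action in ENDPOINT_CHECKS[endpoint]:
        ident = resources.get(rtype)
        if ident is None:
            raise ValueError(f"{endpoint} needs a {rtype} identifier")
        if not any(g.matches(rtype, ident) and action in g.actions
                   for g in user.data_policy):
            missing.append(f"data policy: {rtype} {action} on {ident}")
    return (not missing, missing)


def required_actions(endpoints):
    """Minimal data-policy actions per resource type for a set of endpoints;
    a starting point when authoring a least-privilege data policy for a role."""
    needed = {}
    for ep in endpoints:
        for rtype, action in ENDPOINT_CHECKS[ep]:
            needed.setdefault(rtype, set()).add(action)
    return needed


# Constructed sample principals and resources (hypothetical values).
OPERATOR = User("ops-runner",
                feature_policy=frozenset({"ListJobs", "RunJob", "GetHistory"}),
                data_policy=(
                    DataGrant("Job", {"scope": "finance", "code": "*"}, frozenset({"Read", "Run"})),
                    DataGrant("Image", {"repository": "acme/eod-report", "tag": "*"}, frozenset({"Use"})),
                ))
FEATURE_ONLY = User("feature-only", feature_policy=frozenset(ENDPOINT_CHECKS))
DATA_ONLY = User("data-only", data_policy=(
    DataGrant("Job", {"scope": "*", "code": "*"}, frozenset({"Read", "Run"})),
    DataGrant("Image", {"repository": "*", "tag": "*"}, frozenset({"Use"})),
))
EOD_RUN = {"Job": {"scope": "finance", "code": "eod-report"},
           "Image": {"repository": "acme/eod-report", "tag": "1.4.2"}}

if __name__ == "__main__":
    for user in (OPERATOR, FEATURE_ONLY, DATA_ONLY):
        print(user.name, "RunJob ->", check(user, "RunJob", EOD_RUN))
    print("least-privilege grants for ListJobs+RunJob:", required_actions(["ListJobs", "RunJob"]))
```

Running the block shows the asymmetry the page describes: the feature-only user fails on the data checks, the data-only user fails only on the feature check, and the operator passes RunJob in the finance scope but is refused GetHistory until granted Job GetAllJobHistory and Schedule GetHistory.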