When you set up access control for Scheduler, you must give each user at least one feature policy and one data policy:

  • A feature policy controls access to Scheduler API endpoints. This is irrespective of whether a user ultimately interacts with Scheduler via the LUSID web app or by calling the API directly (since the web app itself calls the API).
  • A data policy controls access to information about jobs, images and schedules returned by API endpoints.

To perform any real-world operation in Scheduler, a user must be assigned both types of policy. This is because a feature policy without a corresponding data policy yields no data, and a data policy without a corresponding feature policy cannot perform operations.

Data policies

The following table summarises data resources you can include in a data policy for Scheduler:

| Resource type | Component(s) of identifier | Available actions |
|---|---|---|
| Repository | repository | Read |
| Image | repository, tag | Read, Delete, Download, Use |
| Job | scope, code | Read, Create, Update, Delete, Run, GetAllJobHistory |
| Schedule | scope, code | Read, Create, Update, Delete, OverwriteTrigger, GetHistory, Enable |

Feature policies

The following table lists API endpoints you can include in a feature policy for Scheduler. Each API endpoint makes particular data resource entitlement checks; to return data, the corresponding data policy must include the specified data resources:

| API endpoint | Data resource check: resource type required in data policy | Data resource check: action required in data policy | Notes |
|---|---|---|---|
| UploadImage | N/A | N/A | This endpoint does not interact with Scheduler but rather with Docker CLI. |
| ListRepositories | Repository | Read | |
| ListImages | Repository | Read | |
| | Image | Read | |
| DeleteImage | Image | Delete | You cannot delete an image using the Docker CLI; you must use this endpoint. |
| GetImage | Image | Read | |
| DownloadImage | Image | Download | |
| ListJobs | Job | Read | |
| CreateJob | Job | Create | |
| | Image | Read | |
| GetHistory, GetRunHistory, GetJobConsoleOutput | Job | GetAllJobHistory | You can allow an admin user to see history and results for a job even if they are not the user who originally executed the job. To do this, give that admin user these permissions. |
| | Schedule | GetHistory | |
| UpdateJob | Job | Update | |
| | Image | Read | |
| DeleteJob | Job | Delete | |
| RunJob | Job | Run | |
| | Image | Use | |
| GetSchedulesForAJob | Job | Read | |
| | Schedule | Read | |
| ListSchedules | Schedule | Read | |
| CreateSchedule | Schedule | Create | |
| | Job | Read | |
| | Image | Use | |
| GetSchedule | Schedule | Read | |
| UpdateSchedule | Schedule | Read | |
| | Schedule | Update | |
| | Job | Read | |
| DeleteSchedule | Schedule | Read | |
| | Schedule | Delete | |
| RunSchedule | Schedule | Read | |
| | Schedule | OverwriteTrigger | |
| | Job | Read | |
| | Image | Use | |
| EnabledSchedule | Schedule | Read | |
| | Schedule | Enable | |
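
The following is an added example, not part of the LUSID documentation or SDK: a small audit that takes the endpoints a user's feature policies allow and the (resource type, action) pairs their data policies grant, then reports endpoints that would return no data and data grants that no permitted endpoint uses. It assumes a simplified model in which grants are matched on resource type and action only (identifier components such as scope and code are ignored); `audit`, `REQUIRED`, `FEATURES` and `GRANTS` are hypothetical names.

```python
# Added example: a simplified model, not LUSID's policy format or API.
# Data checks per endpoint, transcribed from the feature policy table above.
# UploadImage (N/A) and the grouped history endpoints are left out.
REQUIRED = {
    "ListRepositories": {("Repository", "Read")},
    "ListImages": {("Repository", "Read"), ("Image", "Read")},
    "DeleteImage": {("Image", "Delete")},
    "GetImage": {("Image", "Read")},
    "DownloadImage": {("Image", "Download")},
    "ListJobs": {("Job", "Read")},
    "CreateJob": {("Job", "Create"), ("Image", "Read")},
    "UpdateJob": {("Job", "Update"), ("Image", "Read")},
    "DeleteJob": {("Job", "Delete")},
    "RunJob": {("Job", "Run"), ("Image", "Use")},
    "GetSchedulesForAJob": {("Job", "Read"), ("Schedule", "Read")},
    "ListSchedules": {("Schedule", "Read")},
    "CreateSchedule": {("Schedule", "Create"), ("Job", "Read"), ("Image", "Use")},
    "GetSchedule": {("Schedule", "Read")},
    "UpdateSchedule": {("Schedule", "Read"), ("Schedule", "Update"), ("Job", "Read")},
    "DeleteSchedule": {("Schedule", "Read"), ("Schedule", "Delete")},
    "RunSchedule": {("Schedule", "Read"), ("Schedule", "OverwriteTrigger"),
                    ("Job", "Read"), ("Image", "Use")},
    "EnabledSchedule": {("Schedule", "Read"), ("Schedule", "Enable")},
}

def audit(feature_endpoints, data_grants):
    """Return (usable endpoints, endpoint -> missing checks, unused data grants)."""
    usable, no_data, checked = [], {}, set()
    for ep in sorted(feature_endpoints):
        if ep not in REQUIRED:
            raise ValueError(f"endpoint not in table: {ep}")
        checked |= REQUIRED[ep]
        missing = REQUIRED[ep] - data_grants
        if missing:
            no_data[ep] = sorted(missing)  # feature allowed, data check fails
        else:
            usable.append(ep)
    # Grants that none of the permitted endpoints ever checks.
    return usable, no_data, sorted(data_grants - checked)

# Constructed sample user: allowed to list and run jobs and to list schedules.
FEATURES = {"ListJobs", "RunJob", "ListSchedules"}
GRANTS = {("Job", "Read"), ("Job", "Run"),
          ("Schedule", "Read"), ("Schedule", "Delete")}

if __name__ == "__main__":
    for label, value in zip(("usable", "no data", "unused"), audit(FEATURES, GRANTS)):
        print(f"{label}: {value}")
```

For the sample user, RunJob is flagged because the Image Use check is not granted, and the Schedule Delete grant is flagged because no permitted endpoint checks it.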