Providing you are a LUSID user with sufficient privileges, you can create a data policy to restrict access to one or more entity datasets.
Note
If you are the LUSID domain owner, you are automatically assigned the built-in
lusid-administratorrole, which has all the permissions necessary to perform the operations in this article.
An entity in LUSID is a portfolio, quote or similar repository of LUSID data. Note not all entities support every access check LUSID is capable of making. Note also that a data policy requires an equivalent feature policy in order for appropriate API endpoints to be called to perform operations on that data.
When creating a data policy, note that in addition to nominating entity dataset(s) you also specify actions the user can perform:
Action | Enables the user to... |
Any | Perform all the actions below. |
List | Retrieve entity data. Note Read must also be specified for an entity if it is available. |
Read | Retrieve entity data. Note List must also be specified for an entity if it is available. |
Update | Update existing entity data. |
Add | Add new entity data. |
Upsert | Either update existing or add new entity data, depending whether it currently exists or not. |
Delete | Delete entity data. |
ReadMetadata | Retrieve access metadata specified for an entity. |
WriteMetadata | Update existing or add new metadata for an entity. |
Note
The table above does not list every available action a user can perform across all the applications in the FINBOURNE platform. The easiest way to explore all the available actions for a particular entity is through the Data Resources tab when creating a policy in the LUSID web app.
Once created, you should assign the policy to a role.
Using the LUSID web app
Sign in to the LUSID web app using the credentials of a LUSID administrator.
From the left-hand menu, select Identity and Access > Policies:
.png "image(189).png")
On the Policies dashboard, click the Create policy button.
.png "image(190).png")
Specify a unique Policy code, Policy validity dates if necessary, and select whether the policy should Allow or Deny access to the data specified:
.png "image(191).png")
Optionally, select any features you want the policy to cover.
Click Next to reach the Data Resources tab.
Add Actions to the policy. For example, to allow write access to portfolio data:
.png "image(193).png")
Choose a Selector type from the following options to nominate a data partition to restrict the policy to:
Identifier allows you to specify a Scope and Code pair to restrict the policy to. Note the * value applies the policy to every code within the specified scope.
MetadataExpression allows you to restrict the policy based on an access metadata expression. Read more.
Match all applies the policy to every scope in LUSID.
For example, to restrict the policy to just portfolios within the scope Finbourne-Examples:
.png "image(194).png")
Click Next to reach the Time Restrictions tab. Optionally, specify any time restrictions for your policy, such as taking effect on the first day of the month. Read more.
.png "image(195).png")
Click Next to reach the Advanced Options tab. Optionally, specify any conditions for your policy to apply at runtime for any given evaluation of access control permissions. You can specify:
Request header to apply the policy if the request has a specified header and value.
Identity claim to apply the policy if the user’s authentication token has a specified claim and value.
Identity scope to apply the policy if the user’s authentication token is issued in response to supplying a specified scope.
Select Done to review the policy, and Save to create the policy:
.png "image(196).png")
Using the Access API
The syntax of the JSON object you need to provide in the body of the request to the CreatePolicy API is complicated and highly specific to the nature of the policy you are trying to create.
Currently, we recommend creating the policy in the LUSID web app. Once created, you can manage the policy entirely programmatically.
If you do need to create a policy using the CreatePolicy API, you can create one policy per API call.
Call the CreatePolicy API for your LUSID domain, passing in your API access token and:
A
codethat uniquely identifies the policy.A friendly
description.The applications the data resources are within, for example
LUSID,DriveorWorkflow.Whether the policy
grantshouldAlloworDenyaccess to the specified data resources.A date from
whenthe policy shouldactivate, and optionallydeactivate.An array of
selectors, that is, data resources to control access to. If you have generated selectors from a policy template, you can use them here. Each selector should contain:One of:
idSelectorDefinitionto specify anidentifierto restrict the policy to. The shape of this parameter varies depending on the entity type; for most data resources, the identifier is ascopeandcodepair. You can specify a*value to apply the policy to all identifiers of a particular identifier type.metadataSelectorDefinitionto restrict the policy based on access metadata (AMD)expressionsfor the AMD associated with an identifier. Each expression should specify:A
metadataKey, for exampleFundGroup.An
operator, for exampleEqualsorIn.A
textValueto match on, for exampleFundGroup1.
Tip
matchAllSelectorDefinitionto apply the policy to every scope for the entity in LUSID.
An array of
actionsthe policy should allow or deny access to. Each action should specify:A
scopevalue ofdefault.The
activitythe policy should allow or deny access to (as listed in the table at the start of this article), for exampleReadorList.The
entitythe policy relates to, for examplePortfolio.
Optionally, a friendly
nameanddescriptionfor the selector.
Values
forwhen the policy should be applied, out ofasAtRangeForSpec,asAtRelative,effectiveDateHasQuality,effectiveDateRelativeandeffectiveRange.ifvalues for when the policy should be applied, out of:ifRequestHeaderExpressionto apply the policy if the request has a specified header and value.ifIdentityClaimExpressionto apply the policy if the user’s authentication token has a specified claim and value.ifIdentityScopeExpressionto apply the policy if the user’s authentication token is issued in response to supplying a specified scope.
If you used a policy template to generate the policy
selectors, specify thetemplateMetadatato track the policy when changes are made to the template used. Read more on policy templates.
Tip
You can examine the CreatePolicy API Reference documentation to see the allowed values for each option.
.png "image(321).png")
For example, to create a policy that allows full data access to portfolios within the Finbourne-Examples scope:
curl -X POST "https://<your-domain>.lusid.com/access/api/policies"
-H "Authorization: Bearer <your-API-access-token>"
-d "{
"code": "data-policy-allow-write-portfolio-data",
"description": "A policy that allows write access to portfolio data",
"applications": [ "LUSID" ],
"grant": "Allow",
"selectors": [
{
"idSelectorDefinition": {
"identifier": {
"code": "*",
"scope": "Finbourne-Examples"
},
"actions": [
{
"scope": "default",
"activity": "Read",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "Add",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "Delete",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "Update",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "List",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "Any",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "ReadMetadata",
"entity": "Portfolio"
},{
"scope": "default",
"activity": "UpdateMetadata",
"entity": "Portfolio"
}
] } } ],
"for": [
{ "effectiveDateHasQuality": {
"quality": "IsFirstDayOfAnyMonth"
} } ],
"when": {
"activate": "2024-10-15T18:00:00.0000000+00:00",
"deactivate": "2027-01-01T18:00:00.0000000+00:00"
}
}"