How do I create a policy from a policy template?

Providing you are a LUSID user with sufficient privileges, you can generate a list of selectors from one or more policy templates. You can then create or update a policy by inputting the selectors, for example to create a new policy using two policy templates that grants a user access to read portfolios and instruments within a particular scope.

Using the Access REST API

Currently, you can generate one policy from one or more policy templates per API call.

  1. Obtain an API access token.

  2. Call the GeneratePolicyFromTemplate API for your LUSID domain, passing in your API access token and an array of policy templates to generate a policy from, with each item containing:

    • A scope value of default.

    • A policy template code.

    • Optionally, selectorTags to filter selectors by Data or Feature. For example, if a policy template contains selectors for both data and feature policies, you could specify a value of Data to only return the selectors tagged as Data.

The following example generates a policy for granting access to read portfolios and instrument data within the Finbourne-Examples scope using two different policy templates: 

curl -X POST "https://<your-domain>.lusid.com/access/api/policytemplates/$generatepolicy"
  -H "Authorization: Bearer <your-API-access-token>"
  -d "{
  "templateSelection": [
    {
      "scope": "default",
      "code": "read-portfolio-scope",
      "selectorTags": [
        "Data"
      ]
    },
    {
      "scope": "default",
      "code": "read-instrument-scope",
      "selectorTags": [
        "Data"
      ]
    }
  ]
}"

The response is as follows:

{
  "applications": [
    "LUSID"
  ],
  "templateMetadata": {
    "templateSelection": [
      {
        "scope": "default",
        "code": "read-portfolio-scope",
        "selectorTags": [
          "Data"
        ]
      },
      {
        "scope": "default",
        "code": "read-instrument-scope",
        "selectorTags": [
          "Data"
        ]
      }
    ],
    "buildAsAt": "2024-09-25T15:57:09.5794409+00:00"
  },
  "selectors": [
    {
      "idSelectorDefinition": {
        "identifier": {
          "scope": "Finbourne-Examples"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Read",
            "entity": "Portfolio"
          }
        ],
        "name": "access-Finbourne-Examples-scope",
        "description": "Allow readonly access to the Finbourne-Examples portfolio scope"
      }
    },
    {
      "idSelectorDefinition": {
        "identifier": {
          "scope": "Finbourne-Examples"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Read",
            "entity": "Instrument"
          }
        ],
        "name": "access-Finbourne-Examples-scope",
        "description": "Allow readonly access to the Finbourne-Examples portfolio scope"
      }
    }
  ]
}

Note the templateMetadata and buildAsAt fields, which you can use when creating or updating a policy to mark if a template is used and which version. You can then track if a policy created from a template is out of date.

You can now use the selectors value from the response, along with the templateMetadata, to create a policy using the CreatePolicy API:

 curl -X POST "https://<your-domain>.lusid.com/access/api/policies"
  -H "Authorization: Bearer <your-API-access-token>"
  -d "{
  "code": "read-Finbourne-Examples-scope",
  "description": "Gives read access to Finbourne-Example scope for portfolios and instruments data",
  "applications": [
    "LUSID"
  ],
  "grant": "Allow",
  "selectors": [
    {
      "idSelectorDefinition": {
        "identifier": {
          "scope": "Finbourne-Examples"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Read",
            "entity": "Portfolio"
          }
        ],
        "name": "access-Finbourne-Examples-scope",
        "description": "Allow readonly access to the Finbourne-Examples portfolio scope"
      }
    },
    {
      "idSelectorDefinition": {
        "identifier": {
          "scope": "Finbourne-Examples"
        },
        "actions": [
          {
            "scope": "default",
            "activity": "Read",
            "entity": "Instrument"
          }
        ],
        "name": "access-Finbourne-Examples-scope",
        "description": "Allow readonly access to the Finbourne-Examples portfolio scope"
      }
    }
  ],
  "when": {
    "activate": "2024-09-25T12:00:00.0000000+00:00",
    "deactivate": "2026-09-25T12:00:00.0000000+00:00"
  },
  "templateMetadata": {
    "templateSelection": [ 
      {
        "scope": "default",
        "code": "read-portfolio-scope",
        "selectorTags": [
          "Data"
        ]
      },
      {
        "scope": "default",
        "code": "read-portfolio-scope",
        "selectorTags": [
          "Data"
        ]
      }
    ] 
  } }"

Part of a successful response is as follows:

 {
  "id": {
    "scope": "default",
    "code": "read-Finbourne-Examples-scope"
  },
  "description": "Gives read access to Finbourne-Example scope for portfolios and instruments data",
  "applications": [
    "LUSID"
  ],
  "grant": "Allow",
  "selectors": [
 ...
  ],
  "when": {
    "activate": "2024-09-25T12:00:00.0000000+00:00",
    "deactivate": "2026-09-25T12:00:00.0000000+00:00"
  },
  "templateMetadata": {
    ...
    ],
    "buildAsAt": "0001-01-01T00:00:00.0000000+00:00"
  },
  "links": [
    {
      "relation": "RequestLogs",
      "href": "https://<your-domain>.lusid.com/app/insights/logs/0HN6TFMFGD1SM:0000000D",
      "description": "A link to the LUSID Insights website showing all logs related to this request",
      "method": "GET"
    }
  ]
}

Using the LUSID web app

Coming soon