Providing you are a LUSID user with sufficient privileges, you can create a policy to grant or restrict access to one or more workspaces in LUSID.
Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to perform the operations in this article.
Once created, you should assign the policy to a role.
Administrative access to workspaces
To create a policy that grants access to create, edit, and delete a workspace, and create and delete items within that workspace:
Navigate to Identity and Access > Policies and click the Create policy button.
Specify the following:
A unique Policy code
A friendly Description for the policy
Whether this policy will Allow or Deny access to the specified features and data
Go to the Data Resources tab, locate LUSID > Workspace and select Any.

Save your policy.
Assign the policy to a role.
Assign the role to the user you want to grant administrative workspace access to.
Read-only access to workspaces
To create a policy that grants read-only access to a workspace:
Navigate to Identity and Access > Policies and click the Create policy button.
Specify the following:
A unique Policy code
A friendly Description for the policy
Whether this policy should Allow or Deny access to the specified features and data
Go to the Data Resources tab and locate LUSID > Workspace.

Select the Read and ReadItem actions and specify the following for each workspace you want to control access to:
Selector: Identifier
Visibility: shared
Name: The name of the workspace
Note
It’s important you select both the Read and ReadItem actions. The Read action controls access to see the workspace, while the ReadItem action controls access to see items within the workspace, including dashboards and dashboard sets.
Save your policy.
Assign the policy to a role.
Assign the role to the user you wish to grant read-only workspace access to.
Note
Workspace permissions govern access to everything within a workspace, including the dashboards and data they display (ReadItem activity).
You may only grant ReadItem access for an entire workspace; you cannot restrict access to particular items within a workspace.
If a dashboard set references a dashboard in another workspace, users must have read access to both workspaces.
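The check below is an added example, not LUSID code or part of the original article: a simplified Python model for reviewing a role's workspace policies before assigning it, reporting each workspace where a dashboard set would not be viewable because Read or ReadItem is missing. The policy dictionaries, workspace names and function names are constructed for illustration, "read access" is assumed to mean both actions, and Deny policies are rejected rather than evaluated.

```python
# Simplified model of the workspace policies described above (not the LUSID API).
# All policy codes and workspace names below are constructed sample data.
REQUIRED_FOR_VIEWING = {"Read", "ReadItem"}

ROLE_POLICIES = [
    {"code": "ws-risk-readonly", "grant": "Allow",
     "selectors": [{"name": "risk", "actions": ["Read", "ReadItem"]}]},
    # Mistake the article warns about: Read selected without ReadItem.
    {"code": "ws-ops-see-only", "grant": "Allow",
     "selectors": [{"name": "ops", "actions": ["Read"]}]},
]

def allowed_actions(policies, workspace):
    """Union of actions that Allow policies grant on one shared workspace."""
    actions = set()
    for policy in policies:
        if policy["grant"] != "Allow":
            # Fail closed: this sketch does not model how Deny is evaluated.
            raise ValueError(f"{policy['code']}: only Allow policies are modelled")
        for selector in policy["selectors"]:
            if selector["name"] == workspace:
                actions |= set(selector["actions"])
    if "Any" in actions:  # administrative policy: every workspace action
        actions |= REQUIRED_FOR_VIEWING
    return actions

def missing_for_dashboard_set(policies, home_workspace, referenced_workspaces):
    """Return {workspace: [missing actions]} for viewing a dashboard set.

    The set's own workspace and every workspace whose dashboards it
    references must each carry both Read and ReadItem.
    """
    gaps = {}
    for workspace in {home_workspace, *referenced_workspaces}:
        missing = REQUIRED_FOR_VIEWING - allowed_actions(policies, workspace)
        if missing:
            gaps[workspace] = sorted(missing)
    return gaps

if __name__ == "__main__":
    # Dashboard set lives in "risk" and references dashboards in two others.
    for ws, missing in sorted(
            missing_for_dashboard_set(ROLE_POLICIES, "risk", ["ops", "treasury"]).items()):
        print(f"{ws}: missing {', '.join(missing)}")
```

An empty result means every workspace the dashboard set touches has both actions granted in this model; it does not replace testing with the real role in LUSID.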