Some applications in LUSID, such as the Workflow Service and Notification Service, allow you (as a personal user) to specify the ID of a service user when setting up an automated activity, so that the activity runs on behalf of that service user on a day-to-day basis. See more information about personal and service users.
Note: If you are the LUSID domain owner, you are automatically assigned the built-in lusid-administrator role, which has all the permissions necessary to set up automated activities on behalf of service users. See how to get the necessary permissions as a standard LUSID user.
We recommend creating schedules, subscriptions, actions in workflows and other automated activity as service users for the following reasons:
It allows a personal user to set up activities on behalf of a service user without needing to gain access to that service user account to do so.
It prevents any need to migrate the schedule, subscription, task or other activity in the event the personal user account is deleted, for example if that person leaves the company.
Automatable activities have a useAsAuth (or runAsUserId in the Workflow Service) field in their API request that, when omitted, defaults to the user ID of the personal user making that request. This field can accept the ID of a valid service user instead.
For example, to use the Notification Service to subscribe to all portfolio creation events emitted by LUSID, call the CreateSubscription API with the ID of a service user in the useAsAuth field:
curl -X POST "https://<your-domain>.lusid.com/notification/api/subscriptions" \
  -H "Authorization: Bearer <your-api-access-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "id": {
      "scope": "PortfolioEvents",
      "code": "PortfolioCreatedEvent"
    },
    "displayName": "PortfolioCreatedInScope",
    "description": "Subscribe to the event fired when a portfolio is created in the Finbourne-Examples scope",
    "status": "Active",
    "matchingPattern": {
      "eventType": "PortfolioCreated",
      "filter": "Body.portfolioScope eq '\''Finbourne-Examples'\''"
    },
    "useAsAuth": "00uji4ve5haBc1Hlf2p7"
  }'
Note: You can use the ListRunnableUsers API to retrieve the IDs of valid service users in your domain.
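The following Python module is an added example (not FINBOURNE's own code or SDK) showing the two behaviours described above: a request body that omits useAsAuth runs as the personal caller, and one that names a service user should only be sent after confirming, via ListRunnableUsers, that the caller may run as that user. The HTTP transport is injected and a constructed in-memory stand-in is used so the module runs offline; the ListRunnableUsers path (/identity/api/users/runnable) and its response shape (a JSON array of user objects with an "id") are assumptions, not taken from this page.

```python
import json
from typing import Callable, Dict, Optional, Set, Tuple

# Transport signature: (method, url, json_body_or_None) -> (http_status, response_text).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, str]]

# Assumed (not stated on the page): ListRunnableUsers lives at this Identity API path
# and returns a JSON array of user objects, each carrying an "id".
RUNNABLE_USERS_PATH = "/identity/api/users/runnable"
SUBSCRIPTIONS_PATH = "/notification/api/subscriptions"  # CreateSubscription, from the page


def list_runnable_user_ids(transport: Transport, domain: str) -> Set[str]:
    """IDs of the service users the calling personal user is permitted to run activities as."""
    status, text = transport("GET", f"https://{domain}.lusid.com{RUNNABLE_USERS_PATH}", None)
    if status != 200:
        raise RuntimeError(f"ListRunnableUsers failed with HTTP {status}")
    return {user["id"] for user in json.loads(text)}


def build_subscription(scope: str, code: str, display_name: str, event_type: str,
                       filter_expr: str, use_as_auth: Optional[str] = None) -> Dict:
    """Request body for CreateSubscription. useAsAuth is only emitted when given; when
    the field is omitted the service defaults it to the calling personal user's ID."""
    body = {
        "id": {"scope": scope, "code": code},
        "displayName": display_name,
        "status": "Active",
        "matchingPattern": {"eventType": event_type, "filter": filter_expr},
    }
    if use_as_auth is not None:
        body["useAsAuth"] = use_as_auth
    return body


def create_subscription_as_service_user(transport: Transport, domain: str, body: Dict) -> Dict:
    """Preflight, then create. Refuses a body with no useAsAuth (it would silently run as
    the personal caller) and a body naming a user the caller is not allowed to run as."""
    service_user = body.get("useAsAuth")
    if not service_user:
        raise ValueError("refusing: useAsAuth not set, subscription would run as the personal user")
    if service_user not in list_runnable_user_ids(transport, domain):
        raise PermissionError(
            f"{service_user} is not runnable by this caller; grant an Identity/User/UseAsAuth "
            f"policy naming that user ID (or the service user does not exist)")
    status, text = transport("POST", f"https://{domain}.lusid.com{SUBSCRIPTIONS_PATH}", body)
    if status == 403:
        raise PermissionError("CreateSubscription returned 403: UseAsAuth policy missing or not assigned")
    if status not in (200, 201):
        raise RuntimeError(f"CreateSubscription failed with HTTP {status}: {text}")
    return json.loads(text)


# --- Constructed offline stand-in for the two LUSID endpoints (not real API responses) ---
def make_fake_transport(runnable_ids: Set[str], sent: list) -> Transport:
    def transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, str]:
        if method == "GET" and url.endswith(RUNNABLE_USERS_PATH):
            return 200, json.dumps([{"id": i, "type": "Service"} for i in runnable_ids])
        if method == "POST" and url.endswith(SUBSCRIPTIONS_PATH):
            sent.append(body)
            return 201, json.dumps(body)  # echo the body back as the "created" subscription
        return 404, ""
    return transport


def demo() -> Tuple[Dict, list]:
    sent: list = []
    transport = make_fake_transport({"00uji4ve5haBc1Hlf2p7"}, sent)
    body = build_subscription("PortfolioEvents", "PortfolioCreatedEvent", "PortfolioCreatedInScope",
                              "PortfolioCreated", "Body.portfolioScope eq 'Finbourne-Examples'",
                              use_as_auth="00uji4ve5haBc1Hlf2p7")
    return create_subscription_as_service_user(transport, "example", body), sent


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Against a real domain, replace make_fake_transport with a function that performs the HTTP call with your bearer token; the preflight turns a subscription that would otherwise quietly run with the wrong identity into an explicit error before anything is created.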
The useAsAuth/runAsUserId field is currently available for the following APIs:
Application | Field | API | Explanation
--- | --- | --- | ---
 | useAsAuth | | The service user is used to run the job.
Notification Service | useAsAuth | | The service user is used to evaluate read permissions for the event subscription before sending any notifications.
Workflow Service | runAsUserId | | The service user is used to perform the action, for example running a worker.
Setting up permissions for standard LUSID users
Users who do not hold the lusid-administrator role must be given the relevant permissions in order to specify a value for the useAsAuth/runAsUserId field. To do this:
1. Follow the steps to create a data policy via the LUSID web app as usual, selecting Identity as Application and Data as Control Scope within the Create Policy - Wizard. See how to create a data policy.
2. Under Resources, select User as Type and UseAsAuth as Actions. Note this single action controls access to both the useAsAuth and runAsUserId fields.
3. Under Identifiers - User, provide the ID of the service user you want an activity to run on behalf of. You can enter * to provide useAsAuth/runAsUserId access to all service users; prefer naming specific service users, since a wildcard lets any holder of the role run activities as every service user in the domain, with whatever permissions those service users hold. Note: Providing you have sufficient privileges, you can call the ListRunnableUsers API to retrieve the IDs of valid service users in your domain.
4. Once you have created your policy, assign it to a role as usual, and ensure the role is assigned to the personal user making the API call containing the useAsAuth/runAsUserId field.