FINBOURNE offers single and multi-tenant hosting options, both of which use an Okta implementation as the identity provider. By default, all evaluation LUSID accounts are hosted in a shared multi-tenant LUSID environment. To discuss setting up a single tenant LUSID environment, please contact Technical Support.
Access to client data by FINBOURNE personnel in either the single or multi-tenant model is governed by the FINBOURNE Role Access Policy, which operates on the principle of least privilege. This policy mandates that by default there is no standing access to production client data for FINBOURNE personnel, and that any break-glass access must be approved by the nominated control role and audited appropriately.
Single tenant
In the single tenant hosting option, each client has its own LUSID environment and corresponding Okta tenant. Users are imported into the FINBOURNE Okta tenant from the client source and use federated authentication against Okta using OpenID Connect.
Multi-tenant
In the multi-tenant hosting option clients share a LUSID environment (with appropriate access controls restricting access to data) and an Okta tenant. Authentication can be federated against a client provider or managed by FINBOURNE.
Please note that all data is partitioned using a client identifier to ensure there is no cross-contamination of client data within a multi-tenant LUSID environment. The client identifier is set at the client organisation level for all users, and the client has no ability to change or submit alternate identifiers as part of any request. Only authorised users at FINBOURNE (in accordance with the FINBOURNE Role Access Policy) have the ability to change client identifiers. All significant changes that may affect this partitioning are reviewed in accordance with the FINBOURNE Application Security Policy and the FINBOURNE SDLC.
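The partitioning principle above (the tenant identifier is bound to the authenticated organisation and is never taken from the request) can be illustrated with a small access-layer sketch. The following is an added example, not FINBOURNE or LUSID code; it assumes a hypothetical `Principal` populated by the authentication layer, a constructed in-memory SQLite table with a `tenant_id` column, and a request dictionary that may carry a caller-supplied tenant field.

```python
"""Illustrative tenant-scoped data access (added example, not FINBOURNE/LUSID code).

Assumptions (not from the page): an in-memory SQLite table with a tenant_id column,
a Principal whose tenant_id is set by the authentication layer from the verified
identity-provider token, and a hypothetical request dict that might contain a
caller-supplied tenant identifier.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # set by the authentication layer, never copied from request input


class TenantScopedRepository:
    """Every query is constrained by the principal's tenant; callers cannot widen it."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def list_portfolios(self, principal: Principal) -> list[str]:
        rows = self.conn.execute(
            "SELECT code FROM portfolios WHERE tenant_id = ? ORDER BY code",
            (principal.tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]

    def get_portfolio(self, principal: Principal, code: str):
        # The tenant predicate is always applied, so identical codes in different
        # tenants resolve to different rows and never leak across the boundary.
        row = self.conn.execute(
            "SELECT code, name FROM portfolios WHERE tenant_id = ? AND code = ?",
            (principal.tenant_id, code),
        ).fetchone()
        return None if row is None else {"code": row[0], "name": row[1]}


class TenantOverrideRejected(Exception):
    """Raised when a request tries to supply its own tenant identifier."""


def handle_list_request(repo: TenantScopedRepository, principal: Principal, request: dict) -> list[str]:
    """Hypothetical request handler: a tenant identifier in the request is rejected,
    not honoured, so the only tenant in play is the one bound to the principal."""
    for key in ("tenant", "tenant_id", "clientId"):
        if key in request:
            raise TenantOverrideRejected(f"request may not specify '{key}'")
    return repo.list_portfolios(principal)


def build_sample_db() -> sqlite3.Connection:
    # Constructed sample data: two tenants sharing one table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portfolios (tenant_id TEXT, code TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO portfolios VALUES (?, ?, ?)",
        [
            ("tenant-a", "EQ-1", "Equity A"),
            ("tenant-a", "FI-1", "Fixed income A"),
            ("tenant-b", "EQ-1", "Equity B"),
        ],
    )
    return conn


def demo() -> dict:
    conn = build_sample_db()
    repo = TenantScopedRepository(conn)
    alice = Principal("alice", "tenant-a")
    bob = Principal("bob", "tenant-b")
    result = {
        "alice_sees": handle_list_request(repo, alice, {}),
        "bob_sees": handle_list_request(repo, bob, {}),
        "alice_eq1": repo.get_portfolio(alice, "EQ-1"),
        "bob_eq1": repo.get_portfolio(bob, "EQ-1"),
    }
    try:
        handle_list_request(repo, alice, {"tenant": "tenant-b"})
        result["override_rejected"] = False
    except TenantOverrideRejected:
        result["override_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant predicate lives in the repository and is fed only from the authenticated principal; no code path accepts a tenant value from the request, so a mistaken or malicious identifier in a request cannot widen the query.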