A LUSID user is either a human being or an application or service with a requirement to sign in to and use LUSID.
Each user has their own account in your LUSID domain. There are two types of user account:
A personal user account is intended for a human being who uses the LUSID web app. This person must choose their own complex password in the process of setting up the account, set up multi-factor authentication (MFA), and should never share their credentials. All activity can be traced back to this person. We recommend deleting the account as soon as the person leaves your organisation.
A service user account is intended for an application or service that calls the LUSID API. We recommend setting up one service user account per distinct application or service so that it only has permissions to perform the operations for which it is designed, and no more. You choose a password for the service user account, there is no MFA, and activity does not identify a particular person. Instead, account credentials are used in conjunction with a client ID and client secret to obtain a time-limited API access token.
Note: It is perfectly possible to use the credentials of a personal user to write scripts or programs that call the LUSID API. Just be aware if you create an automated service that the account is tied to the email address of a human being who might leave your organisation.
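The service-account flow described above, sketched as an added example (not LUSID's own code): a cache that exchanges the four credential fields for a time-limited token and renews it shortly before expiry. The OAuth2 password grant, the `access_token`/`expires_in` response fields, the token URL and the injected `post` callable are assumptions; `make_constructed_issuer` is a constructed stand-in for the token endpoint so the block runs offline.

```python
import time
import urllib.parse

REQUIRED = ("username", "password", "client_id", "client_secret")


class ServiceTokenCache:
    """Holds one service user's token and renews it before it expires."""

    def __init__(self, token_url, creds, post, clock=time.monotonic, skew=60):
        missing = [k for k in REQUIRED if not creds.get(k)]
        if missing:
            raise ValueError("missing credential fields: " + ", ".join(missing))
        self._url = token_url
        self._creds = {k: creds[k] for k in REQUIRED}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def request_body(self):
        # Assumption: OAuth2 password grant. The page names the four inputs
        # but not the grant type or the token endpoint.
        return urllib.parse.urlencode({"grant_type": "password", **self._creds})

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            reply = self._post(self._url, self.request_body())
            self._token = reply["access_token"]
            # Renew `skew` seconds early so an in-flight call never carries
            # a token that expires on the way to the API.
            lifetime = max(0, int(reply["expires_in"]) - self._skew)
            self._expires_at = now + lifetime
        return self._token

    def __repr__(self):
        # Never expose the password, client secret or token in logs.
        return f"ServiceTokenCache(client_id={self._creds['client_id']!r})"


def make_constructed_issuer(lifetime=3600):
    """Constructed stand-in for the token endpoint; records every request."""
    calls = []

    def post(url, body):
        calls.append((url, body))
        return {"access_token": f"constructed-token-{len(calls)}",
                "expires_in": lifetime}

    return post, calls
```

In real use, `post` would be an HTTPS form POST to your domain's token endpoint, with the four values loaded from a secrets store rather than written into source.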
Both personal and service users are subject to LUSID’s access control system in the same way: each user must have at least one role, which itself must have at least one policy explicitly granting (or denying) access to a particular feature or dataset.

Without a role and a policy, a user has no access rights at all. See how to assign policies, roles and users.
User status
When you create a new user (whether personal or service), the account has a status of PROVISIONED until the user completes the setup process. The status is then set to ACTIVE and the user can perform any operation in LUSID granted by access control.
It is possible to create a temporary user by setting an account expiry date. After this date, the status is set to SUSPENDED. Note the following:
A suspended user cannot sign in to LUSID.
You can reactivate their account by changing the expiry date to a date in the future.
If you do, the status is set to ACTIVE again and the user can continue using LUSID as before, including the same password.
