How do I use the file manager?

This article describes features of the file manager, and how to set up policies to ensure files are appropriately permissioned.

The file manager is a way for users to store and share files with other users on the same domain. Access to the file manager and its contents is controlled by LUSID's identity access management system, and users need to be assigned the appropriate roles and policies before they can perform any operations in the file manager. In this article we will cover the following:

Accessing the file manager

By default, the file manager is not available on all client accounts. To request access to this feature please contact us at support@finbourne.com.

Once the appropriate licence has been granted to your respective client domain, a user with the "LUSID administrator" role will need to create a policy to make this accessible via the web application. 

Creating a policy for the web application

Please go to Identity access management (IAM) on the LUSID web application.

Once you are in the IAM module, navigate to the "Policies" tab and click on the "Create policy" icon.

Once the "Create policy" wizard has opened, please select the "JSON" option. 

In the JSON editor, please copy the contents of the file manager policy, which can be found below (or at this link).

{
    "description": "Policy to allow viewing Drive (Files)",
    "applications": [
        "Website"
    ],
    "grant": "Allow",
    "selectors": [
        {
            "metadataSelectorDefinition": null,
            "idSelectorDefinition": {
                "identifier": {
                    "code": "drive",
                    "scope": "data-management"
                },
                "actions": [
                    {
                        "scope": "default",
                        "activity": "view",
                        "entity": "data-management"
                    }
                ],
                "name": null,
                "description": null
            },
            "matchAllSelectorDefinition": null,
            "policySelectorDefinition": null
        }
    ],
    "for": null,
    "if": null,
    "when": {
        "activate": "2020-07-15T22:00:00+00:00",
        "deactivate": "9999-12-31T23:59:59.9999999+00:00"
    },
    "how": null
}

Once the contents are copied you can name the policy with a code of your choice (e.g. Drive viewer) and set a description for this policy.

After setting up the file manager policy, you can attach this to an existing role, or create and attach this to a new role. Roles can then be granted to users within your LUSID domain as described in this article.

When setup is complete, the file manager can be accessed by clicking on "Files" under the "Data Management" section of the LUSID web application.

File manager capabilities

The file manager can be used to upload / download files up to a maximum size of 500 MB. Users can upload files or create folders under the parent directory by using the corresponding actions in the top menu bar.

A user can perform other actions on files and folders by clicking on the ellipsis:

  • Creating folders: Create a folder under a non-root directory. A user can only create folders where the user has write permissions on the parent folder.
  • Uploading files: Upload a file under a non-root directory. A user must have write permissions to upload files to a folder.
  • Download file: Download a file (downloading folders is currently not supported). A user must be granted explicit read access on the file to download it.
  • List contents of folder: View the contents of a folder by clicking on the arrow next to the folder. Please note that if the folder (e.g. Test) is empty then the arrow will face downward but no contents will be shown. To view the contents of the folder a user needs to have been granted list access.

  • Renaming files / folders: Rename a file or folder. Please note that the names of files and folders are only considered metadata on the corresponding object. A user needs write permission to rename a file or folder.
  • Deleting File/Folder: Delete a file or folder. To delete a file/folder a user needs to be granted explicit delete permissions (this is different from the write permissions).
  • Moving File: Move a single file or batch of files from a source folder to a destination folder (please note moving folders is currently not supported in LUSID). To move a file from a source folder to a destination folder a user needs write access on both the source folder and the destination folder.
  • Share files: Files can be shared with users within the same domain with the appropriate roles and policies. Clicking the copy link action will copy a URL to your clipboard which you can then send via email or any other communication channel. 

File and folder naming convention

Names of files and folders in the file manager should:

  • Contain only alphanumeric, dash ('-') or underscore ('_') characters
  • Be between 1 and 50 characters long.

Setting up file manager permissions

Access to the file manager and its contents is governed by LUSID's role and policy based identity access management system. 

List of file manager operations

By default, users with the LUSID administrator role will have full permissions and can perform any operation on a file / folder including:

Files

  • Write - Ability to upload a specific file, rename, change location
  • Read - Ability to download file
  • Delete - Ability to delete a file
  • List - Ability to list a file in a folder i.e. list under parent folder

Folders

  • Read - Access a folder and view files and folders underneath it
  • Delete - Ability to delete a folder
  • Write - Ability to upload files and create subfolder under a folder
  • List - Ability to view the folder in a list i.e. under parent folder

Controlling access to the file manager

You can set up roles and policies to grant users only a subset of these operations using the policy wizard. Policies can be used to restrict or grant access to both data (e.g. files and folders) and features (e.g. read and write).

Managing data access

  • Step 1: Select the "Drive" application in the policy wizard, with the control scope "Data". 

  • Step 2: Enter the code and description for the policy as desired

  • Step 3: Set the policy to restrict all resources, or define it at a per folder / file level. Click here to learn more about how to set permissions at the folder / file level.

  • Step 4: Once the policy is created, you can assign the policy to relevant roles and respective users as explained here.

Managing feature access

  • Step 1: Select the "Drive" application in the policy wizard, with the control scope "Features". 

  • Step 2: Enter the code and description for the policy as desired

  • Step 3: Add features that you would like to control access to. You can do this by dragging and dropping the features from the list before clicking "Add".

  • Step 4: Once all features are added, click "Next" to set up the policy. We currently recommend adding all features to the allow policy.

Once both the "Data" policy and "Feature" policy have been set up, it is recommended to create a policy collection so that it is easier to assign a policy collection (covering both policies) to the desired role.

Setting up policies for a specific file / folder

Please follow these steps to define which operations a user can perform at a file / folder level.

  • Step 1: Choose the "Selected resource types"

  • Step 2: Define the parameters that will be used to identify the files to which the policy applies. The IAM system supports wildcard matching, with the following patterns:
    • * - Match all
    • *.txt - Match files with extension txt
    • secret* - Match files that start with secret
  • Step 3: In this step you define the parameter that identifies the folder the policy should match. LUSID IAM supports wildcard matching, so the following options are supported:
    • * - Match all
    • /* - Match root folder and anything under it
    • /Marketing - Match marketing folder under root
    • /Operation* - Match all folders under folder Operation that is created on the root

  • Step 4: Once the policy is created, an administrator can attach this to a role, which can then be assigned to users as described in this article.

To create more complex policies, please contact us and one of our specialists would be happy to help.
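
A local model of the operation and wildcard rules above, added here as an example (it is not LUSID code and not part of the original article): it lets an administrator check what a planned set of file and folder grants would allow before creating the policies. The `Grant` class, the helper names and the sample role are hypothetical, and Python's `fnmatchcase` stands in for LUSID's wildcard matcher, whose exact semantics (case sensitivity, characters other than `*`) are assumed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One planned Allow policy (hypothetical model, not a LUSID type)."""
    folder: str           # folder pattern, e.g. "/Marketing" or "/Operation*"
    file: Optional[str]   # file-name pattern, e.g. "*.txt"; None = folder grant
    ops: frozenset        # subset of {"read", "write", "delete", "list"}

def folder_allows(grants, op, folder):
    # Assumption: fnmatchcase approximates LUSID's wildcard matching.
    return any(g.file is None and op in g.ops and fnmatchcase(folder, g.folder)
               for g in grants)

def file_allows(grants, op, folder, name):
    return any(g.file is not None and op in g.ops
               and fnmatchcase(folder, g.folder) and fnmatchcase(name, g.file)
               for g in grants)

def can_upload(grants, folder):
    return folder_allows(grants, "write", folder)

def can_download(grants, folder, name):
    return file_allows(grants, "read", folder, name)   # explicit read on the file

def can_delete(grants, folder, name):
    return file_allows(grants, "delete", folder, name)  # write does not imply delete

def can_move(grants, src, dst):
    # Moving needs write on both the source and the destination folder.
    return folder_allows(grants, "write", src) and folder_allows(grants, "write", dst)

def overbroad(grants):
    """Grants giving write or delete over the whole tree ('*' or '/*')."""
    return [g for g in grants if g.folder in ("*", "/*") and g.ops & {"write", "delete"}]

# Constructed sample: grants planned for a hypothetical "marketing-editor" role.
PLANNED = [
    Grant("/Marketing", None, frozenset({"read", "list", "write"})),
    Grant("/Marketing", "*.txt", frozenset({"read", "list", "write"})),
    Grant("/Operation*", "secret*", frozenset({"list"})),
]

if __name__ == "__main__":
    print("upload to /Marketing:", can_upload(PLANNED, "/Marketing"))
    print("delete notes.txt:", can_delete(PLANNED, "/Marketing", "notes.txt"))
    print("move /Marketing -> /Operations:", can_move(PLANNED, "/Marketing", "/Operations"))
    print("overbroad grants:", overbroad(PLANNED))
```

Running the checks against a planned role before creating it shows gaps such as write without delete, or a move that fails because only one side of it is writable.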