Roles and Permissions User Guide

1. Step By Step Process

Roles and permissions allow for precise configuration of user access rights to Guardian functionality.

  1. Permissions format: {category}_{entity}_{action}

  • POLICIES_POLICY_READ – Controls read access to policies

  • POLICIES_POLICY_EXECUTE – Controls access to running policies as a USER. When this access is given to a Guardian user, this user can assume a role within the policy and perform actions in the policy workflow.

  • TOKENS_TOKEN_EXECUTE – Controls access to viewing tokens (balance, associate, disassociate)

  • POLICIES_POLICY_MANAGE – Controls access to running policies as an OWNER.

  • TOKENS_TOKEN_MANAGE – Controls access to managing tokens (balance, grant-kyc, freeze, unfreeze)

1. Managing roles

1.1 Create

A Standard Registry user with the corresponding permission (PERMISSIONS_ROLE_CREATE) can create new roles and populate them with the needed permissions.

Roles consist of a set of permissions that allow users to perform the corresponding actions in the Guardian instance.

1.2. Edit

1.3 Delete

1.4 Default

The default role is applied to all new users automatically upon their registration.

2.5 Access

A special configuration option (permission) that controls user access to specific policies.

  • ACCESS_POLICY_ALL – when set, the user will have access to all policies of the SR

  • ACCESS_POLICY_ASSIGNED – when set, the user will only have access to policies assigned to the user

  • ACCESS_POLICY_PUBLISHED – when set, the user will only have access to published policies of the SR

  • ACCESS_POLICY_ASSIGNED_AND_PUBLISHED – when set, the user will only have access to policies assigned to the user, which are also published.

2.6 Delegate

A special permission option that enables users to transfer their roles (i.e. to delegate, preserving their own rights as per the role as well) to other users. Any user with the permission DELEGATION_ROLE_MANAGE can enable access to all or a subset of roles and/or policies (but only for those the user has access to) for other users.

2. Assigning roles and policies

2.1 Roles

The User Management page provides facilities to configure user roles.

The administrator can see a summary of the permissions from all roles enabled for the user.

2.2 Policies

On the policy page, the administrator can assign specific policies to be accessible to the user (if the ACCESS_POLICY_ASSIGNED permission is used).

2.3 Delegate

Similarly to how the SR can configure roles and policies, users with the DELEGATION_ROLE_MANAGE permission can delegate their access to policies to other users. The list of options, however, is limited by the roles and policies assigned to them by the SR and/or other users.
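The access scopes from section 2.5 and the delegation limit described above can be expressed as a pre-check that rejects any delegation wider than the delegator's own access. This is an added example, not Guardian's own code: the data model (role and policy objects, assignedPolicies, the published flag) and the function names are assumptions, as is the rule that scopes from several roles combine as a union.

```javascript
// Added illustration with a hypothetical data model; not Guardian's own code.
// Permission names are the ones listed in this guide.

// Union of the permissions granted by every role the user holds.
function effectivePermissions(user, roles) {
  return new Set(user.roles.flatMap((id) => roles[id]?.permissions ?? []));
}

// Apply the ACCESS_POLICY_* scopes to one policy. Assumptions: scopes from
// several roles combine as a union, and a user with no scope gets no access.
function canAccessPolicy(user, roles, policy) {
  const perms = effectivePermissions(user, roles);
  const assigned = user.assignedPolicies.includes(policy.id);
  return perms.has('ACCESS_POLICY_ALL')
    || (perms.has('ACCESS_POLICY_ASSIGNED') && assigned)
    || (perms.has('ACCESS_POLICY_PUBLISHED') && policy.published)
    || (perms.has('ACCESS_POLICY_ASSIGNED_AND_PUBLISHED') && assigned && policy.published);
}

// A delegator needs DELEGATION_ROLE_MANAGE and may pass on only roles it
// holds and policies it can access itself.
function checkDelegation(delegator, request, roles, policies) {
  const errors = [];
  if (!effectivePermissions(delegator, roles).has('DELEGATION_ROLE_MANAGE')) {
    errors.push('delegator lacks DELEGATION_ROLE_MANAGE');
  }
  for (const id of request.roles) {
    if (!delegator.roles.includes(id)) errors.push(`role not held: ${id}`);
  }
  for (const id of request.policies) {
    const policy = policies[id];
    if (!policy || !canAccessPolicy(delegator, roles, policy)) {
      errors.push(`policy not accessible: ${id}`);
    }
  }
  return { allowed: errors.length === 0, errors };
}

// Constructed sample data (role names, policy ids and users are made up).
const roles = {
  auditor: { permissions: ['POLICIES_POLICY_READ', 'ACCESS_POLICY_PUBLISHED'] },
  operator: { permissions: ['POLICIES_POLICY_EXECUTE', 'ACCESS_POLICY_ASSIGNED', 'DELEGATION_ROLE_MANAGE'] },
  owner: { permissions: ['POLICIES_POLICY_MANAGE', 'ACCESS_POLICY_ALL'] },
};
const policies = { p1: { id: 'p1', published: true }, p2: { id: 'p2', published: false }, p3: { id: 'p3', published: false } };
const alice = { roles: ['operator', 'auditor'], assignedPolicies: ['p2'] };
const bob = { roles: ['auditor'], assignedPolicies: [] };
console.log(checkDelegation(alice, { roles: ['owner'], policies: ['p1', 'p3'] }, roles, policies));
```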

3. Messages

When a role is created, edited, or deleted, a corresponding message will be posted to the SR's Hedera topic in the following format:

{
  "id": "b5aee339-860f-4702-a916-4d4dca93a885",
  "status": "ISSUE",
  "type": "Guardian-Role-Document",
  "action": "create-role",
  "lang": "en-US",
  "issuer": "did:hedera:testnet:BJDCUTd8gFSaFwW4w7Tw8dbx7DfnkfLjJ14s2dquesS9_0.0.3579393",
  "encodedData": false,
  "cid": "QmUCXmE3KAe16xHEc9sr8vnPaNESKpzDGH8yKCf6jaDevp",
  "uri": "ipfs://QmUCXmE3KAe16xHEc9sr8vnPaNESKpzDGH8yKCf6jaDevp",
  "uuid": "6c0c8a7a-afef-40e2-900b-560a60945bfe",
  "name": "Role name",
  "description": "Role name"
}

When the list of roles assigned to the user is updated, the following message is posted to the SR's Hedera topic:

{
  "id": "88865f04-b599-4189-abb0-499de1de2c7d",
  "status": "ISSUE",
  "type": "User-Permissions",
  "action": "set-role",
  "lang": "en-US",
  "issuer": "did:hedera:testnet:BJDCUTd8gFSaFwW4w7Tw8dbx7DfnkfLjJ14s2dquesS9_0.0.3579393",
  "encodedData": false,
  "cid": "QmfNFrWcPuoiSqMjGqogqTXRDRMEY6s68wsxU6fXTRLsAF",
  "uri": "ipfs://QmfNFrWcPuoiSqMjGqogqTXRDRMEY6s68wsxU6fXTRLsAF",
  "user": "did:hedera:testnet:EEGXZeZvcYmWj4e7cyPoDUi7rcRzkGbLBmziRrd7yrQm_0.0.3579393"
}

The messages are accompanied by an assigned VC document with the list of permissions the role contains.

2. Demo Video

