π»Roles and Permissions User Guide
1. Step By Step Process
Roles and permissions allow for precise configuration of user access rights to Guardian functionality.
Permissions format: {category}_{entity}_{action}
POLICIES_POLICY_READ β Controls read access to policies
POLICIES_POLICY_EXECUTE β Controls access to running policies as a USER. When this access is given to a Guardian user, this user can assume a role within the policy and perform actions in the policy workflow.
TOKENS_TOKEN_EXECUTE β Controls access to viewing tokens (balance, associate, disassociate)
POLICIES_POLICY_MANAGE β Controls access to running policy as an OWNER.
TOKENS_TOKEN_MANAGE β Controls access to managing tokens (balance, grant-kyc, freeze, unfreeze)
1. Managing roles
1.1 Create
Standard Registry user with the corresponding permission (PERMISSIONS_ROLE_CREATE) can create new roles and populate them with the needed permissions.
Roles consist of a set of permissions which allow uses corresponding actions in the Guardian instance.
1.2. Edit
1.3 Delete
1.4 Default
Default role would be applied to all new users automatically upon their registration.
2.5 Access
Special configuration option (permission) which controls user access access to specific policies.
ACCESS_POLICY_ALL β when set, the user will have access to all policies of the SR
ACCESS_POLICY_ASSIGNED β when set, the user will only have access to policies assigned to the user
ACCESS_POLICY_PUBLISHED β when set, the user will only have access to published policies of the SR
ACCESS_POLICY_ASSIGNED_AND_PUBLISHED β when set, the user will only have access to policies assigned to the user, which are also published.
2.6 Delegate
Special permission option which enables uses to transfer their roles (i.e. to delegate, preserving their own rights as per the role as well) to other users. Any user with the permission DELEGATION_ROLE_MANAGE can enable access to all or a subset of roles and/or policies (but only for those the user has access to), for other users.
2. Assigning roles and policies
2.1 Roles
User Management page provides facilities to configure user roles
Administrator can see summary of the permissions from all roles enabled for the user:
2.2 Policies
On the policy page administrator can assign specific policies to be accessible for the user. (If ACCESS_POLICY_ASSIGNED permission is used.)
2.3 Delegate
Similarly to how SR can configure roles and policies, uses with the DELEGATION_ROLE_MANAGE permission can delegate its access to policies to other users. the list of the options however is limited by the rules and policies assigned to it by SR and/or other users.
3. Messages
When a role is created, edited, or deleted a corresponding message will be posted to the SRβs Hedera topic in the following format:
When the list of rules assigned to the user is updated, the following messages posted to the SRβs Hedera topic
The messages are accompanied by assigned VC document with the list of permissions the role contains.
2. Demo Video
Last updated