Permissions
This section lists the pre-configured permission tokens in Iroha 2 and shows how the owner of a subject grants one to another account. For more general information on permission tokens and permission groups (roles), refer to the Permissions chapter in the Guide.
Permission Tokens
Note
A permission token grants an account the ability to perform one operation only on the subject the token is registered with. For example, a CanMintAssetsWithDefinition token registered with the asset definition coolAsset#wonderland allows minting assets of that definition only; it gives no rights over any other asset definition, and no right to burn or transfer coolAsset#wonderland either.
Permission Token | Subject | Operation
---|---|---
CanUnregisterDomain | Domain | Allows the user to unregister the domain.
CanSetKeyValueInDomain | Domain | Allows the user to add metadata key-value pairs to the domain.
CanRemoveKeyValueInDomain | Domain | Allows the user to remove metadata key-value pairs from the domain.
CanUnregisterAccount | Account | Allows the user to unregister the account.
CanMintUserPublicKeys | Account | Allows the user to add a public key to the account.
CanBurnUserPublicKeys | Account | Allows the user to remove a public key from the account.
CanMintUserSignatureCheckConditions | Account | Allows the user to set the account's signature check conditions.
CanSetKeyValueInUserAccount | Account | Allows the user to add metadata key-value pairs to the account.
CanRemoveKeyValueInUserAccount | Account | Allows the user to remove metadata key-value pairs from the account.
CanRegisterAssetsWithDefinition | Asset | Allows the user to register a new asset with this asset definition.
CanUnregisterAssetsWithDefinition | Asset | Allows the user to unregister an asset with this asset definition.
CanUnregisterUserAsset | Asset | Allows the user to unregister the user's asset.
CanMintAssetsWithDefinition | Asset | Allows the user to mint a quantity of assets with this asset definition.
CanBurnAssetsWithDefinition | Asset | Allows the user to burn a quantity of assets with this asset definition.
CanTransferAssetsWithDefinition | Asset | Allows the user to transfer a quantity of assets with this asset definition.
CanBurnUserAsset | Asset | Allows the user to burn a quantity of the user's asset.
CanTransferUserAsset | Asset | Allows the user to transfer a quantity of the user's asset.
CanSetKeyValueInUserAsset | Asset | Allows the user to add metadata key-value pairs to the user's asset.
CanRemoveKeyValueInUserAsset | Asset | Allows the user to remove metadata key-value pairs from the user's asset.
CanSetKeyValueInAssetDefinition | Asset Definition | Allows the user to add metadata key-value pairs to this asset definition.
CanRemoveKeyValueInAssetDefinition | Asset Definition | Allows the user to remove metadata key-value pairs from this asset definition.
CanUnregisterAssetDefinition | Asset Definition | Allows the user to unregister this asset definition.
INFO
The way permissions work in Iroha 2 is subject to change. Only the owner of a subject can grant other accounts permission tokens for that subject.
By default, all assets and accounts defined in the genesis block configuration file are created by the genesis@genesis account. This means that alice@wonderland is not the owner of rose#wonderland and cannot grant any permission token for rose#wonderland; such a grant is rejected.
To avoid this, do one of the following:
- Edit the genesis.json file so that it only includes the creation of alice@wonderland, then redeploy Iroha 2.
- Create a subject (e.g., an asset definition) on behalf of alice@wonderland, then grant another account a permission token for that subject.
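The two rules stated above (a token authorises one operation on exactly one subject, and only the subject's owner can grant or revoke it) are easy to get wrong when reasoning about who can do what. The following is an added example, not code from Iroha or its documentation: a small standard-library model of those rules, with the INFO box scenario replayed in `scenario()`. The types (`Subject`, `World`, `Rejected`), the account and asset names, and the assumption that a subject's owner may always operate on its own subject are this model's, not Iroha's data model or executor.

```rust
use std::collections::{HashMap, HashSet};

/// The subject a token is registered with (illustrative model, not Iroha's types).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub enum Subject {
    Domain(String),
    Account(String),
    AssetDefinition(String),
}

/// A permission token: one token definition bound to exactly one subject.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct PermissionToken {
    pub definition: String,
    pub subject: Subject,
}

impl PermissionToken {
    pub fn new(definition: &str, subject: Subject) -> Self {
        Self { definition: definition.to_string(), subject }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Rejected {
    /// The granting or revoking account does not own the token's subject.
    NotOwner,
    /// The token's subject was never registered.
    UnknownSubject,
}

/// Minimal world state: who owns each subject, and which tokens each account holds.
#[derive(Default)]
pub struct World {
    owners: HashMap<Subject, String>,
    tokens: HashMap<String, HashSet<PermissionToken>>,
}

impl World {
    /// Register a subject on behalf of `owner`; whoever creates a subject owns it.
    pub fn register(&mut self, subject: Subject, owner: &str) {
        self.owners.insert(subject, owner.to_string());
    }

    /// Grant `token` to `recipient`. Only the owner of `token.subject` may do this.
    pub fn grant(&mut self, granter: &str, token: PermissionToken, recipient: &str) -> Result<(), Rejected> {
        self.check_owner(granter, &token.subject)?;
        self.tokens.entry(recipient.to_string()).or_default().insert(token);
        Ok(())
    }

    /// Revoke a previously granted token; same ownership rule as `grant`.
    pub fn revoke(&mut self, revoker: &str, token: &PermissionToken, holder: &str) -> Result<(), Rejected> {
        self.check_owner(revoker, &token.subject)?;
        if let Some(held) = self.tokens.get_mut(holder) {
            held.remove(token);
        }
        Ok(())
    }

    /// May `account` perform the operation named by `definition` on `subject`?
    /// The owner is always allowed (an assumption of this model). Anyone else needs a
    /// token whose definition AND subject both match: a mint token for
    /// coolAsset#wonderland says nothing about rose#wonderland, nor about burning.
    pub fn is_allowed(&self, account: &str, definition: &str, subject: &Subject) -> bool {
        if self.owners.get(subject).map(String::as_str) == Some(account) {
            return true;
        }
        self.tokens
            .get(account)
            .map_or(false, |held| held.iter().any(|t| t.definition == definition && &t.subject == subject))
    }

    fn check_owner(&self, account: &str, subject: &Subject) -> Result<(), Rejected> {
        match self.owners.get(subject) {
            None => Err(Rejected::UnknownSubject),
            Some(owner) if owner.as_str() == account => Ok(()),
            Some(_) => Err(Rejected::NotOwner),
        }
    }
}

/// Replay the INFO box: genesis@genesis owns rose#wonderland, so alice's grant for it
/// is rejected; after alice registers coolAsset#wonderland herself, her grant of a
/// mint token for that definition to actor@wonderland succeeds.
pub fn scenario() -> World {
    let mut world = World::default();
    let rose = Subject::AssetDefinition("rose#wonderland".into());
    let cool = Subject::AssetDefinition("coolAsset#wonderland".into());
    world.register(rose.clone(), "genesis@genesis");
    world.register(cool.clone(), "alice@wonderland");
    let rejected = world.grant("alice@wonderland", PermissionToken::new("CanMintAssetsWithDefinition", rose), "actor@wonderland");
    assert_eq!(rejected, Err(Rejected::NotOwner));
    world
        .grant("alice@wonderland", PermissionToken::new("CanMintAssetsWithDefinition", cool), "actor@wonderland")
        .expect("the owner of coolAsset#wonderland may grant tokens for it");
    world
}

fn main() {
    let world = scenario();
    let cool = Subject::AssetDefinition("coolAsset#wonderland".into());
    let rose = Subject::AssetDefinition("rose#wonderland".into());
    println!("actor mints coolAsset: {}", world.is_allowed("actor@wonderland", "CanMintAssetsWithDefinition", &cool));
    println!("actor mints rose:      {}", world.is_allowed("actor@wonderland", "CanMintAssetsWithDefinition", &rose));
    println!("actor burns coolAsset: {}", world.is_allowed("actor@wonderland", "CanBurnAssetsWithDefinition", &cool));
}
```

The check in `is_allowed` is the point of the model: matching only on the token name would let a mint token for one asset definition mint every definition in the domain, so both the definition and the subject must compare equal. The ownership check in `grant` and `revoke` is what makes the first bullet above (redeploying with alice@wonderland as the creator) and the second (registering a fresh subject as alice) equivalent fixes.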
Granting Permission Tokens
In this example, the owner account grants another account a permission token for a subject it owns.
The example relies on the following preconditions:
- The subject (here an asset definition) was created by the owner account, so the owner account is allowed to grant tokens for it.
- The recipient account already exists.
- The client submitting the transaction is configured to sign as the owner account; a grant submitted by any other account is rejected.
```rust
use std::str::FromStr;

use iroha_client::client::Client;
use iroha_data_model::prelude::*;
use serde_json::json;

// `iroha_client` must be a `Client` configured to sign as the owner account
// (alice@wonderland here); a grant submitted by any other account is rejected.
fn grant_mint_permission(iroha_client: &Client) {
    // Define the asset definition owner (the account the client signs as)
    let asset_definition_owner = AccountId::from_str("alice@wonderland").unwrap();
    // Define the asset definition id which was created by the owner
    let asset_definition_id = AssetDefinitionId::from_str("coolAsset#wonderland").unwrap();
    // Define the account to which we want to give the permission
    let recipient_account = AccountId::from_str("actor@wonderland").unwrap();
    // Create the chosen token. Its payload must follow the token's definition in the
    // `iroha_executor` crate (`smart_contract/executor/src/default.rs`): this token is
    // keyed by `asset_definition_id`, so it covers this asset definition and no other
    let can_mint_asset_with_definition_token = PermissionToken::new(
        "CanMintAssetsWithDefinition".parse().unwrap(),
        &json!({ "asset_definition_id": asset_definition_id }),
    );
    // Create a permission expression (GrantExpr to grant, RevokeExpr to revoke)
    let permission_expression = GrantExpr::new(can_mint_asset_with_definition_token, recipient_account);
    // Submit the transaction with the permission expression and wait for it to be committed;
    // it is only accepted because the submitting account is `asset_definition_owner`
    let _ = asset_definition_owner;
    iroha_client.submit_blocking(permission_expression).unwrap();
}
```