Implement comprehensive access control with role-based permissions
Description
Context: Different users (merchants, subscribers, auditors, system admins) need different levels of access to subscription operations.
Current Limitation: Access control is minimal with only basic authorization checks, lacking granular permission management.
Expected Outcome: Implement a comprehensive role-based access control (RBAC) system with customizable roles, permissions, and permission inheritance.
Acceptance Criteria
Technical Scope
Files Likely Affected:
contracts/access_control/src/lib.rs - New access control modulecontracts/access_control/src/roles.rs - Role definitionscontracts/subscription/src/lib.rs - Updated authorization
APIs/Contracts Involved:
grant_role(user: Address, role: Role)revoke_role(user: Address, role: Role)has_permission(user: Address, permission: Permission) -> booldelegate_permission(user: Address, permission: Permission, delegate: Address, duration: u64)
Edge Cases to Consider:
- Role revocation while delegation is active
- Circular role dependencies
- Emergency access (kill switch)
- Role assignment during contract upgrade
Implement comprehensive access control with role-based permissions
Description
Context: Different users (merchants, subscribers, auditors, system admins) need different levels of access to subscription operations.
Current Limitation: Access control is minimal with only basic authorization checks, lacking granular permission management.
Expected Outcome: Implement a comprehensive role-based access control (RBAC) system with customizable roles, permissions, and permission inheritance.
Acceptance Criteria
Technical Scope
Files Likely Affected:
contracts/access_control/src/lib.rs- New access control modulecontracts/access_control/src/roles.rs- Role definitionscontracts/subscription/src/lib.rs- Updated authorizationAPIs/Contracts Involved:
grant_role(user: Address, role: Role)revoke_role(user: Address, role: Role)has_permission(user: Address, permission: Permission) -> booldelegate_permission(user: Address, permission: Permission, delegate: Address, duration: u64)Edge Cases to Consider: