Hyperledger Iroha uses a role-based access control system to limit the actions of its users. This system greatly helps to implement use cases involving user groups with different access levels, ranging from weak users, who cannot even receive asset transfers, to super-users. The beauty of our permission system is that you don't have to have a super-user in your Iroha setup or use all the possible permissions: you can create segregated and lightweight roles.
Maintenance of the system involves setting up roles and the permissions that are included in them. This can be done at the initial step of system deployment, in the genesis block, or later, when the Iroha network is up and running (if there is a role that can do that :)
This section will help you to understand permissions and give you an idea of how to create roles including certain permissions. Each permission is provided with an example written in Python that demonstrates how to create the transaction or query that requires that permission. Every example uses the commons.py module, whose listing is available in the Supplementary Sources section.
Permission Name | Category | Type |
---|---|---|
can_create_account | Account | Command |
can_set_detail | Account | Command |
can_set_my_account_detail (grantable) | Account | Command |
can_create_asset | Asset | Command |
can_receive | Asset | Command |
can_transfer | Asset | Command |
can_transfer_my_assets (grantable) | Asset | Command |
can_add_asset_qty | Asset Quantity | Command |
can_subtract_asset_qty | Asset Quantity | Command |
can_add_domain_asset_qty | Asset Quantity | Command |
can_subtract_domain_asset_qty | Asset Quantity | Command |
can_create_domain | Domain | Command |
can_grant_can_add_my_signatory | Grant | Command |
can_grant_can_remove_my_signatory | Grant | Command |
can_grant_can_set_my_account_detail | Grant | Command |
can_grant_can_set_my_quorum | Grant | Command |
can_grant_can_transfer_my_assets | Grant | Command |
can_add_peer | Peer | Command |
can_remove_peer | Peer | Command |
can_append_role | Role | Command |
can_create_role | Role | Command |
can_detach_role | Role | Command |
can_add_my_signatory (grantable) | Signatory | Command |
can_add_signatory | Signatory | Command |
can_remove_my_signatory (grantable) | Signatory | Command |
can_remove_signatory | Signatory | Command |
can_set_my_quorum (grantable) | Signatory | Command |
can_set_quorum | Signatory | Command |
can_get_all_acc_detail | Account | Query |
can_get_all_accounts | Account | Query |
can_get_domain_acc_detail | Account | Query |
can_get_domain_accounts | Account | Query |
can_get_my_acc_detail | Account | Query |
can_get_my_account | Account | Query |
can_get_all_acc_ast | Account Asset | Query |
can_get_domain_acc_ast | Account Asset | Query |
can_get_my_acc_ast | Account Asset | Query |
can_get_all_acc_ast_txs | Account Asset Transaction | Query |
can_get_domain_acc_ast_txs | Account Asset Transaction | Query |
can_get_my_acc_ast_txs | Account Asset Transaction | Query |
can_get_all_acc_txs | Account Transaction | Query |
can_get_domain_acc_txs | Account Transaction | Query |
can_get_my_acc_txs | Account Transaction | Query |
can_read_assets | Asset | Query |
can_get_blocks | Block Stream | Query |
can_get_roles | Role | Query |
can_get_all_signatories | Signatory | Query |
can_get_domain_signatories | Signatory | Query |
can_get_my_signatories | Signatory | Query |
can_get_all_txs | Transaction | Query |
can_get_my_txs | Transaction | Query |
can_get_peers | Peer | Query |
Allows creating new accounts.
Example
.. literalinclude:: ../../../example/python/permissions/can_create_account.py :language: python :linenos: :lines: 10-31
Allows setting account detail.
The permission allows setting details on other accounts. Another way to allow setting details without the can_set_detail permission is to grant the can_set_my_account_detail permission to someone. In order to grant it, the transaction creator should have the can_grant_can_set_my_account_detail permission.
Note
The transaction creator can always set details for their own account, even without that permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_set_detail.py :language: python :linenos: :lines: 10-30
Hint
This is a grantable permission.
Permission that allows a specified account to set details for another specified account.
Note
To grant the permission, an account should already have a role with the can_grant_can_set_my_account_detail permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_set_my_account_detail.py :language: python :linenos: :lines: 10-44
Allows creating new assets.
Example
.. literalinclude:: ../../../example/python/permissions/can_create_asset.py :language: python :linenos: :lines: 10-30
Allows an account to receive assets.
Example
.. literalinclude:: ../../../example/python/permissions/can_receive.py :language: python :linenos: :lines: 10-48
Allows sending assets from the account of the transaction creator.
You can transfer an asset from one domain to another, even if the other domain does not have an asset with the same name.
Note
The destination account should have the can_receive permission.
.. literalinclude:: ../../../example/python/permissions/can_transfer.py :language: python :linenos: :lines: 1-10
Hint
This is a grantable permission.
Permission that allows a specified account to transfer assets of another specified account.
See the example (to be done) for the usage details.
Example
.. literalinclude:: ../../../example/python/permissions/can_transfer_my_assets.py :language: python :linenos: :lines: 10-61
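The decision rules described above for setting account details and for transferring assets, written out as an added pure-Python model (not Iroha code and not one of the project's example scripts). The account and role names are constructed, and applying the can_receive check to granted transfers is an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Toy authorization state; a model of the rules above, not Iroha code."""
    roles: dict                # role name -> set of permission names
    account_roles: dict        # account id -> set of role names
    grants: set = field(default_factory=set)  # (grantor, grantee, permission)

    def perms(self, account):
        """Union of the permissions of every role attached to the account."""
        attached = self.account_roles.get(account, ())
        return set().union(*(self.roles[r] for r in attached))

    def grant(self, grantor, grantee, permission):
        """Grantor gives grantee a grantable permission over grantor's account."""
        if "can_grant_" + permission not in self.perms(grantor):
            raise PermissionError(f"{grantor} lacks can_grant_{permission}")
        self.grants.add((grantor, grantee, permission))

    def may_set_detail(self, creator, target):
        return (creator == target                           # own account: always
                or "can_set_detail" in self.perms(creator)  # role permission
                or (target, creator, "can_set_my_account_detail") in self.grants)

    def may_transfer(self, creator, src, dst):
        # Assumption: the can_receive requirement applies to granted transfers too.
        if "can_receive" not in self.perms(dst):
            return False
        if creator == src:
            return "can_transfer" in self.perms(creator)
        return (src, creator, "can_transfer_my_assets") in self.grants


def demo_ledger():
    """Constructed sample roles and accounts (hypothetical names)."""
    roles = {
        "user": {"can_transfer", "can_receive",
                 "can_grant_can_set_my_account_detail",
                 "can_grant_can_transfer_my_assets"},
        "registrar": {"can_set_detail", "can_receive"},
        "observer": set(),
    }
    accounts = {"alice@test": {"user"}, "kyc@test": {"registrar"},
                "bob@test": {"observer"}}
    return Ledger(roles, accounts)


if __name__ == "__main__":
    led = demo_ledger()
    print(led.may_set_detail("bob@test", "alice@test"))   # before the grant
    led.grant("alice@test", "bob@test", "can_set_my_account_detail")
    print(led.may_set_detail("bob@test", "alice@test"))   # after the grant
```

A grant is directional: it lets the grantee act on the grantor's account only, and it can be issued only by an account whose role carries the matching can_grant_* permission.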
Allows issuing assets.
The corresponding command can be executed only for the account of the transaction creator and only if that account has a role with the permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_add_asset_qty.py :language: python :linenos: :lines: 10-32
Allows burning assets.
The corresponding command can be executed only for the account of the transaction creator and only if that account has a role with the permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_subtract_asset_qty.py :language: python :linenos: :lines: 10-40
Allows issuing assets only in the creator's own domain.
The corresponding command can be executed only for the account of the transaction creator, only if that account has a role with the permission, and only for assets in the creator's domain.
.. literalinclude:: ../../../example/python/permissions/can_add_domain_asset_qty.py :language: python :linenos: :lines: 1-10
Allows burning assets only in the creator's own domain.
The corresponding command can be executed only for the account of the transaction creator, only if that account has a role with the permission, and only for assets in the creator's domain.
.. literalinclude:: ../../../example/python/permissions/can_subtract_domain_asset_qty.py :language: python :linenos: :lines: 1-10
Allows creating new domains within the system.
Example
.. literalinclude:: ../../../example/python/permissions/can_create_domain.py :language: python :linenos: :lines: 10-31
Allows role owners to grant the can_add_my_signatory permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_grant_can_add_my_signatory.py :language: python :linenos: :lines: 10-43
Allows role owners to grant the can_remove_my_signatory permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_grant_can_remove_my_signatory.py :language: python :linenos: :lines: 10-43
Allows role owners to grant the can_set_my_account_detail permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_grant_can_set_my_account_detail.py :language: python :linenos: :lines: 10-43
Allows role owners to grant the can_set_my_quorum permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_grant_can_set_my_quorum.py :language: python :linenos: :lines: 10-44
Allows role owners to grant the can_transfer_my_assets permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_grant_can_transfer_my_assets.py :language: python :linenos: :lines: 10-56
Allows adding peers to the network.
A new peer will be a valid participant in the next consensus round after an agreement on the transaction containing the "addPeer" command.
Example
.. literalinclude:: ../../../example/python/permissions/can_add_peer.py :language: python :linenos: :lines: 10-34
Allows removing peers from the network.
A removed peer will not participate in the next consensus round after an agreement on the transaction containing the "removePeer" command.
Example
.. literalinclude:: ../../../example/python/permissions/can_remove_peer.py :language: python :linenos: :lines: 10-37
Allows appending roles to another account.
You can append only a role whose set of privileges is the same as, or smaller than, that of the transaction creator.
Example
.. literalinclude:: ../../../example/python/permissions/can_append_role.py :language: python :linenos: :lines: 10-40
Allows creating a new role within the system.
The set of permissions for a new role is limited to the permissions that the transaction creator has.
Example
.. literalinclude:: ../../../example/python/permissions/can_create_role.py :language: python :linenos: :lines: 10-33
Allows revoking a role from a user.
Note
Due to a known issue, the permission allows detaching any role without limitations: https://soramitsu.atlassian.net/browse/IR-1468
Example
.. literalinclude:: ../../../example/python/permissions/can_detach_role.py :language: python :linenos: :lines: 10-30
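The three role-management rules above (create, append, detach) can be checked against a planned role layout before it goes into the genesis block. The following is an added pure-Python model, not Iroha code; the role and account names are constructed, and treating the creator's privileges as the union of all attached roles is an assumption.

```python
def effective(roles, account_roles, account):
    """Union of the permissions of all roles attached to an account."""
    return set().union(*(roles[r] for r in account_roles.get(account, ())))


def may_create_role(creator_perms, new_role_perms):
    # A new role may only contain permissions the creator already holds.
    return ("can_create_role" in creator_perms
            and set(new_role_perms) <= creator_perms)


def may_append_role(creator_perms, role_perms):
    # The appended role must not exceed the creator's own privileges.
    return ("can_append_role" in creator_perms
            and set(role_perms) <= creator_perms)


def may_detach_role(creator_perms, role_perms):
    # Per the known issue noted above there is no subset check here,
    # so role_perms is deliberately ignored.
    return "can_detach_role" in creator_perms


def audit(roles, account_roles):
    """For each account: roles it may append, and roles it may detach
    although they carry permissions the account itself does not hold."""
    findings = {}
    for account in account_roles:
        own = effective(roles, account_roles, account)
        findings[account] = {
            "can_append": sorted(
                r for r, p in roles.items() if may_append_role(own, p)),
            "can_detach_above_own": sorted(
                r for r, p in roles.items()
                if may_detach_role(own, p) and not p <= own),
        }
    return findings


# Constructed sample layout (hypothetical role and account names).
ROLES = {
    "admin": {"can_create_role", "can_append_role", "can_detach_role",
              "can_add_peer", "can_create_account"},
    "moderator": {"can_append_role", "can_detach_role", "can_create_account"},
    "clerk": {"can_create_account"},
}
ACCOUNT_ROLES = {"root@test": {"admin"}, "mod@test": {"moderator"},
                 "clerk@test": {"clerk"}}

if __name__ == "__main__":
    for account, result in audit(ROLES, ACCOUNT_ROLES).items():
        print(account, result)
```

In the sample layout the moderator cannot append the admin role, but is reported as able to detach it, which is the asymmetry a reviewer should look for when deciding which roles receive can_detach_role.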
Hint
This is a grantable permission.
Permission that allows a specified account to add an extra public key to another specified account.
Example
.. literalinclude:: ../../../example/python/permissions/can_add_my_signatory.py :language: python :linenos: :lines: 10-45
Allows linking additional public keys to an account.
The corresponding command can be executed only for the account of the transaction creator and only if that account has a role with the permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_add_signatory.py :language: python :linenos: :lines: 10-32
Hint
This is a grantable permission.
Permission that allows a specified account to remove a public key from another specified account.
See the example (to be done) for the usage details.
Example
.. literalinclude:: ../../../example/python/permissions/can_remove_my_signatory.py :language: python :linenos: :lines: 10-51
Allows unlinking additional public keys from an account.
The corresponding command can be executed only for the account of the transaction creator and only if that account has a role with the permission.
Example
.. literalinclude:: ../../../example/python/permissions/can_remove_signatory.py :language: python :linenos: :lines: 10-36
Hint
This is a grantable permission.
Permission that allows a specified account to set the quorum for another specified account.
The account should have a number of keys greater than or equal to the quorum.
Example
.. literalinclude:: ../../../example/python/permissions/can_set_my_quorum.py :language: python :linenos: :lines: 10-50
Allows setting quorum.
At least the same number of public keys (or more) should already be linked to the account.
Example
.. literalinclude:: ../../../example/python/permissions/can_set_quorum.py :language: python :linenos: :lines: 10-36
Allows getting all the details set to any account within the system.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_acc_detail.py :language: python :linenos: :lines: 10-28
Allows getting account information: quorum and all the details related to the account.
With this permission, the query creator can get information about any account within the system.
All the details (set by the account owner or owners of other accounts) will be returned.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_accounts.py :language: python :linenos: :lines: 10-28
Allows getting all the details set to any account within the same domain as the query creator's account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_acc_detail.py :language: python :linenos: :lines: 10-28
Allows getting account information: quorum and all the details related to the account.
With this permission, the query creator can get information only about accounts from the same domain.
All the details (set by the account owner or owners of other accounts) will be returned.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_accounts.py :language: python :linenos: :lines: 10-28
Allows getting all the details set to the account of the query creator.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_acc_detail.py :language: python :linenos: :lines: 10-28
Allows getting account information: quorum and all the details related to the account.
With this permission, the query creator can get information only about their own account.
All the details (set by the account owner or owners of other accounts) will be returned.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_account.py :language: python :linenos: :lines: 10-28
Allows getting the balance of assets on any account within the system.
The query response will contain information about all the assets that have ever been assigned to an account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_acc_ast.py :language: python :linenos: :lines: 10-28
Allows getting the balance of a specified asset on any account within the same domain as the query creator's account.
The query response will contain information about all the assets that have ever been assigned to an account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_acc_ast.py :language: python :linenos: :lines: 10-28
Allows getting the balance of a specified asset on the account of the query creator.
The query response will contain information about all the assets that have ever been assigned to an account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_acc_ast.py :language: python :linenos: :lines: 10-28
Allows getting transactions associated with a specified asset and any account within the system.
Note
Incoming asset transfers will also appear in the query response.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_acc_ast_txs.py :language: python :linenos: :lines: 10-43
Allows getting transactions associated with a specified asset and an account from the same domain as the query creator.
Note
Incoming asset transfers will also appear in the query response.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_acc_ast_txs.py :language: python :linenos: :lines: 10-39
Allows getting transactions associated with the account of the query creator and a specified asset.
Note
Incoming asset transfers will also appear in the query response.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_acc_ast_txs.py :language: python :linenos: :lines: 10-39
Allows getting all transactions issued by any account within the system.
Note
An incoming asset transfer inside a transaction does NOT cause the transaction to appear in the command output.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_acc_txs.py :language: python :linenos: :lines: 10-28
Allows getting all transactions issued by any account from the same domain as the query creator.
Note
An incoming asset transfer inside a transaction does NOT cause the transaction to appear in the command output.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_acc_txs.py :language: python :linenos: :lines: 10-28
Allows getting all transactions issued by the account of the query creator.
Note
An incoming asset transfer inside a transaction does NOT cause the transaction to appear in the command output.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_acc_txs.py :language: python :linenos: :lines: 10-28
Allows getting information about asset precision.
Example
.. literalinclude:: ../../../example/python/permissions/can_read_assets.py :language: python :linenos: :lines: 10-31
Allows subscription to the stream of accepted blocks.
Allows getting a list of roles within the system. Allows getting a list of permissions associated with a role.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_roles.py :language: python :linenos: :lines: 10-35
Allows getting a list of public keys linked to an account within the system.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_signatories.py :language: python :linenos: :lines: 10-28
Allows getting a list of public keys of any account within the same domain as the query creator's account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_domain_signatories.py :language: python :linenos: :lines: 10-28
Allows getting a list of public keys of the query creator's account.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_signatories.py :language: python :linenos: :lines: 10-28
Allows getting any transaction by hash.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_all_txs.py :language: python :linenos: :lines: 11-58
Allows getting a transaction (that was issued by the query creator) by hash.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_my_txs.py :language: python :linenos: :lines: 11-62
Allows requesting the list of peers in the Iroha network.
Example
.. literalinclude:: ../../../example/python/permissions/can_get_peers.py :language: python :linenos: :lines: 10-28
.. literalinclude:: ../../../example/python/permissions/commons.py :language: python :linenos: :caption: commons.py