Permissions
This section provides details about pre-configured permission tokens in Iroha 2. For more general information on permission tokens and permission groups (roles), refer to the Permissions chapter in Guide.
Permission Tokens
The following permission tokens are pre-configured in Iroha 2:
| Permission Token | Category | Operation |
|---|---|---|
[CanUnregisterDomain] | Domain | Allows to unregister a domain |
[CanSetKeyValueInDomain] | Domain | Allows to add domain's metadata key value |
[CanRemoveKeyValueInDomain] | Domain | Allows to remove domain's metadata key value |
[CanUnregisterAccount] | Account | Allows to unregister an account |
[CanMintUserPublicKeys] | Account | Allows to add a public key to an account |
[CanBurnUserPublicKeys] | Account | Allows to remove a public key from an account |
[CanMintUserSignatureCheckConditions] | Account | Allows to set check conditions for a signature |
[CanSetKeyValueInUserAccount] | Account | Allows to add user's metadata key value |
[CanRemoveKeyValueInUserAccount] | Account | Allows to remove user's metadata key value |
[CanRegisterAssetsWithDefinition] | Asset | Allows to register a new asset with this definition |
[CanUnregisterAssetsWithDefinition] | Asset | Allows to unregister a new asset with this definition |
[CanUnregisterUserAsset] | Asset | Allows to remove asset from a user |
[CanMintAssetsWithDefinition] | Asset | Allows to mint quantity of assets with this definition |
[CanBurnAssetsWithDefinition] | Asset | Allows to burn quantity of assets with this definition |
[CanTransferAssetsWithDefinition] | Asset | Allows to transfer quantity of assets with this definition |
[CanBurnUserAsset] | Asset | Allows to burn user's asset quantity |
[CanTransferUserAsset] | Asset | Allows to transfer user's asset quantity |
[CanSetKeyValueInUserAsset] | Asset | Allows to set key value to user's asset metadata |
[CanRemoveKeyValueInUserAsset] | Asset | Allows to remove key value from user's asset metadata |
[CanSetKeyValueInAssetDefinition] | Asset Definition | Allows to add key value to metadata for this asset definition |
[CanRemoveKeyValueInAssetDefinition] | Asset Definition | Allows to remove key value from metadata for this asset definition |
[CanUnregisterAssetDefinition] | Asset Definition | Allows to unregister this asset definition |
INFO
The way permissions work in Iroha 2 is subject to change. Only an owner of the subject can grant permissions for the subject.
By default, all assets and accounts defined in the genesis block configuration file are created by genesis@genesis account. This means that alice@wonderland is not the owner of rose#wonderland and cannot grant permission for rose#wonderland.
To avoid this you can:
- Edit the
genesis.jsonfile to only include the creation ofalice@wonderland, and then redeploy Iroha 2. - Create a subject (e.g., an asset definition) on behalf of
alice@wonderland, and then give another account the permission to manage this subject.
General example
With this example, the owner-account can give permission for its subject to another account. The example is based on the following pre-conditions: The subject is created by the owner-account The recipient account is created
// Define the asset definition owner
let asset_definition_owner = AccountId::from_str("alice@wonderland").unwrap();
// Define the asset definition id which was created by the owner
let asset_definition_id = AssetDefinitionId::from_str("coolAsset#wonderland").unwrap();
// Define the account which we want to give the permission
let recipient_account = AccountId::from_str("actor@wonderland").unwrap();
// Create a token that we chose. And define its structure according to `iroha_executor\smart_contract\executor\src\default.rs`
let can_mint_asset_with_definition_token = PermissionToken::new(
"CanMintAssetsWithDefinition".parse().unwrap(),
&json!({ "asset_definition_id": asset_definition_id }),
);
// Create a permission expression (Grant\Revoke)
let permission_expression = GrantExpr::new(can_mint_asset_with_definition_token, recipients_account);
// Submit the transaction with the permission expression
iroha_client.submit_blocking(permission_expression).unwrap();