Permissions

This section provides details about the pre-configured permission tokens in Iroha 2. For more general information on permission tokens and permission groups (roles), refer to the Permissions chapter in the Guide.

Permission Tokens

The following permission tokens are pre-configured in Iroha 2:

| Permission Token | Category | Operation |
| --- | --- | --- |
| `CanUnregisterDomain` | Domain | Allows unregistering a domain |
| `CanSetKeyValueInDomain` | Domain | Allows adding a domain's metadata key value |
| `CanRemoveKeyValueInDomain` | Domain | Allows removing a domain's metadata key value |
| `CanUnregisterAccount` | Account | Allows unregistering an account |
| `CanMintUserPublicKeys` | Account | Allows adding a public key to an account |
| `CanBurnUserPublicKeys` | Account | Allows removing a public key from an account |
| `CanMintUserSignatureCheckConditions` | Account | Allows setting check conditions for a signature |
| `CanSetKeyValueInUserAccount` | Account | Allows adding a user's metadata key value |
| `CanRemoveKeyValueInUserAccount` | Account | Allows removing a user's metadata key value |
| `CanRegisterAssetsWithDefinition` | Asset | Allows registering a new asset with this definition |
| `CanUnregisterAssetsWithDefinition` | Asset | Allows unregistering a new asset with this definition |
| `CanUnregisterUserAsset` | Asset | Allows removing an asset from a user |
| `CanMintAssetsWithDefinition` | Asset | Allows minting a quantity of assets with this definition |
| `CanBurnAssetsWithDefinition` | Asset | Allows burning a quantity of assets with this definition |
| `CanTransferAssetsWithDefinition` | Asset | Allows transferring a quantity of assets with this definition |
| `CanBurnUserAsset` | Asset | Allows burning a user's asset quantity |
| `CanTransferUserAsset` | Asset | Allows transferring a user's asset quantity |
| `CanSetKeyValueInUserAsset` | Asset | Allows setting a key value in a user's asset metadata |
| `CanRemoveKeyValueInUserAsset` | Asset | Allows removing a key value from a user's asset metadata |
| `CanSetKeyValueInAssetDefinition` | Asset Definition | Allows adding a key value to the metadata for this asset definition |
| `CanRemoveKeyValueInAssetDefinition` | Asset Definition | Allows removing a key value from the metadata for this asset definition |
| `CanUnregisterAssetDefinition` | Asset Definition | Allows unregistering this asset definition |

INFO

The way permissions work in Iroha 2 is subject to change. Only an owner of the subject can grant permissions for the subject.

By default, all assets and accounts defined in the genesis block configuration file are created by the genesis@genesis account. This means that alice@wonderland is not the owner of rose#wonderland and cannot grant permission for rose#wonderland.

To avoid this, you can:

  1. Edit the genesis.json file to only include the creation of alice@wonderland, and then redeploy Iroha 2.
  2. Create a subject (e.g., an asset definition) on behalf of alice@wonderland, and then give another account the permission to manage this subject.
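
The ownership rule and the genesis pitfall described above, as an added example that is not part of the original page or of Iroha's code base. The `World` type and its `register`, `grant` and `has_token` methods are hypothetical and model only the owner check; the account and asset names are the ones used on this page.

```rust
use std::collections::{HashMap, HashSet};

// Simplified model (an assumption for illustration, not Iroha's executor):
// each subject records the account that registered it, and only that owner
// may grant a permission token for it.
#[derive(Default)]
struct World {
    owner_of: HashMap<String, String>,         // subject id -> owner account id
    tokens: HashSet<(String, String, String)>, // (account, token name, subject id)
}

impl World {
    fn register(&mut self, creator: &str, subject: &str) {
        self.owner_of.insert(subject.to_string(), creator.to_string());
    }

    fn grant(&mut self, authority: &str, token: &str, subject: &str, to: &str) -> Result<(), String> {
        match self.owner_of.get(subject) {
            Some(owner) if owner.as_str() == authority => {
                self.tokens.insert((to.to_string(), token.to_string(), subject.to_string()));
                Ok(())
            }
            Some(owner) => Err(format!("{} does not own {} (owner: {})", authority, subject, owner)),
            None => Err(format!("{} is not registered", subject)),
        }
    }

    fn has_token(&self, account: &str, token: &str, subject: &str) -> bool {
        self.tokens.contains(&(account.to_string(), token.to_string(), subject.to_string()))
    }
}

const MINT: &str = "CanMintAssetsWithDefinition";
// Constructed scenario using the account and asset names from this page.
fn scenario() -> (World, Result<(), String>, Result<(), String>) {
    let mut w = World::default();
    w.register("genesis@genesis", "rose#wonderland"); // default genesis ownership
    w.register("alice@wonderland", "coolAsset#wonderland"); // created by alice
    let rose = w.grant("alice@wonderland", MINT, "rose#wonderland", "actor@wonderland");
    let cool = w.grant("alice@wonderland", MINT, "coolAsset#wonderland", "actor@wonderland");
    (w, rose, cool)
}

fn main() {
    let (w, rose, cool) = scenario();
    println!("grant on rose#wonderland: {:?}", rose);
    println!("grant on coolAsset#wonderland: {:?}", cool);
    println!("actor may mint coolAsset: {}", w.has_token("actor@wonderland", MINT, "coolAsset#wonderland"));
}
```
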

General example

In this example, the owner account gives permission for its subject to another account. The example is based on the following pre-conditions:

  - The subject is created by the owner account
  - The recipient account is created

```rust
use std::str::FromStr;

use iroha_data_model::prelude::*;
use serde_json::json;

// Assumption: `iroha_client` is an already configured `iroha_client::client::Client`
// that submits transactions on behalf of the owner account.

// Define the asset definition owner
let asset_definition_owner = AccountId::from_str("alice@wonderland").unwrap();
// Define the id of the asset definition that was created by the owner
let asset_definition_id = AssetDefinitionId::from_str("coolAsset#wonderland").unwrap();
// Define the account that should receive the permission
let recipient_account = AccountId::from_str("actor@wonderland").unwrap();
// Create the chosen token and define its structure according to
// `iroha_executor\smart_contract\executor\src\default.rs`
let can_mint_asset_with_definition_token = PermissionToken::new(
    "CanMintAssetsWithDefinition".parse().unwrap(),
    &json!({ "asset_definition_id": asset_definition_id }),
);
// Create a permission expression (Grant or Revoke)
let permission_expression = GrantExpr::new(can_mint_asset_with_definition_token, recipient_account);
// Submit the transaction with the permission expression
iroha_client.submit_blocking(permission_expression).unwrap();
```