Dynamic permissions¶
Openchain supports an implicit permission layout through P2PKH accounts (/p2pkh/<address>/
) and thrid party issuance accounts (/asset/p2pkh/<address>/
). It is also possible to dynamically define permissions by submitting transactions modifying a special record: the acl
record.
Access Control Lists¶
Permissions are applied to a specific path. To apply an access control list to a path, set the acl
record under that path. It must be a DATA
record. The value is a JSON file.
For example, when trying to set the permissions to the path /users/alice/
, the following record must be set: /users/alice/:DATA:acl
.
Schema¶
The schema of the JSON file that the record contains is the following:
[
{
"subjects": [
{
"addresses": [ "<string>" ],
"required": <integer>
}
],
"recursive": <boolean>,
"record_name": "<string>",
"record_name_matching": "<record-matching-type>",
"permissions": {
"account_negative": "<permission>",
"account_spend": "<permission>",
"account_modify": "<permission>",
"account_create": "<permission>",
"data_modify": "<permission>"
}
}
]
The contents is an array containing all the applicable permissions. When the acl
record does not exist, this is equivalent to having an empty array.
The meaning of the fields within a permission object are the following:
subjects
: An array of subjects for which this permission object applies.addresses
: An array of strings representing the addresses for which signatures are expected.required
: The number of required signatures from theaddresses
array. If theaddresses
array contains 3 addresses, andrequired
is set to 2, that means that for the permission to apply, at least 2 signatures from the 3 addresses specified must be present. This is known as a n-of-m multi-signature scheme.
recursive
: (Default: true) A boolean indicating whether the permission applies recursively to the sub accounts.Note
With recursion, lower level permissions overrule higher level permissions.
record_name
: (Default: empty string) The pattern to use for record name matching.record_name_matching
: (Default:Prefix
) The type of record name matching to use. There are two possible values:Exact
means that the record name must be exactly equal to the value of therecord_name
field for the permission to apply.Prefix
means that the record name must start with the value of therecord_name
field for the permission to apply. UsingPrefix
with an emptyrecord_name
means that the permission applies to all records.
Hint
The record name of an
ACC
record is the asset path.permissions
: Contains the permissions being applied if this permission object is a match. The meaning of the various permissions is explained in the next section. The value must be set toPermit
for the permission to be granted, orDeny
for the permission to be denied. If it is unset, the inherited value is used.
Permissions¶
account_negative
¶
This permission indicates the right to affect the balance of ACC
records, both to increase it (receive funds) and decrease it (send funds) with no restriction on the final balance. If this permission is granted, the ACC
record balance can be made negative.
This permission is typically granted to the users allowed to issue an asset.
account_spend
¶
This permission indicates the right to affect the balance of ACC
records, both to increase it (receive funds) and decrease it (send funds) with the restriction that the final balance must remain positive or zero.
account_modify
¶
This permission is required to affect the balance of ACC
records that have already been modified before (the record version is non-empty).
account_create
¶
This permission is required to affect the balance of ACC
records that have never been modified before (the record version is empty).
Note
A user can only send funds from an account if she has the account_negative
or account_spend
rights plus the account_modify
or account_create
rights. Sending to an account requires account_modify
or account_create
on the destination account.
A closed loop ledger can be created by denying account_modify
and account_create
by default, and selectively granting these for some accounts. By doing this, only approved accounts can receive funds.
data_modify
¶
This permission is required to modify a DATA
record.