Skip to content

Latest commit

 

History

History
755 lines (712 loc) · 22.2 KB

auth_rules.md

File metadata and controls

755 lines (712 loc) · 22.2 KB

Default AUTH_MAP Rules

Transaction type Action Field Previous value New value Who can Description
NYM ADD role * TRUSTEE 1 TRUSTEE Adding a new TRUSTEE
NYM ADD role * STEWARD 1 TRUSTEE Adding a new STEWARD
NYM ADD role * ENDORSER 1 TRUSTEE OR 1 STEWARD Adding a new ENDORSER
NYM ADD role * NETWORK_MONITOR 1 TRUSTEE OR 1 STEWARD Adding a new NETWORK_MONITOR
NYM ADD role * <None> 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new Identity Owner
NYM EDIT role TRUSTEE STEWARD 1 TRUSTEE Changing Trustee to Steward
NYM EDIT role TRUSTEE ENDORSER 1 TRUSTEE Changing Trustee to Endorser
NYM EDIT role TRUSTEE NETWORK_MONITOR 1 TRUSTEE Changing Trustee to Network Monitor
NYM EDIT role TRUSTEE <None> 1 TRUSTEE Demoting a Trustee
NYM EDIT role STEWARD TRUSTEE 1 TRUSTEE Changing Steward to Trustee
NYM EDIT role STEWARD ENDORSER 1 TRUSTEE Changing Steward to Endorser
NYM EDIT role STEWARD NETWORK_MONITOR 1 TRUSTEE Changing Steward to Network Monitor
NYM EDIT role STEWARD <None> 1 TRUSTEE Demoting a Steward
NYM EDIT role ENDORSER TRUSTEE 1 TRUSTEE Changing Endorser to Trustee
NYM EDIT role ENDORSER STEWARD 1 TRUSTEE Changing Endorser to Steward
NYM EDIT role ENDORSER NETWORK_MONITOR 1 TRUSTEE Changing Endorser to Network Monitor
NYM EDIT role ENDORSER <None> 1 TRUSTEE Demoting a Endorser
NYM EDIT role NETWORK_MONITOR TRUSTEE 1 TRUSTEE Changing Network Monitor to Trustee
NYM EDIT role NETWORK_MONITOR STEWARD 1 TRUSTEE Changing Network Monitor to Steward
NYM EDIT role NETWORK_MONITOR ENDORSER 1 TRUSTEE OR 1 STEWARD Changing Network Monitor to Endorser
NYM EDIT role NETWORK_MONITOR <None> 1 TRUSTEE OR 1 STEWARD Demoting a Network Monitor
NYM EDIT role <None> TRUSTEE 1 TRUSTEE Promoting Identity Owner to Trustee
NYM EDIT role <None> STEWARD 1 TRUSTEE Promoting Identity Owner to Steward
NYM EDIT role <None> ENDORSER 1 TRUSTEE OR 1 STEWARD Promoting Identity Owner to Endorser
NYM EDIT role <None> NETWORK_MONITOR 1 TRUSTEE OR 1 STEWARD Promoting Identity Owner to Network Monitor
NYM EDIT verkey * * 1 any (*) role owner Rotation the key or assigning a key to a DID under guardianship
ATTRIB ADD * * * 1 any (*) role owner of the corresponding NYM Adding a new ATTRIB for the NYM
ATTRIB EDIT * * * 1 any (*) role owner of the corresponding NYM Editing an ATTRIB for the NYM
SCHEMA ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new Schema
SCHEMA EDIT * * * No one can edit existing Schema Editing a Schema
SET_CONTEXT ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new Context
SET_CONTEXT EDIT * * * No one can edit existing Context Editing a Context
SET_RICH_SCHEMA ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new Rich Schema
SET_RICH_SCHEMA EDIT * * * No one can edit existing Context Editing a Rich Schema
CLAIM_DEF ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new CLAIM_DEF
CLAIM_DEF EDIT * * * 1 owner TRUSTEE OR 1 owner STEWARD OR 1 owner ENDORSER Editing a CLAIM_DEF: INDY-2078 - can not be configured by auth rule; ADD CLAIM_DEF rule is currently used for editing where owner is always true as it's part of the primary key
REVOC_REG_DEF ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER Adding a new REVOC_REG_DEF
REVOC_REG_DEF EDIT * * * 1 any (*) role owner Editing a REVOC_REG_DEF
REVOC_REG_ENTRY ADD * * * 1 any (*) role owner of the corresponding REVOC_REG_DEF Adding a new REVOC_REG_ENTRY
REVOC_REG_ENTRY EDIT * * * 1 any (*) role owner Editing a REVOC_REG_ENTRY
NODE ADD services * ['VALIDATOR'] 1 STEWARD (if it doesn't own NODE transaction yet) Adding a new node to the pool in the active (Validator) state
NODE ADD services * [] 1 STEWARD if it doesn't own NODE transaction yet Adding a new node to the pool in inactive state
NODE EDIT services ['VALIDATOR'] [] 1 TRUSTEE OR 1 owner STEWARD Demoting a node
NODE EDIT services [] ['VALIDATOR'] 1 TRUSTEE or 1 owner STEWARD Promoting a node
NODE EDIT node_ip * * 1 owner STEWARD Changing Node's ip address
NODE EDIT node_port * * 1 owner STEWARD Changing Node's port
NODE EDIT client_ip * * 1 owner STEWARD Changing Client's ip address
NODE EDIT client_port * * 1 owner STEWARD Changing Client's port
NODE EDIT blskey * * 1 owner STEWARD Changing Node's blskey
POOL_UPGRADE ADD action * start 1 TRUSTEE Starting upgrade procedure
POOL_UPGRADE EDIT action start cancel 1 TRUSTEE Canceling upgrade procedure
POOL_RESTART ADD action * * 1 TRUSTEE Restarting the whole pool
POOL_CONFIG EDIT action * * 1 TRUSTEE Changing Pool config (for example, putting the pool into read only state)
AUTH_RULE EDIT * * * 1 TRUSTEE Changing an authentification rule
AUTH_RULES EDIT * * * 1 TRUSTEE Changing a number of authentification rules
TRANSACTION_AUTHOR_AGREEMENT ADD * * * 1 TRUSTEE Adding a new Transaction Author Agreement
TRANSACTION_AUTHOR_AGREEMENT_AML ADD * * * 1 TRUSTEE Adding a new Transaction Author Agreement Mechanism List
VALIDATOR_INFO ADD * * * 1 TRUSTEE OR 1 STEWARD OR 1 NETWORK_MONITOR Getting validator_info from pool
LEDGERS_FREEZE EDIT * * * 3 TRUSTEE Freeze specific ledgers

Who Is Owner

Transaction Type Action Who is Owner
NYM ADD N/A
NYM EDIT The DID defined by the NYM txn (`dest` field) if `verkey` is set; otherwise the submitter of the NYM txn (`identifier` field)
ATTRIB ADD The owner of the DID (`dest` field) the ATTRIB is created for (see NYM's owner description)
ATTRIB EDIT The owner of the DID (`dest` field) the ATTRIB is created for (see NYM's owner description)
SCHEMA ADD N/A
SCHEMA EDIT The DID used to create the SCHEMA
SET_CONTEXT ADD N/A
SET_CONTEXT EDIT The DID used to create the CONTEXT
SET_RICH_SCHEMA ADD N/A
SET_RICH_SCHEMA EDIT The DID used to create the RICH_SCHEMA
CLAIM_DEF ADD N/A
CLAIM_DEF EDIT The DID used to create the CLAIM_DEF
REVOC_REG_DEF ADD N/A
REVOC_REG_DEF EDIT The DID used to create the REVOC_REG_DEF
REVOC_REG_ENTRY ADD The DID used to create the corresponding REVOC_REG_DEF
REVOC_REG_ENTRY EDIT The DID used to create the REVOC_REG_ENTRY
NODE ADD N/A
NODE EDIT The Steward's DID used to create the NODE
POOL_UPGRADE ADD N/A
POOL_UPGRADE EDIT N/A
POOL_RESTART ADD N/A
POOL_RESTART EDIT N/A
POOL_CONFIG ADD N/A
POOL_CONFIG EDIT N/A
GET_VALIDATOR_INFO ADD N/A
GET_VALIDATOR_INFO EDIT N/A
AUTH_RULE ADD N/A
AUTH_RULE EDIT N/A
TRANSACTION_AUTHOR_AGREEMENT ADD N/A
TRANSACTION_AUTHOR_AGREEMENT_AML ADD N/A
LEDGERS_FREEZE EDIT N/A

Endorser using

  • Endorser is required only when the transaction is endorsed, that is signed by someone else besides the author.
  • If transaction is endorsed, Endorser must sign the transaction.
  • If author of txn has role ENDORSER, then no multi-sig is required, since he's already signed the txn.
  • Endorser is required for unprivileged roles only.
  • Unprivileged users cannot submit any transaction (including administrative transactions like pool upgrade or restart) without a signature from a DID with the endorser role that is specified in the endorser field.