Roles
A Role is a core element of the DRM permissions system. Roles group together a set of permissions on resources into a single object. For example:
- a Role called bank-admin that allows a user to create accounts and read data from accounts.
- a Role called support that enables users to only read account information.
Roles must be "bound" to users (public keys) using a Role Binding for them to come into effect. A Role with no binding grants nothing on its own.
Rules
A Role is made up of one or more Rules. A rule contains three parameters:
- collection - the type of resource
- verb - the action to perform on a collection
- instance - [optional] the particular instance of the collection
Collection
The collection is the type of object to which you are granting permissions. The current supported collections are:
- Accounts
- AccountSets
- AccountMetadata
- Banks
- Roles
- RoleBindings
Verb
The verb is the action that can be performed on a collection.
The following verbs are supported for all of the collection types:
- READ - Read data
- CREATE - Create data
- UPDATE - Update data
- DELETE - Delete data
The following verbs are only used for the Accounts collection:
- TRANSACT - Perform transactions (INITIATE + COMMIT).
- INITIATE - Initiate a transaction. It stays in a pending state until committed.
- COMMIT - Commit the transaction. Finalizes the transaction and releases the pending state.
Instance
Optionally, each rule can apply to only a certain part of the collection, which can be specified by:
- instance - apply to only a particular instance
- instance_keys - apply to only a particular instance key
- excluded_instance - apply to all instances of the collection except a particular instance
- excluded_instance_keys - apply to all instance keys of the collection except a particular instance key
For example, to give a user access to their account only, you create a rule on the collection Accounts with the desired verbs and the accountId of the user's account listed in instance_keys.
The format of the instance or instance_keys depends on the collection it applies to.
Collection | instance / instance_key |
---|---|
Accounts | Account_Id |
AccountMetadata | AccountMetadata_Id |
AccountSets | AccountSet_Id |
Banks | Bank_Id |
Roles | Role_Id |
RoleBindings | RoleBinding_Id |
For example, to create a role with a rule on the collection Roles that gives the subject Read, Update, and Delete capabilities on a single role instance, you would use:
--rules "rule -c roles -v Read -v Update -v Delete -i <RoleId>"
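To make the rule semantics above concrete, here is an added example (it is not the DRM SDK or the platform's own authorization code) that evaluates a request against a Role the way this page describes it: the verb must be granted by the rule, TRANSACT counts as INITIATE plus COMMIT, TRANSACT/INITIATE/COMMIT only apply to Accounts, instance_keys narrows a rule to listed instances while excluded_instance_keys opens it to everything except the listed ones, and, following the Update section further down, the last rule for a collection is the active one. The type and function names, the lowercase collection strings, and the account and bank ids are assumptions made for the example.

```typescript
// Added example, not the DRM SDK: a small evaluator for the rule semantics
// described on this page. Type and function names are assumptions.

type Verb = "Read" | "Create" | "Update" | "Delete" | "Transact" | "Initiate" | "Commit";

interface Rule {
  collection: string;              // e.g. "accounts", "banks", "roles"
  verbs: Verb[];
  instanceKeys?: string[];         // rule applies only to these instances
  excludedInstanceKeys?: string[]; // rule applies to all instances except these
}

interface Role {
  name: string;
  rules: Rule[];
}

// Verbs the page restricts to the Accounts collection.
const ACCOUNT_ONLY_VERBS: ReadonlySet<Verb> = new Set<Verb>(["Transact", "Initiate", "Commit"]);

// The page states that the last rule for a collection in the list is the
// active one, so a later rule replaces an earlier one for the same collection.
function activeRule(role: Role, collection: string): Rule | undefined {
  for (let i = role.rules.length - 1; i >= 0; i--) {
    if (role.rules[i].collection === collection) return role.rules[i];
  }
  return undefined;
}

// TRANSACT is described as INITIATE + COMMIT, so a rule granting Transact
// satisfies a request for either of the two.
function verbGranted(granted: Verb[], wanted: Verb): boolean {
  if (granted.includes(wanted)) return true;
  return (wanted === "Initiate" || wanted === "Commit") && granted.includes("Transact");
}

// instance_keys narrows the rule to the listed instances;
// excluded_instance_keys opens it to every instance except the listed ones.
function instanceCovered(rule: Rule, instance: string): boolean {
  if (rule.instanceKeys !== undefined && !rule.instanceKeys.includes(instance)) return false;
  if (rule.excludedInstanceKeys !== undefined && rule.excludedInstanceKeys.includes(instance)) return false;
  return true;
}

function isAllowed(role: Role, collection: string, verb: Verb, instance: string): boolean {
  if (ACCOUNT_ONLY_VERBS.has(verb) && collection !== "accounts") return false;
  const rule = activeRule(role, collection);
  if (rule === undefined) return false;
  return verbGranted(rule.verbs, verb) && instanceCovered(rule, instance);
}

// Models the Update behaviour described on this page: rules are appended, not merged.
function appendRules(role: Role, newRules: Rule[]): Role {
  return { name: role.name, rules: [...role.rules, ...newRules] };
}

// Constructed sample role; the account and bank ids are placeholders.
const bankAdmin: Role = {
  name: "bank-admin",
  rules: [
    { collection: "accounts", verbs: ["Read", "Transact"], instanceKeys: ["acct-1", "acct-2"] },
    { collection: "banks", verbs: ["Read"], excludedInstanceKeys: ["bank-9"] },
  ],
};

// Appending a narrower accounts rule replaces the earlier one: acct-2 and
// Transact are no longer granted afterwards.
const narrowed: Role = appendRules(bankAdmin, [
  { collection: "accounts", verbs: ["Read"], instanceKeys: ["acct-1"] },
]);

console.log("bank-admin Initiate on acct-1:", isAllowed(bankAdmin, "accounts", "Initiate", "acct-1"));
console.log("bank-admin Read on bank-9:   ", isAllowed(bankAdmin, "banks", "Read", "bank-9"));
console.log("narrowed Initiate on acct-1: ", isAllowed(narrowed, "accounts", "Initiate", "acct-1"));
```

The point of the `narrowed` case is the one that bites in practice: an update that looks like it is "adding" Read on one account actually removes Transact on every account in the earlier rule, because only the last rule per collection is consulted.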
Model
The data model for the DRM Roles is defined in rbac.proto.
API Requests
Create
To create a role on the DRM platform.
- Rust
- TypeScript
- Dart
- CLI
Update
To update a role.
When updating a role, the new rule(s) are appended to the end of the rule list. The last rule for a collection in the list is the active rule, so appending a rule for a collection that already has one replaces the earlier rule's effect rather than merging with it. After an update, get the role and check that the active rule for each collection grants only what you intended.
- Rust
- TypeScript
- Dart
- CLI
Delete
To delete a role.
- Rust
- TypeScript
- Dart
- CLI
List (Find)
To list roles or filter by role name.
- Rust
- TypeScript
- Dart
- CLI
Get
To get role details.
- Rust
- TypeScript
- Dart
- CLI
Output
The response from the get role command should be something like this:
```
(
id: "6aa51062-452b-482a-aff0-3e7df1a1aae9",
owner: "ACMKVkeIt+L5z39xk5YHujjcN7bLhnq+UIkLBlymNM4=",
name: "bank-admin",
rules: [(
collection: "accounts",
instance_keys: [00800005000000000000000000000002],
verbs: [Read, Update],
), (
collection: "banks",
instance_keys: [bc3b532d-6be0-45e1-b98c-5ddc6e8e239a],
verbs: [Read],
), (
collection: "ledger-accounts",
instance_keys: [00800005000000000000000000000002],
verbs: [Create],
)],
)
```
To submit requests over HTTP/1 instead of HTTP/2 with the SDKs, use the http option.