Access control definition

It's possible, optionally, to define an access control list (ACL) to set the permissions of the business network. The rules in the ACL can determine which user (roles) are permitted to create, read, update, or delete the business network domain model elements. There are two types of ACL rules: simple and conditional.

Simple ACL rules are used to control the resources that participants can access, for example:

rule ExampleSimpleRule {
    description: "Example Description of Simple Rule"
    participant: "org.example.SampleParticipant"
    operation: ALL
    resource: "org.example.SampleAsset"
    action: ALLOW
}

The preceding simple rule, shows that the participant SampleParticipant can perform all operations on the resources of the org.example.SampleAsset asset.

Conditional rules can specify the rules to apply depending on variable conditions. If the transaction is defined in ACL rules, when a participant submits a transaction, the ACL rule applies and only allows the participant to access the resources defined by the conditions:

rule ExampleConditionalRuleWithTransaction {
    description: "Description of the Condition Rule With Transaction"
    participant(u): "org.example.SampleParticipant"
    operation: READ, CREATE, UPDATE
    resource(m): "org.example.SampleAsset"
    transaction(tx): "org.example.TransactionExample"
    condition: (m.owner.getIdentifier() == u.getIdentifier())
    action: ALLOW
}

The preceding example shows that a participant user can perform all operations on the resource of the org.example.SampleAsset asset if the participant is the owner of the asset and he submitted a transaction called org.example.TransactionExample to perform the operation.

In our case, for the sake of simplicity, we opened the permissions for all participants, but, in a real-world project, you should define a detailed ACL rule to limit participant access to the resources and transactions:

/**
  * Access control rules for lc-network
  */
 rule Default {
     description: "Allow all participants access to all resources"
     participant: "ANY"
     operation: ALL
     resource: "org.example.lc.*"
     action: ALLOW
 }

 rule SystemACL {
   description: "System ACL to permit all access"
   participant: "ANY"
   operation: ALL
   resource: "org.hyperledger.composer.system.**"
   action: ALLOW
 }

We just developed a minimalistic Hyperledger Composer business network model, Chaincode, and permissions ACL.

As you now have an idea about how we can model a business network, let's extend this model to implement our letter of credit use case. We first need to keep the same ACL file and you can also optionally clean up the other files (logic.js and model.cto)

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset