The membership service

We now know that PKI gives participants verifiable identities. But how do these participants prove that they are trusted members of a participating organization on a blockchain network? Every organization manages its participants under a single MSP; an organization can, however, run multiple MSPs if it wants to manage participants from different organizational units (OUs), such as its financial and legal units. A certificate issued to a subject by a CA carries this OU information, which allows access to channels to be controlled further by OU.

The membership service manages a participant's identity and is used to validate and authenticate participants. Specific privileges on system resources (a network, a channel, and so on) are controlled in the access control list of the blockchain network. The membership service code runs on peers and orderers. It is responsible for authenticating and authorizing identities and for managing them on the HLF blockchain network. Participants in an HLF network (network components, organizations, dApps and client applications) hold identities in the form of PKI-issued certificates linked to them. This makes it possible to define access control rules for participants at the network level as well as at the channel level, where a channel is a subset of a blockchain network within which participants conduct private transactions. Together, access controls and channels address the confidentiality and privacy challenges of a blockchain network:

  • Authentication: HLF uses PKI to verify the identities of users and devices.
  • Authorization: HLF uses role-based access control (RBAC) to control access to an entity, for example an identity's read and write access to a ledger. Access by identities to a given resource is governed by RBAC: identities are assigned to roles, authorization policies are defined for resources, and rules determine which roles are authorized to do what on that resource.
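The OU-based channel access described above, as an added example that is not part of the original text or of Hyperledger Fabric's own code: a constructed, self-signed test certificate stands in for one issued by the organization's CA, the OU is read from its subject, and a channel policy is modelled as the set of OUs permitted to transact on that channel. The chain validation against the MSP's CA certificates that a real MSP performs first is assumed to have happened and is omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issueCert returns a constructed, self-signed test certificate (PEM) carrying org and OU in its subject.
func issueCert(org, ou string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// authorize reads the OUs from an identity's certificate and grants access when the
// resource policy (the set of OUs permitted on, say, a channel) lists one of them.
// A real MSP validates the certificate chain against the org's CA certs first; skipped here.
func authorize(certPEM []byte, permitted map[string]bool) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if permitted[ou] {
			return true, nil
		}
	}
	return false, nil
}
```

An identity whose certificate carries no permitted OU is denied without error, while input that is not a certificate at all is reported as an error so the caller can distinguish a policy denial from a malformed identity.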