HomeForumWebsite
GitHub Icon
API Reference

AccessControl

AnthropicOpen in Claude

This page provides the full AccessControl module API.

Roles are referred to by their Bytes<32> identifier. These should be exposed in the top-level contract and be unique. The best way to achieve this is by using export sealed ledger hash digests that are initialized in the top-level contract:

import CompactStandardLibrary;
import "AccessControl" prefix AccessControl_;

export sealed ledger MY_ROLE: Bytes<32>;

constructor()
  MY_ROLE = persistentHash<Bytes<32>>(pad(32, "MY_ROLE"));

To restrict access to a circuit, use assertOnlyRole:

circuit foo(): []
  assertOnlyRole(MY_ROLE);
  ...

Roles can be granted and revoked dynamically via the grantRole and revokeRole functions. Each role has an associated admin role, and only accounts that have a role’s admin role can call grantRole and revokeRole.

By default, the admin role for all roles is DEFAULT_ADMIN_ROLE, which means that only accounts with this role will be able to grant or revoke other roles. More complex role relationships can be created by using _setRoleAdmin. To set a custom DEFAULT_ADMIN_ROLE, implement the Initializable module and set DEFAULT_ADMIN_ROLE in the initialize() function.

The DEFAULT_ADMIN_ROLE is also its own admin: it has permission to grant and revoke this role. Extra precautions should be taken to secure accounts that have been granted it.

For an overview of the module, read the accessControl-guide.

Core

import "./node_modules/@openzeppelin-compact/access-control/src/AccessControl" prefix AccessControl_;

AccessControl

View on GitHub

Circuits

hasRole

hasRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → Boolean

Returns true if account has been granted roleId.

Constraints:

  • k=10, rows=487

assertOnlyRole

assertOnlyRole(roleId: Bytes<32>) → []

Reverts if caller is missing roleId.

Requirements:

  • The caller must have roleId.
  • The caller must not be a ContractAddress.

Constraints:

  • k=10, rows=345

_checkRole

_checkRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → []

Reverts if account is missing roleId.

Requirements:

  • account must have roleId.

Constraints:

  • k=10, rows=467

getRoleAdmin

getRoleAdmin(roleId: Bytes<32>) → Bytes<32>

Returns the admin role that controls roleId or a byte array with all zero bytes if roleId doesn’t exist. See grantRole and revokeRole.

To change a role's admin use _setRoleAdmin.

Constraints:

  • k=10, rows=207

grantRole

grantRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → []

Grants roleId to account.

Granting roles to contract addresses is currently disallowed until contract-to-contract interactions are supported in Compact.

This restriction prevents permanently disabling access to a circuit.

Requirements:

  • account must not be a ContractAddress.
  • The caller must have ``roleId`’s admin role.

Constraints:

  • k=10, rows=994

revokeRole

revokeRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → []

Revokes roleId from account.

Requirements:

  • The caller must have ``roleId`’s admin role.

Constraints:

  • k=10, rows=827

renounceRole

renounceRole(roleId: Bytes<32>, callerConfirmation: Either<ZswapCoinPublicKey, ContractAddress>) → []

Revokes roleId from the calling account.

Roles are often managed via grantRole and revokeRole: this circuit’s purpose is to provide a mechanism for accounts to lose their privileges if they are compromised (such as when a trusted device is misplaced).

We do not provide functionality for smart contracts to renounce roles because self-executing transactions are not supported on Midnight at this time. We may revisit this in future if this feature is made available in Compact.

Requirements:

  • The caller must be callerConfirmation.
  • The caller must not be a ContractAddress.

Constraints:

  • k=10, rows=640

_setRoleAdmin

_setRoleAdmin(roleId: Bytes<32>, adminRole: Bytes<32>) → []

Sets adminRole as ``roleId`’s admin role.

Constraints:

  • k=10, rows=209

_grantRole

_grantRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → Boolean

Attempts to grant roleId to account and returns a boolean indicating if roleId was granted.

Internal circuit without access restriction.

Granting roles to contract addresses is currently disallowed in this circuit until contract-to-contract interactions are supported in Compact.

This restriction prevents permanently disabling access to a circuit.

Requirements:

  • account must not be a ContractAddress.

Constraints:

  • k=10, rows=734

_unsafeGrantRole

_unsafeGrantRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → Boolean

Unsafe variant of _grantRole.

Granting roles to contract addresses is considered unsafe because contract-to-contract calls are not currently supported.

Granting a role to a smart contract may render a circuit permanently inaccessible. Once contract-to-contract calls are supported, this circuit may be deprecated.

Constraints:

  • k=10, rows=733

_revokeRole

_revokeRole(roleId: Bytes<32>, account: Either<ZswapCoinPublicKey, ContractAddress>) → Boolean

Attempts to revoke roleId from account and returns a boolean indicating if roleId was revoked.

Internal circuit without access restriction.

Constraints:

  • k=10, rows=563

On this page

CoreAccessControlhasRoleassertOnlyRole_checkRolegetRoleAdmingrantRolerevokeRolerenounceRole_setRoleAdmin_grantRole_unsafeGrantRole_revokeRole