Managing Roles and Permissions
By default, when a cluster A complete set of worker processes. Clusters require a fully functioning virtual node infrastructure. starts, the “super admin” REST user identity A login to the REST endpoint. Each login is associated with customizable permissions on the cluster and virtual nodes. is created, which has unrestricted access permissions. While this account can be used to perform any action, there is room for error if not used carefully. RBAC Role-based access control. Also known as role-based security. A permission system to restrict system access based on assigned permissions. permission templates enable you to create fine-grained roles for specific actions such as:
- A dedicated role which can create users, roles, and permissions and drive all the associations between them.
- A dedicated role with a set of all the necessary permissions to create a virtual node The combination of the context of a user and the ephemeral compute instances created to progress a transaction on that identity's behalf. (including CPI Corda Package Installer. A signed ZIP/JAR combination of a CPB and a Group Policy File that defines not only the application code that a virtual node will run, but also the details of the MGM with which to register, and the details of network PKI requirements. upload).
- A dedicated role which allows flows to run on this virtual node.
Role | Description |
|---|---|
UserAdminRole | Creates roles and permissions and controls all associations between the user roles, and permissions. This role is created at cluster bootstrap by the admin user. This role is created via a REST call enabling to have complete audit trail of the operation performed. |
VNodeCreatorRole | Sets all the necessary permissions to create a virtual node, including CPI upload and CPI update. Create this role at cluster bootstrapping time. |
CordaDeveloperRole | Enables the use of virtual node reset and virtual node status update. This role should be provisioned at cluster bootstrap time and should re-use previously created permissions for other roles. |
FlowExecutorRole | Permits the creation of a role for a given virtual node to start flows and enquire the status of the running flows once the virtual node is created. |
For information about creating these roles manually, see the Manual Bootstrapping section.
Querying Permissions via REST
To retrieve permissions matching certain query criteria, use the get_permission API call.
Checking Permissions When Starting Flows
Currently, Corda checks if a user can execute startFlow REST operations. No checks are made to whether the user can start a particular flow
Communication between participants in an application network is peer-to-peer using flows.
. These checks should be performed against the RBAC sub-system before passing the start request to a FlowWorker.
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.