
Workshop Recap: Setting Up Access Control for Smart Contracts

The workshop was recorded on the 8th April 2021 and led by Fran Giordano – Software Engineer at OpenZeppelin.

The workshop covers the following:

  • Intro to user roles
  • Who can grant and revoke roles
  • Configuration options for admins
  • The need for granular access control

You can watch the video, view the slides, and try out AccessControl using the Contracts Wizard.

Why Access Control?

Access control—that is, “who is allowed to do this thing”—is incredibly important in the world of smart contracts. The access control of your contract may govern who can mint tokens, vote on proposals, freeze transfers, and many other things. It is therefore critical to understand how you implement it, lest someone else steal your whole system.

While the simplicity of ownership can be useful for simple systems or quick prototyping, different levels of authorization are often needed. You may want an account to have permission to ban users from a system, but not create new tokens. Role-Based Access Control (RBAC) offers flexibility in this regard.

OpenZeppelin Contracts provides AccessControl for implementing role-based access control. Its usage is straightforward: for each role that you want to define, you will create a new role identifier that is used to grant, revoke, and check if an account has that role.

By default, accounts with a role cannot grant or revoke that role for other accounts. Every role has an associated admin role that can grant or revoke it. Multiple roles may share the same admin role to make management easier. A role’s admin can even be the role itself, in which case accounts holding that role can also grant and revoke it. This mechanism can be used to create complex permissioning structures resembling organizational charts, but it also provides an easy way to manage simpler applications.
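The following contract is an added example, not code from the workshop or from the OpenZeppelin Contracts library itself. It assumes OpenZeppelin Contracts 4.x (the `_setupRole`, `_setRoleAdmin`, `hasRole` and `onlyRole` members of AccessControl, with `onlyRole` available from 4.1 onward); the contract name, token name and the three role names are constructed for illustration. It shows the two ideas above in one place: a role identifier is created for each role and used to grant, revoke and check, and each role's admin is either the default admin role or a role you choose.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Example token with three roles (names constructed for this example).
// A role identifier is simply a bytes32 value; by convention it is the
// keccak256 hash of the role's name.
contract RoleDemoToken is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");
    // A dedicated admin role whose only job is to manage BURNER_ROLE.
    bytes32 public constant BURNER_ADMIN_ROLE = keccak256("BURNER_ADMIN_ROLE");

    constructor(address minter, address burnerAdmin) ERC20("RoleDemo", "RDT") {
        // DEFAULT_ADMIN_ROLE (bytes32(0)) is the admin of every role unless
        // _setRoleAdmin changes it, and it is its own admin, so the deployer can
        // grant or revoke MINTER_ROLE, BURNER_ADMIN_ROLE and DEFAULT_ADMIN_ROLE.
        _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _setupRole(MINTER_ROLE, minter);

        // Make BURNER_ADMIN_ROLE the admin of BURNER_ROLE. After this call only
        // holders of BURNER_ADMIN_ROLE can grant or revoke BURNER_ROLE; the
        // deployer's DEFAULT_ADMIN_ROLE no longer suffices for that role.
        _setRoleAdmin(BURNER_ROLE, BURNER_ADMIN_ROLE);
        _setupRole(BURNER_ADMIN_ROLE, burnerAdmin);
    }

    // Explicit check: hasRole plus require, with a custom revert message.
    function mint(address to, uint256 amount) external {
        require(hasRole(MINTER_ROLE, msg.sender), "RoleDemoToken: caller is not a minter");
        _mint(to, amount);
    }

    // Modifier form: onlyRole reverts with AccessControl's standard message
    // if msg.sender does not hold BURNER_ROLE.
    function burn(address from, uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(from, amount);
    }
}
```

Once deployed, `getRoleAdmin(BURNER_ROLE)` returns `BURNER_ADMIN_ROLE`, so a `grantRole(BURNER_ROLE, someAccount)` call from `burnerAdmin` succeeds while the same call from the deployer reverts, even though the deployer holds `DEFAULT_ADMIN_ROLE`. `MINTER_ROLE` keeps the default admin, so the deployer can still grant and revoke it. The deployer can also grant `DEFAULT_ADMIN_ROLE` to a second account because that role is its own admin, which is the "a role's admin can be the role itself" case from the paragraph above.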

Video

Slides

https://github.com/OpenZeppelin/workshops/blob/master/04-roles/slides.pdf

Try out AccessControl

We can use the OpenZeppelin Contracts Wizard to experiment with using AccessControl for features such as minting and pausing.

https://zpl.in/wizard

Learn more

Learn more about OpenZeppelin Contracts: openzeppelin.com/contracts

See the documentation: docs.openzeppelin.com/contracts