Workshop Recap: Setting Up Access Control for Smart Contracts

OpenZeppelin | April 22, 2021

Products

The workshop was recorded on the 8th April 2021 and led by Fran Giordano – Software Engineer at OpenZeppelin.

The workshop covers the following:

Intro to user roles
Who can grant and revoke roles
Configuration options for admins
The need for granular access control

You can watch the video, view the slides, try out AccessControl using the Contracts Wizard.

Why Access Control?

Access control—that is, “who is allowed to do this thing”—is incredibly important in the world of smart contracts. The access control of your contract may govern who can mint tokens, vote on proposals, freeze transfers, and many other things. It is therefore critical to understand how you implement it, lest someone else steals your whole system.

While the simplicity of ownership can be useful for simple systems or quick prototyping, different levels of authorization are often needed. You may want an account to have permission to ban users from a system, but not create new tokens. Role-Based Access Control (RBAC) offers flexibility in this regard.

OpenZeppelin Contracts provides AccessControl for implementing role-based access control. Its usage is straightforward: for each role that you want to define, you will create a new role identifier that is used to grant, revoke, and check if an account has that role.

By default, accounts with a role cannot grant or revoke the role from other accounts. Every role has an associated admin role, that can grant or revoke the role. Multiple roles may have the same admin role to make management easier. A role’s admin can even be the same role itself, which would cause accounts with that role to be able to also grant and revoke it. This mechanism can be used to create complex permissioning structures resembling organizational charts, but it also provides an easy way to manage simpler applications.