Default AUTH_MAP Rules
Transaction type | Action | Field | Previous value | New value | Who can | Description |
---|---|---|---|---|---|---|
NYM | ADD | role | * | TRUSTEE | 1 TRUSTEE | Adding a new TRUSTEE |
NYM | ADD | role | * | STEWARD | 1 TRUSTEE | Adding a new STEWARD |
NYM | ADD | role | * | ENDORSER | 1 TRUSTEE OR 1 STEWARD | Adding a new ENDORSER |
NYM | ADD | role | * | NETWORK_MONITOR | 1 TRUSTEE OR 1 STEWARD | Adding a new NETWORK_MONITOR |
NYM | ADD | role | * | <None> | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new Identity Owner |
NYM | EDIT | role | TRUSTEE | STEWARD | 1 TRUSTEE | Changing Trustee to Steward |
NYM | EDIT | role | TRUSTEE | ENDORSER | 1 TRUSTEE | Changing Trustee to Endorser |
NYM | EDIT | role | TRUSTEE | NETWORK_MONITOR | 1 TRUSTEE | Changing Trustee to Network Monitor |
NYM | EDIT | role | TRUSTEE | <None> | 1 TRUSTEE | Demoting a Trustee |
NYM | EDIT | role | STEWARD | TRUSTEE | 1 TRUSTEE | Changing Steward to Trustee |
NYM | EDIT | role | STEWARD | ENDORSER | 1 TRUSTEE | Changing Steward to Endorser |
NYM | EDIT | role | STEWARD | NETWORK_MONITOR | 1 TRUSTEE | Changing Steward to Network Monitor |
NYM | EDIT | role | STEWARD | <None> | 1 TRUSTEE | Demoting a Steward |
NYM | EDIT | role | ENDORSER | TRUSTEE | 1 TRUSTEE | Changing Endorser to Trustee |
NYM | EDIT | role | ENDORSER | STEWARD | 1 TRUSTEE | Changing Endorser to Steward |
NYM | EDIT | role | ENDORSER | NETWORK_MONITOR | 1 TRUSTEE | Changing Endorser to Network Monitor |
NYM | EDIT | role | ENDORSER | <None> | 1 TRUSTEE | Demoting an Endorser |
NYM | EDIT | role | NETWORK_MONITOR | TRUSTEE | 1 TRUSTEE | Changing Network Monitor to Trustee |
NYM | EDIT | role | NETWORK_MONITOR | STEWARD | 1 TRUSTEE | Changing Network Monitor to Steward |
NYM | EDIT | role | NETWORK_MONITOR | ENDORSER | 1 TRUSTEE OR 1 STEWARD | Changing Network Monitor to Endorser |
NYM | EDIT | role | NETWORK_MONITOR | <None> | 1 TRUSTEE OR 1 STEWARD | Demoting a Network Monitor |
NYM | EDIT | role | <None> | TRUSTEE | 1 TRUSTEE | Promoting Identity Owner to Trustee |
NYM | EDIT | role | <None> | STEWARD | 1 TRUSTEE | Promoting Identity Owner to Steward |
NYM | EDIT | role | <None> | ENDORSER | 1 TRUSTEE OR 1 STEWARD | Promoting Identity Owner to Endorser |
NYM | EDIT | role | <None> | NETWORK_MONITOR | 1 TRUSTEE OR 1 STEWARD | Promoting Identity Owner to Network Monitor |
NYM | EDIT | verkey | * | * | 1 any (*) role owner | Rotating the key or assigning a key to a DID under guardianship |
ATTRIB | ADD | * | * | * | 1 any (*) role owner of the corresponding NYM | Adding a new ATTRIB for the NYM |
ATTRIB | EDIT | * | * | * | 1 any (*) role owner of the corresponding NYM | Editing an ATTRIB for the NYM |
SCHEMA | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new Schema |
SCHEMA | EDIT | * | * | * | No one can edit existing Schema | Editing a Schema |
SET_CONTEXT | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new Context |
SET_CONTEXT | EDIT | * | * | * | No one can edit existing Context | Editing a Context |
SET_RICH_SCHEMA | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new Rich Schema |
SET_RICH_SCHEMA | EDIT | * | * | * | No one can edit existing Context | Editing a Rich Schema |
CLAIM_DEF | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new CLAIM_DEF |
CLAIM_DEF | EDIT | * | * | * | 1 owner TRUSTEE OR 1 owner STEWARD OR 1 owner ENDORSER | Editing a CLAIM_DEF: INDY-2078 - cannot be configured by auth rule; ADD CLAIM_DEF rule is currently used for editing where owner is always true as it's part of the primary key |
REVOC_REG_DEF | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 ENDORSER | Adding a new REVOC_REG_DEF |
REVOC_REG_DEF | EDIT | * | * | * | 1 any (*) role owner | Editing a REVOC_REG_DEF |
REVOC_REG_ENTRY | ADD | * | * | * | 1 any (*) role owner of the corresponding REVOC_REG_DEF | Adding a new REVOC_REG_ENTRY |
REVOC_REG_ENTRY | EDIT | * | * | * | 1 any (*) role owner | Editing a REVOC_REG_ENTRY |
NODE | ADD | services | * | ['VALIDATOR'] | 1 STEWARD (if it doesn't own NODE transaction yet) | Adding a new node to the pool in the active (Validator) state |
NODE | ADD | services | * | [] | 1 STEWARD if it doesn't own NODE transaction yet | Adding a new node to the pool in inactive state |
NODE | EDIT | services | ['VALIDATOR'] | [] | 1 TRUSTEE OR 1 owner STEWARD | Demoting a node |
NODE | EDIT | services | [] | ['VALIDATOR'] | 1 TRUSTEE OR 1 owner STEWARD | Promoting a node |
NODE | EDIT | node_ip | * | * | 1 owner STEWARD | Changing Node's IP address |
NODE | EDIT | node_port | * | * | 1 owner STEWARD | Changing Node's port |
NODE | EDIT | client_ip | * | * | 1 owner STEWARD | Changing Client's IP address |
NODE | EDIT | client_port | * | * | 1 owner STEWARD | Changing Client's port |
NODE | EDIT | blskey | * | * | 1 owner STEWARD | Changing Node's blskey |
POOL_UPGRADE | ADD | action | * | start | 1 TRUSTEE | Starting upgrade procedure |
POOL_UPGRADE | EDIT | action | start | cancel | 1 TRUSTEE | Canceling upgrade procedure |
POOL_RESTART | ADD | action | * | * | 1 TRUSTEE | Restarting the whole pool |
POOL_CONFIG | EDIT | action | * | * | 1 TRUSTEE | Changing Pool config (for example, putting the pool into read only state) |
AUTH_RULE | EDIT | * | * | * | 1 TRUSTEE | Changing an authentication rule |
AUTH_RULES | EDIT | * | * | * | 1 TRUSTEE | Changing a number of authentication rules |
TRANSACTION_AUTHOR_AGREEMENT | ADD | * | * | * | 1 TRUSTEE | Adding a new Transaction Author Agreement |
TRANSACTION_AUTHOR_AGREEMENT_AML | ADD | * | * | * | 1 TRUSTEE | Adding a new Transaction Author Agreement Mechanism List |
VALIDATOR_INFO | ADD | * | * | * | 1 TRUSTEE OR 1 STEWARD OR 1 NETWORK_MONITOR | Getting validator_info from pool |
LEDGERS_FREEZE | EDIT | * | * | * | 3 TRUSTEE | Freeze specific ledgers |

Who Is Owner
Transaction Type | Action | Who is Owner |
---|---|---|
NYM | ADD | N/A |
NYM | EDIT | The DID defined by the NYM txn (`dest` field) if `verkey` is set; otherwise the submitter of the NYM txn (`identifier` field) |
ATTRIB | ADD | The owner of the DID (`dest` field) the ATTRIB is created for (see NYM's owner description) |
ATTRIB | EDIT | The owner of the DID (`dest` field) the ATTRIB is created for (see NYM's owner description) |
SCHEMA | ADD | N/A |
SCHEMA | EDIT | The DID used to create the SCHEMA |
SET_CONTEXT | ADD | N/A |
SET_CONTEXT | EDIT | The DID used to create the CONTEXT |
SET_RICH_SCHEMA | ADD | N/A |
SET_RICH_SCHEMA | EDIT | The DID used to create the RICH_SCHEMA |
CLAIM_DEF | ADD | N/A |
CLAIM_DEF | EDIT | The DID used to create the CLAIM_DEF |
REVOC_REG_DEF | ADD | N/A |
REVOC_REG_DEF | EDIT | The DID used to create the REVOC_REG_DEF |
REVOC_REG_ENTRY | ADD | The DID used to create the corresponding REVOC_REG_DEF |
REVOC_REG_ENTRY | EDIT | The DID used to create the REVOC_REG_ENTRY |
NODE | ADD | N/A |
NODE | EDIT | The Steward's DID used to create the NODE |
POOL_UPGRADE | ADD | N/A |
POOL_UPGRADE | EDIT | N/A |
POOL_RESTART | ADD | N/A |
POOL_RESTART | EDIT | N/A |
POOL_CONFIG | ADD | N/A |
POOL_CONFIG | EDIT | N/A |
GET_VALIDATOR_INFO | ADD | N/A |
GET_VALIDATOR_INFO | EDIT | N/A |
AUTH_RULE | ADD | N/A |
AUTH_RULE | EDIT | N/A |
TRANSACTION_AUTHOR_AGREEMENT | ADD | N/A |
TRANSACTION_AUTHOR_AGREEMENT_AML | ADD | N/A |
LEDGERS_FREEZE | EDIT | N/A |
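
The two tables combine as follows: a request is matched against a rule by transaction type, action, field, previous value and new value (with `*` as a wildcard), and the rule's "Who can" column is then checked against the signers and, where it says "owner", against the owner from the table above. The sketch below is an added example, not indy-node's own code; the tuple layout, function names and DIDs are assumptions made for illustration, and only a few rows of the default map are included.

```python
# Constructed subset of the default rules above (illustrative layout, not indy-node's).
# Key: (txn_type, action, field, previous_value, new_value); "*" is a wildcard,
# None stands for <None>. Value: OR-ed alternatives (role, signatures, must_be_owner).
RULES = {
    ("NYM", "ADD", "role", "*", "ENDORSER"): [("TRUSTEE", 1, False), ("STEWARD", 1, False)],
    ("NYM", "EDIT", "role", "STEWARD", None): [("TRUSTEE", 1, False)],
    ("NYM", "EDIT", "verkey", "*", "*"): [("*", 1, True)],
    ("NODE", "EDIT", "services", "['VALIDATOR']", "[]"): [("TRUSTEE", 1, False),
                                                          ("STEWARD", 1, True)],
    ("SCHEMA", "EDIT", "*", "*", "*"): [],  # "No one can edit existing Schema"
    ("LEDGERS_FREEZE", "EDIT", "*", "*", "*"): [("TRUSTEE", 3, False)],
}

def find_rule(txn_type, action, field, old, new):
    """Return the alternatives of the first rule whose key matches, else None."""
    request = (txn_type, action, field, old, new)
    for key, alternatives in RULES.items():
        if all(k == "*" or k == r for k, r in zip(key, request)):
            return alternatives
    return None

def nym_owner(nym):
    """NYM EDIT owner: `dest` if `verkey` is set, otherwise the submitter (`identifier`)."""
    return nym["dest"] if nym.get("verkey") else nym["identifier"]

def is_authorized(request, signers, owner=None):
    """signers maps each DID with a valid signature on the request to its role."""
    alternatives = find_rule(*request)
    if not alternatives:
        return False  # no matching rule, or a rule nobody can satisfy
    for role, count, must_be_owner in alternatives:
        matching = [did for did, signer_role in signers.items()
                    if (role == "*" or signer_role == role)
                    and (not must_be_owner or did == owner)]
        if len(matching) >= count:
            return True
    return False
```

Denying by default when no rule matches keeps an unlisted transaction type or field from being treated as unrestricted.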
Endorser usage
Endorser is required only when the transaction is endorsed, that is, signed by someone else besides the author.
If a transaction is endorsed, the Endorser must sign the transaction.
If the author of the txn has the role `ENDORSER`, then no multi-sig is required, since the author has already signed the txn.
Endorser is required for unprivileged roles only.
Unprivileged users cannot submit any transaction (including administrative transactions like pool upgrade or restart) without a signature from a DID with the endorser role that is specified in the endorser field.