RBAC Permission Templates
By default, when a cluster starts there is a single “admin” account auto-created which can do everything. While this account can be used to perform any action, there is room for error if not used carefully. RBAC permission templates enable you to create fine-grained roles for specific actions such as:
- A dedicated role which can create users, roles, and permissions and drive all the associations between them.
- A dedicated role with a set of all the necessary permissions to create a virtual node (including CPI upload).
- A dedicated role which allows flows to run on this virtual node.
Role | Description |
|---|---|
UserAdminRole | Creates roles and permissions and controls all associations between the user roles, and permissions. This role is created at cluster bootstrap by the admin user. This role is created via a REST call enabling to have complete audit trail of the operation performed. |
VNodeCreatorRole | Sets all the necessary permissions to create a virtual node, including CPI upload and CPI update. Create this role at cluster bootstrapping time. |
CordaDeveloperRole | Enables the use of virtual node reset and virtual node status update. This role should be provisioned at cluster bootstrap time and should re-use previously created permissions for other roles. |
FlowExecutorRole | Permits the creation of a role for a given virtual node to start flows and enquire the status of the running flows once the virtual node is created. |
Querying Permissions via REST
At the moment, it is only possible to retrieve a permission if its identifier is known to the caller. However, there might be cases when a new role is being set up and existing permissions need to be included.
Checking Permissions When Starting Flows
Currently, Corda checks if a user can execute startFlow REST operations. No checks are made to whether the user can start a particular flow.
These checks should be performed against the RBAC sub-system before passing the start request to a FlowWorker.
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.