AccessControl API
This page provides the full AccessControl module API.
Roles are referred to by their Bytes<32> identifier.
These should be exposed in the top-level contract and be unique.
The best way to achieve this is by using export sealed ledger hash digests that are initialized in the top-level contract:
import CompactStandardLibrary;
import "./node_modules/@openzeppelin/compact-contracts/access/AccessControl"
prefix AccessControl_;
export sealed ledger MY_ROLE: Bytes<32>;
constructor() {
MY_ROLE = persistentHash<Bytes<32>>(pad(32, "MY_ROLE"));
}To restrict access to a circuit, use assertOnlyRole:
circuit foo(): [] {
AccessControl_assertOnlyRole(MY_ROLE);
}Roles can be granted and revoked dynamically via the grantRole and revokeRole circuits. Each role has an associated admin role, and only accounts that have a role's admin role can call grantRole and revokeRole.
By default, the admin role for all roles is DEFAULT_ADMIN_ROLE (zero bytes),
which means that only accounts with this role will be able to grant or revoke other roles.
More complex role relationships can be created by using _setRoleAdmin.
The DEFAULT_ADMIN_ROLE is also its own admin: it has permission to grant and revoke this role.
Extra precautions should be taken to secure accounts that have been granted it.
For an overview of the module, read the AccessControl guide.
import "./node_modules/@openzeppelin/compact-contracts/access/AccessControl";Ledger
_operatorRoles: Map<Bytes<32>, Map<Either<Bytes<32>, ContractAddress>, Boolean>>
ledger
#Mapping from a role identifier -> account -> its permissions.
_adminRoles: Map<Bytes<32>, Bytes<32>>
ledger
#Mapping from a role identifier to an admin role identifier.
Witnesses
wit_AccessControlSK() → Bytes<32>
witness
#Returns the caller's secret key used in deriving the account identifier.
The same key produces the same account identifier across all contracts. Users who desire cross-contract unlinkability should use different keys per contract.
Circuits
DEFAULT_ADMIN_ROLE() → Bytes<32>
circuit
#The default admin role for all roles. Returns zero bytes (default<Bytes<32>>).
Only accounts with this role will be able to grant or revoke other roles
unless custom admin roles are created via _setRoleAdmin.
hasRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → Boolean
circuit
#Returns true if account has been granted roleId.
_hasRole(
roleId: Bytes<32>,
account: Either<Bytes<32>, ContractAddress>
) → Booleaninternal
#Returns true if account has been granted roleId.
Internal variant that assumes account has already been canonicalized by the caller.
External consumers should use hasRole which canonicalizes the input automatically.
assertOnlyRole(roleId: Bytes<32>) → []
circuit
#Reverts if the caller cannot prove ownership of roleId.
The caller's identity is derived from the wit_AccessControlSK witness as persistentHash(secretKey).
Requirements:
- The caller must have
roleId.
_checkRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → []
circuit
#Reverts if account is missing roleId.
Requirements:
accountmust haveroleId.
getRoleAdmin(roleId: Bytes<32>) → Bytes<32>
circuit
#Returns the admin role that controls roleId or a byte array with all zero bytes if roleId doesn't exist.
See grantRole and revokeRole.
To change a role's admin use _setRoleAdmin.
grantRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → []
circuit
#Grants roleId to account.
Granting roles to contract addresses is currently disallowed until contract-to-contract interactions are supported in Compact. This restriction prevents permanently disabling access to a circuit.
Requirements:
accountmust not be a ContractAddress.- The caller must have
roleId's admin role.
revokeRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → []
circuit
#Revokes roleId from account.
Requirements:
- The caller must have
roleId's admin role.
renounceRole(
roleId: Bytes<32>,
callerConfirmation: Either<Bytes<32>, ContractAddress>
) → []circuit
#Revokes roleId from the calling account.
Roles are often managed via grantRole and revokeRole: this circuit's purpose is to provide a mechanism for accounts to lose their privileges if they are compromised (such as when a trusted device is misplaced).
The caller's identity is derived from the wit_AccessControlSK witness as
persistentHash(secretKey). The callerConfirmation parameter must match
the caller's computed account identifier to prevent accidental renunciation.
We do not provide functionality for smart contracts to renounce roles because self-executing transactions are not supported on Midnight at this time. We may revisit this in future if this feature is made available in Compact.
Requirements:
- The caller's computed account identifier must match
callerConfirmation. - The caller must not be a
ContractAddress.
_setRoleAdmin(roleId: Bytes<32>, adminRole: Bytes<32>) → []
circuit
#Sets adminRole as roleId's admin role.
_grantRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → Boolean
circuit
#Attempts to grant roleId to account and returns a boolean indicating if roleId was granted.
Internal circuit without access restriction.
Granting roles to contract addresses is currently disallowed in this circuit until contract-to-contract interactions are supported in Compact. This restriction prevents permanently disabling access to a circuit.
Requirements:
accountmust not be a ContractAddress.
_unsafeGrantRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → Boolean
circuit
#Unsafe variant of _grantRole.
Granting roles to contract addresses is considered unsafe because contract-to-contract calls are not currently supported. Granting a role to a smart contract may render a circuit permanently inaccessible. Once contract-to-contract calls are supported, this circuit may be deprecated.
_revokeRole(roleId: Bytes<32>, account: Either<Bytes<32>, ContractAddress>) → Boolean
circuit
#Attempts to revoke roleId from account and returns a boolean indicating if roleId was revoked.
Internal circuit without access restriction.
_computeAccountId() → Bytes<32>
internal
#Computes the caller's account identifier from the wit_AccessControlSK witness.
ID Derivation: accountId = persistentHash(secretKey)
The result is a 32-byte commitment that uniquely identifies the caller.
computeAccountId(secretKey: Bytes<32>) → Bytes<32>
pure
#Computes an account identifier without on-chain state, allowing a user to derive
their identity commitment before submitting it in a grant or revoke operation.
This is the off-chain counterpart to the internal _computeAccountId and produces an identical result
given the same inputs.
ID Derivation: accountId = persistentHash(secretKey)
The secretKey parameter is a sensitive secret. Mishandling it can permanently compromise the privacy guarantees of this system.
Never log or persist the key in plaintext. Use cryptographically secure randomness to generate keys.
Treat key loss as identity loss.
A lost key cannot be recovered.