...by Daniel Szego
"Simplicity is the ultimate sophistication."
Leonardo da Vinci

Monday, January 9, 2017

Creating groups and permissions on the Ethereum Blockchain for a SmartContract

We briefly covered in the last blog how to create permissions for accessing information on the Ethereum Blockchain. Let we extend the model for administrating the access rights not on the individual user (address) basis, but with the help of groups and group membership. We are presenting only a simply version as a prototype; certainly more complex solutions can be built as well. 

As usual, let we create a smart contract, some state variables to access, some elementary access level presented by an enum and two mappings: groupAtomicRoleMapping for mapping an atomic role for a group, and groupsForMembers for mapping list of members for a group name. A constructor is also presented that creates the first Administrators group with an Admin atomic access level and puts the current user into the group. 

Secondly let we create four modifiers to check if the the account calling a function in a group having Read, Write or Admin atomic access. Additionally one modifier checks if the account is the owner of the Smart Contract. 

As a next step some functions are implemented to access to the data of the smart contract and setting access to groups or adding users to group. All functions are modified based on the right modifiers. 

Last but not least, a help function is implemented for string comparison and a destructor as well. 

First testing of the contract can be done in the browser version of solidity. As an example after creating the contract with Create (default zero constructor) we get exception for services that require Admin access. (Please note that in this example there is a type error for the AccessWithGroups constructor. In this way we make tests with or without executing the functionality in the constructor).

After calling the constructor AccesWithGroups constructor explicitly, the administrator group is created set with Admin access and the current account is put into the group. As a consequence we have access for functions like setGroupAccess

Certainly real life examples would require more considerations, like implementing functionality for adding or deleting groups, having the possibility for a group to have more than one atomic access level or just implementing error checking into the existing functions.