...by Daniel Szego
Friday, July 13, 2018

Fabric composer tips and tricks - revoking CRUD right for a resource


To revoke Create, Update or Delete access for a role in Hyperledger Fabric Composer, pay attention to the following:
- The ACL file is evaluated rule by rule; the first rule that matches the participant, asset and operation is applied.
- If an ACL file exists but no rule matches, access is denied.
- So one way to do it is to give the participant general access, which applies when no deny rule matches. If you use the Hyperledger Fabric Composer online playground, you might as well give the user access to the system resources too during testing, because otherwise you cannot test your code with that identity from the playground.
- As the first rule, however, you have to explicitly deny the operations on the specific resource.

First rule:

rule UserHasNoCreateUpdateDeleteRight {
    description: "User cannot create, update or delete"
    participant: "org.model.User"
    operation: CREATE, UPDATE, DELETE
    resource: "org.bicyclesharing.model.Asset"
    action: DENY
}

Second rule:

rule UserHasAccessForAll {
    description: "User role has access for everything"
    participant: "org.model.User"
    operation: ALL
    resource: "**"
    action: ALLOW
}
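
Why the order of these two rules matters, as an added example that is not part of the original post and not Composer's own code: a simplified first-match evaluator run over the two rules in both orders. The helpers `evaluate` and `resourceMatches` and the supported resource pattern forms are assumptions made for this illustration.

```javascript
'use strict';
// Simplified model of first-match ACL evaluation; not Composer's implementation.
// evaluate() and resourceMatches() are hypothetical helpers written for this example.

// The two rules from this page, in the order the post recommends.
const denyFirst = [
  { name: 'UserHasNoCreateUpdateDeleteRight', participant: 'org.model.User',
    operation: ['CREATE', 'UPDATE', 'DELETE'],
    resource: 'org.bicyclesharing.model.Asset', action: 'DENY' },
  { name: 'UserHasAccessForAll', participant: 'org.model.User',
    operation: ['ALL'], resource: '**', action: 'ALLOW' },
];
// Same rules with the order swapped: the broad ALLOW now shadows the DENY.
const allowFirst = [denyFirst[1], denyFirst[0]];

// Assumed pattern forms: "**" (everything), "ns.**" (recursive), "ns.*" (one namespace), exact name.
function resourceMatches(pattern, fqn) {
  if (pattern === '**') return true;
  if (pattern.endsWith('.**')) return fqn.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith('.*')) {
    const ns = pattern.slice(0, -1); // keeps the trailing dot
    return fqn.startsWith(ns) && !fqn.slice(ns.length).includes('.');
  }
  return pattern === fqn;
}

// Walk the rules top to bottom; the first match decides. No match means DENY.
function evaluate(rules, participant, operation, resource) {
  for (const rule of rules) {
    const opMatches = rule.operation.includes('ALL') || rule.operation.includes(operation);
    if (rule.participant === participant && opMatches &&
        resourceMatches(rule.resource, resource)) {
      return { action: rule.action, rule: rule.name };
    }
  }
  return { action: 'DENY', rule: null };
}

const asset = 'org.bicyclesharing.model.Asset';
for (const [label, rules] of [['deny first', denyFirst], ['allow first', allowFirst]]) {
  for (const op of ['READ', 'CREATE']) {
    const r = evaluate(rules, 'org.model.User', op, asset);
    console.log(`${label}: ${op} -> ${r.action} (${r.rule})`);
  }
}
```

With the deny rule first, CREATE on the asset is refused while READ still falls through to the general allow; with the order swapped, the deny rule is never reached.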