
How to set up access rules based on circles


Circles simplify the management of access rules. Instead of listing individual signer handles or public keys, which is hard to maintain when the server has many signers, a rule can refer to a circle. The ledger lets you secure access based on the circles of the request participants: the JWT signer and the record signers.

See How to assign a signer to a circle.

The following are examples of access rules that grant permissions to circles.

The examples below show only some of the ways access rules can be applied. See About Authorization for a full overview of access constraints.

Granting access to circles for mutating records by Ledger SDK

Granting access to all the signers from circle admin to create any record in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'create',
            record: 'any',
            signer: {
                $circle: 'admin' 
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle admin and/or owner to create any record in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'create',
            record: 'any',
            signer: {
                $circle: {
                    $in: ['admin', 'owner']
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle owner to update wallets in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'update',
            record: 'wallet',
            signer: {
                $circle: 'owner' 
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to create any record when the record is signed by a signer from circle admin and the JWT is signed by a signer from circle oauth0-signers:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'create',
            record: 'any',
            bearer: {
                $signer: {
                    $circle: 'oauth0-signers'
                }
            },
            signer: {
                $circle: 'admin' 
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle owner to update a symbol:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.symbol.init()
    .data({
        handle: 'test-ledger',
        factor: 100,
        access: [{
            action: 'update',
            signer: {
                $circle: 'owner' 
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle admin and/or owner to update a symbol:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.symbol.init()
    .data({
        handle: 'test-ledger',
        factor: 100,
        access: [{
            action: 'update',
            signer: {
                $circle: {
                    $in: ['admin', 'owner'] 
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to circles to read records by Ledger SDK

Granting access to all the signers from circle admin to read any record in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'read',
            record: 'any',
            bearer: {
                $signer: {
                    $circle: 'admin' 
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle owner to read wallets in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'read',
            record: 'wallet',
            bearer: {
                $signer: {
                    $circle: 'owner' 
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle admin and/or owner to read any record in the ledger:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.ledger.init()
    .data({
        handle: 'test-ledger',
        signer: 'ledger-signer',
        access: [{
            action: 'read',
            record: 'any',
            bearer: {
                $signer: {
                    $circle: {
                        $in: ['admin', 'owner']
                    }
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circle owner to read a single symbol:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.symbol.init()
    .data({
        handle: 'test-ledger',
        factor: 100,
        access: [{
            action: 'read',
            bearer: {
                $signer: {
                    $circle: 'owner' 
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()

Granting access to all the signers from circles admin and/or owner to read a single symbol:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
    server: '<your ledger URL>',
    signer: {
        format: 'ed25519-raw',
        public: '<your ledger public key>'
    }
})
 
const { ledger } = await sdk.symbol.init()
    .data({
        handle: 'test-ledger',
        factor: 100,
        access: [{
            action: 'read',
            bearer: {
                $signer: {
                    $circle: {
                        $in: ['admin', 'owner']
                    }
                }
            }
        }]
    })
    .hash()
    .sign([{ keyPair: yourKeyPair }])
    .send()
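
To reason about a rule set before sending it to the ledger, the following added example (not part of the original page and not the ledger's own authorization code) models how the rule shapes above combine: `signer` constrains the record signatures, `bearer.$signer` constrains the JWT signer, and a rule with both requires both. Default deny, the request shape and the function names are assumptions made for illustration.

```javascript
// Simplified local model of circle-based access rules (added example).
// Assumptions: default deny, any matching rule grants, and a request shape of
// { action, record, signerCircles, bearerCircles } (hypothetical names).

// selector is a rule's `signer` or `bearer.$signer` object.
function partyMatches(selector, circles) {
  if (selector === undefined) return true          // rule does not constrain this party
  const c = selector.$circle
  const wanted = typeof c === 'string' ? [c] : c && c.$in
  if (!Array.isArray(wanted)) return false         // selector this model cannot read: fail closed
  return wanted.some((name) => circles.includes(name))
}

function ruleAllows(rule, req) {
  if (rule.action !== req.action) return false
  // Symbol-level rules on the page omit `record`; 'any' matches every record type.
  if (rule.record !== undefined && rule.record !== 'any' && rule.record !== req.record) return false
  const bearer = rule.bearer === undefined ? undefined : rule.bearer.$signer || {}
  // Both parties must match: record signatures AND the JWT signer.
  return partyMatches(rule.signer, req.signerCircles) &&
         partyMatches(bearer, req.bearerCircles)
}

function isAllowed(access, req) {
  return access.some((rule) => ruleAllows(rule, req))
}

// Constructed policy built from rule shapes shown on this page.
const access = [
  { action: 'create', record: 'any',
    bearer: { $signer: { $circle: 'oauth0-signers' } },
    signer: { $circle: 'admin' } },
  { action: 'read', record: 'wallet',
    bearer: { $signer: { $circle: { $in: ['admin', 'owner'] } } } },
]

// Constructed requests: circles of the record signers and of the JWT signer.
const requests = [
  { action: 'create', record: 'wallet', signerCircles: ['admin'], bearerCircles: ['oauth0-signers'] },
  { action: 'create', record: 'wallet', signerCircles: ['admin'], bearerCircles: [] },
  { action: 'read', record: 'wallet', signerCircles: [], bearerCircles: ['owner'] },
  { action: 'read', record: 'symbol', signerCircles: [], bearerCircles: ['owner'] },
  { action: 'update', record: 'wallet', signerCircles: ['admin'], bearerCircles: ['admin'] },
]

for (const req of requests) {
  console.log(req.action, req.record, isAllowed(access, req) ? 'allow' : 'deny')
}
```

The second request is the case worth checking in any real policy: a record correctly signed by an admin key is still denied because the token was not issued by a signer in oauth0-signers.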
