0

I issued a new identity to an already existing participant using the Composer REST server and got it activated. Now in the wallet section I selected the new card to use the Composer REST server. The ACL for the participant is:

    rule SimpleRule {
      description: "Description of the ACL rule"
      participant: "org.example.auction.Buyer"
      operation: ALL
      resource: "org.example.auction.*"
      action: ALLOW
    }

When I try to query the network I get the error:

"Error trying to query business network. Error: chaincode error (status: 500, message: Error: Participant 'org.example.auction.Buyer#Buyer2' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#auction-network@0.0.1')",

user9040429

2 Answers

1

Give access to read the business network.

Add another rule to the .acl file:

    rule Rule1 {
      description: "Description of the ACL rule"
      participant: "org.example.auction.Buyer"
      operation: READ
      resource: "org.hyperledger.composer.system.*"
      action: ALLOW
    }

Update the network, restart the REST server and try again.

Sneha
  • Sneha, same question to you as well: I am able to access the network after that, and then had to give access for AddAsset. But it raises a question: why does a participant need to get access to read the system? Is it possible to just give him access to AddAsset? – user9040429 Mar 08 '18 at 19:26
0

As Sneha has indicated, you need your ACLs updated to grant access to the business network, i.e. grant access to all operations and commands in the business network, including network access and business access.

See the trade-network example for an example of a permissions ACL file. https://github.com/hyperledger/composer-sample-networks/blob/master/packages/trade-network/permissions.acl

Paul O'Mahony
  • OK, I am able to access the network after that, and then had to give access for AddAsset. But it raises a question: why does a participant need to get access to read the system? Is it possible to just give him access to AddAsset? – user9040429 Mar 08 '18 at 17:21
  • In ACL security, the mantra is 'DENY unless explicitly GRANTed'. A participant will need 'system' level accesses (i.e. however much you wish to GRANT in terms of operations) to be able to perform operations on the network (your rule above governs access to resource instances INSIDE your business network, FYI). Yes, you could pick out what operations (like restricting him to Adding Assets) you want to restrict him/her to. See also hyperledger.github.io/composer/reference/acl_language.html – Paul O'Mahony Mar 11 '18 at 21:40
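
The 'DENY unless explicitly GRANTed' behaviour discussed in this thread, as an added example that is not part of the original posts and is not Composer's own code: a simplified model of rule matching run against the two rules and the error resource from this page. The function names `matchesPattern` and `checkAccess` are hypothetical, and `condition` and `transaction` clauses are not modelled.

```javascript
// Simplified model of Composer ACL matching (added illustration, not Composer's code).
// Assumptions: rules are checked in file order, the first match decides,
// and a request that matches no rule is denied.

// Does a rule's participant/resource pattern cover a fully qualified name?
function matchesPattern(pattern, fqn) {
  const type = fqn.split('#')[0];                  // drop the '#instanceId' part
  const ns = type.slice(0, type.lastIndexOf('.')); // namespace of the type
  if (pattern === 'ANY') return true;
  if (pattern.endsWith('.**')) {                   // namespace and sub-namespaces
    const base = pattern.slice(0, -3);
    return ns === base || ns.startsWith(base + '.');
  }
  if (pattern.endsWith('.*')) return ns === pattern.slice(0, -2); // one namespace
  return pattern.includes('#') ? pattern === fqn : pattern === type;
}

function checkAccess(rules, participant, operation, resource) {
  for (const r of rules) {
    const opMatch = r.operation.includes('ALL') || r.operation.includes(operation);
    if (opMatch && matchesPattern(r.participant, participant) &&
        matchesPattern(r.resource, resource)) {
      return { allowed: r.action === 'ALLOW', rule: r.name };
    }
  }
  return { allowed: false, rule: null }; // default deny: nothing granted it
}

// The two rules from this page.
const simpleRule = { name: 'SimpleRule', participant: 'org.example.auction.Buyer',
  operation: ['ALL'], resource: 'org.example.auction.*', action: 'ALLOW' };
const rule1 = { name: 'Rule1', participant: 'org.example.auction.Buyer',
  operation: ['READ'], resource: 'org.hyperledger.composer.system.*', action: 'ALLOW' };

// Participant and resource exactly as they appear in the error message.
const buyer = 'org.example.auction.Buyer#Buyer2';
const network = 'org.hyperledger.composer.system.Network#auction-network@0.0.1';

console.log(checkAccess([simpleRule], buyer, 'READ', network));          // denied
console.log(checkAccess([simpleRule, rule1], buyer, 'READ', network));   // allowed by Rule1
console.log(checkAccess([simpleRule, rule1], buyer, 'CREATE', network)); // denied
```

SimpleRule never matches the Network resource because its namespace is `org.hyperledger.composer.system`, not `org.example.auction`, so the request falls through to the default deny until a system-level rule is added.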