I would like to give read access to all 'Person' participants working in a company, in which the company's type is "BORDER". The company type is an enum.

ACL:

rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

rule SystemACL {
  description:  "System ACL to permit all access"
  participant: "org.hyperledger.composer.system.Participant"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}

rule transaction {
    description: "Allow participants full access to transactions"
    participant: "org.acme.shipping.participants.Person"
    operation: ALL
    resource: "org.acme.shipping.transactions.**"
    action: ALLOW
}

rule containers {
    description: "Allow participants access to containers owned by their company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: ALL
    resource(c): "org.acme.shipping.assets.**"
    condition: (c.owner.getIdentifier() == p.company.getIdentifier())
    action: ALLOW
}

rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}

Participant model file:

namespace org.acme.shipping.participants

participant Company identified by cid {
  o String cid
  o String name
  o CompanyType type
}

enum CompanyType {
  o BORDER
  o COURIER
  o SHIPPER
}

participant Person identified by id {
  o String id
  o String name
  --> Company company
}

However, the Person is still not able to see any assets.

Any suggestions how this could be resolved?

Lars

1 Answer

There's no issue with the ACL rule that you have written for granting access to all containers for Border Companies. The main issue is that each Person participant has a reference to their Company, but there is no rule specified in the ACL for a participant of type Person to access / READ their company details. Therefore, by default, the ACL denies READ access for a Person to their company details, and as you are accessing the person's company in the rule condition as

p.company.type

the access is simply restricted. To achieve the same functionality, you must first provide READ access to the Person's own company using

rule readCompany {
    description: "Allow Read Access to Person's Own Company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource(comp): "org.acme.shipping.participants.Company"
    condition: (p.company.getIdentifier() == comp.getIdentifier())
    action: ALLOW
}

Then you'll be able to grant access to all the containers to the persons belonging to a company of type Border using your same rule as

rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}

Maddy Blacklisted
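The evaluation order the answer describes, as an added illustrative model (not Composer's own code): a minimal rule evaluator in which dereferencing a relationship inside a condition is itself a READ on the target, checked against the same rules, so the `border` rule fails closed until a `readCompany` rule exists. Participant, company and container records are constructed sample data mirroring the question's model.

```javascript
// Constructed registry mirroring the question's model files.
const registry = {
  border1: { $type: 'Company', cid: 'border1', type: 'BORDER' },
  alice:   { $type: 'Person', id: 'alice', company: 'border1' },
  c1:      { $type: 'Container', id: 'c1', owner: 'courier1' },
};

// First matching rule wins; no match means default deny.
// A rule's condition receives (participant, resource, deref), where deref(id)
// resolves a relationship and is itself subject to a READ check.
function isAllowed(rules, participant, op, resource, depth = 0) {
  if (depth > 4) return false; // guard against runaway recursion through references
  for (const rule of rules) {
    if (rule.participant !== participant.$type) continue;
    if (rule.operation !== 'ALL' && rule.operation !== op) continue;
    if (rule.resource !== '**' && rule.resource !== resource.$type) continue;
    if (rule.condition) {
      const deref = (id) => {
        const target = registry[id];
        if (!target || !isAllowed(rules, participant, 'READ', target, depth + 1)) {
          throw new Error('access denied to ' + id);
        }
        return target;
      };
      let ok;
      try { ok = rule.condition(participant, resource, deref); }
      catch (e) { ok = false; } // a denied dereference makes the condition fail closed
      if (!ok) continue;
    }
    return rule.action === 'ALLOW';
  }
  return false;
}

// The question's "border" rule: the condition must read p.company.
const border = { participant: 'Person', operation: 'READ', resource: 'Container',
  condition: (p, c, deref) => deref(p.company).type === 'BORDER', action: 'ALLOW' };
// The answer's "readCompany" rule: lets a Person read their own Company.
const readCompany = { participant: 'Person', operation: 'READ', resource: 'Company',
  condition: (p, comp) => p.company === comp.cid, action: 'ALLOW' };

function borderCanReadWithoutCompanyRule() {
  return isAllowed([border], registry.alice, 'READ', registry.c1); // false
}
function borderCanReadWithCompanyRule() {
  return isAllowed([readCompany, border], registry.alice, 'READ', registry.c1); // true
}
```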