
We set up Hyperledger Fabric and added two channels (for two different applications). We also registered two users in our Organization (one for each application). We should restrict access to each channel so only the corresponding user can read and write based on affiliation or OU of the user.

We checked Hyperledger Fabric documentation on channel policies and did not find any indication on how to use OU or affiliation (i.e. conditions that go beyond "must be member of orgX").

From what I've read so far, I got the impression that restrictions within the organization can only be enforced in chaincode, but not by using policies (this is also indicated in this question).

Is this really the way to go? Is there no possibility to restrict access to either an OU or an attribute like affiliation by just using the channel policy?

user158

1 Answer


You can define an MSP that is defined with the OU you have in mind, and then the user will have to belong to that MSP and use a certificate with that OU when it sends transactions.

yacovm
  • Thank you very much for your answer. We were hoping there was a possibility to use the `affiliation` that can be passed to the [`register` command](https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#registering-a-new-identity). But since this does not seem to work, we will either try your solution or go on without further restricting user access to channels. – Daria Spescha Nov 18 '19 at 09:28