Roles
A Role is a core element of the M10 permissions system. Roles group together a set of permissions on resources into a single object. For example:
- a Role called bank-admin that allows a user to create accounts and read data from accounts.
- a Role called support that enables users to only read account information.
Roles must be "bound" to users (public keys) using Role Bindings before they take effect.
Rules
A Role is made up of one or more Rules. A rule contains three parameters:
- collection - the type of resource
- verb - the action to perform on a collection
- instance - [optional] the particular instance of the collection
Collection
The collection is the type of object to which you are granting permissions. The current supported collections are:
- Accounts
- AccountSets
- AccountMetadata
- Banks
- Roles
- RoleBindings
Verb
The verb is the action that can be performed on a collection.
The following verbs are supported for all of the collection types:
- READ - Read data
- CREATE - Create data
- UPDATE - Update data
- DELETE - Delete data
The following verbs are only used for Accounts collections:
- TRANSACT - Perform transactions (INITIATE + COMMIT).
- INITIATE - Initiate transactions. The transaction stays in a pending state until committed.
- COMMIT - Commit the transaction. Finalizes the transaction and releases the pending state.
Instance
Optionally, each rule can apply to only a certain part of the collection, which can be specified by:
- instance - apply to only a particular instance
- instance_keys - apply to only a particular instance key
- excluded_instance - apply to all instances of the collection except a particular instance
- excluded_instance_keys - apply to all instance keys of the collection except a particular instance key
For example, to give a user access to their account only, you create a rule on the collection Accounts with the desired verbs and accountId for the user's account listed in instance_keys.
The format of the instance or instance_keys depends on the collection it applies to.
| Collection | instance / instance_key |
|---|---|
| Accounts | Account_Id |
| AccountMetadata | AccountMetadata_Id |
| AccountSets | AccountSet_Id |
| Banks | Bank_Id |
| Roles | Role_Id |
| RoleBindings | RoleBinding_Id |
For example, to create a role with a rule on the collection Roles that gives the subject Read, Update, and Delete capabilities, you would use:
--rules "rule -c roles -v Read -v Update -v Delete -i <RoleId>"
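The rule semantics above (collection, verb and instance scoping, with TRANSACT standing for INITIATE plus COMMIT), as an added TypeScript example that is not M10 SDK code: the type names, the isAllowed function, the uppercase verb spellings and the account ids are assumptions.

```typescript
// Added example, not M10 SDK code. Field names follow the rule parameters
// described on this page; the TypeScript types and casing are assumptions.
type Verb = "READ" | "CREATE" | "UPDATE" | "DELETE" | "TRANSACT" | "INITIATE" | "COMMIT";

interface Rule {
  collection: string;
  verbs: Verb[];
  instance?: string;               // only this instance
  instanceKeys?: string[];         // only these instance keys
  excludedInstance?: string;       // every instance except this one
  excludedInstanceKeys?: string[]; // every instance key except these
}

interface Role { name: string; rules: Rule[]; }

// TRANSACT is INITIATE plus COMMIT, so a rule granting TRANSACT also
// satisfies a request for either of the two component verbs.
function verbGranted(granted: Verb[], wanted: Verb): boolean {
  if (granted.includes(wanted)) return true;
  return (wanted === "INITIATE" || wanted === "COMMIT") && granted.includes("TRANSACT");
}

// Does the rule's instance scope include the requested instance id?
// Every scoping field that is set must agree; an unset field means "all".
function instanceInScope(rule: Rule, id: string): boolean {
  if (rule.instance !== undefined && rule.instance !== id) return false;
  if (rule.instanceKeys !== undefined && !rule.instanceKeys.includes(id)) return false;
  if (rule.excludedInstance !== undefined && rule.excludedInstance === id) return false;
  if (rule.excludedInstanceKeys !== undefined && rule.excludedInstanceKeys.includes(id)) return false;
  return true;
}

// Deny by default: the role permits an action only if some rule covers the
// collection, the verb and the specific instance being touched.
function isAllowed(role: Role, collection: string, verb: Verb, id: string): boolean {
  return role.rules.some(r =>
    r.collection === collection && verbGranted(r.verbs, verb) && instanceInScope(r, id));
}

// Constructed sample roles (ids are made up): "support" can only read one
// account; "bank-admin" can create accounts, read all but one, and transact on one.
const support: Role = { name: "support", rules: [
  { collection: "accounts", verbs: ["READ"], instanceKeys: ["acct-1"] } ] };
const bankAdmin: Role = { name: "bank-admin", rules: [
  { collection: "accounts", verbs: ["CREATE", "READ"], excludedInstanceKeys: ["acct-9"] },
  { collection: "accounts", verbs: ["TRANSACT"], instance: "acct-1" } ] };
```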
Model
The data model for the M10 Roles is defined in rbac.proto:
API Requests
Create
To create a role on the M10 platform.
- Rust
- TypeScript
- Dart
- CLI
For an easier way to define roles with multiple or complex rules using the CLI, use the --editor flag. This opens your default text editor to define the role in YAML format.
Update
You can update a role's metadata (like its name, description, or owner) or its rules.
Update Role Metadata
To update a role's metadata, such as its name, you can perform an update operation. The --editor flag is not supported for role-metadata; use the explicit flags instead.
- Rust
- TypeScript
- Dart
- CLI
Update Role Rules
To replace all existing rules for a role with a new set of rules, you can perform a rule update.
This operation replaces all existing rules on the role with the new ones provided.
- Rust
- TypeScript
- Dart
- CLI
For an easier way to update rules using the CLI, use the --editor flag with m10 update role-rules. This opens your default editor with the existing rules in YAML format (rule list only).
Delete
To delete a role.
- Rust
- TypeScript
- Dart
- CLI
List (Find)
List roles using the filters --name (text or partial text), --instance, or --description (text or partial text):
- Rust
- TypeScript
- Dart
- CLI
Get
To get role details.
- Rust
- TypeScript
- Dart
- CLI
Output
The response from the get role command should be something like this:
(
id: "6aa51062-452b-482a-aff0-3e7df1a1aae9",
owner: "ACMKVkeIt+L5z39xk5YHujjcN7bLhnq+UIkLBlymNM4=",
name: "bank-admin",
rules: [(
collection: "accounts",
instance_keys: [00800005000000000000000000000002],
verbs: [Read, Update],
), (
collection: "banks",
instance_keys: [bc3b532d-6be0-45e1-b98c-5ddc6e8e239a],
verbs: [Read],
), (
collection: "ledger-accounts",
instance_keys: [00800005000000000000000000000002],
verbs: [Create],
)],
)
To submit requests over HTTP/1 instead of HTTP/2 with the SDKs, use the http option.