CanReadAsAnyParty, WildcardFilter, and "Claims do not authorize to read data as any party (super-reader wildcard)"

When querying the active-contracts endpoint of a 3.x Ledger JSON API, I get no results and I see the following WARN in the Canton logs:

PERMISSION_DENIED: Claims do not authorize to read data as any party (super-reader wildcard)

Here is my query filter:

{
  "verbose": true,
  "activeAtOffset": "'${LEDGER_OFFSET}'",
  "filter": {
    "filtersByParty": {},
    "filtersForAnyParty": {
      "cumulative": [
        {
          "identifierFilter": {
            "WildcardFilter": {
              "value": {
                "includeCreatedEventBlob": true
              }
            }
          }
        }
      ]
    }
  }
}

Here is the user token:

{
  "sub": "alice",
  "aud": "https://daml.com/jwt/aud/participant/sandbox::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
      :
}

Here is the user:

{
  "id": "alice",
  "primaryParty": "alice::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
  "isDeactivated": false,
  "metadata": {
    "resourceVersion": "0",
    "annotations": {}
  },
  "identityProviderId": ""
}

Here are the user rights:

{
  "rights": [
    {
      "kind": {
        "CanActAs": {
          "value": {
            "party": "alice::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12"
          }
        }
      }
    }
  ]
}

Question: What do I need to change to get the WildcardFilter to give me all the contracts in the ACS?

NOTE: These examples were done with Daml SDK 3.2.0-snapshot.20250206.0. Things may change.

Solution: Add the CanReadAsAnyParty right to a user.

Here is how I did it:

  1. I created a new Daml party and Canton user for bob:
{
  "id": "bob",
  "primaryParty": "bob::1220145d398cd9274c18fbea5695e98a4c2c29b0340fab7c71f601c9549c207ae414"
        :
}
  2. I granted the bob user the right to read as any party:
{
  "rights": [
    {
      "kind": {
        "CanReadAsAnyParty": {
          "value": {}
        }
      }
    }
  ]
}
  3. Now, when I use a bob JWT:
{
  "sub": "bob",
  "aud": "https://daml.com/jwt/aud/participant/sandbox::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
      :
}

Then bob can read as any party, including alice’s contracts:

echo '
{
  "verbose": true,
  "activeAtOffset": "24",
  "filter": {
    "filtersByParty": {},
    "filtersForAnyParty": {
      "cumulative": [
        {
          "identifierFilter": {
            "WildcardFilter": {
              "value": {
                "includeCreatedEventBlob": true
              }
            }
          }
        }
      ]
    }
  }
}
' | jq --compact-output \
  | curl --silent --json @- \
     --oauth2-bearer ${BOB_TOKEN} \
     "http://localhost:7575/v2/state/active-contracts"
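Added example, not code from the post or from the Daml SDK: a small Python check that reads user-rights JSON in the shape shown above and reports which rights a given filter needs, plus a least-privilege alternative that scopes the same WildcardFilter to the user's own parties through filtersByParty instead of granting the super-reader CanReadAsAnyParty right. That CanActAs implies read access and that filtersForAnyParty may be omitted are assumptions from the Ledger API authorization model, not statements from the post; the inputs are constructed from the post's JSON.

```python
# Constructed inputs modelled on the JSON shapes in the post above.
ALICE = "alice::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12"
ALICE_RIGHTS = {"rights": [{"kind": {"CanActAs": {"value": {"party": ALICE}}}}]}
BOB_RIGHTS = {"rights": [{"kind": {"CanReadAsAnyParty": {"value": {}}}}]}
WILDCARD = {"identifierFilter": {"WildcardFilter": {"value": {"includeCreatedEventBlob": True}}}}
ANY_PARTY_FILTER = {"filtersByParty": {}, "filtersForAnyParty": {"cumulative": [WILDCARD]}}


def readable_parties(user_rights):
    """Return (parties the user may read as, whether it holds CanReadAsAnyParty).
    Assumption: CanActAs implies read access, as in the Ledger API auth model."""
    parties, any_party = set(), False
    for right in user_rights.get("rights", []):
        kind = right.get("kind", {})
        if "CanReadAsAnyParty" in kind:
            any_party = True
        for name in ("CanActAs", "CanReadAs"):
            if name in kind:
                parties.add(kind[name]["value"]["party"])
    return parties, any_party


def missing_rights(user_rights, ledger_filter):
    """List the rights a filter needs that the user lacks. Empty means the
    active-contracts query should not be refused for authorization reasons;
    filtersForAnyParty is the part that needs the super-reader wildcard."""
    parties, any_party = readable_parties(user_rights)
    missing = []
    if ledger_filter.get("filtersForAnyParty") and not any_party:
        missing.append("CanReadAsAnyParty")
    for party in ledger_filter.get("filtersByParty", {}):
        if not any_party and party not in parties:
            missing.append(f"CanReadAs:{party}")
    return missing


def least_privilege_filter(user_rights):
    """Scope the same WildcardFilter to the parties the user already holds
    instead of granting CanReadAsAnyParty (assumes filtersForAnyParty is optional)."""
    parties, _ = readable_parties(user_rights)
    return {"filtersByParty": {p: {"cumulative": [WILDCARD]} for p in sorted(parties)}}


if __name__ == "__main__":
    print("alice, wildcard:", missing_rights(ALICE_RIGHTS, ANY_PARTY_FILTER))  # ['CanReadAsAnyParty']
    print("bob, wildcard:  ", missing_rights(BOB_RIGHTS, ANY_PARTY_FILTER))  # []
    print("alice, scoped:  ", missing_rights(ALICE_RIGHTS, least_privilege_filter(ALICE_RIGHTS)))  # []
```

Running it against alice's rights reproduces the PERMISSION_DENIED condition from the post (CanReadAsAnyParty missing), while the scoped filter needs nothing beyond the CanActAs right she already has.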