CanReadAsAnyParty, WildcardFilter, and "Claims do not authorize to read data as any party (super-reader wildcard)"

WallaceKelly · April 7, 2025, 11:36pm

When querying the active-contracts endpoint of a 3.x Ledger JSON API, I get no results and I see the following WARN in the Canton logs:

PERMISSION_DENIED: Claims do not authorize
to read data as any party (super-reader wildcard)

Here is my query filter:

{
  "verbose": true,
  "activeAtOffset": "'${LEDGER_OFFSET}'",
  "filter": {
    "filtersByParty": {},
    "filtersForAnyParty": {
      "cumulative": [
        {
          "identifierFilter": {
            "WildcardFilter": {
              "value": {
                "includeCreatedEventBlob": true
              }
            }
          }
        }
      ]
    }
  }
}

Here is the user token:

{
  "sub": "alice",
  "aud": "https://daml.com/jwt/aud/participant/sandbox::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
      :
}

Here is the user:

{
  "id": "alice",
  "primaryParty": "alice::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
  "isDeactivated": false,
  "metadata": {
    "resourceVersion": "0",
    "annotations": {}
  },
  "identityProviderId": ""
}

Here are the user rights:

{
  "rights": [
    {
      "kind": {
        "CanActAs": {
          "value": {
            "party": "alice::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12"
          }
        }
      }
    }
  ]
}

Question: What do I need to change to get the WildcardFilter to give me all the contracts in the ACS?

NOTE: These examples were done with Daml SDK 3.2.0-snapshot.20250206.0. Things may change.

WallaceKelly · April 8, 2025, 10:30pm

Solution: Add the CanReadAsAnyParty right to a user.

Here is how I did it:

I created a new Daml party and Canton user for bob:

{
  "id": "bob",
  "primaryParty": "bob::1220145d398cd9274c18fbea5695e98a4c2c29b0340fab7c71f601c9549c207ae414"
        :
}

I granted the bob user the right to read as any party:

{
  "rights": [
    {
      "kind": {
        "CanReadAsAnyParty": {
          "value": {}
        }
      }
    }
  ]
}

Now, when I use a bob JWT:

{
  "sub": "bob",
  "aud": "https://daml.com/jwt/aud/participant/sandbox::1220714098aeb3c1903fce76d5fa484dbcffef08542aa8482f2430df3cdfa9a13a12",
      :
}

Then bob can read as any party, including alice’s contracts:

echo '
{
  "verbose": true,
  "activeAtOffset": "24",
  "filter": {
    "filtersByParty": {},
    "filtersForAnyParty": {
      "cumulative": [
        {
          "identifierFilter": {
            "WildcardFilter": {
              "value": {
                "includeCreatedEventBlob": true
              }
            }
          }
        }
      ]
    }
  }
}
' | jq --compact-output \
  | curl --silent --json @- \
     --oauth2-bearer ${BOB_TOKEN} \
     "http://localhost:7575/v2/state/active-contracts"

Topic		Replies	Views
Claims in JWT for multi-party submission using JSON API Questions daml , json-api	7	496	April 14, 2021
In Canton 3.x, how do I use the admin console to list contracts visible to a given user? Questions canton	2	33	February 11, 2025
Canton user multiple actas behaviour Questions daml , canton	5	489	October 25, 2022
Authorization with different ledgers Questions	1	313	April 16, 2020
Daml Connect 1.18.0 is out! Announcements stable-release	3	342	January 19, 2022

CanReadAsAnyParty, WildcardFilter, and "Claims do not authorize to read data as any party (super-reader wildcard)"

Related topics