Daml assistant permission

For daml ledger commands in Daml Assistant, what permissions do they need? Do they always require an admin=true token? Or does each command have a different permission requirement?

BTW, congratulations on the Series D funding. :capybara: :partying_face: :partying_face: :partying_face:


It depends on the command. daml ledger commands map pretty directly to the underlying Ledger API calls. You can find the table of required permissions for the Ledger API at Authorization — Daml SDK 1.12.0 documentation. Putting that together you get the following:

  1. daml ledger list-parties maps to the PartyManagementService so requires admin=true.
  2. daml ledger allocate-parties also maps to the PartyManagementService so also requires admin=true.
  3. daml ledger upload-dar maps to the PackageManagementService so also needs admin=true.
  4. daml ledger fetch-dar maps to the PackageService so it only requires a public token (meaning no admin token or actAs, readAs necessary).

Just noticed that there is a new claim called public. What does the token look like in this case? A token without admin, readAs and actAs fields?


A token without a requirement for admin, readAs or actAs. If they are present this is still a valid token but they are not required. You only need a non-expired token and if you have ledgerId and participantId in the token, they will be validated (but it's fine to omit them).
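
As an added example (not part of the thread and not Daml project code), here is a pre-flight check that decodes a token's payload and reports whether it would satisfy each of the four commands listed above. It assumes the SDK 1.x custom-claims layout under the `https://daml.com/ledger-api` key with a top-level `exp`; the function names and sample tokens are constructed for illustration.

```python
import base64, json, time

# Command -> (Ledger API service, needs admin claim), as listed in the answer above.
COMMANDS = {
    "list-parties": ("PartyManagementService", True),
    "allocate-parties": ("PartyManagementService", True),
    "upload-dar": ("PackageManagementService", True),
    "fetch-dar": ("PackageService", False),  # "public": any valid token
}
NS = "https://daml.com/ledger-api"  # assumed claim namespace (SDK 1.x custom claims)

def jwt_payload(token):
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check(command, token, ledger_id=None, participant_id=None, now=None):
    """Return the reasons the token would be rejected; an empty list means sufficient."""
    service, needs_admin = COMMANDS[command]
    payload = jwt_payload(token)
    claims = payload.get(NS, {})
    now = time.time() if now is None else now
    problems = []
    # Assumption: a token that carries no exp claim is treated as non-expiring.
    exp = payload.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired")
    # ledgerId / participantId are optional, but validated when present.
    for key, expected in (("ledgerId", ledger_id), ("participantId", participant_id)):
        if key in claims and expected is not None and claims[key] != expected:
            problems.append(f"{key} mismatch")
    if needs_admin and claims.get("admin") is not True:
        problems.append(f"{service} requires admin=true")
    return problems

def make_token(payload):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample tokens (not real credentials).
PUBLIC = make_token({NS: {"ledgerId": "sandbox"}, "exp": 2_000_000_000})
ADMIN = make_token({NS: {"ledgerId": "sandbox", "admin": True}, "exp": 2_000_000_000})

if __name__ == "__main__":
    for cmd in COMMANDS:
        print(cmd, "public:", check(cmd, PUBLIC, "sandbox"), "admin:", check(cmd, ADMIN, "sandbox"))
```

The check only inspects claims; the participant still verifies the signature and makes the real authorization decision.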