Give Party ActAs rights in Navigator

austin · December 19, 2024, 10:03pm

I have a 2 node setup, and I am attempting to create an admin party on top of some dars that already have other parties created. I was able to create users (1 per node, even though this isnt necessary) that have the act as rights as all the parties that already exist on the nodes. I ran a script to onboard this new user and party, and I can see that the party appears on the navigator dropdowns. However, the party cannot see any of the contracts from the parties that it can actAs (when using --feature-user-management false). This goes the same for the user (–feature-user-management true), and when I attempt to submit a contract on behalf of another party from this admin party the transaction does not go through. I think it is because the admin party does not have actAs rights, even though the user does. Does this sound correct? And if so, how would I add the rights of all parties to a new admin party?

WallaceKelly · December 20, 2024, 7:19pm

how would I add the rights of all parties to a new admin party?

The short answer

You can’t. A party cannot actAs or readAs another party. Only users can actAs and readAs parties.

The long answer

You can see this in the skeleton daml new template code. The first two lines of the script create the parties.

  alice <- allocatePartyWithHint "Alice" (PartyIdHint "Alice")
  bob <- allocatePartyWithHint "Bob" (PartyIdHint "Bob")

The next four lines create the users.

  aliceId <- validateUserId "alice"
  bobId <- validateUserId "bob"
  createUser (User aliceId (Some alice)) [CanActAs alice]
  createUser (User bobId (Some bob)) [CanActAs bob]

Notice that you define the users’ access rights in terms of parties (e.g., (Some alice)) [canActAs alice]).

There is no way to say that party alice can act as party bob.
You could define an admin user which can act as either party alice or party bob.

An admin user

Continuing with the skeleton template, one could define an admin user like this:

charlieId <- validateUserId "charlie"
createUser (User charlieId None) [CanActAs alice, CanActAs bob]

Notice I did not define a charlie party. I created a charlieId user.

Once the charlieId user is created in the ledger, then you can submit commands against the Ledger API with a charlie token. Those commands could include commands to do stuff that the alice party or the bob party can do. The Ledger API will see the charlie token and allow commands that require acting as alice or bob.

An example in Daml Script

You can demonstrate this in Daml Script. Instead of submitting a command as the party bob like this:

  submit bob do
     exerciseCmd bobTV Give with newOwner = alice

… you can submit a command as the user charlieId, doing stuff that only party bob can do:

  -- submit bob do
  submitUser charlieId do
    exerciseCmd bobTV Give with newOwner = alice

Notice I am using submitUser instead of submit.

What about Navigator?

Navigator does not have support for querying or submitting commands as a non-primary party. You cannot do what you want to do with Navigator. Instead, use Daml Script and view the results in the Script Results window.

austin · December 20, 2024, 9:23pm

Ah I see. That’s what I figured, but maybe I was missing something. Thank you!

Topic		Replies	Views
How to create User with multiple party ids Questions	4	219	February 23, 2023
Atomic Party Allocation and association with User Questions	10	163	July 12, 2022
Navigator user login does not reflect the correct access Questions daml , canton	2	523	June 1, 2022
Set both the primary party and the user rights? Questions daml	1	17	August 15, 2024
Roles on Navigator Questions daml , navigator	5	321	February 8, 2022