Role membership management automation?

Hi,

I am currently working on a model that uses role membership contracts and multi-party submission.

template IncomeRoleMembership
  with
    admin: Party
    user: Party
  where
    signatory admin
    ensure admin /= user
    key (admin, user) : (Party, Party)
    maintainer key._1
    observer user
    choice RemoveIncomeUser: ()
      with
        actingParty: Party
      controller actingParty
      do
        role <- lookupByKey @AdminMembership (admin, actingParty)
        assertMsg "User not permissioned as Admin." (isSome role)
        return ()

As we have choices not limited to certain controllers we are checking for said membership contracts in order to make sure that the user acting belongs to the current assigned department:

    choice ProposeArchival: ContractId ArchivalProposal
      with
        reason: Text
        timeStamp: Text
        actingParty: Party
      controller actingParty
      do
        assertMsg "Only Income can propose an archival" (assignee == income)
        role <- lookupByKey @IncomeRoleMembership (admin, actingParty)
        assertMsg "User not permissioned as Income" (isSome role)

Apart from this we have our IAM system managing token readAs and actAs claims.

Getting to the point: currently onboarding users is a two-step process, first the IAM role is assigned and the readAs filled with the department the user works for, and secondly an Admin user has to create this membership contract so that the user can actually act on contracts assigned to his department.

Is there a way to somehow transform this into a one-step process? Or perhaps automate the membership contract creation based on the token payload?

2 Likes

Hi @Matheus,

There is nothing builtin for this since it is very specific to your templates and to your IAM. IAMs often allow you to run some piece of code on user registration. That code could then allocate the party on the ledger and create contracts like the IncomeRoleMembership or something else.

If your IAM has no functionality to do something like this, then you have to build some component outside of it. E.g., some service that accepts requests for user registration and then calls both the IAM and the ledger.

1 Like

@cocreature, by “some component outside” do you mean a trigger for example?

I’m thinking that a user could create some sort of “proposal” contract, and a trigger (running as admin) could accept these and by doing so create the membership contracts.

1 Like

@Tamas_Kalcza no, triggers only interact with the ledger. They can’t bridge IAM <-> ledger. This could be something that is written using the Java bindings for example.

1 Like

Right. I meant that some code (Java/JS/etc.) would create a proposal or request contract.

2 Likes

Yeah something along those lines should work.

1 Like
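The request-contract-plus-trigger design the thread converges on, written out as an added example (not code from the thread or from the Daml project). The `IncomeMembershipRequest` template, the `AcceptMembershipRequest` choice, the module name and the trigger name are all assumptions; the `IncomeRoleMembership` below is a reduced stand-in for the questioner's template (its `RemoveIncomeUser` choice is omitted because `AdminMembership` is not shown in the thread). The off-ledger onboarding code (the piece that talks to the IAM) only has to create the request contract on behalf of the new user; the trigger, running as the admin party, turns accepted requests into membership contracts and stays idempotent if a membership already exists.

```daml
module MembershipAutomation where

import DA.Foldable (forA_)
import Daml.Trigger

-- Reduced stand-in for the questioner's IncomeRoleMembership (assumed copy;
-- the RemoveIncomeUser choice from the question is left out here).
template IncomeRoleMembership
  with
    admin: Party
    user: Party
  where
    signatory admin
    observer user
    ensure admin /= user
    key (admin, user) : (Party, Party)
    maintainer key._1

-- Assumed request template. The onboarding service, acting as the freshly
-- allocated user party, creates one of these right after IAM registration.
-- Only the admin can accept it, so a user cannot grant themselves a role.
template IncomeMembershipRequest
  with
    admin: Party
    user: Party
  where
    signatory user
    observer admin
    ensure admin /= user

    -- Consuming choice: the request disappears once handled, so the trigger
    -- never sees it twice. If a membership already exists the existing
    -- contract id is returned instead of creating a duplicate key.
    choice AcceptMembershipRequest: ContractId IncomeRoleMembership
      controller admin
      do
        existing <- lookupByKey @IncomeRoleMembership (admin, user)
        case existing of
          Some cid -> return cid
          None -> create IncomeRoleMembership with admin = admin; user = user

-- Assumed trigger name. Run it as the admin party; it accepts every pending
-- request addressed to that admin.
acceptRequests : Trigger ()
acceptRequests = Trigger
  { initialize = pure ()
  , updateState = \_ -> pure ()
  , rule = acceptRule
  , registeredTemplates = AllInDar
  , heartbeat = None
  }

acceptRule : Party -> TriggerA () ()
acceptRule admin = do
  requests <- query @IncomeMembershipRequest
  forA_ requests $ \(cid, req) ->
    -- Only act on requests naming this admin; dedupExercise avoids
    -- re-submitting the same exercise while an earlier one is still in flight.
    when (req.admin == admin) $
      dedupExercise cid AcceptMembershipRequest
```

The request template is deliberately signed only by the user, so the onboarding service needs nothing more than the new user's `actAs` right to create it; whether a request is honoured is decided entirely by the admin's trigger, which means a stolen or over-scoped onboarding token can at most create requests, never memberships. If you want the trigger to check the department encoded in the token's `readAs` claims, that information has to be written into the request contract by the onboarding service, since a trigger only ever sees ledger state.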