Role membership management automation?

Hi,

I am currently working on a model that uses role membership contracts and multi-party submission.

template IncomeRoleMembership
  with
    admin: Party
    user: Party
  where
    signatory admin
    ensure admin /= user
    key (admin, user) : (Party,Party)
    maintainer key._1
    observer user
    choice RemoveIncomeUser: ()
      with
        actingParty: Party
      controller actingParty
      do
        role <- lookupByKey @AdminMembership (admin, actingParty)
        assertMsg "User not permissioned as Admin." (isSome role)
        return ()

As we have choices not limited to certain controllers we are checking for said membership contracts in order to make sure that the user acting belongs to the current assigned department:

    choice ProposeArchival: ContractId ArchivalProposal
    with
      reason: Text
      timeStamp:Text
      actingParty: Party
  controller actingParty
    do
      assertMsg "Only Income can propose an archival" (assignee == income)
      role <- lookupByKey @IncomeRoleMembership (admin, actingParty)
      assertMsg "User not permissioned as Income" (isSome role)

Apart from this we have our IAM system managing token readAs and actAs claims.

Getting to the point: currently onboarding users is a two-step process, first the IAM role is assigned and the readAs filled with the department the user works for, and secondly an Admin user has to create this membership contract so that the user can actually act on contracts assigned to his department.

Is there a way to somehow transform this into one-step process? or perhaps automate the membership contract creation based on the token payload?

1 Like

Hi @Matheus,

There is nothing builtin for this since it is very specific to your templates and to your IAM. IAMs often allow you to run some piece of code on user registration. That code could then allocate the party on the ledger and create contracts like the IncomeRoleMembership or something else.

If your IAM has no functionality to do something like this, then you have to build some component outside of it. E.g., some service that accepts requests for user registration and then calls both the iAM and the ledger.

1 Like

@cocreature, by “some component outside” do you mean a trigger for example?

I’m thinking on user creating some sort of “proposal” contract could be created, and a trigger (running as admin) could accept these and by doing so create the membership contracts.

1 Like

@Tamas_Kalcza no, triggers only interact with the ledger. They can’t bridge IAM <-> ledger. This could be something that is written using the Java bindings for example.

1 Like

Right. I meant, that some code Java/JS/etc would create a proposal or request contract.

2 Likes

Yeah something along those lines should work.

1 Like