The Sylo Data Permissions pallet allows data authors to grant, update, and revoke data
permissions. It integrates with the Sylo Data Verification pallet to allow authors
to manage fine-grained access control over their data.
Permission Levels
There are three types of permissions that can be associated with data items:
- VIEW: Allows the grantee to view the data when fetching the item from a
storage sylo.
- MODIFY: Allows the grantee to modify the data. This includes the onchain
validation record and also the data itself that is held by storage sylos.
- DISTRIBUTE: Allows the grantee to distribute the data.
The MODIFY and DISTRIBUTE permissions imply the VIEW permission.
enum DataPermission {
VIEW,
MODIFY,
DISTRIBUTE,
}
Record Types
Data permissions are stored as records in the Sylo Data Permissions pallet. There are
three differing forms of records to satisfy various use cases:
- Data Permission Record: This is the simplest form of record and applies to
a single data item.
- Tagged Permission Record: A tagged record will hold a set of data tags. The
permission applies to any data items that share at least one of the tags in the record.
This allows an author to easily grant a permission to a group of related data items.
- Permission Reference Record: This record type indicates that there exists another
permission record that is stored offchain on a storage sylo. The offchain permission
record itself requires that an on-chain validation record for it exists and stores the
actual permissions. This type of record is suitable when an author wishes to grant
permissions over many data items that may not share any tags.
Calls
grantDataPermissions
Grants another account access permissions for a set of data items.
The caller must be the author or have been granted the DISTRIBUTE permission
by the author.
Namespace
api.tx.syloDataPermissions.grantDataPermissions
Type
function grantDataPermissions(
/// The account that owns the data. When this differs from the caller, the caller
/// must be a distributor.
data_author: AccountId,
/// The account to grant permissions to
grantee: AccountId,
/// List of data ids
data_ids: Vec<Vec<Bytes>>,
/// The permission level
permission: DataPermission,
/// An optional blocknumber for the expiry
expiry: Option<BlockNumber>,
/// Whether the permission is irrevocable
irrevocable: bool,
)
Data permission records are stored as a list of records under the key of
(grantor, grantee). A u32 value is assigned to each record to identify it.
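The pre-conditions of grantDataPermissions (the distributor rule, the DISTRIBUTE restriction, and the irrevocable/expiry conflict listed under Errors) modelled locally, as an added example that is not the pallet's own code; checkGrant and grantLocally are assumed names, and reading InvalidExpiry as "expiry must lie after the current block" is an assumption.

```javascript
// Added example, not the pallet's code: a local model of the grantDataPermissions
// rules on this page. checkGrant and grantLocally are assumed names.
const DataPermission = Object.freeze({ VIEW: 0, MODIFY: 1, DISTRIBUTE: 2 });

// Pre-conditions of a grant, returning the matching error name from the Errors
// section or null when the grant is acceptable. Reading InvalidExpiry as
// "expiry must lie after the current block" is an assumption.
function checkGrant({ caller, dataAuthor, permission, expiry, irrevocable,
                      currentBlock, callerPermission }) {
  if (irrevocable && expiry !== null) return 'IrrevocableCannotBeExpirable';
  if (expiry !== null && expiry <= currentBlock) return 'InvalidExpiry';
  if (caller !== dataAuthor) {
    // A delegate needs DISTRIBUTE from the author to grant on their behalf ...
    if (callerPermission !== DataPermission.DISTRIBUTE) return 'MissingDistributePermission';
    // ... and can never pass DISTRIBUTE on; only the author may grant it.
    if (permission === DataPermission.DISTRIBUTE) return 'CannotGrantDistributePermission';
  }
  return null;
}

// Local mirror of PermissionRecords: a Map keyed by "author|grantee|dataId", each
// entry holding { nextId, records: [[u32, PermissionRecord], ...] }. Assigning a
// fresh u32 per key is how this model realises the page's "u32 value per record".
function grantLocally(store, args) {
  const err = checkGrant(args);
  if (err) throw new Error(err);
  const ids = [];
  for (const dataId of args.dataIds) {
    const key = `${args.dataAuthor}|${args.grantee}|${dataId}`;
    const slot = store.get(key) ?? { nextId: 0, records: [] };
    const record = {
      grantor: args.caller,        // the caller, which may be a distributor
      permission: args.permission,
      block: args.currentBlock,
      expiry: args.expiry,
      irrevocable: args.irrevocable,
    };
    slot.records.push([slot.nextId, record]);
    ids.push(slot.nextId);
    slot.nextId += 1;
    store.set(key, slot);
  }
  return ids;
}
```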
revokeDataPermission
Revokes a previously granted data permission.
The caller must be the author or the original grantor of the permission.
Namespace
api.tx.syloDataPermissions.revokeDataPermission
Type
function revokeDataPermission(
/// The account that owns the data. When this differs from the caller, the caller
/// must be a distributor.
data_author: AccountId,
/// The id of the permission record.
permission_id: u32,
/// The account that was granted the permission
grantee: AccountId,
/// The data id of the item to revoke the permission for
data_id: Vec<Vec<Bytes>>,
)
grantTaggedPermissions
Grants a tagged permission record.
The caller must be the original data author. Distributors are not allowed to
grant tagged permissions.
Namespace
api.tx.syloDataPermissions.grantTaggedPermissions
Type
function grantTaggedPermissions(
/// The account that was granted the permission
grantee: AccountId,
/// The permission level
permission: DataPermission,
/// List of data tags
tags: Vec<Vec<Bytes>>,
/// An optional blocknumber for the expiry
expiry: Option<BlockNumber>,
/// Whether the permission is irrevocable
irrevocable: bool,
)
revokeTaggedPermission
Revokes a previously granted tagged permission.
The caller must be the author or the original grantor of the permission.
Namespace
api.tx.syloDataPermissions.revokeTaggedPermission
Type
function revokeTaggedPermission(
/// The id of the permission record.
permission_id: u32,
/// The account that was granted the permission
grantee: AccountId,
)
grantPermissionReference
Creates a permission reference record.
The caller must be the author.
Namespace
api.tx.syloDataPermissions.grantPermissionReference
Type
function grantPermissionReference(
/// The account to grant permissions to
grantee: AccountId,
/// The data id of the offchain permission record. This data item
/// must have an accompanying on-chain validation record.
permission_record_id: Vec<Bytes>,
)
revokePermissionReference
Revokes a previously granted permission reference.
The caller must be the author.
Namespace
api.tx.syloDataPermissions.revokePermissionReference
Type
function revokePermissionReference(
/// The account that was granted the permission
grantee: AccountId,
)
Storage
PermissionRecords
Maps from grantor and grantee to a permission record id and the
permission record itself.
Namespace
api.query.syloDataPermissions.PermissionRecords
Type
type PermissionRecord {
grantor: AccountId,
permission: DataPermission,
block: BlockNumber,
expiry: Option<BlockNumber>,
irrevocable: bool,
}
function PermissionRecords(
data_author: AccountId,
grantee: AccountId,
data_id: Bytes
): Vec<(u32, PermissionRecord)>
TaggedPermissionRecords
Maps from grantor and grantee to a permission record id and the
tagged permission record.
Namespace
api.query.syloDataPermissions.TaggedPermissionRecords
Type
type TaggedPermissionRecord {
permission: DataPermission,
tags: Vec<Vec<Bytes>>,
block: BlockNumber,
expiry: Option<BlockNumber>,
irrevocable: bool,
}
function TaggedPermissionRecords(
data_author: AccountId,
grantee: AccountId
): Vec<(u32, TaggedPermissionRecord)>
PermissionReferences
Stores permission references for off-chain records.
Namespace
api.query.syloDataPermissions.PermissionReferences
Type
type PermissionReference {
permission_record_id: Vec<Bytes>,
}
function PermissionReferences(
data_author: AccountId,
grantee: AccountId
): Option<PermissionReference>
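Deciding what a grantee may do with one data item from the shapes returned by the PermissionRecords and TaggedPermissionRecords queries above, honouring expiry and the rule that MODIFY and DISTRIBUTE imply VIEW, as an added example that is not the pallet's own code; hasPermission and itemTags are assumed names, the sample query results are constructed, and treating a record as expired once the current block reaches its expiry block is an assumption.

```javascript
// Added example, not pallet code: resolve a grantee's effective permission on one
// data item at a given block from PermissionRecords / TaggedPermissionRecords results.
const DataPermission = Object.freeze({ VIEW: 0, MODIFY: 1, DISTRIBUTE: 2 });

// The page states that MODIFY and DISTRIBUTE imply VIEW, and nothing else.
function satisfies(granted, required) {
  return granted === required || required === DataPermission.VIEW;
}

// A record is live when it has no expiry or its expiry block is still ahead.
// Treating the expiry block itself as already expired is an assumption.
function isLive(record, currentBlock) {
  return record.expiry === null || record.expiry > currentBlock;
}

// records:  Vec<(u32, PermissionRecord)> for (author, grantee, dataId)
// tagged:   Vec<(u32, TaggedPermissionRecord)> for (author, grantee)
// itemTags: the tags attached to the data item being checked (assumed input)
function hasPermission({ records, tagged, itemTags, required, currentBlock }) {
  for (const [, rec] of records) {
    if (isLive(rec, currentBlock) && satisfies(rec.permission, required)) return true;
  }
  for (const [, rec] of tagged) {
    // A tagged record applies when the item shares at least one tag with it.
    const shared = rec.tags.some((tag) => itemTags.includes(tag));
    if (shared && isLive(rec, currentBlock) && satisfies(rec.permission, required)) return true;
  }
  return false;
}

// Constructed sample query results: one direct VIEW grant that expires at block 50,
// and one irrevocable tagged MODIFY grant with no expiry.
const sampleRecords = [
  [0, { grantor: 'alice', permission: DataPermission.VIEW, block: 10, expiry: 50, irrevocable: false }],
];
const sampleTagged = [
  [0, { permission: DataPermission.MODIFY, tags: ['invoices', '2024'], block: 20, expiry: null, irrevocable: true }],
];
```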
Events
DataPermissionGranted
An account has been granted permission for a specific data record.
Namespace
api.events.syloDataPermissions.DataPermissionGranted
Type
type DataPermissionGranted = {
data_author: AccountId,
grantor: AccountId,
grantee: AccountId,
data_id: Bytes,
permission: DataPermission,
expiry: Option<BlockNumber>,
irrevocable: bool,
}
DataPermissionRevoked
An account’s permission has been revoked for a specific data record.
Namespace
api.events.syloDataPermissions.DataPermissionRevoked
Type
type DataPermissionRevoked = {
revoker: AccountId,
grantee: AccountId,
permission: DataPermission,
data_id: Bytes,
}
ExpiredDataPermissionRemoved
An expired data permission has been automatically removed.
Namespace
api.events.syloDataPermissions.ExpiredDataPermissionRemoved
Type
type ExpiredDataPermissionRemoved = {
data_author: AccountId,
grantee: AccountId,
data_id: Bytes,
permission_id: u32,
}
TaggedDataPermissionsGranted
An account has been granted tagged permissions.
Namespace
api.events.syloDataPermissions.TaggedDataPermissionsGranted
Type
type TaggedDataPermissionsGranted = {
grantor: AccountId,
grantee: AccountId,
permission: DataPermission,
tags: Vec<Bytes>,
expiry: Option<BlockNumber>,
irrevocable: bool,
}
TaggedDataPermissionsRevoked
A tagged permission for an account has been revoked.
Namespace
api.events.syloDataPermissions.TaggedDataPermissionsRevoked
Type
type TaggedDataPermissionsRevoked = {
revoker: AccountId,
grantee: AccountId,
permission: DataPermission,
tags: Vec<Bytes>,
}
PermissionReferenceGranted
An account has been granted a permission reference.
Namespace
api.events.syloDataPermissions.PermissionReferenceGranted
Type
type PermissionReferenceGranted = {
grantor: AccountId,
grantee: AccountId,
permission_record_id: Bytes,
}
PermissionReferenceRevoked
An account’s permission reference has been revoked.
Namespace
api.events.syloDataPermissions.PermissionReferenceRevoked
Type
type PermissionReferenceRevoked = {
grantor: AccountId,
grantee: AccountId,
permission_record_id: Bytes,
}
Errors
DataRecordDoesNotExist
Attempted to grant permissions for a data record that does not exist.
Namespace
api.errors.syloDataPermissions.DataRecordDoesNotExist
IrrevocableCannotBeExpirable
A permission that is set to irrevocable cannot also be set to have an expiry.
Namespace
api.errors.syloDataPermissions.IrrevocableCannotBeExpirable
InvalidExpiry
Expiry value for permission record is invalid.
Namespace
api.errors.syloDataPermissions.InvalidExpiry
ExceededMaxPermissions
Exceeded the maximum number of record permissions granted to a given account.
Namespace
api.errors.syloDataPermissions.ExceededMaxPermissions
MissingDistributePermission
Attempted to grant a permission as a delegate without the required DISTRIBUTE permission.
Namespace
api.errors.syloDataPermissions.MissingDistributePermission
CannotGrantDistributePermission
Distribute permissions can only be granted by the data author.
Namespace
api.errors.syloDataPermissions.CannotGrantDistributePermission
PermissionIrrevocable
An irrevocable permission cannot be revoked.
Namespace
api.errors.syloDataPermissions.PermissionIrrevocable
NotPermissionGrantor
Only the account that granted a permission or the data author can revoke a permission.
Namespace
api.errors.syloDataPermissions.NotPermissionGrantor
PermissionNotFound
Cannot revoke a permission that does not exist.
Namespace
api.errors.syloDataPermissions.PermissionNotFound
MissingValidationRecord
An accompanying verification record for the off-chain permission does not exist.
Namespace
api.errors.syloDataPermissions.MissingValidationRecord
PermissionReferenceAlreadyExists
An existing permission reference has already been granted.
Namespace
api.errors.syloDataPermissions.PermissionReferenceAlreadyExists
ExceededMaxExpiringPermissions
Exceeded the maximum number of permissions that can expire on the same block.
Namespace
api.errors.syloDataPermissions.ExceededMaxExpiringPermissions
InvalidString
String values in an RPC call, in either the inputs or outputs, are invalid.
Namespace
api.errors.syloDataPermissions.InvalidString