The Sylo Data Permissions allows data authors to grant, update, and revoke data permissions. It integrates with the Sylo Data Verification pallet to allow authors to manage fine-grained access control over their data.

Permission Levels

There are three types of permissions that can be associated with data items:
  • VIEW: Allows the grantee to view the data when fetching the item from a storage sylo.
  • MODIFY: Allows the grantee to modify the data. This includes the onchain validation record and also the data itself that is held by storage sylos.
  • DISTRIBUTE: Allows the grantee to distribute the data.
The MODIFY and DISTRIBUTE permissions imply the VIEW permission. 
enum DataPermission {
	VIEW,
	MODIFY,
	DISTRIBUTE,
}

Record Types

Data permissions are stored as records in the Sylo Data Permissions pallet. There are three differing forms of records to satisfy various use cases:
  • Data Permission Record: This is the simplest form of record and applies to a single data item.
  • Tagged Permission Record: A tagged record will hold a set of data tags. The permission applies to any data items that share at least of the tags in the record. This allows an author to easily grant a permission to a group of related data items.
  • Permission Reference Record: This record type indicates that there exists another permission record that is stored offchain on a storage sylo. The offchain permission record itself requires that a on-chain validation record for it exists and stores the actual permissions. This type of record is suitable when an author whishes to grant permissions over many data items that may not share any tags.

Calls

grantDataPermissions

Grants another account access permissions for a set of data items. The caller must be the author or have been granted the DISTRIBUTE permission by the author. Namespace 
api.tx.syloDataPermissions.grantDataPermissions
Type 
function grantDataPermissions(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The account to grant permissions to
  grantee: AccountId,

  /// List of data ids
  data_ids: Vec<Vec<Bytes>>,

  /// The permission level
  permission: DataPermission,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)
Data permission records are stored as a list of record under the key of (grantor, grantee). A u32 value will be assigned to each record to identify it.

revokeDataPermission

Revokes a previously granted data permission. The caller must be the author or the original grantor of the permission. Namespace 
api.tx.syloDataPermissions.revokeDataPermission
Type 
function revokeDataPermission(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,

  /// The data id of the item to revoke the permission for
  data_id: Vec<Vec<Bytes>>,
)

grantTaggedPermissions

Grants a tagged permission record. The caller must be the original data author. Distributors are not allowed to grant tagged permissions. Namespace 
api.tx.syloDataPermissions.grantTaggedPermissions
Type 
function grantTaggedPermissions(
  /// The account that was granted the permission
  grantee: AccountId,

  /// The permission level
  permission: DataPermission,

  /// List of data tags
  tags: Vec<Vec<Bytes>>,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)

revokeTaggedPermission

Revokes a previously granted tagged permission. The caller must be the author or the original grantor of the permission. Namespace 
api.tx.syloDataPermissions.revokeTaggedPermission
Type 
function revokeTaggedPermission(
  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,
)

grantPermissionReference

Creates a permission reference record. The caller must be the author. Namespace 
api.tx.syloDataPermissions.grantPermissionReference
Type 
function grantPermissionReference(
  /// The account to grant permissions to
  grantee: AccountId,

  /// The data id of the offchain permission record. This data item
  // must have an accompanying on-chain validation record.
  permission_record_id: Vec<Bytes>,
)

revokePermissionReference

Revokes a previously granted permission reference. The caller must be the author. Namespace 
api.tx.syloDataPermissions.revokePermissionReference
Type 
function revokePermissionReference(
  /// The account that was granted the permission
  grantee: AccountId,
)

Storage

PermissionRecords

Maps from grantor and grantee to a permission record id and the permission record itself. Namespace 
api.query.syloDataPermissions.PermissionRecords
Type 
type PermissionRecord {
	grantor: AccountId,
	permission: DataPermission,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function PermissionRecords(
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes
): Vec<(u32, PermissionRecord)>

TaggedPermissionRecords

Maps from grantor and grantee to a permission record id and the tagged permission record. Namespace 
api.query.syloDataPermissions.TaggedPermissionRecords
Type 
type TaggedPermissionRecord {
	permission: DataPermission,
	tags: Vec<Vec<Bytes>>,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function TaggedPermissionRecords(
  data_author: AccountId,
  grantee: AccountId
): Vec<(u32, TaggedPermissionRecord)>

PermissionReferences

Stores permission references for off-chain records. Namespace 
api.query.syloDataPermissions.PermissionReferences
Type 
type PermissionReference {
	permission_record_id: Vec<Bytes>,
}

function PermissionReferences(
  data_author: AccountId,
  grantee: AccountId
): Option<PermissionReference>

Events

DataPermissionGranted

An account has been granted permission for a specific data record. Namespace 
api.events.syloDataPermissions.DataPermissionGranted
Type 
type DataPermissionGranted = {
  data_author: AccountId,
  grantor: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission: DataPermission,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

DataPermissionRevoked

An account’s permission has been revoked for a specific data record. Namespace 
api.events.syloDataPermissions.DataPermissionRevoked
Type 
type DataPermissionRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  data_id: Bytes,
}

ExpiredDataPermissionRemoved

An expired data permission has been automatically removed. Namespace 
api.events.syloDataPermissions.ExpiredDataPermissionRemoved
Type 
type ExpiredDataPermissionRemoved = {
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission_id: u32,
}

TaggedDataPermissionsGranted

An account has been granted tagged permissions. Namespace 
api.events.syloDataPermissions.TaggedDataPermissionsGranted
Type 
type TaggedDataPermissionsGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

TaggedDataPermissionsRevoked

A tagged permission for an account has been revoked. Namespace 
api.events.syloDataPermissions.TaggedDataPermissionsRevoked
Type 
type TaggedDataPermissionsRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
}

PermissionReferenceGranted

An account has been granted a permission reference. Namespace 
api.events.syloDataPermissions.PermissionReferenceGranted
Type 
type PermissionReferenceGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

PermissionReferenceRevoked

An account’s permission reference has been revoked. Namespace 
api.events.syloDataPermissions.PermissionReferenceRevoked
Type 
type PermissionReferenceRevoked = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

Errors

DataRecordDoesNotExist

Attempted to grant permissions for a data record that does not exist. Namespace 
api.errors.syloDataPermissions.DataRecordDoesNotExist

IrrevocableCannotBeExpirable

A permission that is set to irrevocable cannot also be set to have an expiry. Namespace 
api.errors.syloDataPermissions.IrrevocableCannotBeExpirable

InvalidExpiry

Expiry value for permission record is invalid. Namespace 
api.errors.syloDataPermissions.InvalidExpiry

ExceededMaxPermissions

Exceeded the maximum number of record permissions granted to a given account. Namespace 
api.errors.syloDataPermissions.ExceededMaxPermissions

MissingDistributePermission

Attempted to grant a permission as a delegate without the required DISTRIBUTE permission. Namespace 
api.errors.syloDataPermissions.MissingDistributePermission

CannotGrantDistributePermission

Distribute permissions can only be granted by the data author. Namespace 
api.errors.syloDataPermissions.CannotGrantDistributePermission

PermissionIrrevocable

An irrevocable permission cannot be revoked. Namespace 
api.errors.syloDataPermissions.PermissionIrrevocable

NotPermissionGrantor

Only the account that granted a permission or the data author can revoke a permission. Namespace 
api.errors.syloDataPermissions.NotPermissionGrantor

PermissionNotFound

Cannot revoke a permission that does not exist. Namespace 
api.errors.syloDataPermissions.PermissionNotFound

MissingValidationRecord

An accompanying verification record for the off-chain permission does not exist. Namespace 
api.errors.syloDataPermissions.MissingValidationRecord

PermissionReferenceAlreadyExists

An existing permission reference has already been granted. Namespace 
api.errors.syloDataPermissions.PermissionReferenceAlreadyExists

ExceededMaxExpiringPermissions

Exceeded the maximum number of permissions that can expire on the same block. Namespace 
api.errors.syloDataPermissions.ExceededMaxExpiringPermissions

InvalidString

String values in an RPC call, in either the inputs or outputs, are invalid. Namespace 
api.errors.syloDataPermissions.InvalidString