The Sylo Data Permissions allows data authors to grant, update, and revoke data permissions. It integrates with the Sylo Data Verification pallet to allow authors to manage fine-grained access control over their data.

Permission Levels

There are three types of permissions that can be associated with data items:
  • VIEW: Allows the grantee to view the data when fetching the item from a storage sylo.
  • MODIFY: Allows the grantee to modify the data. This includes the onchain validation record and also the data itself that is held by storage sylos.
  • DISTRIBUTE: Allows the grantee to distribute the data.
The MODIFY and DISTRIBUTE permissions imply the VIEW permission.
enum DataPermission {
	VIEW,
	MODIFY,
	DISTRIBUTE,
}

Record Types

Data permissions are stored as records in the Sylo Data Permissions pallet. There are three differing forms of records to satisfy various use cases:
  • Data Permission Record: This is the simplest form of record and applies to a single data item.
  • Tagged Permission Record: A tagged record will hold a set of data tags. The permission applies to any data items that share at least of the tags in the record. This allows an author to easily grant a permission to a group of related data items.
  • Permission Reference Record: This record type indicates that there exists another permission record that is stored offchain on a storage sylo. The offchain permission record itself requires that a on-chain validation record for it exists and stores the actual permissions. This type of record is suitable when an author whishes to grant permissions over many data items that may not share any tags.

Calls

grantDataPermissions

Grants another account access permissions for a set of data items. The caller must be the author or have been granted the DISTRIBUTE permission by the author. Namespace
api.tx.syloDataPermissions.grantDataPermissions
Type
function grantDataPermissions(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The account to grant permissions to
  grantee: AccountId,

  /// List of data ids
  data_ids: Vec<Vec<Bytes>>,

  /// The permission level
  permission: DataPermission,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)
Data permission records are stored as a list of record under the key of (grantor, grantee). A u32 value will be assigned to each record to identify it.

revokeDataPermission

Revokes a previously granted data permission. The caller must be the author or the original grantor of the permission. Namespace
api.tx.syloDataPermissions.revokeDataPermission
Type
function revokeDataPermission(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,

  /// The data id of the item to revoke the permission for
  data_id: Vec<Vec<Bytes>>,
)

grantTaggedPermissions

Grants a tagged permission record. The caller must be the original data author. Distributors are not allowed to grant tagged permissions. Namespace
api.tx.syloDataPermissions.grantTaggedPermissions
Type
function grantTaggedPermissions(
  /// The account that was granted the permission
  grantee: AccountId,

  /// The permission level
  permission: DataPermission,

  /// List of data tags
  tags: Vec<Vec<Bytes>>,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)

revokeTaggedPermission

Revokes a previously granted tagged permission. The caller must be the author or the original grantor of the permission. Namespace
api.tx.syloDataPermissions.revokeTaggedPermission
Type
function revokeTaggedPermission(
  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,
)

grantPermissionReference

Creates a permission reference record. The caller must be the author. Namespace
api.tx.syloDataPermissions.grantPermissionReference
Type
function grantPermissionReference(
  /// The account to grant permissions to
  grantee: AccountId,

  /// The data id of the offchain permission record. This data item
  // must have an accompanying on-chain validation record.
  permission_record_id: Vec<Bytes>,
)

revokePermissionReference

Revokes a previously granted permission reference. The caller must be the author. Namespace
api.tx.syloDataPermissions.revokePermissionReference
Type
function revokePermissionReference(
  /// The account that was granted the permission
  grantee: AccountId,
)

Storage

PermissionRecords

Maps from grantor and grantee to a permission record id and the permission record itself. Namespace
api.query.syloDataPermissions.PermissionRecords
Type
type PermissionRecord {
	grantor: AccountId,
	permission: DataPermission,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function PermissionRecords(
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes
): Vec<(u32, PermissionRecord)>

TaggedPermissionRecords

Maps from grantor and grantee to a permission record id and the tagged permission record. Namespace
api.query.syloDataPermissions.TaggedPermissionRecords
Type
type TaggedPermissionRecord {
	permission: DataPermission,
	tags: Vec<Vec<Bytes>>,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function TaggedPermissionRecords(
  data_author: AccountId,
  grantee: AccountId
): Vec<(u32, TaggedPermissionRecord)>

PermissionReferences

Stores permission references for off-chain records. Namespace
api.query.syloDataPermissions.PermissionReferences
Type
type PermissionReference {
	permission_record_id: Vec<Bytes>,
}

function PermissionReferences(
  data_author: AccountId,
  grantee: AccountId
): Option<PermissionReference>

Events

DataPermissionGranted

An account has been granted permission for a specific data record. Namespace
api.events.syloDataPermissions.DataPermissionGranted
Type
type DataPermissionGranted = {
  data_author: AccountId,
  grantor: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission: DataPermission,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

DataPermissionRevoked

An account’s permission has been revoked for a specific data record. Namespace
api.events.syloDataPermissions.DataPermissionRevoked
Type
type DataPermissionRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  data_id: Bytes,
}

ExpiredDataPermissionRemoved

An expired data permission has been automatically removed. Namespace
api.events.syloDataPermissions.ExpiredDataPermissionRemoved
Type
type ExpiredDataPermissionRemoved = {
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission_id: u32,
}

TaggedDataPermissionsGranted

An account has been granted tagged permissions. Namespace
api.events.syloDataPermissions.TaggedDataPermissionsGranted
Type
type TaggedDataPermissionsGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

TaggedDataPermissionsRevoked

A tagged permission for an account has been revoked. Namespace
api.events.syloDataPermissions.TaggedDataPermissionsRevoked
Type
type TaggedDataPermissionsRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
}

PermissionReferenceGranted

An account has been granted a permission reference. Namespace
api.events.syloDataPermissions.PermissionReferenceGranted
Type
type PermissionReferenceGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

PermissionReferenceRevoked

An account’s permission reference has been revoked. Namespace
api.events.syloDataPermissions.PermissionReferenceRevoked
Type
type PermissionReferenceRevoked = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

Errors

DataRecordDoesNotExist

Attempted to grant permissions for a data record that does not exist. Namespace
api.errors.syloDataPermissions.DataRecordDoesNotExist

IrrevocableCannotBeExpirable

A permission that is set to irrevocable cannot also be set to have an expiry. Namespace
api.errors.syloDataPermissions.IrrevocableCannotBeExpirable

InvalidExpiry

Expiry value for permission record is invalid. Namespace
api.errors.syloDataPermissions.InvalidExpiry

ExceededMaxPermissions

Exceeded the maximum number of record permissions granted to a given account. Namespace
api.errors.syloDataPermissions.ExceededMaxPermissions

MissingDistributePermission

Attempted to grant a permission as a delegate without the required DISTRIBUTE permission. Namespace
api.errors.syloDataPermissions.MissingDistributePermission

CannotGrantDistributePermission

Distribute permissions can only be granted by the data author. Namespace
api.errors.syloDataPermissions.CannotGrantDistributePermission

PermissionIrrevocable

An irrevocable permission cannot be revoked. Namespace
api.errors.syloDataPermissions.PermissionIrrevocable

NotPermissionGrantor

Only the account that granted a permission or the data author can revoke a permission. Namespace
api.errors.syloDataPermissions.NotPermissionGrantor

PermissionNotFound

Cannot revoke a permission that does not exist. Namespace
api.errors.syloDataPermissions.PermissionNotFound

MissingValidationRecord

An accompanying verification record for the off-chain permission does not exist. Namespace
api.errors.syloDataPermissions.MissingValidationRecord

PermissionReferenceAlreadyExists

An existing permission reference has already been granted. Namespace
api.errors.syloDataPermissions.PermissionReferenceAlreadyExists

ExceededMaxExpiringPermissions

Exceeded the maximum number of permissions that can expire on the same block. Namespace
api.errors.syloDataPermissions.ExceededMaxExpiringPermissions

InvalidString

String values in an RPC call, in either the inputs or outputs, are invalid. Namespace
api.errors.syloDataPermissions.InvalidString