The Sylo Data Permissions allows data authors to grant, update, and revoke data permissions. It integrates with the Sylo Data Verification pallet to allow authors to manage fine-grained access control over their data.

Permission Levels

There are three types of permissions that can be associated with data items:

  • VIEW: Allows the grantee to view the data when fetching the item from a storage sylo.
  • MODIFY: Allows the grantee to modify the data. This includes the onchain validation record and also the data itself that is held by storage sylos.
  • DISTRIBUTE: Allows the grantee to distribute the data.

The MODIFY and DISTRIBUTE permissions imply the VIEW permission.

enum DataPermission {
	VIEW,
	MODIFY,
	DISTRIBUTE,
}

Record Types

Data permissions are stored as records in the Sylo Data Permissions pallet. There are three differing forms of records to satisfy various use cases:

  • Data Permission Record: This is the simplest form of record and applies to a single data item.
  • Tagged Permission Record: A tagged record will hold a set of data tags. The permission applies to any data items that share at least of the tags in the record. This allows an author to easily grant a permission to a group of related data items.
  • Permission Reference Record: This record type indicates that there exists another permission record that is stored offchain on a storage sylo. The offchain permission record itself requires that a on-chain validation record for it exists and stores the actual permissions. This type of record is suitable when an author whishes to grant permissions over many data items that may not share any tags.

Calls

grantDataPermissions

Grants another account access permissions for a set of data items.

The caller must be the author or have been granted the DISTRIBUTE permission by the author.

Namespace

api.tx.syloDataPermissions.grantDataPermissions

Type

function grantDataPermissions(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The account to grant permissions to
  grantee: AccountId,

  /// List of data ids
  data_ids: Vec<Vec<Bytes>>,

  /// The permission level
  permission: DataPermission,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)

Data permission records are stored as a list of record under the key of (grantor, grantee). A u32 value will be assigned to each record to identify it.

revokeDataPermission

Revokes a previously granted data permission.

The caller must be the author or the original grantor of the permission.

Namespace

api.tx.syloDataPermissions.revokeDataPermission

Type

function revokeDataPermission(
  /// The account that owns the data. When this differs from the caller, the caller
  /// must be a distributor.
  data_author: AccountId,

  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,

  /// The data id of the item to revoke the permission for
  data_id: Vec<Vec<Bytes>>,
)

grantTaggedPermissions

Grants a tagged permission record.

The caller must be the original data author. Distributors are not allowed to grant tagged permissions.

Namespace

api.tx.syloDataPermissions.grantTaggedPermissions

Type

function grantTaggedPermissions(
  /// The account that was granted the permission
  grantee: AccountId,

  /// The permission level
  permission: DataPermission,

  /// List of data tags
  tags: Vec<Vec<Bytes>>,

  /// An optional blocknumber for the expiry
  expiry: Option<BlockNumber>,

  /// Whether the permission is irrevocable
  irrevocable: bool,
)

revokeTaggedPermission

Revokes a previously granted tagged permission.

The caller must be the author or the original grantor of the permission.

Namespace

api.tx.syloDataPermissions.revokeTaggedPermission

Type

function revokeTaggedPermission(
  /// The id of the permission record.
  permission_id: u32,

  /// The account that was granted the permission
  grantee: AccountId,
)

grantPermissionReference

Creates a permission reference record.

The caller must be the author.

Namespace

api.tx.syloDataPermissions.grantPermissionReference

Type

function grantPermissionReference(
  /// The account to grant permissions to
  grantee: AccountId,

  /// The data id of the offchain permission record. This data item
  // must have an accompanying on-chain validation record.
  permission_record_id: Vec<Bytes>,
)

revokePermissionReference

Revokes a previously granted permission reference.

The caller must be the author.

Namespace

api.tx.syloDataPermissions.revokePermissionReference

Type

function revokePermissionReference(
  /// The account that was granted the permission
  grantee: AccountId,
)

Storage

PermissionRecords

Maps from grantor and grantee to a permission record id and the permission record itself.

Namespace

api.query.syloDataPermissions.PermissionRecords

Type

type PermissionRecord {
	grantor: AccountId,
	permission: DataPermission,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function PermissionRecords(
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes
): Vec<(u32, PermissionRecord)>

TaggedPermissionRecords

Maps from grantor and grantee to a permission record id and the tagged permission record.

Namespace

api.query.syloDataPermissions.TaggedPermissionRecords

Type

type TaggedPermissionRecord {
	permission: DataPermission,
	tags: Vec<Vec<Bytes>>,
	block: BlockNumber,
	expiry: Option<BlockNumber>,
	irrevocable: bool,
}

function TaggedPermissionRecords(
  data_author: AccountId,
  grantee: AccountId
): Vec<(u32, TaggedPermissionRecord)>

PermissionReferences

Stores permission references for off-chain records.

Namespace

api.query.syloDataPermissions.PermissionReferences

Type

type PermissionReference {
	permission_record_id: Vec<Bytes>,
}

function PermissionReferences(
  data_author: AccountId,
  grantee: AccountId
): Option<PermissionReference>

Events

DataPermissionGranted

An account has been granted permission for a specific data record.

Namespace

api.events.syloDataPermissions.DataPermissionGranted

Type

type DataPermissionGranted = {
  data_author: AccountId,
  grantor: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission: DataPermission,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

DataPermissionRevoked

An account’s permission has been revoked for a specific data record.

Namespace

api.events.syloDataPermissions.DataPermissionRevoked

Type

type DataPermissionRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  data_id: Bytes,
}

ExpiredDataPermissionRemoved

An expired data permission has been automatically removed.

Namespace

api.events.syloDataPermissions.ExpiredDataPermissionRemoved

Type

type ExpiredDataPermissionRemoved = {
  data_author: AccountId,
  grantee: AccountId,
  data_id: Bytes,
  permission_id: u32,
}

TaggedDataPermissionsGranted

An account has been granted tagged permissions.

Namespace

api.events.syloDataPermissions.TaggedDataPermissionsGranted

Type

type TaggedDataPermissionsGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
  expiry: Option<BlockNumber>,
  irrevocable: bool,
}

TaggedDataPermissionsRevoked

A tagged permission for an account has been revoked.

Namespace

api.events.syloDataPermissions.TaggedDataPermissionsRevoked

Type

type TaggedDataPermissionsRevoked = {
  revoker: AccountId,
  grantee: AccountId,
  permission: DataPermission,
  tags: Vec<Bytes>,
}

PermissionReferenceGranted

An account has been granted a permission reference.

Namespace

api.events.syloDataPermissions.PermissionReferenceGranted

Type

type PermissionReferenceGranted = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

PermissionReferenceRevoked

An account’s permission reference has been revoked.

Namespace

api.events.syloDataPermissions.PermissionReferenceRevoked

Type

type PermissionReferenceRevoked = {
  grantor: AccountId,
  grantee: AccountId,
  permission_record_id: Bytes,
}

Errors

DataRecordDoesNotExist

Attempted to grant permissions for a data record that does not exist.

Namespace

api.errors.syloDataPermissions.DataRecordDoesNotExist

IrrevocableCannotBeExpirable

A permission that is set to irrevocable cannot also be set to have an expiry.

Namespace

api.errors.syloDataPermissions.IrrevocableCannotBeExpirable

InvalidExpiry

Expiry value for permission record is invalid.

Namespace

api.errors.syloDataPermissions.InvalidExpiry

ExceededMaxPermissions

Exceeded the maximum number of record permissions granted to a given account.

Namespace

api.errors.syloDataPermissions.ExceededMaxPermissions

MissingDistributePermission

Attempted to grant a permission as a delegate without the required DISTRIBUTE permission.

Namespace

api.errors.syloDataPermissions.MissingDistributePermission

CannotGrantDistributePermission

Distribute permissions can only be granted by the data author.

Namespace

api.errors.syloDataPermissions.CannotGrantDistributePermission

PermissionIrrevocable

An irrevocable permission cannot be revoked.

Namespace

api.errors.syloDataPermissions.PermissionIrrevocable

NotPermissionGrantor

Only the account that granted a permission or the data author can revoke a permission.

Namespace

api.errors.syloDataPermissions.NotPermissionGrantor

PermissionNotFound

Cannot revoke a permission that does not exist.

Namespace

api.errors.syloDataPermissions.PermissionNotFound

MissingValidationRecord

An accompanying verification record for the off-chain permission does not exist.

Namespace

api.errors.syloDataPermissions.MissingValidationRecord

PermissionReferenceAlreadyExists

An existing permission reference has already been granted.

Namespace

api.errors.syloDataPermissions.PermissionReferenceAlreadyExists

ExceededMaxExpiringPermissions

Exceeded the maximum number of permissions that can expire on the same block.

Namespace

api.errors.syloDataPermissions.ExceededMaxExpiringPermissions

InvalidString

String values in an RPC call, in either the inputs or outputs, are invalid.

Namespace

api.errors.syloDataPermissions.InvalidString