# Roles and Permissions User Guide

1. [Step By Step Process](#id-1.-step-by-step-process)
2. [Demo Video](#id-2.-demo-video)

## 1. Step By Step Process

Roles and permissions allow for precise configuration of user access rights to Guardian functionality.

1. **Permissions format: {category}\_{entity}\_{action}**

* ***POLICIES\_POLICY\_READ*** – Controls read access to policies
* ***POLICIES\_POLICY\_EXECUTE*** – Controls access to running policies as a USER. When this access is given to a Guardian user, this user can assume a role within the policy and perform actions in the policy workflow.
* ***TOKENS\_TOKEN\_EXECUTE*** – Controls access to viewing tokens (balance, associate, disassociate)
* ***POLICIES\_POLICY\_MANAGE*** – Controls access to running policy as an OWNER.
* ***TOKENS\_TOKEN\_MANAGE*** – Controls access to managing tokens (balance, grant-kyc, freeze, unfreeze)

## **1. Managing roles**

### **1.1 Create**

A Standard Registry user with the corresponding permission (*PERMISSIONS\_ROLE\_CREATE*) can create new roles and populate them with the needed permissions.

![](/files/0r3meKOPDVLHUm6KzOC1)

![](/files/zNEy409y4w6g7bDdFAyP)

Roles consist of a set of permissions which allow users to perform the corresponding actions in the Guardian instance.

![](/files/7L5LwYIe9BSRyffYkC9m)

### **1.2. Edit**

<figure><img src="/files/cKNtrKzWxFxYtz9Emh3e" alt=""><figcaption></figcaption></figure>

### **1.3 Delete**

<figure><img src="/files/lLvyRxYyTaVUIXwD2Lw0" alt=""><figcaption></figcaption></figure>

### **1.4 Default**

The default role is applied automatically to all new users upon their registration.

![](/files/o2KBnLKYo460NoR9VKkG)

### **2.5 Access**

A special configuration option (permission) which controls user access to specific policies.

* ***ACCESS\_POLICY\_ALL*** – when set, the user will have access to all policies of the SR
* ***ACCESS\_POLICY\_ASSIGNED*** – when set, the user will only have access to policies assigned to the user
* ***ACCESS\_POLICY\_PUBLISHED*** – when set, the user will only have access to published policies of the SR
* ***ACCESS\_POLICY\_ASSIGNED\_AND\_PUBLISHED*** – when set, the user will only have access to policies assigned to the user, which are also published.

![](/files/MqHrMD6PoBmrcp8OqyWf)

### **2.6 Delegate**

A special permission option which enables users to transfer their roles (i.e. to delegate, preserving their own rights as per the role as well) to other users.\
Any user with the permission ***DELEGATION\_ROLE\_MANAGE*** can enable access to all or a subset of roles and/or policies (but only for those the user has access to), for other users.

![](/files/uwL7cYtOqYvSrMnm6n9n)
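
The access options and the delegation limit described above can be modelled as follows. This is an added example, not Guardian's own code: the policy shape (`{ id, published }`), the user object and the function names are assumptions made for illustration, and the sample data is constructed.

```javascript
// Added example, not Guardian code: a model of the rules stated on this page.
// The policy shape ({ id, published }) and all function names are hypothetical.
const ACCESS_RULES = new Map([
  ['ACCESS_POLICY_ALL', () => true],
  ['ACCESS_POLICY_ASSIGNED', (p, assigned) => assigned.has(p.id)],
  ['ACCESS_POLICY_PUBLISHED', (p) => p.published === true],
  ['ACCESS_POLICY_ASSIGNED_AND_PUBLISHED',
    (p, assigned) => assigned.has(p.id) && p.published === true],
]);

// Policies of the SR that a user may see under one access option.
// An unknown or missing option yields no access (deny by default).
function visiblePolicies(accessOption, srPolicies, assignedIds) {
  const rule = ACCESS_RULES.get(accessOption);
  if (!rule) return [];
  const assigned = new Set(assignedIds);
  return srPolicies.filter((p) => rule(p, assigned)).map((p) => p.id);
}

// Delegation check: the delegator needs DELEGATION_ROLE_MANAGE and may pass on
// only roles and policies it has access to itself.
function checkDelegation(delegator, request) {
  if (!delegator.permissions.includes('DELEGATION_ROLE_MANAGE')) {
    return { allowed: false, rejected: ['missing DELEGATION_ROLE_MANAGE'] };
  }
  const rejected = [
    ...request.roles.filter((r) => !delegator.roles.includes(r)).map((r) => `role:${r}`),
    ...request.policies.filter((p) => !delegator.policies.includes(p)).map((p) => `policy:${p}`),
  ];
  return { allowed: rejected.length === 0, rejected };
}

// Constructed sample data.
const POLICIES = [
  { id: 'p1', published: true },
  { id: 'p2', published: false },
  { id: 'p3', published: true },
];
const delegator = { permissions: ['DELEGATION_ROLE_MANAGE'], roles: ['Reviewer'], policies: ['p1', 'p2'] };
console.log(visiblePolicies('ACCESS_POLICY_ASSIGNED_AND_PUBLISHED', POLICIES, ['p1', 'p2']));
console.log(checkDelegation(delegator, { roles: ['Reviewer', 'Admin'], policies: ['p3'] }));
```
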

## **2. Assigning roles and policies**

### **2.1 Roles**

The *User Management* page provides facilities to configure user roles.

![](/files/kLzfAdq7B0PcHTSW3cf9)

![](/files/cfTmZSaCQIGwF959kDDX)

The administrator can see a summary of the permissions from all roles enabled for the user:

![](/files/Zmn07cUCf5Vvmd0mNvbk)

### **2.2 Policies**

On the policy page, the administrator can assign specific policies to be accessible to the user (if the ***ACCESS\_POLICY\_ASSIGNED*** permission is used).

<figure><img src="/files/UGJDENiN3E8i5ivas3aE" alt=""><figcaption></figcaption></figure>

### **2.3 Delegate**

Similarly to how the SR can configure roles and policies, users with the ***DELEGATION\_ROLE\_MANAGE*** permission can delegate their access to policies to other users. The list of options, however, is limited by the roles and policies assigned to them by the SR and/or other users.

### 2.4 Logs Permissions

The Standard Registry (SR) can assign three levels of access to logs for its users:

* Read – Allows the user to view their own logs. This permission is enabled by default.
* System – Allows the user to view logs from their SR account as well as system logs.
* Users – Allows the user to view logs of other users under the same SR.

<figure><img src="/files/lHz1YIXGWWEBDtzNv5uF" alt=""><figcaption></figcaption></figure>

## **3. Messages**

When a role is created, edited, or deleted a corresponding message will be posted to the SR’s Hedera topic in the following format:

```
{
"id": "b5aee339-860f-4702-a916-4d4dca93a885",
"status": "ISSUE",
"type": "Guardian-Role-Document",
"action": "create-role",
"lang": "en-US",
"issuer": "did:hedera:testnet:BJDCUTd8gFSaFwW4w7Tw8dbx7DfnkfLjJ14s2dquesS9_0.0.3579393",
"encodedData": false,
"cid": "QmUCXmE3KAe16xHEc9sr8vnPaNESKpzDGH8yKCf6jaDevp",
"uri": "ipfs://QmUCXmE3KAe16xHEc9sr8vnPaNESKpzDGH8yKCf6jaDevp",
"uuid": "6c0c8a7a-afef-40e2-900b-560a60945bfe",
"name": "Role name",
"description": "Role name"
}
```

When the list of roles assigned to the user is updated, the following message is posted to the SR’s Hedera topic:

```
{
"id": "88865f04-b599-4189-abb0-499de1de2c7d",
"status": "ISSUE",
"type": "User-Permissions",
"action": "set-role",
"lang": "en-US",
"issuer": "did:hedera:testnet:BJDCUTd8gFSaFwW4w7Tw8dbx7DfnkfLjJ14s2dquesS9_0.0.3579393",
"encodedData": false,
"cid": "QmfNFrWcPuoiSqMjGqogqTXRDRMEY6s68wsxU6fXTRLsAF",
"uri": "ipfs://QmfNFrWcPuoiSqMjGqogqTXRDRMEY6s68wsxU6fXTRLsAF",
"user": "did:hedera:testnet:EEGXZeZvcYmWj4e7cyPoDUi7rcRzkGbLBmziRrd7yrQm_0.0.3579393"
}
```

The messages are accompanied by an assigned VC document with the list of permissions the role contains.
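
Because every role change and role assignment leaves a message on the SR's topic, the topic can serve as an audit trail. The following added example (not Guardian code) checks messages shaped like the two samples above for missing fields, an issuer other than the expected SR DID, and a `uri` that does not match the `cid`; the function name, the DIDs and all sample values are constructed for illustration.

```javascript
// Added example, not Guardian code. Field names follow the two sample messages above;
// auditTopicMessages, SR_DID and every value in SAMPLE are constructed for illustration.
const REQUIRED = new Map([
  ['Guardian-Role-Document', ['id', 'status', 'action', 'issuer', 'cid', 'uri', 'uuid', 'name']],
  ['User-Permissions', ['id', 'status', 'action', 'issuer', 'cid', 'uri', 'user']],
]);

function auditTopicMessages(rawMessages, expectedIssuer) {
  const events = [];
  const findings = [];
  rawMessages.forEach((raw, index) => {
    let msg;
    try {
      msg = JSON.parse(raw);
    } catch {
      findings.push({ index, problems: ['invalid JSON'] });
      return;
    }
    if (msg === null || typeof msg !== 'object') {
      findings.push({ index, problems: ['not a JSON object'] });
      return;
    }
    const required = REQUIRED.get(msg.type);
    if (!required) return; // other message types on the topic are out of scope here
    const problems = required
      .filter((f) => typeof msg[f] !== 'string' || msg[f] === '')
      .map((f) => `missing ${f}`);
    if (msg.issuer !== expectedIssuer) problems.push('unexpected issuer');
    if (msg.uri !== `ipfs://${msg.cid}`) problems.push('uri does not match cid');
    if (problems.length > 0) findings.push({ index, problems });
    else events.push({ index, type: msg.type, action: msg.action, subject: msg.user ?? msg.uuid });
  });
  return { events, findings };
}

const SR_DID = 'did:hedera:testnet:CONSTRUCTED-SR_0.0.1';
const USER_DID = 'did:hedera:testnet:CONSTRUCTED-USER_0.0.1';
const base = { status: 'ISSUE', lang: 'en-US', issuer: SR_DID, encodedData: false,
  cid: 'QmCONSTRUCTED', uri: 'ipfs://QmCONSTRUCTED' };
const SAMPLE = [
  JSON.stringify({ ...base, id: 'm1', type: 'Guardian-Role-Document', action: 'create-role', uuid: 'role-1', name: 'Auditor' }),
  JSON.stringify({ ...base, id: 'm2', type: 'User-Permissions', action: 'set-role', user: USER_DID }),
  JSON.stringify({ ...base, id: 'm3', type: 'User-Permissions', action: 'set-role', user: USER_DID, issuer: 'did:hedera:testnet:CONSTRUCTED-OTHER_0.0.2' }),
  JSON.stringify({ ...base, id: 'm4', type: 'Guardian-Role-Document', action: 'create-role', uuid: 'role-2', name: 'Admin', uri: 'ipfs://QmDIFFERENT' }),
  '{"id": "m5", "type": "User-Permissions"', // truncated JSON
];
console.log(JSON.stringify(auditTopicMessages(SAMPLE, SR_DID), null, 2));
```
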

## 2. Demo Video

[Youtube](https://youtu.be/4bCrxd_EbTs)


