# Access Control List

The ACL is used to control who can execute on-chain transactions. It is also used by the back-end to control access to off-chain data by the end user. The ACL is a mechanism for specifying the role an object has in the context of another object. For example, a user can have a role within the context of the business entity or company they represent. Roles are grouped, and user functions are restricted to users in certain groups. Users are allowed to assign roles to other users based on the group they belong to.

# Aspects of roles

  • A user can have only one role in any given context.
  • The system is a context, and roles granted within the context of the system are system roles that apply globally, to all objects. System roles include "System Manager" and "System Administrator".
  • A role can belong to multiple groups. A group can contain multiple roles.
  • A role can have only one assigner group.

Roles are configured by providing two tables, each a two-dimensional array of strings:

  • [Roles, Groups]
  • [Roles, Assigner Group]

For details, please review the Role and Group Configuration Tables.
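The rules above can be modelled in a few lines. This is an added example, not the project's own code. It assumes each table is a list of [role, group] rows, that a role with no assigner group cannot be assigned by anyone, and that a first System Administrator is set at construction. Apart from the two system role names, every role, group and context name is hypothetical.

```python
# Constructed sample tables; only the two system role names come from the page.
SYSTEM = "system"  # assumed identifier for the system context
ROLE_GROUPS = [  # [Role, Group]
    ["System Administrator", "System Admins"],
    ["System Manager", "System Managers"],
    ["Entity Admin", "Entity Admins"],
    ["Entity Manager", "Entity Managers"],
    ["Entity Manager", "Traders"],  # a role can belong to multiple groups
]
ROLE_ASSIGNER = [  # [Role, Assigner Group]
    ["System Manager", "System Admins"],
    ["Entity Admin", "System Managers"],
    ["Entity Manager", "Entity Admins"],
]


class ACL:
    def __init__(self, role_groups, role_assigner, bootstrap_admin):
        self.groups = {}
        for role, group in role_groups:
            self.groups.setdefault(role, set()).add(group)
        self.assigner = {}
        for role, group in role_assigner:
            if role in self.assigner:  # a role has only one assigner group
                raise ValueError(f"role {role!r} has more than one assigner group")
            self.assigner[role] = group
        # Keyed by (context, user), so a user holds at most one role per context.
        self.roles = {(SYSTEM, bootstrap_admin): "System Administrator"}

    def in_group(self, user, context, group):
        # Check the role held in this context, then the system role (applies globally).
        for ctx in (context, SYSTEM):
            role = self.roles.get((ctx, user))
            if role and group in self.groups.get(role, ()):
                return True
        return False

    def assign_role(self, assigner, user, context, role):
        # Deny by default: the assigner must be in the role's single assigner group.
        group = self.assigner.get(role)
        if group is None or not self.in_group(assigner, context, group):
            raise PermissionError(f"{assigner} may not assign {role!r} in {context}")
        self.roles[(context, user)] = role  # replaces any earlier role in this context
```

Authorization checks go through `in_group` rather than comparing role names directly, so moving a permission between roles only requires editing the [Roles, Groups] table.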