Implementing access control using the current Participant
The current participant can be used to implement access control in a transaction processor function. You can use the type and the identifier of the current participant to permit or reject the execution of a transaction processor function.
Before you start
Before you follow these steps, you must have modelled a participant in a Business Network Definition and deployed it as a Business Network. You must have created some instances of those participants, and issued those participants with identities.
The procedure below shows an example using the following participant models:
namespace net.biz.digitalPropertyNetwork
participant Person identified by personId {
o String personId
o String firstName
o String lastName
}
participant PrivilegedPerson extends Person {
}
Procedure
- In your transaction processor function, verify that the type of the current participant meets the requirements by using the getCurrentParticipant function:
function onPrivilegedTransaction(privilegedTransaction) {
var currentParticipant = getCurrentParticipant();
if (currentParticipant.getFullyQualifiedType() !== 'net.biz.digitalPropertyNetwork.PrivilegedPerson') {
throw new Error('Transaction can only be submitted by a privileged person');
}
// Current participant must be a privileged person to get here.
}
- In your transaction processor function, verify the participant ID of the current participant by using the getCurrentParticipant function:
function onPrivilegedTransaction(privilegedTransaction) {
var currentParticipant = getCurrentParticipant();
if (currentParticipant.getFullyQualifiedIdentifier() !== 'net.biz.digitalPropertyNetwork.Person#PERSON_1') {
throw new Error('Transaction can only be submitted by person 1');
}
// Current participant must be person 1 to get here.
}
The participant ID of the current participant can be compared to a participant that is linked to an asset (by a relationship) to verify that the current participant has the authority to access or modify an asset:
function onPrivilegedTransaction(privilegedTransaction) {
// Get the owner of the asset in the transaction (a relationship to a participant).
var assetOwner = privilegedTransaction.asset.owner;
var currentParticipant = getCurrentParticipant();
// Compare fully qualified identifiers, not object references: the owner is a
// relationship and may not be the same object as the current participant.
if (currentParticipant.getFullyQualifiedIdentifier() !== assetOwner.getFullyQualifiedIdentifier()) {
throw new Error('Transaction can only be submitted by the owner of the asset');
}
// Current participant must be the owner of the asset to get here.
}
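The two checks above (participant type and asset ownership) combined into one deny-by-default helper, as an added example that is not part of the Composer documentation. The Identifiable class is a stand-in for Composer's participant and relationship objects and assumes only the getFullyQualifiedType() and getFullyQualifiedIdentifier() methods used in the snippets above; the sample participants and asset are constructed.

```javascript
// Added example. Identifiable stands in for Composer resource/relationship
// objects (assumption: they expose getFullyQualifiedType() and
// getFullyQualifiedIdentifier(), as used in the snippets above).
const NS = 'net.biz.digitalPropertyNetwork';

class Identifiable {
  constructor(type, id) { this.type = type; this.id = id; }
  getFullyQualifiedType() { return `${NS}.${this.type}`; }
  getFullyQualifiedIdentifier() { return `${NS}.${this.type}#${this.id}`; }
}

// Deny-by-default: the caller must be one of the permitted participant types
// AND must be the owner recorded on the asset. Throws on failure so the
// transaction is rejected, like the page's examples.
function authorize(currentParticipant, asset, permittedTypes) {
  if (!currentParticipant) {
    throw new Error('No current participant');
  }
  const type = currentParticipant.getFullyQualifiedType();
  // The type string is the concrete type, so a PrivilegedPerson is NOT
  // matched by 'Person'; list every subtype that should be permitted.
  if (!permittedTypes.includes(type)) {
    throw new Error('Transaction can only be submitted by ' + permittedTypes.join(' or '));
  }
  if (!asset || !asset.owner) {
    throw new Error('Asset has no owner');
  }
  // Compare identifiers, never object references: asset.owner is a
  // relationship, not necessarily the participant instance itself.
  if (currentParticipant.getFullyQualifiedIdentifier() !== asset.owner.getFullyQualifiedIdentifier()) {
    throw new Error('Transaction can only be submitted by the owner of the asset');
  }
  return true;
}

// Boolean wrapper for callers that want a decision rather than an exception.
function isAuthorized(participant, asset, permittedTypes) {
  try { return authorize(participant, asset, permittedTypes); } catch (e) { return false; }
}

// Constructed sample data (not real network state).
const alice = new Identifiable('PrivilegedPerson', 'PERSON_1');
const bob = new Identifiable('Person', 'PERSON_2');
const house = { owner: new Identifiable('PrivilegedPerson', 'PERSON_1') };
```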