B Using the Fine-Grained Access Control Library Included in the Marbles Sample

Starting in v1.2, Hyperledger Fabric provided fine-grained access control to many of the management functions. Oracle Blockchain Platform now provides a updated version of the mables sample package on the Developer Tools tab of the console, implementing a library of functions that chaincode developers can use to create access control lists for chaincode functions. It currently only supports the Go language.



The goal of this sample access control library is to provide the following:

  • Provides a mechanism to allow you to control which users can access particular chaincode functions.
  • The list of users and their entitlements should be dynamic and shared across chaincodes.
  • Provides access control checks so that a chaincode can check the access control list easily.
  • At chaincode deployment time, allows you to populate the list of resources and access control lists with your initial members.
  • An access control list must be provided to authorize users to perform access control list operations.

Download the Sample

On the Developer Tools tab, open the Samples pane. Click the download link under Marbles with Fine-Grained ACLs. This package contains three sub-packages:
  • Fine-GrainedAccessControlLibrary.zip:

    The fine-grained access control library. It contains functions in Go which can be used by chaincode developers to create access control lists for chaincode functions.

  • fgACL_MarbleSampleCC.zip:

    The marbles sample with access control lists implemented. It includes a variety of functions to let you examine how to work with fine-grained access control lists, groups and resources to restrict functions to certain users/identities.

  • fgACL-NodeJSCode.zip:

    Node.js scripts which use the Node.js SDK to run the sample. registerEnrollUser.js can be used to register new users with the Blockchain Platform. invokeQueryCC.js can be used to run transactions against a Blockchain Platform instance.

Terminology and Acronyms

Term Description
Identity An X509 certificate representing the identity of either the caller or the specific identity the chaincode wants to check.
Identity Pattern

A pattern that matches one or more identities. The following patterns are suggested:

  • X.509 Subject Common Name – CN
  • X.509 Subject Organizational Unit – OU
  • X.509 Subject Organization – O
  • Group as defined in this library – GRP
  • Attribute – ATTR

The format for a pattern is essentially just a string with a prefix. For example, to define a pattern that matches any identity in organization "example.com", the pattern would be "%O%example.com".

Resource The name of anything the chaincode wants to control access to. To this library it is just a named arbitrary string contained in a flat namespace. The semantics of the name are completely up to the chaincode.
Group A group of identity patterns.
ACL Access Control List: a named entity that has a list of identity patterns, a list of types of access such as "READ", "CREATE", "INVOKE", "FORWARD", or anything the chaincode wants to use. This library will use access types of CREATE, READ, UPDATE, and DELETE (standard CRUD operations) to maintain its information. Other than those four as they relate to the items in this library, they are just strings with no implied semantics. An application may decide to use accesses of "A", "B", and "CUSTOM".