Child Chain Control
Description
Child Chain Control is a feature that introduces permissioning to the Ardor multichain platform. It manages the authorization levels of users on child chains. When operating on a chain that has permissioning policy enabled users can be restricted from performing chain transactions.
Permission Types
To use child chain control features, you need to have the proper setup of the child chain. Namely, its permissionPolicy property should be set to CHILD_CHAIN only then you will be able to control permissioning. To check if it is enabled for a given chain open Account Details dialog. At the bottom of the dialog, you should see the value of the Account Permissions property for the current chain. If you don't see Account Permissions property it means you are operating on a chain that doesn't support permissioning, ask chain developers to enable it.
Without Chain User permission account will not be able to perform chain operations such as sending tokens and the user will be presented with a warning.
Ardor child chains support the following permissions:
| Permission Name | Assigned by | Features |
|---|---|---|
| Master Admin | developers | Can only designate/block admins. Cannot perform operations on the chain. |
| Chain Admin | Master Admin | Can only designate/block users. Cannot perform operations on the chain. |
| Blocked Chain Admin | Master Admin | Chain admin rights blocked. |
| Chain User | Chain Admin | Can perform operations on the chain. |
| Blocked Chain User | Chain Admin | Cannot perform operations on the chain. |
A single account can have multiple permissions per chain:
How to assign account permissions
For Ardor accounts to be able to use child chains you need to explicitly grant them Chain User permission. But first, you need to designate a few accounts as admins by giving them Chain Admin permission. You need to have at least one Master Admin account (ask developers to configure one or a few accounts with Master Admin permission) for that. Master Admin and Chain Admin accounts will have an extra link in the sidebar leading to Permissions Control page:
Permissions Control page has two buttons on top that open a modal dialog through which you can grant or remove permissions for a specific account. It also lists all the recent permissioning operations on this chain.
To grant Chain Admin permission click on Grant Permission button and fill in fields in the modal dialog.
You can filter out operations performed by you using toggle control next to Granted by column title. The last column has action buttons that simplify granting or removing permissions by prepopulating account and permission fields in the modal dialog. Once the account gets Chain Admin permission it can start granting Chain User permission to other accounts. Chain User permission is essential as it gives account access to chain features.
How to see which permissions account has
Even if you don't have Chain Admin or Master Admin rights you can still see who granted you permissions from the Account Permissions tab in the User Info modal. It also shows who granted you permissions and when it happened.
How to remove previously granted permission
If permission was granted to a wrong account or an account no longer needs it you can remove permission (you must yourself have sufficient permissions to do that, check the table above). Click the Remove Permission button on the Permissions Control page and complete the modal dialog. Hint: you can find all the permissions granted by you by clicking the toggle button next to Granted by column title. If you click Remove Permission button from the table - it will prepopulate the modal dialog account and permission fields.
How to block permissions
If you want to block users or admin simply grant them with Blocked Chain User or Blocked Chain Admin permissions. Blocked accounts will not be able to exercise their permissions until someone removes Blocked Chain User or Blocked Chain Admin permissions. Blocked accounts will see who blocked them.
