Permissions and Access Control

Learn how Prividium™ controls access to deploying and calling smart contracts.

Prividium™ provides granular control over who can deploy contracts and call contract functions on your chain. The Prividium API manages all access control through a permission system that authenticates users and validates their authorization before executing requests.

Prividium™ is a licensed product. Non-production use requires accepting the license terms; production deployments require a commercial agreement.

How Permissions Work

The Prividium API sits between clients and the standard RPC API, controlling who can deploy contracts and call specific contract functions. All requests require user authentication via the selected OIDC provider or SIWE (Sign-In With Ethereum) wallet signatures.

When a user attempts to deploy or interact with a contract on a Prividium™ chain:

  1. User authenticates via the selected OIDC provider or wallet signature
  2. User signs transaction with an EIP-712 typed message including a JSON Web Token (JWT)
  3. Prividium API receives request and verifies the JWT and wallet address
  4. Permission check validates whether the user has authorization
  5. Request proceeds or fails based on the permission evaluation
  6. If authorized, the request forwards to the standard RPC API for execution

Chain administrators configure all permissions through the Admin Dashboard.

Contract Deployment Permissions

Only authorized users can deploy smart contracts to a Prividium™ chain. Administrators control deployment access by assigning specific roles to users who need deployment privileges.

This ensures:

  • Controlled contract deployment to prevent unauthorized or malicious contracts
  • Audit trail of who deployed which contracts
  • Compliance with organizational policies for contract deployment

Administrators configure deployment permissions through the Admin Dashboard by assigning appropriate roles to users.

Learn more about user management in User Management.

Contract Function Permissions

After deployment, administrators configure granular permissions for each contract function. The Prividium API enforces these permissions every time a user attempts to call a function.

Permission Types

Each contract function can be assigned one of the following permission types:

  1. Forbidden: Prevents any user from calling the function. This is the default permission type for all functions after a contract is deployed.
  2. All Users: Allows any authenticated user to call the function without role restrictions. The user must still authenticate, but no specific role is required.
  3. Check Role: Restricts function access to authenticated users with specific roles. The Prividium API checks roles assigned to the authenticated user and only permits the call if the user has a required role.
  4. Restrict Argument: Allows any authenticated user to call the function, but restricts specific function arguments. Users can only pass argument values that meet the configured restrictions. For example, you might restrict a transfer function to only allow transfers below a certain amount.
  5. Check Role AND Restrict Argument: Combines role-based access control with argument restrictions. Users must have the required role AND can only use permitted argument values. Both conditions must be satisfied for the call to proceed.
  6. Check Role OR Restrict Argument: Provides flexible access where users can gain authorization either through having a required role OR by using restricted arguments. Role holders get unrestricted access, while users without the role get limited access through argument restrictions.
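The six permission types above, written out as decision logic. This is an added example, not Prividium's code: the policy shape, the `treasury` role, the `0xToken` key and the `below` restriction field are assumptions made for illustration.

```javascript
// Model of the six permission types. Data shapes are assumed, not Prividium's schema.
const PermissionType = Object.freeze({
  FORBIDDEN: "forbidden", ALL_USERS: "all_users", CHECK_ROLE: "check_role",
  RESTRICT_ARGUMENT: "restrict_argument",
  ROLE_AND_ARGUMENT: "role_and_argument", ROLE_OR_ARGUMENT: "role_or_argument",
});

// True if the user holds at least one of the roles the rule requires.
function hasRole(user, rule) {
  return (rule.roles || []).some((r) => (user.roles || []).includes(r));
}

// True if every configured restriction holds. A missing or empty list fails
// closed, so a half-configured rule never degrades into "All Users".
function argsAllowed(args, rule) {
  const rs = rule.restrictions || [];
  return rs.length > 0 && rs.every(({ name, below }) =>
    typeof args?.[name] === "bigint" && args[name] < below);
}

// policy: { [contract]: { [functionName]: rule } }. Unlisted functions are Forbidden.
function evaluate(policy, user, call) {
  if (!user || !user.authenticated) return false; // every type requires authentication
  const rule = (policy[call.contract] || {})[call.fn] || { type: PermissionType.FORBIDDEN };
  switch (rule.type) {
    case PermissionType.ALL_USERS: return true;
    case PermissionType.CHECK_ROLE: return hasRole(user, rule);
    case PermissionType.RESTRICT_ARGUMENT: return argsAllowed(call.args, rule);
    case PermissionType.ROLE_AND_ARGUMENT:
      return hasRole(user, rule) && argsAllowed(call.args, rule);
    case PermissionType.ROLE_OR_ARGUMENT:
      return hasRole(user, rule) || argsAllowed(call.args, rule);
    default: return false; // Forbidden, or an unrecognised type
  }
}

// Constructed sample policy for a hypothetical token contract.
const samplePolicy = { "0xToken": {
  balanceOf: { type: PermissionType.ALL_USERS },
  mint: { type: PermissionType.CHECK_ROLE, roles: ["treasury"] },
  transfer: { type: PermissionType.ROLE_OR_ARGUMENT, roles: ["treasury"],
              restrictions: [{ name: "amount", below: 1000n }] },
  burn: { type: PermissionType.ROLE_AND_ARGUMENT, roles: ["treasury"],
          restrictions: [{ name: "amount", below: 500n }] },
} };
const alice = { authenticated: true, roles: ["treasury"] }; // constructed users
const bob = { authenticated: true, roles: [] };
```

Under the OR type, `alice` can transfer any amount while `bob` is held to the argument limit, so review role membership with the same care as the restriction itself.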

Configuration

Administrators configure function permissions through the Admin Dashboard:

  • Select a deployed contract from the contracts list
  • View all contract functions with their current permission settings
  • Assign permission types to each function
  • Configure role requirements for role-based permissions
  • Define argument restrictions for argument-based permissions

Changes to permissions take effect immediately. Users may need to refresh their session to see updated access.

User Authentication

All permissions require user authentication. Prividium™ supports two authentication methods:

OIDC Authentication

Users authenticate through your organization's identity provider. This integrates with existing corporate identity systems and provides centralized user management.

Wallet Authentication (SIWE)

Users authenticate by signing a message with their Ethereum wallet using the Sign-In With Ethereum (SIWE) standard. This provides crypto-native authentication without requiring a corporate identity provider.

Hybrid Authentication

Users can be configured to authenticate with either Okta or a linked wallet, providing flexibility for different use cases and user preferences.

Permission Management

Administrators manage permissions through the Admin Dashboard, which provides:

  • User management - Create users, assign roles, link wallets
  • Role management - Define roles and assign permissions to roles
  • Contract permissions - Configure function-level access control
  • Audit capabilities - Monitor access patterns and permission changes

For detailed information on managing users and roles, see User Management.


Made with ❤️ by the ZKsync Community