Concept
KIRA governance system utilizes a combination of Roles & Permissions to create a multi-layered governance structure that enables a diverse range of councilors to participate and contribute to the network's decision-making processes. The system operates with just two rules enabling it to bootstrap and evolve almost any imaginable governance model. The rules state that :
Only whitelisted actors can execute on-chain actions (submit transactions of a given type).
Whitelisted actors can only execute on-chain actions that they have been given the permission to execute.
For example, a multicameral system can be created where subsets of councilors specialize in creating and voting on specific subsets of proposals. Alternatively, a separation of power through checks and balances can be implemented, preventing a single governance branch from achieving a privileged position. Overall, the KIRA governance system is designed to be flexible and adaptable, allowing it to constantly improve its efficiency and decentralization without relying on factors such as wealth or stake distribution. This makes it an effective tool for ensuring that network actors are motivated and aligned towards common goals, which is crucial for achieving consensus within the network.
Permissions
In KIRA network, every type of transaction that can be sent to SEKAI has a unique permission identifier associated with it and there exist two types of permissions: governance permissions and sudo permissions. Governance permissions allow changes to be made through a governance proposal process, and is always associated with two permissions: proposal creation and voting. Sudo permissions, on the other hand, allow users to make changes directly, bypassing any governance proposal. These permission identifiers can be added to the whitelist or blacklist of an individual KIRA account or a role β more on this in the following section. If the permission identifier is on the account's whitelist, the account is able to send the corresponding transaction to the blockchain. If the identifier is not on the account's whitelist or is on its blacklist, the account is not able to send the transaction, with the exception of MsgSend, and MsgMultiSend transactions. For example, if you want to allow a KIRA account to claim a validator seat on the blockchain, you must add the 2 permission to its whitelist. Only then will the account be able to use the claim-validator-seat CLI command to send the MsgClaimValidator transaction.
Roles
To make it easier to manage hundreds of different permissions, KIRA uses a concept of roles. A role is a collection of permissions that can be associated to a specific KIRA address. This allows the network to manage the permissions of all addresses associated with a role at once, rather than having to change permissions for each individual address. Each permission assigned to a role or individual address can have its own defined parameters, which can be used as input for the function that is triggered when a network actor submits a particular type of transaction. These parameters allow for more granular control of permissions, ensuring that the responsibilities and power of individual network actors can vary widely within the governance model. If the permissions associated with a role are changed, the permissions of all accounts that have been assigned that role will also be changed. Roles can be assigned either by a group of governance members with the appropriate permissions 22 and 23, or by a sudo member 9 .
Role & account permission conflicts
Permissions in the KIRA governance system can be managed at both account and role levels, each with separate whitelists and blacklists. Within the same type (account or role), a permission cannot be present on both the whitelist and the blacklist. In other words, if a permission is on a role's blacklist, it cannot be added to the role's whitelist, and vice versa. The same rule applies to account whitelists and blacklists.
It is important to note that conflicting permissions between account and role levels are possible. In cases where conflicts arise between an account's and a role's whitelists and blacklists, the blacklisted permissions always take precedence. This means that if a permission is blacklisted at either the account or role level, the user will be denied that permission, regardless of any whitelists.
Parameters
Permissions
Existing permissions and their correspond types and identifiers are listed here, or in the following page:
Roles
CLI syntax & examples
Each CLI command and proposal process in KIRA requires specific permissions. These permissions must be added to the account's whitelist or obtained as sudo permissions for direct changes. Refer to the Roles & Permissions documentation for more details. $SIGNER represents the transaction signer's account name or address. For instructions on setting common flags as environment variables, such as $FLAGS_TX and $FLAGS_QR, see the CLI flags configuration section
Governance
Transaction
sekaid tx customgov role
create role
assign
unassign role
blacklist-permission
remove-whitelisted-permission
remove-blacklisted-permission
whitelist-permission
sekaid tx customgov permission
whitelist
blacklist
remove-whitelisted
remove-blacklisted
Create Role
Create a new role with sudo permissions using the create command followed by the role's unique identifier $ROLE_SID and a description $ROLE_DESCRIPTION.
Variables
$ROLE_SID: Unique string identifier for the role.
$ROLE_DESCRIPTION: A brief description of the role.
Bash
Copy
sekaid tx customgov role create \
--from=$SIGNER $FLAGS_TX \
$ROLE_SID $ROLE_DESCRIPTION
Assign Role
Assign a role with sudo permissions to an account using the assign command followed by the role's identifier $ROLE_ID.
Args
$ROLE_ID: The unique identifier of the role to be assigned.
Flags
$TARGET_ADDRESS: The target address to which the role will be assigned.
Bash
Copy
sekaid tx customgov role assign \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID --addr=$TARGET_ADDRESS
Remove Role
Remove a role with sudo permissions from an account using the remove role command followed by the role's identifier $ROLE_ID.
Args
$ROLE_ID: The unique identifier of the role to be removed.
Flags
$TARGET_ADDRESS: The target address from which the role will be removed.
Bash
Copy
sekaid tx customgov role remove role \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID --addr=$TARGET_ADDRESS
Whitelist Role Permission
Whitelist a permission to a role with sudo permissions using the whitelist-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the permission to be whitelisted.
Bash
Copy
sekaid tx customgov role whitelist-permission \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID $PERMISSION_ID
Blacklist Roleβs Permission
Blacklist a permission for a governance role with sudo permissions using the blacklist-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the permission to be blacklisted.
Bash
Copy
sekaid tx customgov role blacklist-permission \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID $PERMISSION_ID
Remove Roleβs Whitelisted Permission
Remove a whitelisted permission from a governance role with sudo permissions using the remove-whitelisted-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the whitelisted permission to be removed.
Bash
Copy
sekaid tx customgov role remove-whitelisted-permission \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID $PERMISSION_ID
Remove Roleβs Blacklisted Permission
Remove a blacklisted permission from a governance role with sudo permissions using the remove-blacklisted-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the blacklisted permission to be removed.
Bash
Copy
sekaid tx customgov role remove-blacklisted-permission \
--from=$SIGNER $FLAGS_TX \
$ROLE_ID $PERMISSION_ID
Whitelist Account Permission
Assign permission to a Kira address whitelist with sudo permissions using the whitelist command.
Flags
$ADDRESS: The address for which permissions should be set.
$PERMISSION: The permission value to be assigned.
Bash
Copy
sekaid tx customgov permission whitelist \
--from=$SIGNER $FLAGS_TX \
--addr=$ADDRESS --permission=$PERMISSION
Remove Account Whitelisted Permission
Remove whitelisted permission from an address with sudo permissions using the remove-whitelisted command.
Flags
$ADDRESS: The address from which permissions should be removed.
$PERMISSION: The permission value to be removed.
Bash
Copy
sekaid tx customgov permission remove-whitelisted \
--from=$SIGNER $FLAGS_TX \
--addr=$ADDRESS --permission=$PERMISSION
Blacklist Accountβs Permission
Assign permission to a Kira account blacklist with sudo permissions using the blacklist command.
Flags
$ADDRESS: The address for which permissions should be set.
$PERMISSION: The permission value to be assigned.
Bash
Copy
sekaid tx customgov permission blacklist \
--from=$SIGNER $FLAGS_TX \
--addr=$ADDRESS --permission=$PERMISSION
Remove Accountβs Blacklisted Permissions
Remove blacklisted permission from an address with sudo permissions using the remove-blacklisted command.
Flags
$ADDRESS: The address from which permissions should be removed.
$PERMISSION: The permission value to be removed.
Bash
Copy
sekaid tx customgov permission remove-blacklisted \
--from=$SIGNER $FLAGS_TX \
--addr=$ADDRESS --permission=$PERMISSION
Queries
sekaid query customgov
permissions
whitelisted-permission-addresses
blacklisted-permission-addresses
all-roles
roles
role
whitelisted-role-addresses
Query Address Permissions
Retrieve the permissions associated with a specific KIRA address using the permissions command.
Args
$ADDR: The address whose permissions are to be queried.
Shell
Copy
sekaid query customgov permissions $ADDR $FLAGS_QR | jq
Query Addresses by Whitelisted Permission
List all KIRA addresses that are associated with a specific whitelisted permission using the whitelisted-permission-addresses command.
Args
$PERM: The whitelisted permission value to be queried.
Shell
Copy
sekaid query customgov whitelisted-permission-addresses $PERM $FLAGS_QR | jq
Query Addresses by Blacklisted Permission
List all KIRA addresses that are associated with a specific blacklisted permission using the blacklisted-permission-addresses command.
Args
$PERM: The blacklisted permission value to be queried.
Shell
Copy
sekaid query customgov blacklisted-permission-addresses $PERM $FLAGS_QR | jq
Query All Registered Roles
Retrieve a list of all registered roles in the KIRA network using the all-roles command.
Shell
Copy
sekaid query customgov all-roles $FLAGS_QR | jq
Query Roles Assigned to an Address
Retrieve the roles assigned to a specific KIRA address using the roles command.
Args
$ADDR: The address whose roles are to be queried.
Shell
Copy
sekaid query customgov roles $ADDR $FLAGS_QR | jq
Query Role by SID
Retrieve information about a specific role using its SID (Service Identifier) with the role command.
Args
$ROLE_IDENTIFIER: The SID of the role to be queried.
Shell
Copy
sekaid query customgov role $ROLE_IDENTIFIER $FLAGS_QR | jq
Query Addresses by Whitelisted Role
List all KIRA addresses associated with a specific whitelisted role using the whitelisted-role-addresses command.
Args
$ROLE: The whitelisted role value to be queried.
Shell
Copy
sekaid query customgov whitelisted-role-addresses $ROLE $FLAGS_QR | jq