Search
Duplicate
Try Notion
Page icon

Roles & Permissions

Concept

KIRA governance system utilizes a combination of Roles & Permissions to create a multi-layered governance structure that enables a diverse range of councilors to participate and contribute to the network's decision-making processes. The system operates with just two rules enabling it to bootstrap and evolve almost any imaginable governance model. The rules state that :
Only whitelisted actors can execute on-chain actions (submit transactions of a given type).
Whitelisted actors can only execute on-chain actions that they have been given the permission to execute.
For example, a multicameral system can be created where subsets of councilors specialize in creating and voting on specific subsets of proposals. Alternatively, a separation of power through checks and balances can be implemented, preventing a single governance branch from achieving a privileged position. Overall, the KIRA governance system is designed to be flexible and adaptable, allowing it to constantly improve its efficiency and decentralization without relying on factors such as wealth or stake distribution. This makes it an effective tool for ensuring that network actors are motivated and aligned towards common goals, which is crucial for achieving consensus within the network.

Permissions

In KIRA network, every type of transaction that can be sent to SEKAI has a unique permission identifier associated with it and there exist two types of permissions: governance permissions and sudo permissions. Governance permissions allow changes to be made through a governance proposal process, and is always associated with two permissions: proposal creation and voting. Sudo permissions, on the other hand, allow users to make changes directly, bypassing any governance proposal. These permission identifiers can be added to the whitelist or blacklist of an individual KIRA account or a role β€” more on this in the following section. If the permission identifier is on the account's whitelist, the account is able to send the corresponding transaction to the blockchain. If the identifier is not on the account's whitelist or is on its blacklist, the account is not able to send the transaction, with the exception of MsgSend, and MsgMultiSend transactions. For example, if you want to allow a KIRA account to claim a validator seat on the blockchain, you must add the 2 permission to its whitelist. Only then will the account be able to use the claim-validator-seat CLI command to send the MsgClaimValidator transaction.

Roles

To make it easier to manage hundreds of different permissions, KIRA uses a concept of roles. A role is a collection of permissions that can be associated to a specific KIRA address. This allows the network to manage the permissions of all addresses associated with a role at once, rather than having to change permissions for each individual address. Each permission assigned to a role or individual address can have its own defined parameters, which can be used as input for the function that is triggered when a network actor submits a particular type of transaction. These parameters allow for more granular control of permissions, ensuring that the responsibilities and power of individual network actors can vary widely within the governance model. If the permissions associated with a role are changed, the permissions of all accounts that have been assigned that role will also be changed. Roles can be assigned either by a group of governance members with the appropriate permissions 22 and 23, or by a sudo member 9 .

Role & account permission conflicts

Permissions in the KIRA governance system can be managed at both account and role levels, each with separate whitelists and blacklists. Within the same type (account or role), a permission cannot be present on both the whitelist and the blacklist. In other words, if a permission is on a role's blacklist, it cannot be added to the role's whitelist, and vice versa. The same rule applies to account whitelists and blacklists.
It is important to note that conflicting permissions between account and role levels are possible. In cases where conflicts arise between an account's and a role's whitelists and blacklists, the blacklisted permissions always take precedence. This means that if a permission is blacklisted at either the account or role level, the user will be denied that permission, regardless of any whitelists.
πŸ“
Suppose a user has permission 10 whitelisted on their account and is also assigned to a role that has permission 10 blacklisted. In this case, the user will be denied permission 10, as the blacklisted permission takes precedence over the whitelisted permission.

Parameters

Permissions

Existing permissions and their correspond types and identifiers are listed here, or in the following page:

Roles

NAME
TYPE
EXAMPLE
DESCRIPTION
id
int
1
Identification number of the role - auto assigned
sid
string
some name
Unique identification name of the role
description
string
some text
Description of the role

CLI syntax & examples

Callout icon
Each CLI command and proposal process in KIRA requires specific permissions. These permissions must be added to the account's whitelist or obtained as sudo permissions for direct changes. Refer to the Roles & Permissions documentation for more details. $SIGNER represents the transaction signer's account name or address. For instructions on setting common flags as environment variables, such as $FLAGS_TX and $FLAGS_QR, see the CLI flags configuration section

Governance

To assign governance permissions, a group of governance members must submit and vote a proposal using whitelist-permission with the appropriate proposal creation permission 4 and voting permission 5. Sudo permissions can be assigned by an account which has the permission 1.
Proposals
Filter
Sort
Subcommand Path
CLI
DESCRIPTION
PERMISSIONS (VOTE/CREATION/SUDO)
Proposes to remove a blacklisted permission from an account
Proposes to blacklist an account's permission
Proposes to whitelist an account's permission
Proposes to assign a role to a specific account
Proposes to remove a whitelisted permission from an account
Proposes to unassign a role from a specific account
Proposes to remove a whitelisted permission from a role
Proposes to whitelist a role's permission
Proposes to create a new role with specific permissions
Proposes to blacklist a role's permission
Proposes to remove a role from the network
Proposes to remove a blacklisted permission from a role

Transaction

sekaid tx customgov role
create role
assign
unassign role
blacklist-permission
remove-whitelisted-permission
remove-blacklisted-permission
whitelist-permission
sekaid tx customgov permission
whitelist
blacklist
remove-whitelisted
remove-blacklisted

Create Role

Create a new role with sudo permissions using the create command followed by the role's unique identifier $ROLE_SID and a description $ROLE_DESCRIPTION.
Variables
$ROLE_SID: Unique string identifier for the role.
$ROLE_DESCRIPTION: A brief description of the role.
Bash
Copy
sekaid tx customgov role create \ --from=$SIGNER $FLAGS_TX \ $ROLE_SID $ROLE_DESCRIPTION
​

Assign Role

Assign a role with sudo permissions to an account using the assign command followed by the role's identifier $ROLE_ID.
Args
$ROLE_ID: The unique identifier of the role to be assigned.
Flags
$TARGET_ADDRESS: The target address to which the role will be assigned.
Bash
Copy
sekaid tx customgov role assign \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID --addr=$TARGET_ADDRESS
​

Remove Role

Remove a role with sudo permissions from an account using the remove role command followed by the role's identifier $ROLE_ID.
Args
$ROLE_ID: The unique identifier of the role to be removed.
Flags
$TARGET_ADDRESS: The target address from which the role will be removed.
Bash
Copy
sekaid tx customgov role remove role \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID --addr=$TARGET_ADDRESS
​

Whitelist Role Permission

Whitelist a permission to a role with sudo permissions using the whitelist-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the permission to be whitelisted.
Bash
Copy
sekaid tx customgov role whitelist-permission \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID $PERMISSION_ID
​

Blacklist Role’s Permission

Blacklist a permission for a governance role with sudo permissions using the blacklist-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the permission to be blacklisted.
Bash
Copy
sekaid tx customgov role blacklist-permission \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID $PERMISSION_ID
​

Remove Role’s Whitelisted Permission

Remove a whitelisted permission from a governance role with sudo permissions using the remove-whitelisted-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the whitelisted permission to be removed.
Bash
Copy
sekaid tx customgov role remove-whitelisted-permission \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID $PERMISSION_ID
​

Remove Role’s Blacklisted Permission

Remove a blacklisted permission from a governance role with sudo permissions using the remove-blacklisted-permission command followed by the role's identifier $ROLE_ID and the permission's identifier $PERMISSION_ID.
Args
$ROLE_ID: The unique identifier of the role.
$PERMISSION_ID: The unique identifier of the blacklisted permission to be removed.
Bash
Copy
sekaid tx customgov role remove-blacklisted-permission \ --from=$SIGNER $FLAGS_TX \ $ROLE_ID $PERMISSION_ID
​

Whitelist Account Permission

Assign permission to a Kira address whitelist with sudo permissions using the whitelist command.
Flags
$ADDRESS: The address for which permissions should be set.
$PERMISSION: The permission value to be assigned.
Bash
Copy
sekaid tx customgov permission whitelist \ --from=$SIGNER $FLAGS_TX \ --addr=$ADDRESS --permission=$PERMISSION
​

Remove Account Whitelisted Permission

Remove whitelisted permission from an address with sudo permissions using the remove-whitelisted command.
Flags
$ADDRESS: The address from which permissions should be removed.
$PERMISSION: The permission value to be removed.
Bash
Copy
sekaid tx customgov permission remove-whitelisted \ --from=$SIGNER $FLAGS_TX \ --addr=$ADDRESS --permission=$PERMISSION
​

Blacklist Account’s Permission

Assign permission to a Kira account blacklist with sudo permissions using the blacklist command.
Flags
$ADDRESS: The address for which permissions should be set.
$PERMISSION: The permission value to be assigned.
Bash
Copy
sekaid tx customgov permission blacklist \ --from=$SIGNER $FLAGS_TX \ --addr=$ADDRESS --permission=$PERMISSION
​

Remove Account’s Blacklisted Permissions

Remove blacklisted permission from an address with sudo permissions using the remove-blacklisted command.
Flags
$ADDRESS: The address from which permissions should be removed.
$PERMISSION: The permission value to be removed.
Bash
Copy
sekaid tx customgov permission remove-blacklisted \ --from=$SIGNER $FLAGS_TX \ --addr=$ADDRESS --permission=$PERMISSION
​

Queries

sekaid query customgov
permissions
whitelisted-permission-addresses
blacklisted-permission-addresses
all-roles
roles
role
whitelisted-role-addresses

Query Address Permissions

Retrieve the permissions associated with a specific KIRA address using the permissions command.
Args
$ADDR: The address whose permissions are to be queried.
Shell
Copy
sekaid query customgov permissions $ADDR $FLAGS_QR | jq
​

Query Addresses by Whitelisted Permission

List all KIRA addresses that are associated with a specific whitelisted permission using the whitelisted-permission-addresses command.
Args
$PERM: The whitelisted permission value to be queried.
Shell
Copy
sekaid query customgov whitelisted-permission-addresses $PERM $FLAGS_QR | jq
​

Query Addresses by Blacklisted Permission

List all KIRA addresses that are associated with a specific blacklisted permission using the blacklisted-permission-addresses command.
Args
$PERM: The blacklisted permission value to be queried.
Shell
Copy
sekaid query customgov blacklisted-permission-addresses $PERM $FLAGS_QR | jq
​

Query All Registered Roles

Retrieve a list of all registered roles in the KIRA network using the all-roles command.
Shell
Copy
sekaid query customgov all-roles $FLAGS_QR | jq
​

Query Roles Assigned to an Address

Retrieve the roles assigned to a specific KIRA address using the roles command.
Args
$ADDR: The address whose roles are to be queried.
Shell
Copy
sekaid query customgov roles $ADDR $FLAGS_QR | jq
​

Query Role by SID

Retrieve information about a specific role using its SID (Service Identifier) with the role command.
Args
$ROLE_IDENTIFIER: The SID of the role to be queried.
Shell
Copy
sekaid query customgov role $ROLE_IDENTIFIER $FLAGS_QR | jq
​

Query Addresses by Whitelisted Role

List all KIRA addresses associated with a specific whitelisted role using the whitelisted-role-addresses command.
Args
$ROLE: The whitelisted role value to be queried.
Shell
Copy
sekaid query customgov whitelisted-role-addresses $ROLE $FLAGS_QR | jq
​
Proposals