EOS Permission Management

Blockgenic
Coinmonks
7 min read, Aug 17, 2018

One of the main differences of EOS with other blockchains is the account system. Between your funds and you, there’s an account. A 12 character name. And when you want to spend those funds, you need to sign a transaction for the account, not an associated key directly. Behind the account you can have one or more keys and those are on chain, and you can change those. You can alter them and there’s different permission levels. That’s really awesome. It also means you can do permissions management on your account. -Alexandre Bourget

The default permissions setup

As explained above, EOS has a unique account system, which allows users to manage permissions on their account. Each permission requires a valid transaction, or multiple valid transactions to be transferred to the blockchain. By default, an EOS account has 2 permissions, active and owner.

The active permission authority is used for transferring funds, voting for producers and making other high-level account changes.

The owner permission symbolizes ownership of an account. Only a few transactions require this authority, most notably actions that make any kind of change to the owner authority. Generally, it is suggested that owner is kept in cold storage and not shared with anyone. The owner permission can be used to recover another permission that may have been compromised.

By default, the keys for the active and owner both have a weight of 1, and both the active and the owner permission have a default threshold of 1. This means that there is only 1 signature from the owner key required to perform any action that requires the owner permission. The same goes for the active permission. There is only 1 signature from the active key required to perform any action that requires the active permission.

This is how a default EOS account is set up.


Changing and adding permissions

Luckily, you can add and change permissions, allowing you to create a multisignature account, create new permissions and much more. To show you the possibilities of changing and adding permissions we will explain an example.

Multisignature account

In this example we will explain how a multisignature wallet works, and how to set one up yourself.

Taken from the EOSIO Wiki

In the above image you can see a possible setup of a multisignature account. In this example the owner permission has a threshold of 2, and has 2 keys, both with a weight of 1. This means that the signature of both keys is needed to perform any action that requires the owner permission.

The active permission has a threshold of 1, and has 2 keys, both with a weight of 1. This means that only 1 signature from either of the 2 keys is required to perform any action that requires the active permission.
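The weight and threshold rule described above can be checked before an authority is changed on chain. The following is an added example, not code from the original article or from EOSIO; the key strings are constructed placeholders, and the model covers key entries only, not account or wait entries.

```python
from itertools import combinations

# Constructed authorities mirroring the multisignature example in the text.
# Key strings are placeholders, not real EOS public keys.
OWNER = {"threshold": 2, "keys": [{"key": "EOS_KEY_A", "weight": 1},
                                  {"key": "EOS_KEY_B", "weight": 1}]}
ACTIVE = {"threshold": 1, "keys": [{"key": "EOS_KEY_C", "weight": 1},
                                   {"key": "EOS_KEY_D", "weight": 1}]}


def signed_weight(authority, signing_keys):
    """Sum the weights of the authority's keys that actually signed.

    Each key counts once, and signatures from keys that are not
    listed in the authority contribute nothing."""
    signers = set(signing_keys)
    return sum(k["weight"] for k in authority["keys"] if k["key"] in signers)


def is_satisfied(authority, signing_keys):
    return signed_weight(authority, signing_keys) >= authority["threshold"]


def minimal_signer_sets(authority):
    """Every group of keys that reaches the threshold with no key to spare."""
    keys = [k["key"] for k in authority["keys"]]
    found = []
    for size in range(1, len(keys) + 1):
        for combo in combinations(keys, size):
            redundant = any(set(m) <= set(combo) for m in found)
            if is_satisfied(authority, combo) and not redundant:
                found.append(combo)
    return found


def lint(authority):
    """Problems worth catching before the authority is submitted."""
    problems = []
    total = sum(k["weight"] for k in authority["keys"])
    if authority["threshold"] < 1:
        problems.append("threshold must be at least 1")
    if total < authority["threshold"]:
        problems.append("unsatisfiable: weights sum to %d, threshold is %d"
                        % (total, authority["threshold"]))
    if len({k["key"] for k in authority["keys"]}) != len(authority["keys"]):
        problems.append("duplicate key listed")
    return problems
```

An authority that `lint` reports as unsatisfiable is one that no combination of its keys can ever sign for, which is how an account becomes inaccessible.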

How to set this up on your own account (toolkit)

Assuming the above makes sense, we will now explain how to set up a multisignature account on your own, using the EOSToolkit by Genereos. We will set up the account just like the multisignature account explained above.

First of all you have to download Scatter, a browser extension. You can get Scatter here. Follow the instructions on how to set up your Scatter account and log in to your Scatter extension. After that go to the toolkit and connect your existing EOS account.

*Don’t forget to add ‘@permission’ behind the public keys, change the permission to the actual permission (active, owner, etc)

After you have connected your Scatter account, you can visit the ‘advanced permissions’ tab. We will start by changing the owner permission of the account. Fill in the blanks using the correct information and keys and click update. You can also add more keys and change the threshold and the weight of the keys if you want.

*Don’t forget to add ‘@permission’ behind the public keys, change the permission to the actual permission (active, owner, etc)

After you have updated the owner permission you can update the active permission. Fill in the blanks using the correct information and keys and click update. Just like with the owner permission, you can also add more keys and change the threshold and the weight of the keys if you want.

Now you have a multisignature account, just like the multisignature account in the first example.

Custom permissions

A multisignature account is just one of many possibilities of EOS permissions. Creating a multisignature account only requires you to change the default permissions, though. To create more advanced permission structures, you can create new permissions, or manage and set existing permissions. We will show you how to create a new permission using both the toolkit by Genereos and cleos.

How to create new permissions (toolkit)

Managing, setting and creating new permissions has now been made really easy and accessible thanks to toolkits. Let’s say you have an EOS account, but don’t want to use your active key to vote with that account, as having the key compromised could be disastrous. You could give another account the permission to vote on that account. (You can do similar things using proxies; this is just to explain things.)

In the above image you can see how to fill in the blanks to give the second account the ability to use the vote permission on the main account. Only access to the active permission on the second account is required.

After confirming the above transaction, you will need to link your new vote permission to an eosio action. Since we want the second account that has this permission to be able to vote on the main account, we link the vote permission to the ‘voteproducer’ action using the ‘Link Auth’ tool.

Now the second account will be able to use the vote permission on the main account.

How to create new permissions (cleos)

You can also create a new, custom permission, using cleos. Below we will show you an example by EOS Canada, on how to create a new permission for claiming rewards using cleos.

EOS block producers get paid every day, so they have to claim these rewards every day. If they don’t claim the rewards, the rewards are gone, so every (paid) block producer wants to claim their rewards every day. By default, the active key is needed to claim the rewards, but putting the active key on a server that collects the rewards daily is very risky. That’s why it is desirable to set a new permission for this and to use a new, much less important, key for it.

To do this you need to run the following command using cleos:

cleos set account permission PRODUCERACCT claimer '{"threshold":1,"keys":[{"key":"YOUR_PUB_KEY","weight":1}]}' "active" -p PRODUCERACCT@active 

PRODUCERACCT is the 12 character account name that will collect the rewards, claimer is the name of the new permission, and "key":"YOUR_PUB_KEY","weight":1 is the new public key, with a weight of 1, that holds the new permission. The "active" argument makes the active permission the parent of the new permission, and -p PRODUCERACCT@active authorizes the transaction with the account's active permission.

After running the command above you need to link the permission to a certain action. To do this you need to run the following command.

cleos set action permission PRODUCERACCT eosio claimrewards claimer 

Running this command links the claimrewards action to the claimer permission; eosio is the smart contract.

Now only the new key is needed to use claimrewards. Having this key compromised wouldn’t be that big of a problem, as the only thing you can do with this key is claim the rewards on the producer account.
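To see what a compromised key could do under the claimer setup above (the same pattern as the vote permission linked to voteproducer earlier), the permission tree and link table can be modelled and audited. This is an added example, not code from the original article or from EOSIO; PARENTS, LINKS and ACTIONS are constructed data, and the resolution rule is a simplified assumption stated in the first comment.

```python
# Simplified model (an assumption of this example): an action needs the
# permission it was linked to, or "active" when no link exists, and a
# permission also satisfies every permission beneath it in the tree.

# Constructed state after the two cleos commands: permission -> parent.
PARENTS = {"owner": None, "active": "owner", "claimer": "active"}
# Constructed link table: (contract, action) -> minimum permission.
LINKS = {("eosio", "claimrewards"): "claimer"}
# Constructed list of actions to audit against.
ACTIONS = [("eosio", "claimrewards"), ("eosio", "voteproducer"),
           ("eosio.token", "transfer")]


def required_permission(contract, action, links=LINKS):
    """Minimum permission for an action: its link, else the default."""
    return links.get((contract, action), "active")


def satisfies(held, required, parents=PARENTS):
    """True when `held` is `required` or one of its ancestors."""
    seen = set()
    node = required
    while node is not None and node not in seen:
        if node == held:
            return True
        seen.add(node)  # guards against a malformed, cyclic tree
        node = parents.get(node)
    return False


def can_authorize(held, contract, action, links=LINKS, parents=PARENTS):
    needed = required_permission(contract, action, links)
    return satisfies(held, needed, parents)


def blast_radius(held, actions=ACTIONS, links=LINKS, parents=PARENTS):
    """Actions a holder of `held` (for example a stolen key) can authorize."""
    return [a for a in actions
            if can_authorize(held, a[0], a[1], links, parents)]
```

Calling `blast_radius("claimer", links={})` returns an empty list: until the action is linked, the new permission authorizes nothing, which is why the second command is required.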

*USE THIS GUIDE AND THESE TOOLS AT YOUR OWN RISK, WRONGFULLY USING THESE TOOLS CAN RESULT IN MAKING YOUR ACCOUNT INACCESSIBLE*

*KEEP IN MIND THAT FOLLOWING THESE TUTORIALS CAN RESULT IN MAKING YOUR ACCOUNT HARDER TO USE. THERE ARE NOT MANY TOOLS AVAILABLE THAT SUPPORT CUSTOM PERMISSIONS (YET)*

Special thanks to Nathan Rempel from Genereos for helping with this guide.


Written by Yannick Slenter for Blockgenic


We are a firm focused on Enterprise adoption of blockchain technology. EOS Block Producer name: ‘blockgenicbp’. www.blockgenic.io