Proposing Future Ethereum Access Control
Dissecting current standards and proposing possible solutions for fully dynamic access control management in smart contracts
Access control is a fundamental element of the security of software infrastructure. Enterprise applications need strict rules on who can do what, depending on each user’s privileges.
It could be argued that access control in smart contracts needs even greater scrutiny since a vulnerability can result in malicious actors taking control of the system.
Simple forms of static access control in smart contracts exist today. The most common is the onlyOwner pattern. Another is OpenZeppelin’s Roles contract, which enables contracts to define roles before deployment.
Whilst this provides a good foundation for most smart contract applications, modern Role-Based Access Control (RBAC) systems enable administrators to define roles dynamically at runtime. The Roles contract is restrictive in this sense since roles cannot be defined after deployment.
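To make the contrast concrete, the following is an added example, not code from this article or from OpenZeppelin. It places the static onlyOwner pattern (a single owner fixed at deployment) next to a small role registry in which roles are identified by a bytes32 id and can be created, granted and revoked after deployment, with each role governed by an admin role. The contract names OwnedVault, DynamicRoles and RoleGatedVault, the role ids and the ^0.8.0 compiler pragma are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Static pattern: one owner fixed at deployment (the onlyOwner pattern).
// Illustrative code written for this example, not OpenZeppelin's Ownable.
contract OwnedVault {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "OwnedVault: caller is not the owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "OwnedVault: new owner is the zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function withdraw(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }

    receive() external payable {}
}

// Dynamic pattern: roles are bytes32 ids that need not exist at deployment.
// Every role has an admin role whose holders may grant or revoke it; roles with
// no explicit admin are governed by DEFAULT_ADMIN_ROLE, held by the deployer.
contract DynamicRoles {
    bytes32 public constant DEFAULT_ADMIN_ROLE = bytes32(0);

    mapping(bytes32 => mapping(address => bool)) private _members;   // role => account => member?
    mapping(bytes32 => bytes32) private _adminRole;                  // role => admin role

    event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);
    event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);
    event RoleAdminChanged(bytes32 indexed role, bytes32 indexed previousAdmin, bytes32 indexed newAdmin);

    constructor() {
        _members[DEFAULT_ADMIN_ROLE][msg.sender] = true;
        emit RoleGranted(DEFAULT_ADMIN_ROLE, msg.sender, msg.sender);
    }

    modifier onlyRole(bytes32 role) {
        require(hasRole(role, msg.sender), "DynamicRoles: caller lacks required role");
        _;
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _members[role][account];
    }

    // Unset entries read as bytes32(0), i.e. DEFAULT_ADMIN_ROLE.
    function getRoleAdmin(bytes32 role) public view returns (bytes32) {
        return _adminRole[role];
    }

    // Define or re-parent a role at runtime. Only holders of the role's current
    // admin role may do this, so a caller cannot move a role outside its hierarchy.
    function setRoleAdmin(bytes32 role, bytes32 adminRole) external onlyRole(getRoleAdmin(role)) {
        emit RoleAdminChanged(role, _adminRole[role], adminRole);
        _adminRole[role] = adminRole;
    }

    function grantRole(bytes32 role, address account) external onlyRole(getRoleAdmin(role)) {
        if (!_members[role][account]) {
            _members[role][account] = true;
            emit RoleGranted(role, account, msg.sender);
        }
    }

    function revokeRole(bytes32 role, address account) external onlyRole(getRoleAdmin(role)) {
        if (_members[role][account]) {
            _members[role][account] = false;
            emit RoleRevoked(role, account, msg.sender);
        }
    }
}

// A contract gated on a role that the deployer grants after deployment.
contract RoleGatedVault is DynamicRoles {
    bytes32 public constant WITHDRAWER_ROLE = keccak256("WITHDRAWER_ROLE");

    function withdraw(address payable to, uint256 amount) external onlyRole(WITHDRAWER_ROLE) {
        to.transfer(amount);
    }

    receive() external payable {}
}
```

In OwnedVault the set of privileged callers is fixed to one address, and widening it means redeploying. In RoleGatedVault the deployer holds DEFAULT_ADMIN_ROLE, calls grantRole(WITHDRAWER_ROLE, account) to authorise withdrawals, and can later call setRoleAdmin to hand administration of that role to a separate admin role. The RoleGranted, RoleRevoked and RoleAdminChanged events give an on-chain audit trail of every privilege change, which is what an operator would monitor for unexpected grants.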
This article walks through existing patterns for smart contract access control and proposes definitions for RBAC and Attribute-Based Access Control (ABAC) protocols.