github.com/hyperion-hyn/go-ethereum@v2.4.0+incompatible/docs/Permissioning/Usage.md

**This section describes how to use the permission model to create a network, perform its initial set up and manage it. The network management activities can be broadly categorized into:**

* [Initial network set up](#initial-network-set-up)
* [Proposing a new organization into the network](#proposing-a-new-organization-into-the-network)
* [Organization admin managing the organization level permissions](#organization-admin-managing-the-organization-level-permissions)
* [Suspending an organization temporarily](#suspending-an-organization-temporarily)
* [Revoking suspension of an organization](#revoking-suspension-of-an-organization)
* [Assigning admin privileges at organization and network level](#assigning-admin-privileges-at-organization-and-network-level)


### Initial network set up
Please refer to [set up](../setup). For an existing network running with an older version of Quorum:

* Upgrade Quorum to the latest version
* Deploy the contracts
* Execute the `init` method of `PermissionsUpgradable.sol` from the guardian account
* Copy the `permission-config.json` to the data directory of each node
* Bring `geth` up in `--permissioned` mode.

For a new network using the latest version of Quorum:

* Bring up the initial set of nodes
* Deploy the contracts
* Execute the `init` method of `PermissionsUpgradable.sol` from the guardian account
* Upgrade Quorum to the latest version
* Copy the `permission-config.json` to the data directory of each node
* Bring `geth` up in `--permissioned` mode.

As part of network initialization:

* A network admin organization is created with the `nwAdminOrg` name specified in `permission-config.json`. All nodes which are part of `static-nodes.json` are assigned to this organization.
* A network admin role is created with the `nwAdminRole` name specified in the config file.
* All accounts given in the `accounts` array of the config file are assigned the network admin role. These accounts will have the ability to propose and approve new organizations into the network.

Assuming that the network was started with the `permission-config.json` given in the [set up](../setup), and assuming the network was brought up with the `static-nodes.json` file given below:
```json
[
    "enode://72c0572f7a2492cffb5efc3463ef350c68a0446402a123dacec9db5c378789205b525b3f5f623f7548379ab0e5957110bffcf43a6115e450890f97a9f65a681a@127.0.0.1:21000?discport=0",
    "enode://7a1e3b5c6ad614086a4e5fb55b6fe0a7cf7a7ac92ac3a60e6033de29df14148e7a6a7b4461eb70639df9aa379bd77487937bea0a8da862142b12d326c7285742@127.0.0.1:21001?discport=0",
    "enode://5085e86db5324ca4a55aeccfbb35befb412def36e6bc74f166102796ac3c8af3cc83a5dec9c32e6fd6d359b779dba9a911da8f3e722cb11eb4e10694c59fd4a1@127.0.0.1:21002?discport=0",
    "enode://28a4afcf56ee5e435c65b9581fc36896cc684695fa1db83c9568de4353dc6664b5cab09694d9427e9cf26a5cd2ac2fb45a63b43bb24e46ee121f21beb3a7865e@127.0.0.1:21003?discport=0"
]
```
then the network will have the following configuration once it has started up:
```javascript
> quorumPermission.orgList
[{
    fullOrgId: "ADMINORG",
    level: 1,
    orgId: "ADMINORG",
    parentOrgId: "",
    status: 2,
    subOrgList: null,
    ultimateParent: "ADMINORG"
}]
> quorumPermission.getOrgDetails("ADMINORG")
{
  acctList: [{
      acctId: "0xed9d02e382b34818e88b88a309c7fe71e65f419d",
      isOrgAdmin: true,
      orgId: "ADMINORG",
      roleId: "ADMIN",
      status: 2
  }, {
      acctId: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e",
      isOrgAdmin: true,
      orgId: "ADMINORG",
      roleId: "ADMIN",
      status: 2
  }],
  nodeList: [{
      orgId: "ADMINORG",
      status: 2,
      url: "enode://72c0572f7a2492cffb5efc3463ef350c68a0446402a123dacec9db5c378789205b525b3f5f623f7548379ab0e5957110bffcf43a6115e450890f97a9f65a681a@127.0.0.1:21000?discport=0"
  }, {
      orgId: "ADMINORG",
      status: 2,
      url: "enode://7a1e3b5c6ad614086a4e5fb55b6fe0a7cf7a7ac92ac3a60e6033de29df14148e7a6a7b4461eb70639df9aa379bd77487937bea0a8da862142b12d326c7285742@127.0.0.1:21001?discport=0"
  }, {
      orgId: "ADMINORG",
      status: 2,
      url: "enode://5085e86db5324ca4a55aeccfbb35befb412def36e6bc74f166102796ac3c8af3cc83a5dec9c32e6fd6d359b779dba9a911da8f3e722cb11eb4e10694c59fd4a1@127.0.0.1:21002?discport=0"
  }, {
      orgId: "ADMINORG",
      status: 2,
      url: "enode://28a4afcf56ee5e435c65b9581fc36896cc684695fa1db83c9568de4353dc6664b5cab09694d9427e9cf26a5cd2ac2fb45a63b43bb24e46ee121f21beb3a7865e@127.0.0.1:21003?discport=0"
  }],
  roleList: [{
      access: 3,
      active: true,
      isAdmin: true,
      isVoter: true,
      orgId: "ADMINORG",
      roleId: "ADMIN"
  }],
  subOrgList: null
}
```

### Proposing a new organization into the network
Once the network is up, the network admin accounts can then propose a new organization into the network. Majority approval from the network admin accounts is required before an organization is approved.
The APIs for [proposing](../Permissioning%20apis#quorumpermissionaddorg) and [approving](../Permissioning%20apis#quorumpermissionapproveorg) an organization are documented in [permission APIs](../Permissioning%20apis).

#### Example
An example of proposing and approving an organization named `ORG1` is shown below:

```javascript
> quorumPermission.addOrg("ORG1", "enode://de9c2d5937e599930832cecc1df8cc90b50839bdf635c1a4e68e1dab2d001cd4a11c626e155078cc65958a72e2d72c1342a28909775edd99cc39470172cce0ac@127.0.0.1:21004?discport=0", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
```

Once the org is proposed, it will be in `Proposed` state awaiting approval from other network admin accounts. The org status is as shown below:
```javascript
> quorumPermission.orgList[1]
{
  fullOrgId: "ORG1",
  level: 1,
  orgId: "ORG1",
  parentOrgId: "",
  status: 1,
  subOrgList: null,
  ultimateParent: "ORG1"
}
```

The network admin accounts can then approve the proposed organizations and, once the majority approval is achieved, the organization status is updated as `Approved`.

```javascript
> quorumPermission.approveOrg("ORG1", "enode://de9c2d5937e599930832cecc1df8cc90b50839bdf635c1a4e68e1dab2d001cd4a11c626e155078cc65958a72e2d72c1342a28909775edd99cc39470172cce0ac@127.0.0.1:21004?discport=0", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e"})
"Action completed successfully"
> quorumPermission.orgList[1]
{
  fullOrgId: "ORG1",
  level: 1,
  orgId: "ORG1",
  parentOrgId: "",
  status: 2,
  subOrgList: null,
  ultimateParent: "ORG1"
}
```

The details of the newly approved organization are as below:
```javascript
> quorumPermission.getOrgDetails("ORG1")
{
  acctList: [{
      acctId: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996",
      isOrgAdmin: true,
      orgId: "ORG1",
      roleId: "ORGADMIN",
      status: 2
  }],
  nodeList: [{
      orgId: "ORG1",
      status: 2,
      url: "enode://de9c2d5937e599930832cecc1df8cc90b50839bdf635c1a4e68e1dab2d001cd4a11c626e155078cc65958a72e2d72c1342a28909775edd99cc39470172cce0ac@127.0.0.1:21004?discport=0"
  }],
  roleList: [{
      access: 3,
      active: true,
      isAdmin: true,
      isVoter: true,
      orgId: "ORG1",
      roleId: "ORGADMIN"
  }],
  subOrgList: null
}
```

As can be seen from the above, as a part of approval:

* An org admin role with the name given in `orgAdminRole` in `permission-config.json` has been created and linked to the organization `ORG1`
* The account given has been linked to the organization `ORG1` and the org admin role. This account acts as the organization admin account and can in turn manage further roles, nodes and accounts at organization level
* The node has been linked to the organization and its status has been updated as `Approved`

The new node belonging to the organization can now join the network. In case the network is running in `Raft` consensus mode, before the node joins the network, please ensure that:

* The node has been added as a peer using `raft.addPeer(<<enodeId>>)`
* `geth` for the new node is brought up using `--raftjoinexisting` with the peer id obtained in the above step

### Organization admin managing the organization level permissions
Once the organization is approved and the node of the organization has joined the network, the organization admin can then create sub organizations, roles, add additional nodes at organization level, add accounts to the organization and change roles of existing organization level accounts.

To add a sub org at `ORG1` level refer to [addSubOrg API](../Permissioning%20apis#quorumpermissionaddsuborg).
```javascript
> quorumPermission.addSubOrg("ORG1", "SUB1", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0", {from: eth.accounts[0]})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1")
{
  acctList: null,
  nodeList: [{
      orgId: "ORG1.SUB1",
      status: 2,
      url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
  }],
  roleList: null,
  subOrgList: null
}
```

For adding a sub org the enode id is not mandatory. If the org admin wants to add an administration account for the newly created sub org, the org admin account first has to create a role with the `isAdmin` flag as `Y` and then assign this role to the account which belongs to the sub org. Once assigned, the account will act as org admin at sub org level. Refer to [addNewRole API](../Permissioning%20apis#quorumpermissionaddnewrole).
```javascript
> quorumPermission.addNewRole("ORG1.SUB1", "SUBADMIN", 3, false, true,{from: eth.accounts[0]})
"Action completed successfully"
> eth.accounts[0]
"0x0638e1574728b6d862dd5d3a3e0942c3be47d996"
```

The role `SUBADMIN` can now be assigned to an account at sub org `SUB1` for making the account admin for the sub org.
```javascript
> quorumPermission.addAccountToOrg("0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0", "ORG1.SUB1", "SUBADMIN", {from: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1")
{
  acctList: [{
      acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0",
      isOrgAdmin: true,
      orgId: "ORG1.SUB1",
      roleId: "SUBADMIN",
      status: 2
  }],
  nodeList: [{
      orgId: "ORG1.SUB1",
      status: 2,
      url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
  }],
  roleList: [{
      access: 3,
      active: true,
      isAdmin: true,
      isVoter: false,
      orgId: "ORG1.SUB1",
      roleId: "SUBADMIN"
  }],
  subOrgList: null
}
```

The account `0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0` is now the admin for sub org `SUB1` and will be able to add roles, accounts and nodes to the sub org. It should be noted that the org admin account at master org level has the admin rights on all the sub organizations below. However the admin account at sub org level has control only in the sub org to which it is linked.
```javascript
> quorumPermission.addNewRole("ORG1.SUB1", "TRANSACT", 1, false, true,{from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").roleList
[{
    access: 3,
    active: true,
    isAdmin: true,
    isVoter: false,
    orgId: "ORG1.SUB1",
    roleId: "SUBADMIN"
}, {
    access: 1,
    active: true,
    isAdmin: true,
    isVoter: false,
    orgId: "ORG1.SUB1",
    roleId: "TRANSACT"
}]
```

To add an account to an organization refer to [addAccountToOrg API](../Permissioning%20apis#quorumpermissionaddaccounttoorg).
```javascript
> quorumPermission.addAccountToOrg("0x283f3b8989ec20df621166973c93b56b0f4b5455", "ORG1.SUB1", "SUBADMIN", {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
[{
    acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "SUBADMIN",
    status: 2
}, {
    acctId: "0x283f3b8989ec20df621166973c93b56b0f4b5455",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "TRANSACT",
    status: 2
}]
```

To suspend an account, the [updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 1.
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 1, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
[{
    acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "SUBADMIN",
    status: 2
}, {
    acctId: "0x283f3b8989ec20df621166973c93b56b0f4b5455",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "TRANSACT",
    status: 1
}]
```

To revoke suspension of an account, the [updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 2.
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 2, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
[{
    acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "SUBADMIN",
    status: 2
}, {
    acctId: "0x283f3b8989ec20df621166973c93b56b0f4b5455",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "TRANSACT",
    status: 2
}]
```

To blacklist an account, the [updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 3. Once blacklisted, no further activity will be possible on the account.
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 3, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
[{
    acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "SUBADMIN",
    status: 2
}, {
    acctId: "0x283f3b8989ec20df621166973c93b56b0f4b5455",
    isOrgAdmin: true,
    orgId: "ORG1.SUB1",
    roleId: "TRANSACT",
    status: 5
}]
```

The org admin can add nodes at organization and sub organization level using the [addNode](../Permissioning%20apis#quorumpermissionaddnode) API.
```javascript
> quorumPermission.addNode("ORG1.SUB1", "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0", {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
}, {
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```

The org admin can manage the status of the nodes by using the [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API. To deactivate a node the API can be invoked with action 1.
```javascript
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
}, {
    orgId: "ORG1.SUB1",
    status: 3,
    url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```

To activate the node again, invoke the [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API with action 2.
```javascript
> quorumPermission.updateNodeStatus("ORG1.SUB1", "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0",2, {from:"0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
}, {
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```

To blacklist a node, invoke the [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API with action 3. Once blacklisted, the node will never be able to join the network again.
```javascript
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
    orgId: "ORG1.SUB1",
    status: 2,
    url: "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0"
}, {
    orgId: "ORG1.SUB1",
    status: 4,
    url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```

It should be noted that in the case of the `Raft` consensus mechanism, when the node is deactivated the peer id is lost. Hence, upon activation, the node needs to be added to the Raft cluster again using `raft.addPeer` and the node should be brought up with the new peer id.

Further:

* An account can transact from any of the nodes linked to an org or sub org within the same organization
* If a node is deactivated no transaction will be allowed from that node

### Suspending an organization temporarily
If there is a need to temporarily suspend all activities of an organization, the [updateOrgStatus](../Permissioning%20apis#quorumpermissionupdateorgstatus) API can be invoked with action 1. This can be invoked only by the network admin accounts and will require majority voting.
```javascript
> quorumPermission.updateOrgStatus("ORG1", 1, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.orgList[2]
{
  fullOrgId: "ORG1",
  level: 1,
  orgId: "ORG1",
  parentOrgId: "",
  status: 3,
  subOrgList: null,
  ultimateParent: "ORG1"
}
```

To approve the org suspension, majority approval from other network admin accounts is required. The API for the same is [approveOrgStatus](../Permissioning%20apis#quorumpermissionapproveorgstatus). Once approved, the org status is marked as suspended.
```javascript
> quorumPermission.approveOrgStatus("ORG1", 1, {from: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e"})
"Action completed successfully"
> quorumPermission.orgList[2]
{
  fullOrgId: "ORG1",
  level: 1,
  orgId: "ORG1",
  parentOrgId: "",
  status: 4,
  subOrgList: null,
  ultimateParent: "ORG1"
}
```

When the org is suspended, no transaction is allowed from any of the accounts linked to the organization or to the sub organizations under it. However, the nodes linked to the organization will be active and will be syncing with the network.


### Revoking suspension of an organization
To revoke the suspension of an org, [updateOrgStatus](../Permissioning%20apis#quorumpermissionupdateorgstatus) can be called with action as 2.
This will require majority approval (API [approveOrgStatus](../Permissioning%20apis#quorumpermissionapproveorgstatus) with action 2).
```javascript
> quorumPermission.updateOrgStatus("ORG1", 2, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.approveOrgStatus("ORG1", 2, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.orgList[0]
{
  fullOrgId: "ORG1.SUB1",
  level: 2,
  orgId: "SUB1",
  parentOrgId: "ORG1",
  status: 2,
  subOrgList: null,
  ultimateParent: "ORG1"
}
```

Once the revoke is approved, all accounts in the organization and sub organization will be able to transact as per role level access.

### Assigning admin privileges at organization and network level
There may be a scenario where one of the accounts at the organization level needs to have network admin level permissions and be able to perform network admin activities. Similarly there can be a need to change the admin account at organization level. Both these activities can be performed by existing network admin accounts only, and will require majority approval from the network admin accounts. The API usage details are as below.

To assign network admin or org admin role to an account invoke [assignAdminRole](../Permissioning%20apis#quorumpermissionassignadminrole).
```javascript
> quorumPermission.assignAdminRole("ORG1", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", "ADMIN", {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.acctList[3]
{
  acctId: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996",
  isOrgAdmin: true,
  orgId: "ORG1",
  roleId: "ADMIN",
  status: 1
}
```

To approve the assignment of network admin role invoke [approveAdminRole](../Permissioning%20apis#quorumpermissionapproveadminrole) API.
```javascript
> quorumPermission.approveAdminRole("ORG1", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
"Action completed successfully"
> quorumPermission.acctList[4]
{
  acctId: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996",
  isOrgAdmin: true,
  orgId: "ORG1",
  roleId: "ADMIN",
  status: 2
}
```

The above account can now perform all activities allowable by a network admin account and can participate in the approval process for any actions at network level.
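
The page states that an org admin at master org level has admin rights on all sub organizations below it, while a sub org admin controls only its own sub org. The following added example (not part of the Quorum documentation or code) derives the effective admin set per org from collected `getOrgDetails` results and lists accounts and nodes that are not in status 2. The status labels are assumptions inferred from the outputs on this page, and `auditOrgs`, `ancestors`, `directAdmins` and `notActive` are hypothetical helper names.

```javascript
// Added example, not Quorum code. Status labels are assumptions inferred from
// the console outputs on this page, not taken from the Quorum source.
const ACTIVE = 2;
const ACCOUNT_STATUS = { 1: "suspended or pending approval", 5: "blacklisted" };
const NODE_STATUS = { 3: "deactivated", 4: "blacklisted" };

// "ORG1.SUB1" -> ["ORG1"]; a top-level org has no ancestors.
function ancestors(fullOrgId) {
  const parts = fullOrgId.split(".");
  return parts.slice(0, -1).map((_, i) => parts.slice(0, i + 1).join("."));
}

// Active accounts flagged isOrgAdmin in one getOrgDetails() result.
// acctList is null for an org without accounts, as in the page's output.
function directAdmins(details) {
  return (details.acctList || [])
    .filter((a) => a.isOrgAdmin && a.status === ACTIVE)
    .map((a) => a.acctId);
}

// Entries whose status is not 2, labelled with the inferred meaning.
function notActive(list, labels, key) {
  return (list || [])
    .filter((e) => e.status !== ACTIVE)
    .map((e) => ({ id: e[key], state: labels[e.status] || `status ${e.status}` }));
}

// detailsByOrg: { fullOrgId: getOrgDetails(fullOrgId) }, collected by the caller.
function auditOrgs(detailsByOrg) {
  const report = {};
  for (const [orgId, details] of Object.entries(detailsByOrg)) {
    // Admins of a parent org also administer every sub org below it.
    const inherited = ancestors(orgId)
      .filter((id) => detailsByOrg[id])
      .flatMap((id) => directAdmins(detailsByOrg[id]));
    report[orgId] = {
      effectiveAdmins: [...new Set([...inherited, ...directAdmins(details)])],
      inactiveAccounts: notActive(details.acctList, ACCOUNT_STATUS, "acctId"),
      inactiveNodes: notActive(details.nodeList, NODE_STATUS, "url"),
    };
  }
  return report;
}

// Constructed sample shaped like the outputs above; enode ids are placeholders.
const sample = {
  "ORG1": {
    acctList: [{ acctId: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", isOrgAdmin: true, orgId: "ORG1", roleId: "ORGADMIN", status: 2 }],
    nodeList: [{ orgId: "ORG1", status: 2, url: "enode://<node-a>@127.0.0.1:21004?discport=0" }],
    roleList: null, subOrgList: null,
  },
  "ORG1.SUB1": {
    acctList: [
      { acctId: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0", isOrgAdmin: true, orgId: "ORG1.SUB1", roleId: "SUBADMIN", status: 2 },
      { acctId: "0x283f3b8989ec20df621166973c93b56b0f4b5455", isOrgAdmin: true, orgId: "ORG1.SUB1", roleId: "TRANSACT", status: 5 },
    ],
    nodeList: [
      { orgId: "ORG1.SUB1", status: 2, url: "enode://<node-b>@127.0.0.1:21006?discport=0" },
      { orgId: "ORG1.SUB1", status: 3, url: "enode://<node-c>@127.0.0.1:21005?discport=0" },
    ],
    roleList: null, subOrgList: null,
  },
};

console.log(JSON.stringify(auditOrgs(sample), null, 2));
```

In the sample, the `ORG1` admin appears in the effective admin set of `ORG1.SUB1`, and the blacklisted account is excluded from it even though its `isOrgAdmin` flag is still set.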