0075 XLS-75d: Account Permission Delegation #218
Replies: 13 comments 23 replies
-
It must be documented about Batch transaction.
|
Beta Was this translation helpful? Give feedback.
-
The ability for an issuer to “blackhole” an account (not delegating payments) while still retaining operational abilities for everything else via another account would be great! (Even greater 3 years ago but 😅 🤷🏻♂️) |
Beta Was this translation helpful? Give feedback.
-
Wouldn't a |
Beta Was this translation helpful? Give feedback.
-
regarding 3.1 fields, do we need |
Beta Was this translation helpful? Give feedback.
-
Since we use |
Beta Was this translation helpful? Give feedback.
-
Can we differentiate the transaction permission and granular permission in the json request by using
|
Beta Was this translation helpful? Give feedback.
-
Can we simplify the permission
|
Beta Was this translation helpful? Give feedback.
-
Should AccountPermissionSet transaction be banned from being delegated to other accounts? |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Shouldn't there be a transaction to delete |
Beta Was this translation helpful? Give feedback.
-
The first failure condition in |
Beta Was this translation helpful? Give feedback.
-
there should be an RPC call like |
Beta Was this translation helpful? Give feedback.
-
Per the XLS Contributing process, it is my opinion that we have reached a "well-refined standard." As such, I propose that we move this discussion to a file (via #257) and work on final changes using additional PRs, for better change-tracking. Please comment here if you would like to object to moving this spec/discussion forward in the process into a DRAFT spec. (Note that per the Contributing guidelines, moving a spec into the DRAFT state does not mean any kind of endorsement, nor does it mean that this specification will become adopted. It is solely meant as a mechanism to enable better change tracking using PRs.) |
Beta Was this translation helpful? Give feedback.
-
Account Permission Delegation
Abstract
This proposal introduces a delegated authorization mechanism to enhance the flexibility and usability of XRPL accounts.
Currently, critical issuer actions, such as authorizing trustlines, require direct control by the account's keys, hindering operational efficiency and complex use cases. By empowering account holders to selectively delegate specific permissions to other accounts, this proposal aims to enhance account usability without compromising security. This mechanism will unlock new possibilities for XRPL applications, such as multi-party workflows and advanced account management strategies.
1. Overview
We propose:
AccountPermission
ledger object.AccountPermissionSet
transaction type.We also propose modifying the transaction common fields.
This feature will require an amendment, tentatively titled
AccountPermission
.1.1. Terminology
1.2. Basic Flow
Isaac, a token issuer, wants to set up his account to follow security best practices and separation of responsibilities. He wants Alice to manage token issuing and Bob to manage trustlines. He is also working with Kylie, a KYC provider, who he wants to be able to authorize trustlines but not have any other permissions (as she is an external party).
He can authorize:
Payment
transaction permission.TrustSet
transaction permission.TrustlineAuthorize
granular permission.The full set of available permissions is listed in XLS-74d, Account Permissions
2. On-Ledger Object:
AccountPermission
This object represents a set of permissions that an account has delegated to another account, and is modeled to be similar to
DepositPreauth
objects.2.1. Fields
LedgerIndex
string
Hash256
LedgerEntryType
string
UInt16
AccountPermission
)Account
string
AccountID
Authorize
string
AccountID
Permissions
string
STArray
OwnerNode
string
UInt64
PreviousTxnID
string
Hash256
PreviousTxnLgrSeqNumber
number
UInt32
2.1.1. Object ID
The ID of this object will be a hash of the
Account
andAuthorize
fields, combined with the unique space key forAccountPermission
objects, which will be defined during implementation.2.1.2.
Permissions
This field is an array of permissions to delegate to the account, as listed in XLS-74d, Account Permissions. The array will have a maximum length of 10.
2.2. Account Deletion
The
AccountPermission
object is not a deletion blocker.3. Transaction:
AccountPermissionSet
This object represents a set of permissions that an account has delegated to another account, and is modeled to be similar to the
DepositPreauth
transaction type.3.1. Fields
TransactionType
string
UInt16
AccountPermissionSet
).Account
string
AccountID
Authorize
string
AccountID
Permissions
string
STArray
3.1.1.
Permissions
This transaction works slightly differently from the
DepositPreauth
transaction type. Instead of using anUnauthorize
field, an account is unauthorized by using an emptyPermissions
list.3.2. Failure Conditions
Permissions
is too long (the limit is 10), or includes duplicates.Authorize
doesn't exist.3.3. State Changes
A
AccountPermission
object will be created, modified, or deleted based on the provided fields.4. Transactions: Common Fields
4.1. Fields
As a reference, here are the fields that all transactions currently have.
We propose these modifications:
OnBehalfOf
string
AccountID
4.2. Failure Conditions
OnBehalfOf
account doesn't exist.OnBehalfOf
account hasn't authorized the transaction'sAccount
to send transactions on behalf of it.OnBehalfOf
account hasn't authorized the transaction'sAccount
to send this particular transaction type/granular permission on behalf of it.4.3. State Changes
The transaction succeeds as if the transaction was sent by the
OnBehalfOf
account.5. Examples
5.1.
Payment
PermissionIn this example, Isaac is delegating the
Payment
permission to Alice.5.1.1.
AccountPermissionSet
TransactionNote: the weird format of
Permissions
, with needing an internal object, is due to peculiarities in the XRPL's Binary Format. It can be cleaned up/simplified in tooling.5.1.2.
AccountPermission
Ledger Object5.1.3.
Payment
Transaction5.2.
TrustSet
PermissionIn this example, Isaac is delegating the
TrustSet
permission to Bob.5.2.1.
AccountPermissionSet
Transaction5.2.2.
AccountPermission
Ledger Object5.2.3.
TrustSet
TransactionIn this example, Bob is freezing a trustline from Holden, a USD.Isaac token holder.
5.3.
TrustlineAuthorize
PermissionIn this example, Isaac is delegating the
TrustlineAuthorize
permission to Kylie.5.3.1.
AccountPermissionSet
Transaction5.3.2.
AccountPermission
Object5.3.3.
TrustSet
TransactionIn this example, Kylie is authorizing Holden's trustline.
Note that this transaction will fail if:
tfSetfAuth
flag.6. Invariants
An account should never be able to send a transaction on behalf of another account without a valid
AccountPermission
object.7. Security
Delegating permissions to other accounts requires a high degree of trust, especially when the delegated account can potentially access funds (
Payment
s) or charge reserves (any transaction that can create objects). In addition, any account that has access to the entireAccountSet
,SetRegularKey
,SignerListSet
, orAccountPermissionSet
transactions can give themselves any permissions even if this was not originally part of the intention. Authorizing users for those transactions should have heavy warnings associated with it in tooling and UIs.All tooling indicating whether an account has been blackholed will need to be updated to also check if
AccountSet
,SetRegularKey
,SignerListSet
, orAccountPermissionSet
permissions have been delegated.On the other hand, this mechanism also offers a granular approach to authorization, allowing accounts to selectively grant specific permissions without compromising overall account control. This approach provides a balance between security and usability, empowering account holders to manage their assets and interactions more effectively.
Appendix
Appendix A: Comparing with XLS-49d, Multiple Signer Lists
In XLS-49d:
In this proposal:
Both are useful for slightly different usecases; XLS-49d is more useful when you want multiple signatures to guard certain features, while this proposal is useful when you want certain parties to have access to certain features. This proposal does support XLS-49d-like usage, but it would cost more XRP, as a second account would need to be created.
Appendix B: FAQ
B.1: Who pays the transaction fees?
The account that sends the transaction pays the transaction fees (not the delegating account, but the delegated account).
B.2: How does using an
NFTokenMint
permission compare to using the existingNFTokenMinter
account field?Note that the
NFTokenMinter
field provides more permissions than justNFTokenMint
ing; it provides permissions over offers and burning as well (though of course multiple permissions can be delegated to one account).The biggest advantage to using the
NFTokenMint
field is that it's "free" (it doesn't cost any additional reserve). Delegating a permission to an account costs one object reserve (for theAccountPermission
object).On the other hand, with this proposal, you can have as many accounts with the
NFTokenMint
permission as you want. The minting account can also mint NFTs directly into your account, instead of into their own account.Given the overlap in functionality, the
NFTokenMinter
field could potentially be deprecated in the future.B.3: Can a blackholed account have some permissions set?
Yes, in certain cases. For example, an account could still be considered "blackholed" if it has the
AccountDomainSet
permission delegated, but not if it has theSetRegularKey
permission delegated. The definition of a blackholed account will need to be modified after this amendment.B.4: Can I delegate permissions to a
Batch
transaction (XLS-56d)?No,
OnBehalfOf
will not be allowed onBatch
transactions. Instead, the inner transactions must include theOnBehalfOf
field.B.5: Why is the process of unauthorizing an account different between the
DepositPreauth
transaction and theAccountPermissionSet
transaction?The
DepositPreauth
transaction has anUnauthorize
field. It seemed more confusing to use such a paradigm here, but it can be changed if there are strong objections.Beta Was this translation helpful? Give feedback.
All reactions