Skip to main content

User authorization

After Quorum Key Manager (QKM) authenticates an incoming request, it submits the request to the targeted service which performs authorization checks based on request context before performing service operations.

The authorization process restricts system access through role-based access control or resource-based access control.

Role-based access control

Role-based access control (RBAC) restricts actions over resources to authorized users. Access is specified by roles assigned to users, using a manifest file or an identity provider.

See the full list of RBAC permissions.

Resource-based access control

Resource-based access control restricts access to resources to authorized users. Access is specified by allowed tenants for each resource, using a manifest file.



An action is a functionality of your application to be restricted to authorized users. For example, read, create, sign, encrypt, delete, and destroy.


A resource represents a business entity to be managed by your application. Authorization restricts access over resources. QKM currently has the following resources:

SecretA key-value element stored in a secure vault system.
KeyA cryptographic key.
Ethereum accountA cryptographic key allowing interaction with the Ethereum network.
VaultVault client connector used to persist resources remotely.
StoreA storage space for a set of secrets, keys, or Ethereum accounts.
NodeA representation of an underlying blockchain node.
AliasA representation of an external public key. For example, a Tessera address.
RegistryA storage space for clarifying a set of aliases


A tenant is a set of users with the highest access level to resources. In resource-based access control, you must pass a list of allowed tenants when defining a resource manifest file.


A permission is an authorization of an action over a resource, used in role-based access control (RBAC). Permissions take the form action:resource and are not mutually exclusive.


A role is a named set of permissions defined in a manifest file. Alternatively, you can use Auth0 to specify roles and attach permissions to your token.