Role-Based Access Control (RBAC)
Chainlink Nodes allow the root admin CLI user and additional admin users to assign role-based access tiers. This approach grants specific access to multiple users without providing admin privileges to all users.
These new API users can log in to the Operator UI independently.
Roles and access
Each user has a specific role assigned to their account. There are four roles: admin, edit, run, and view.
Specific actions are enabled to check role-based access before they execute. The following table lists the actions that have role-based access and the role that is required to run that action:
| Action | View | Run | Edit | Admin |
|---|---|---|---|---|
| Update password | X | X | X | X |
| Create self API token | X | X | X | X |
| Delete self API token | X | X | X | X |
| List external initiators | X | X | X | X |
| Create external initiator | X | X | ||
| Delete external initiator | X | X | ||
| List bridges | X | X | X | X |
| View bridge | X | X | X | X |
| Create bridge | X | X | ||
| Edit bridge | X | X | ||
| Delete bridge | X | X | ||
| View config | X | X | X | X |
| Update config | X | |||
| Dump env/config | X | |||
| View transaction attempts | X | X | X | X |
| View transaction attempts EVM | X | X | X | X |
| View transactions | X | X | X | X |
| Replay a specific block number | X | X | X | |
| List keys (CSA,ETH,OCR(2),P2P,Solana,Terra) | X | X | X | X |
| Create keys (CSA,ETH,OCR(2),P2P,Solana,Terra) | X | X | ||
| Delete keys (CSA,ETH,OCR(2),P2P,Solana,Terra) | X | |||
| Import keys (CSA,ETH,OCR(2),P2P,Solana,Terra) | X | |||
| Export keys (CSA,ETH,OCR(2),P2P,Solana,Terra) | X | |||
| List jobs | X | X | X | X |
| View job | X | X | X | X |
| Create job | X | X | ||
| Delete job | X | X | ||
| List pipeline runs | X | X | X | X |
| View job runs | X | X | X | X |
| Delete job spec errors | X | X | ||
| View features | X | X | X | X |
| View log | X | X | X | X |
| Update log | X | |||
| List chains | X | X | X | X |
| View chain | X | X | X | X |
| Create chain | X | X | ||
| Update chain | X | X | ||
| Delete chain | X | X | ||
| View nodes | X | X | X | X |
| Create node | X | X | ||
| Update node | X | X | ||
| Delete node | X | X | ||
| View forwarders | X | X | X | X |
| Create forwarder | X | X | ||
| Delete forwarder | X | X | ||
| Create job run | X | X | X | |
| Create Transfer EVM | X | |||
| Create Transfer Terra | X | |||
| Create Transfer Solana | X | |||
| Create user | X | |||
| Delete user | X | |||
| Edit user | X | |||
| List users | X |
Configure users and roles
You can only use the CLI to configure role-based access.
Prerequisites
Only admins can configure role-based access. Connect to the Chainlink node container and log in as an admin before you create, modify, or delete user roles for other accounts:
-
Open an interactive shell session on the container that is running your node:
docker exec -it chainlink /bin/bash -
Log into the Chainlink CLI:
chainlink admin loginThe CLI prompts you for the admin credentials that you configured for your node.
View the current list of users
To view the current list of users, run the following command:
chainlink admin users listCreate a new user with a specific role
For example, you can create a user with view-only permissions on the node with the following command:
chainlink admin users create --email=operator-ui-view-only@test.com --role=viewThis user can now log into the UI and query the API, but cannot change any settings or jobs.
Modify a user role and permissions
To modify permissions, run the admin users chrole command. Use the -h flag to get a complete list of options for these commands:
chainlink admin users chrole -hDelete a user role and permissions
To delete existing users, run the admin users delete command. Use the -h flag to get a complete list of options for these commands:
chainlink admin users delete -h