Introduction to Roles

Roles in Dew Finance are simple string identifiers that determine who can initiate or approve policy executions. Below are a few key points about roles:

  • Roles are lightweight - they're just string identifiers that can be assigned to accounts
  • Role assignment is managed through the grant_role and revoke_role policies
  • Multiple roles can be assigned to a single account, and multiple accounts can share the same role (many-to-many relationship)
  • A role can be granted to a RoleTarget, which can be either:
    1. AccountId: Any specified NEAR account ID
    2. Codehash: A code hash derived from Shade agent code, allowing any Shade agent running that code to assume the role.

Role assignment

Role assignment in Dew Finance is managed through the grant_role policy, which allows authorized vault operators to assign roles to accounts or code hashes.

Granting a role to a code hash involves an additional step: after the code hash is assigned a role via the grant_role policy, any Shade agent running the approved code can register itself using the register_agent method. Once registered, the agent can participate in proposal submission and voting, similar to a regular account.

By default:

  • The owner role is created automatically when the vault is initialized.
  • The vault creator is assigned the owner role by default.
  • All vault configuration policies initially require the owner role, but these requirements can be updated for more granular permission management.
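
In vault state, role assignments are stored as follows:

// other vault states
// Maps each role target (account or code hash) to the set of roles it holds.
account_roles: IterableMap<RoleTarget, UnorderedSet<Role>>,
// other vault states

// The entity a role is granted to.
pub enum RoleTarget {
    AccountId(AccountId), // a specific NEAR account ID
    Codehash(Codehash),   // code hash of Shade agent code
}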
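
The role model described above, sketched as an added example (this is not Dew Finance's contract code). Assumptions: std HashMap/HashSet and String aliases stand in for the near_sdk types, the agents map and has_role helper are hypothetical, and register_agent receives a code hash that is taken as already verified, since this page does not describe how the contract checks it.

```rust
use std::collections::{HashMap, HashSet};

// Assumption: plain Strings stand in for the near_sdk types on the page.
type AccountId = String;
type Codehash = String;
type Role = String;

#[derive(Clone, PartialEq, Eq, Hash)]
pub enum RoleTarget { AccountId(AccountId), Codehash(Codehash) }

#[derive(Default)]
pub struct RoleModel {
    account_roles: HashMap<RoleTarget, HashSet<Role>>,
    agents: HashMap<AccountId, Codehash>, // hypothetical: agent -> verified code hash
}

impl RoleModel {
    pub fn grant_role(&mut self, target: RoleTarget, role: &str) {
        self.account_roles.entry(target).or_default().insert(role.to_string());
    }
    pub fn revoke_role(&mut self, target: &RoleTarget, role: &str) {
        let emptied = match self.account_roles.get_mut(target) {
            Some(roles) => { roles.remove(role); roles.is_empty() }
            None => false,
        };
        if emptied { self.account_roles.remove(target); }
    }
    // Only a code hash that currently holds a role may register an agent.
    pub fn register_agent(&mut self, agent: &str, verified_hash: &str) -> bool {
        let ok = self.account_roles.contains_key(&RoleTarget::Codehash(verified_hash.to_string()));
        if ok { self.agents.insert(agent.to_string(), verified_hash.to_string()); }
        ok
    }
    // Direct grants plus grants inherited via the agent's code hash, resolved at check time.
    pub fn has_role(&self, account: &str, role: &str) -> bool {
        let direct = RoleTarget::AccountId(account.to_string());
        let via_hash = self.agents.get(account).map(|h| RoleTarget::Codehash(h.clone()));
        std::iter::once(direct).chain(via_hash)
            .any(|t| self.account_roles.get(&t).map_or(false, |r| r.contains(role)))
    }
}

fn main() {
    let mut m = RoleModel::default();
    m.grant_role(RoleTarget::Codehash("hash-a".into()), "trader"); // constructed values
    assert!(m.register_agent("agent.near", "hash-a"));
    m.revoke_role(&RoleTarget::Codehash("hash-a".into()), "trader");
    println!("agent still trader? {}", m.has_role("agent.near", "trader"));
}
```

Because has_role resolves the code hash grant at check time instead of copying roles onto the agent at registration, revoking the role from the code hash removes it from every registered agent at once.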