问题
lets say we have a 2 organization network (OrgA and OrgB) both organizations have there own "Admin" identity that can issue identities. If the admin identity for OrgA issues a identity for a participant "ParA", how can one prohibit OrgB to issue a identity for that participent?
回答1:
You can use ACLs to restrict the kind of participants created or that are viewable, by either Organisation's admins. Simplest way is designated participant classes for each Org and control access to participants by class
Alternatively, they can be in the same participant class but have identifying Org metadata, ie. where you DO insist that the participants are created in the same participant class. Then (with ACLs in place) the org admin from 'another org' won't have the capability to bind an identity he issued, to the 'wrong' participant (ie one he should not even see, to bind it to), because a condition check in the ACL will prevent the access.
eg
rule myRule1 {
description: "Org admin can see/access/create participants matching own org"
participant(p): "org.acme.nwk.IssuerAdmins" // ie only someone of this class, can 'issue identities' -
operation: ALL // (CREATE, READ, UPDATE, DELETE) // do everything, for IDs in their Org ?
resource(r): "org.acme.nwk.myParticipants"
condition: (p.organisation == r.organisation) // can ONLY see or do anything with participants from own Org
action: ALLOW
}
An Org Admin from a 'different' org - can issue identities, but will not be able to see a participant 'not in his/her Org' (to try map to his own org's identities).
Its possible to be more 'succinct' and base it on data, but putting complex javascript evaluations (check the attribute value for an Org pattern sequence etc) adds more overhead, if large amounts of data is being compared against. you could also do another way:
来源:https://stackoverflow.com/questions/50680188/organization-based-restrictions-for-participant-identity-issuing-in-hyperledger