AccessControlMod

Manage roles and permissions within a diamond

Key Features

• All functions are internal for integration into custom facets.
• Utilizes the diamond storage pattern for shared state management.
• Compatible with ERC-2535 diamonds.
• No external dependencies, promoting composability.

Module Usage

This module provides internal functions for use in your custom facets. Import it to access shared logic and storage.

Overview

This module provides internal functions for managing role-based access control within a Compose diamond. Facets can import this module to grant, revoke, and check roles using shared diamond storage. This pattern ensures consistent permission management across all facets interacting with the same storage.

---

Storage

AccessControlStorage

Definition

struct AccessControlStorage {
  mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
  mapping(bytes32 role => bytes32 adminRole) adminRole;
}

State Variables

Property	Type	Description
STORAGE_POSITION	bytes32	Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol"))
DEFAULT_ADMIN_ROLE	bytes32	Default administrative role identifier (bytes32(0)) (Value: 0x00)

Functions

getStorage

Returns the storage for the AccessControl.

function getStorage() pure returns (AccessControlStorage storage _s);

Returns:

Property	Type	Description
_s	AccessControlStorage	The storage for the AccessControl.

---

grantRole

function to grant a role to an account.

function grantRole(bytes32 _role, address _account) returns (bool);

Parameters:

Property	Type	Description
_role	bytes32	The role to grant.
_account	address	The account to grant the role to.

Returns:

Property	Type	Description
-	bool	True if the role was granted, false otherwise.

---

hasRole

function to check if an account has a role.

function hasRole(bytes32 _role, address _account) view returns (bool);

Parameters:

Property	Type	Description
_role	bytes32	The role to check.
_account	address	The account to check the role for.

Returns:

Property	Type	Description
-	bool	True if the account has the role, false otherwise.

---

requireRole

function to check if an account has a required role. Reverts with AccessControlUnauthorizedAccount If the account does not have the role.

function requireRole(bytes32 _role, address _account) view;

Parameters:

Property	Type	Description
_role	bytes32	The role to assert.
_account	address	The account to assert the role for.

---

revokeRole

function to revoke a role from an account.

function revokeRole(bytes32 _role, address _account) returns (bool);

Parameters:

Property	Type	Description
_role	bytes32	The role to revoke.
_account	address	The account to revoke the role from.

Returns:

Property	Type	Description
-	bool	True if the role was revoked, false otherwise.

---

setRoleAdmin

function to set the admin role for a role.

function setRoleAdmin(bytes32 _role, bytes32 _adminRole) ;

Parameters:

Property	Type	Description
_role	bytes32	The role to set the admin for.
_adminRole	bytes32	The admin role to set.

Events

Emitted when the admin role for a role is changed.

Signature:

event RoleAdminChanged(bytes32 indexed _role, bytes32 indexed _previousAdminRole, bytes32 indexed _newAdminRole);

Parameters:

Property	Type	Description
_role	bytes32	The role that was changed.
_previousAdminRole	bytes32	The previous admin role.
_newAdminRole	bytes32	The new admin role.

Emitted when a role is granted to an account.

Signature:

event RoleGranted(bytes32 indexed _role, address indexed _account, address indexed _sender);

Parameters:

Property	Type	Description
_role	bytes32	The role that was granted.
_account	address	The account that was granted the role.
_sender	address	The sender that granted the role.

Emitted when a role is revoked from an account.

Signature:

event RoleRevoked(bytes32 indexed _role, address indexed _account, address indexed _sender);

Parameters:

Property	Type	Description
_role	bytes32	The role that was revoked.
_account	address	The account from which the role was revoked.
_sender	address	The account that revoked the role.

Errors

Thrown when the account does not have a specific role.

Signature:

error AccessControlUnauthorizedAccount(address _account, bytes32 _role);

Best Practices

Best Practice

• Call requireRole to enforce access control checks before executing sensitive functions.
• Ensure that your facet's storage layout is compatible with AccessControlStorage to prevent collisions.
• Handle the AccessControlUnauthorizedAccount error for predictable revert behavior.

Integration Notes

Shared Storage

This module uses diamond storage at the STORAGE_POSITION defined by keccak256("compose.accesscontrol"). All state modifications and reads are performed against the AccessControlStorage struct within this shared storage slot. Changes made by any facet using this module are immediately visible to all other facets accessing the same storage position.

Related Documentation

📦

OwnerTwoStepsMod

Related module in access

📦

AccessControlPausableMod

Related module in access

📦

AccessControlTemporalMod

Related module in access

📦

OwnerMod

Related module in access

Was this helpful?

Last updated:December 30, 2025