Access Control Admin Facet
Allows setting administrative roles for specific roles within a diamond.
Key Features
- Manages role-to-admin-role mappings in diamond storage.
- Guards admin updates by checking the caller has the role's current admin role.
- Exposes selector export for diamond cuts.
Initialization Requirement
setRoleAdmin checks the caller against adminRole[_role] before updating it.
If a role has never had an admin set, adminRole[_role] is bytes32(0), so the caller must already hold role bytes32(0).
Storage
State Variables
| Property | Type | Description |
|---|---|---|
STORAGE_POSITION | bytes32 | Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol")) |
Access Control Storage
Functions
setRoleAdmin
Updates the admin role for _role.
Authorization flow:
- Require caller has the previous admin role over the
_role - Update the admin role
- Emit
RoleAdminChanged(_role, previousAdminRole, _adminRole)
Parameters:
| Property | Type | Description |
|---|---|---|
_role | bytes32 | The role to set the admin for. |
_adminRole | bytes32 | The new admin role to set. |
Events
Errors
Best Practices
- Bootstrap role ownership/admins at initialization so trusted accounts can pass the first admin checks.
- Treat
bytes32(0)as a privileged role in your access model when relying on default admin mappings. - When rotating admin roles, grant the new admin role first, then switch
adminRole, then revoke old permissions. - Keep facet storage layout compatible (
erc8042:compose.accesscontrol) across upgrades.
Was this helpful?
Last updated:
