Access Control Admin Module

Provides internal functions for managing role administrators within a diamond.

Key Features

• Internal functions for role administration.
• Uses the diamond storage pattern for shared state.
• Guards updates by checking caller has the role's current admin role.
• Emits RoleAdminChanged on successful admin updates.

Initialization Requirement

setRoleAdmin reads adminRole[_role] before writing the new value.
If no admin role has been configured yet, that value is bytes32(0), so the caller must already hold role bytes32(0).

Storage

State Variables

Property	Type	Description
STORAGE_POSITION	bytes32	Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol"))

Access Control Storage

Definition

/** storage-location: erc8042:compose.accesscontrol */
struct AccessControlStorage {
  mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
  mapping(bytes32 role => bytes32 adminRole) adminRole;
}

Functions

getStorage

Returns the storage for the AccessControl.

function getStorage() pure returns (AccessControlStorage storage s);

Returns:

Property	Type	Description
s	AccessControlStorage	The storage for the AccessControl.

---

setRoleAdmin

Updates the admin role for _role. Emits RoleAdminChanged.

function setRoleAdmin(bytes32 _role, bytes32 _adminRole) ;

Authorization flow:

1. Require caller has the previous admin role over the _role
2. Update the admin role
3. Emit RoleAdminChanged(_role, previousAdminRole, _adminRole)

Parameters:

Property	Type	Description
_role	bytes32	The role to set the admin for.
_adminRole	bytes32	The new admin role to set.

Events

Emitted when the admin role for a role is changed.

Signature:

event RoleAdminChanged(bytes32 indexed _role, bytes32 indexed _previousAdminRole, bytes32 indexed _newAdminRole);

Parameters:

Property	Type	Description
_role	bytes32	The role that was changed.
_previousAdminRole	bytes32	The previous admin role.
_newAdminRole	bytes32	The new admin role.

Errors

Thrown when the account does not have a specific role.

Signature:

error AccessControlUnauthorizedAccount(address _account, bytes32 _role);

Best Practices

• Bootstrap initial role/admin assignments during initialization so authorized accounts can pass the first checks.
• Treat bytes32(0) as a privileged role in your access model when relying on default admin mappings.
• For admin rotation: grant new admin role first, then call setRoleAdmin, then revoke the old admin role.
• Keep AccessControlStorage layout compatible across upgrades (erc8042:compose.accesscontrol).

Was this helpful?

Last updated:March 13, 2026