Use Tagged Records
This guide demonstrates how to use record tags to categorize records and restrict which roles can write to each category. Tags enforce separation of concerns — for example, a finance writer cannot create legal records, even if both tags exist on the same trail.
Prerequisites
- Familiarity with Role-Based Access Control
Steps
1. Set Up Multiple Wallets
Create an admin wallet and a finance-writer wallet that will receive a tag-scoped capability.
2. Create a Trail with a Tag Registry
Define the available tags at trail creation. Only tags in the registry can be used on records.
3. Create a Tag-Scoped Role
Create a role restricted to specific tags using RoleTags. A holder of this role can only add records with one of the allowed tags.
4. Issue a Capability Bound to a Specific Address
Bind the capability to a particular wallet so only that address can use it.
5. Add a Record with a Matching Tag
The finance writer adds a record tagged as "finance" — this succeeds because the tag matches the role's restriction.
6. Verify Tag Enforcement
Attempting to add a record with a non-matching tag (e.g., "legal") fails.
Expected Behavior
- A role with RoleTags(["finance"]) can only add records tagged "finance".
- Attempts to write records with other tags (even valid ones in the registry) are rejected.
- Tags provide fine-grained access control beyond permission-level restrictions.
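The enforcement described in steps 2 to 6 can be pictured with the following added example, a simplified in-memory model that is not the library's API or the guide's own code. All type, field and function names, the sample addresses, and the order of the checks are assumptions made for illustration.

```rust
use std::collections::HashSet;

// Simplified model of the checks described above; every name here is hypothetical.
#[derive(Debug, PartialEq)]
enum WriteError {
    NotHolder,     // capability is bound to a different address
    UnknownTag,    // tag is not in the trail's tag registry
    TagNotAllowed, // tag is registered but outside the role's allowed tags
}

struct Trail {
    tag_registry: HashSet<String>,
    records: Vec<(String, String)>, // (tag, payload)
}

struct Capability {
    bound_to: String,           // only this address may use the capability
    role_tags: HashSet<String>, // tags the role is restricted to
}

fn set(tags: &[&str]) -> HashSet<String> {
    tags.iter().map(|t| t.to_string()).collect()
}

impl Trail {
    fn add_record(&mut self, sender: &str, cap: &Capability, tag: &str, payload: &str)
        -> Result<usize, WriteError> {
        if sender != cap.bound_to { return Err(WriteError::NotHolder); }
        if !self.tag_registry.contains(tag) { return Err(WriteError::UnknownTag); }
        if !cap.role_tags.contains(tag) { return Err(WriteError::TagNotAllowed); }
        self.records.push((tag.to_string(), payload.to_string()));
        Ok(self.records.len() - 1) // index of the new record
    }
}

// Constructed scenario: registry holds "finance" and "legal"; the role allows only "finance".
fn demo() -> Vec<Result<usize, WriteError>> {
    let mut trail = Trail { tag_registry: set(&["finance", "legal"]), records: vec![] };
    let cap = Capability { bound_to: "0xFINANCE".into(), role_tags: set(&["finance"]) };
    vec![
        trail.add_record("0xFINANCE", &cap, "finance", "Q1 invoice"), // matching tag
        trail.add_record("0xFINANCE", &cap, "legal", "NDA"),          // valid tag, wrong role
        trail.add_record("0xFINANCE", &cap, "hr", "contract"),        // tag not in registry
        trail.add_record("0xOTHER", &cap, "finance", "Q2 invoice"),   // wrong address
    ]
}

fn main() { for r in demo() { println!("{:?}", r); } }
```

Keeping the three rejection reasons distinct makes it possible to tell a misconfigured registry apart from a writer acting outside its role when reviewing failed writes.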
Running Examples Locally
In order to run the examples, you will need to run an IOTA network locally. See the local network setup guide.
Full Example Code
- Rust
- TypeScript (Node.js)