Supported Access Control Lists (ACLs)
Configure your DIDComm Mediator with different Access Control Lists (ACLs) for better control and privacy for users.
Important Note
You can only update DID-level Access Control Lists (ACLs) on self-hosted DIDComm Mediators.
Mediator-level ACLs
| ACL Flag | Description |
|---|---|
| explicit_deny | Mediator will allow any DID to connect and forward/deliver messages unless explicitly denied. |
| explicit_allow | Mediator will deny all DIDs except for what has been explicitly allowed. |
| local_direct_delivery_allowed | If set to true, a DIDComm message can be addressed either to the mediator or directly to a local DID. If false, the DIDComm message must be addressed to the mediator, and the mediator will handle the delivery. |
To configure the mediator-level ACL, edit conf/mediator.toml and restart the mediator.
DID-level ACLs
DID-level ACLs define whether a DID can store, send, or receive messages. Mediator-level ACLs apply by default to all DIDs added to the mediator.
Send and Receive Messages
ACL flags provide granular control over whether a DID can send or receive messages.
| ACL Flag | Description |
|---|---|
| ALLOW_ALL | Default ACL. Allows all operations (sets the ACL mode to explicit_deny per DID; the DID can self-manage its own ACLs). |
| DENY_ALL | Denies all operations (sets the ACL mode to explicit_allow per DID). |
| MODE_EXPLICIT_ALLOW | The per-DID Access Control List (ACL) will only allow what is explicitly allowed. |
| MODE_EXPLICIT_DENY | The per-DID Access Control List (ACL) will allow everyone except those explicitly denied. |
| LOCAL | Messages for this DID will be stored on the mediator. |
| SEND_MESSAGES | DID can send messages to others. |
| RECEIVE_MESSAGES | DID can receive messages from others. |
| SEND_FORWARDED | DID can send forwarded messages. |
| RECEIVE_FORWARDED | DID can receive forwarded messages. |
| ANON_RECEIVE | DID can receive anonymous messages. |
| CREATE_INVITES | DID can create OOB invites. |
Self-change Flags
These flags allow users to update the ACLs for their own DID without administrator intervention. They are useful when you want to give users control over their own permissions, for example in the Public Mediator - Open Network operating mode.
| ACL Flag | Description |
|---|---|
| MODE_SELF_CHANGE | Allows the DID owner to change the ACL Mode for their own DID Access Control List. |
| ALLOW_ALL_SELF_CHANGE | Allows all *_SELF_CHANGE flags (explicitly set when ALLOW_ALL is set). |
| DENY_ALL_SELF_CHANGE | Denies all *_SELF_CHANGE flags (explicitly set when DENY_ALL is set). |
| SEND_MESSAGES_CHANGE | Allows the DID owner to change the send_messages ACL for their own DID. |
| RECEIVE_MESSAGES_CHANGE | Allows the DID owner to change the receive_messages ACL for their own DID. |
| SEND_FORWARDED_CHANGE | Allows the DID owner to change the send_forwarded ACL for their own DID. |
| RECEIVE_FORWARDED_CHANGE | Allows the DID owner to change the receive_forwarded ACL for their own DID. |
| CREATE_INVITES_CHANGE | Allows the DID owner to change the create_invites ACL for their own DID. |
| ANON_RECEIVE_CHANGE | Allows the DID owner to change the anon_receive ACL for their own DID. |
| SELF_MANAGE_LIST | DID can self-manage its own ACL list (add/remove entries). |
| SELF_MANAGE_SEND_QUEUE_LIMIT | DID can set its own send queue limit (between the queued_messages_soft and queued_messages_hard limits). |
| SELF_MANAGE_RECEIVE_QUEUE_LIMIT | DID can set its own receive queue limit (between the queued_messages_soft and queued_messages_hard limits). |
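As an added illustration (not the mediator's own code), the following Python models how the mediator-level mode and the DID-level flags above combine into a delivery decision and a self-change check. The `Acl` bit values, the `DidEntry`, `lookup`, `can_deliver` and `self_update` names, and the choice that a DID the mediator has never seen gets ALLOW_ALL-style defaults only under explicit_deny are assumptions made for this example.

```python
from enum import Flag, auto
class Acl(Flag):  # subset of the DID-level flags above; bit values are assumed
    MODE_EXPLICIT_ALLOW = auto()  # own list is an allow list; unset = explicit deny
    SEND_MESSAGES = auto()
    RECEIVE_MESSAGES = auto()
    ANON_RECEIVE = auto()
    SEND_MESSAGES_CHANGE = auto()
    RECEIVE_MESSAGES_CHANGE = auto()

# *_CHANGE flag a DID owner needs to toggle each capability on their own DID
SELF_CHANGE = {Acl.SEND_MESSAGES: Acl.SEND_MESSAGES_CHANGE,
               Acl.RECEIVE_MESSAGES: Acl.RECEIVE_MESSAGES_CHANGE}
# Flags given to a DID the mediator has never seen (models ALLOW_ALL; assumed)
DEFAULT_FLAGS = Acl.SEND_MESSAGES | Acl.RECEIVE_MESSAGES | Acl.ANON_RECEIVE

class DidEntry:
    def __init__(self, flags, acl_list=()):
        self.flags = flags
        self.acl_list = set(acl_list)  # allow list or deny list, depending on mode

    def permits_peer(self, peer):
        if Acl.MODE_EXPLICIT_ALLOW in self.flags:
            return peer in self.acl_list
        return peer not in self.acl_list  # MODE_EXPLICIT_DENY

def lookup(dids, did, mediator_mode):
    """Mediator-level ACL: an unknown DID is admitted only under explicit_deny."""
    if did in dids:
        return dids[did]
    return DidEntry(DEFAULT_FLAGS) if mediator_mode == "explicit_deny" else None

def can_deliver(dids, sender, recipient, mediator_mode="explicit_deny"):
    """True if `sender` (None = anonymous) may have a message delivered to `recipient`."""
    rcpt = lookup(dids, recipient, mediator_mode)
    if rcpt is None or Acl.RECEIVE_MESSAGES not in rcpt.flags:
        return False
    if sender is None:
        return Acl.ANON_RECEIVE in rcpt.flags
    snd = lookup(dids, sender, mediator_mode)
    if snd is None or Acl.SEND_MESSAGES not in snd.flags:
        return False
    return rcpt.permits_peer(sender)

def self_update(entry, flag, enable):
    """DID owner toggles one of its own capabilities; needs the matching *_CHANGE flag."""
    needed = SELF_CHANGE.get(flag)
    if needed is None or needed not in entry.flags:
        return False
    entry.flags = (entry.flags | flag) if enable else (entry.flags & ~flag)
    return True
```

Note that a DID that lacks the relevant `*_CHANGE` flag cannot loosen its own ACL, which is the property the self-change flags exist to enforce.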