Permissions
Role-Based Access Control
Admin: Full system access
Developer: Code analysis and AI features
Analyst: Analytics and monitoring
Reader: Read-only access
API Permissions
from fastapi import APIRouter, Security

from sand.security import require_permissions
# get_current_user, Contract and User come from the project's own modules;
# their imports are omitted on this page.

router = APIRouter()

@router.post("/analyze")
@require_permissions(["contract:analyze"])  # evaluated before the handler body runs
async def analyze_contract(
    contract: Contract,
    user: User = Security(get_current_user),  # the authenticated caller
):
    ...  # analysis logic
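How a check like require_permissions can be implemented, shown as an added example rather than the sand project's own code. The role-to-permission table, the User dataclass and the PermissionDenied exception are assumptions that model the four roles listed above; unknown role names contribute no permissions (fail closed), the admin role is a wildcard, and raising PermissionDenied stands in for the HTTP 403 the real route would return.

```python
"""Role-based permission check (added example; not sand's implementation)."""
import functools
import inspect
from dataclasses import dataclass

# Assumed role -> permission map for the four roles on this page.
# "*" is the admin wildcard; every other role gets an explicit allow-list.
ROLE_PERMISSIONS = {
    "admin": {"*"},
    "developer": {"contract:analyze", "ai:generate", "analysis:read"},
    "analyst": {"analytics:read", "monitoring:read"},
    "reader": {"public:read"},
}


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


class PermissionDenied(Exception):
    """Raised when the caller lacks a required permission (maps to HTTP 403)."""


def effective_permissions(user):
    """Union of the permissions of every role the user holds.

    Unknown roles contribute nothing, so a typo in a role name fails closed
    instead of silently granting access.
    """
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permissions(user, required):
    """True if the user holds every required permission or the admin wildcard."""
    perms = effective_permissions(user)
    if "*" in perms:
        return True
    return set(required) <= perms


def require_permissions(required):
    """Decorator: refuse to run the handler unless ``user`` is authorised.

    The handler must receive the authenticated user as keyword argument
    ``user`` (in FastAPI that is what Security(get_current_user) injects).
    Works for sync and async handlers.
    """
    required = tuple(required)

    def decorator(fn):
        if inspect.iscoroutinefunction(fn):
            @functools.wraps(fn)
            async def async_wrapper(*args, user, **kwargs):
                if not has_permissions(user, required):
                    raise PermissionDenied(f"{user.id} lacks {required}")
                return await fn(*args, user=user, **kwargs)
            return async_wrapper

        @functools.wraps(fn)
        def wrapper(*args, user, **kwargs):
            if not has_permissions(user, required):
                raise PermissionDenied(f"{user.id} lacks {required}")
            return fn(*args, user=user, **kwargs)
        return wrapper

    return decorator


@require_permissions(["contract:analyze"])
def analyze_contract(contract, *, user):
    """Stand-in for the route handler above; records who analysed what."""
    return {"contract": contract, "analyzed_by": user.id}


def try_analyze(roles):
    """Call analyze_contract as a user holding ``roles``; return the outcome."""
    user = User(id="u-" + "+".join(sorted(roles)), roles=frozenset(roles))
    try:
        return analyze_contract("contract-42", user=user)
    except PermissionDenied:
        return "denied"
```

Only developer and admin reach the handler body; reader, analyst, an empty role set and a misspelled role are all refused, which is the fail-closed behaviour you want from a decorator that guards every route.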
File System Permissions
# Recommended permissions (run as the service user that owns the files)
chmod 644 config.yaml    # readable by every local user, so it must not contain secrets
chmod 600 .env           # secrets: owner read/write only
chmod 755 scripts/*.sh   # executable by all, writable only by the owner
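A check that verifies a deployment actually matches the recommended modes, added here as an example (it is not part of the sand project). The rule table mirrors the three chmod lines above; the sample tree is constructed in a temporary directory with two correct files and two that are too permissive.

```python
"""Audit file modes against the recommended values (added example)."""
import fnmatch
import os
import stat
import tempfile

# Mirrors the recommended chmod values above: path pattern -> mode bits.
EXPECTED_MODES = {
    "config.yaml": 0o644,
    ".env": 0o600,
    "scripts/*.sh": 0o755,
}


def expected_mode_for(relpath):
    """Return the expected mode for a path, or None if no rule covers it."""
    for pattern, mode in EXPECTED_MODES.items():
        if fnmatch.fnmatch(relpath, pattern):
            return mode
    return None


def classify(actual, expected):
    """Extra bits beyond the expected mode are the dangerous case."""
    if actual == expected:
        return "ok"
    if actual & ~expected:
        return "too_permissive"
    return "too_restrictive"


def audit_modes(root):
    """Walk ``root`` and compare each covered file's mode bits with the rules.

    Returns {relpath: (actual_octal, expected_octal, verdict)}. Symlinks are
    not followed; lstat reports the link itself.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            expected = expected_mode_for(rel)
            if expected is None:
                continue
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            findings[rel] = (f"{actual:o}", f"{expected:o}", classify(actual, expected))
    return findings


def remediation_commands(findings):
    """chmod commands that would bring every flagged file back into line."""
    return sorted(
        f"chmod {expected} {rel}"
        for rel, (_actual, expected, verdict) in findings.items()
        if verdict != "ok"
    )


def build_sample_tree():
    """Constructed sample deployment: two files correct, two too permissive."""
    root = tempfile.mkdtemp(prefix="sand-perms-")
    os.mkdir(os.path.join(root, "scripts"))
    sample = {
        "config.yaml": 0o644,
        ".env": 0o644,            # secrets readable by every local user
        "scripts/deploy.sh": 0o755,
        "scripts/old.sh": 0o777,  # group- and world-writable script
    }
    for rel, mode in sample.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root
```

Run audit_modes against the real install directory; anything reported as too_permissive on .env or a script is worth fixing immediately, since a world-writable script runs as whoever executes it.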
Database Permissions
-- Example database roles (group roles: CREATE ROLE defaults to NOLOGIN, so
-- grant membership to the login users rather than logging in as these roles)
CREATE ROLE sand_admin;
CREATE ROLE sand_developer;
CREATE ROLE sand_analyst;
CREATE ROLE sand_reader;
-- Grant permissions
-- Note: "ALL TABLES IN SCHEMA" only covers tables that exist now; tables
-- created later need ALTER DEFAULT PRIVILEGES or a fresh GRANT.
GRANT ALL ON ALL TABLES IN SCHEMA public TO sand_admin;
GRANT SELECT, INSERT ON analysis_results TO sand_developer;  -- can add results, not alter existing ones
GRANT SELECT ON analytics_data TO sand_analyst;
GRANT SELECT ON public_data TO sand_reader;
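Grants drift: someone runs an ad-hoc GRANT during an incident, a migration adds one, a role is never cleaned up. The following added example (not the sand project's code) compares the intended matrix, mirroring the GRANT statements above, with rows of the shape returned by PostgreSQL's information_schema.role_table_grants view. The observed rows are constructed here; the view name and query are real, while the drift cases in the sample are invented for illustration.

```python
"""Detect drift between intended and effective PostgreSQL grants (added example)."""

# Intended grants, mirroring the GRANT statements above:
# role -> {(table, privilege)}. ("*", "*") marks the admin wildcard.
EXPECTED_GRANTS = {
    "sand_admin": {("*", "*")},
    "sand_developer": {("analysis_results", "SELECT"), ("analysis_results", "INSERT")},
    "sand_analyst": {("analytics_data", "SELECT")},
    "sand_reader": {("public_data", "SELECT")},
}

# Constructed sample of rows as returned by
#   SELECT grantee, table_name, privilege_type
#   FROM information_schema.role_table_grants
#   WHERE grantee LIKE 'sand_%';
# (the real result also carries table_schema; filter on it in multi-schema DBs)
OBSERVED_ROWS = [
    ("sand_admin", "analysis_results", "SELECT"),
    ("sand_admin", "analysis_results", "INSERT"),
    ("sand_admin", "analysis_results", "DELETE"),
    ("sand_developer", "analysis_results", "SELECT"),
    ("sand_developer", "analysis_results", "INSERT"),
    ("sand_developer", "analytics_data", "DELETE"),   # drift: never intended
    ("sand_reader", "public_data", "SELECT"),
    ("sand_reader", "public_data", "UPDATE"),         # drift: read-only role can write
    ("sand_legacy", "public_data", "SELECT"),         # drift: role not in the policy at all
    # sand_analyst is absent: its SELECT was revoked or never applied
]


def grant_drift(expected, rows):
    """Compare observed grants with the policy.

    Returns (excess, missing): excess maps role -> grants in effect but not in
    the policy; missing maps role -> policy grants not in effect. Wildcard
    roles are skipped; a role with grants but no policy entry is all excess.
    """
    observed = {}
    for grantee, table, privilege in rows:
        observed.setdefault(grantee, set()).add((table, privilege))

    excess, missing = {}, {}
    for role in sorted(set(expected) | set(observed)):
        wanted = expected.get(role, set())
        if ("*", "*") in wanted:
            continue
        have = observed.get(role, set())
        if have - wanted:
            excess[role] = have - wanted
        if wanted - have:
            missing[role] = wanted - have
    return excess, missing


def revoke_statements(excess):
    """Remediation SQL for every excess grant.

    Identifiers come straight from the catalog; quote them (quote_ident) before
    running the output against a real database.
    """
    return sorted(
        f"REVOKE {privilege} ON {table} FROM {role};"
        for role, grants in excess.items()
        for table, privilege in grants
    )
```

Schedule this against production and alert on a non-empty excess set; a missing entry is usually a deployment bug, an excess entry is a privilege escalation waiting to be used.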
Environment Security
Protect sensitive environment variables:
API keys
Database credentials
Private keys
Service tokens
Contact for Access
For permission-related inquiries or access requests, contact:
Twitter: @0xtuareg
Audit Logging
import logging

audit_logger = logging.getLogger("sand.audit")

@router.post("/admin/grant-access")
@require_permissions(["admin:grant_access"])
async def grant_access(
    request: AccessRequest,
    current_user: User = Security(get_current_user),  # the admin performing the grant
):
    # ... apply the role change ...
    # Log all permission changes: who was changed, to what, and by whom
    audit_logger.info(
        "Access granted to %s role=%s by=%s",
        request.user, request.role, current_user.id,
    )
Best Practices
Follow principle of least privilege
Regularly audit permissions
Remove unused accounts
Monitor access patterns
Document all role changes
Regular security audits help maintain proper permission configuration.