Developer guidesPlatform setup
Change admin roles
Update platform administrator role assignments through the API when operating responsibilities, least-privilege reviews, or provisioning workflows change.
Platform administrator roles control who can manage system configuration, identities, compliance settings, token creation, feeds, gas sponsorship, and audit visibility. Use the access manager API when role changes must be automated, reviewed, or coordinated with provisioning workflows.
Platform administrator role changes update who can operate DALP setup, compliance, identity, infrastructure, and evidence surfaces.
Rendering diagram...
For the web interface approach, see the user guide.
Prerequisites
- Platform URL (e.g.,
https://your-platform.example.com) - API key from a user with the Admin role (see Getting Started for API key setup)
- Wallet verification method enabled on your account (e.g., pincode or 2FA)
When to change admin roles
Common scenarios
- Initial setup: First admin needs additional roles after platform initialization
- Role expansion: Admin taking on new responsibilities
- Role reduction: Removing unnecessary permissions following least privilege
- Temporary delegation: Granting time-limited permissions for specific tasks
- Organizational changes: Restructuring administrative responsibilities
- Automation: Integrating role management into your provisioning workflows
Security considerations
- Follow principle of least privilege
- Remove roles when no longer needed
- Document role changes for audit purposes
- Coordinate with affected administrators
Available system roles
| Role | Description | Common use cases |
|---|---|---|
admin | Root authority that can grant or revoke all other system roles | Platform ops account, initial setup |
systemManager | Core system configuration (upgrades, registering factories/modules) | Deployment team, rarely granted to EOAs |
auditor | Read-only inspection of operational and security-sensitive surfaces | Audit users who need visibility without operator rights |
identityManager | Identity registry maintenance (register/recover identities, onboarding) | Compliance/onboarding teams managing identities |
tokenManager | Token factory calls such as /api/token/create | Every wallet that deploys assets |
complianceManager | Global compliance module setup, bypass lists, enforcement toggles | Custom compliance flows, allowlists |
claimPolicyManager | Trusted issuer and claim topic management | Workflows that check collateral/KYC claims before minting |
claimIssuer | Permission to create claims on identities | Auditors, service providers issuing attestations |
feedsManager | Feed registration, updates, and removal | Teams operating pricing or market data feeds |
gasManager | Paymaster funding and sponsorship configuration | Teams operating account abstraction gas sponsorship |
Changing roles
List current roles
Check existing role assignments before making changes:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"Response:
[
{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"roles": ["admin", "tokenManager"]
},
{
"account": "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890",
"roles": ["identityManager"]
}
]Add ?excludeContracts=true when you only want externally owned accounts in the list.
To check roles for a specific wallet:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles/0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" \
-H "X-Api-Key: YOUR_API_KEY"Grant a role
Grant a single system role to a wallet address:
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Response:
{
"accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
"roles": ["tokenManager"]
}Grant multiple roles
Assign multiple roles to one wallet in a single transaction:
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": ["tokenManager", "identityManager"],
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Batch grant to multiple wallets
Grant the same role to multiple wallets efficiently:
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Batch limitations
You cannot grant multiple roles to multiple addresses in a single transaction. Use separate requests for each address or each role combination.
Revoke a role
Remove a system role from a wallet address:
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Response:
{
"accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
"roles": ["tokenManager"]
}Revoke multiple roles
Remove multiple roles from one wallet in a single transaction:
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": ["tokenManager", "identityManager"],
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Batch revoke from multiple wallets
Revoke the same role from multiple wallets efficiently:
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Verify changes
Confirm role changes by listing updated roles:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"The response shows all current role assignments. Verify the changes were applied correctly.
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
account | string or array | Yes | Wallet address(es) to grant/revoke role |
role | string or array | Yes | Role(s) to grant/revoke |
walletVerification | object | Yes | Your wallet verification to authorize the blockchain transaction |
Wallet verification object
| Field | Type | Description |
|---|---|---|
secretVerificationCode | string | 6-digit pincode or TOTP code |
verificationType | string | "PINCODE" (default), "SECRET_CODES", or "OTP" |
Response fields
| Field | Type | Description |
|---|---|---|
accounts | array | Wallet addresses that were modified |
roles | array | Roles that were granted/revoked |
Role dependencies and conflicts
Common role combinations for specific functions:
- Compliance Manager + Identity Manager: Complete compliance setup
- Token Manager: Full token lifecycle management
- Identity Manager + Claim Issuer: Complete user onboarding
Best practices
Role assignment
- Principle of least privilege: Grant only necessary permissions
- Separation of duties: Divide critical functions among multiple admins
- Regular review: Audit and update roles periodically
- Documentation: Record role changes and rationale
Security
- Keep
adminrole restricted to platform ops accounts - Use separate wallets for different administrative functions
- Maintain backup administrators for critical roles
- Monitor role changes through event logs
Operations
- Test role changes in a staging environment first
- Coordinate role changes with affected administrators
- Plan for administrator unavailability with backup coverage
- Define clear escalation paths for requesting permissions
Troubleshooting
| Issue | Solution |
|---|---|
| Permission denied | Verify you have the admin system role. Only admins can grant/revoke roles. |
| Role not found | Check the role name matches exactly (case-sensitive). See available roles table above. |
| Transaction fails | Ensure wallet has sufficient gas. Verify PIN/OTP is correct. Check network connectivity. |
| Duplicate role error | The wallet already has this role. Check current roles before granting. |
| Cannot revoke own admin | Smart contract prevents self-revocation of admin role. Another admin must revoke it. |
| Batch operation fails | Cannot grant multiple roles to multiple addresses in one call. Split into separate requests. |
Related guides
- Change Asset Admin Roles: Manage token-level permissions
- API Integration: Getting started with the DALP API
- Change Admin Roles (UI): Web interface guide
Add administrators
Grant DALP platform administrator roles through the API when provisioning operators, compliance teams, auditors, or automation accounts.
Create users
Create platform users with automatic wallet and identity setup. Includes workflows for passive token holders and active users with API keys.