Change admin roles
Update platform administrator role assignments through the API when operating responsibilities, least-privilege reviews, or provisioning workflows change.
Platform administrator roles control who can manage system configuration, identities, compliance settings, token creation, feeds, gas sponsorship, and audit visibility. Use the access manager API when role changes must be automated, reviewed, or coordinated with provisioning workflows. Role updates take effect on-chain immediately: the affected wallet gains or loses capabilities for every subsequent operation.
For the web interface approach, see the user guide. Both paths write the same on-chain role record.
Prerequisites
You need a platform URL, an API key with the Admin role, and wallet verification enabled (pincode or 2FA). For API key setup, see Getting Started.
When to change admin roles
Common scenarios
Use the access manager API to add permissions after initial platform setup, adjust roles when responsibilities shift, or remove permissions to follow least privilege. Use it also to grant temporary access for a specific task or to integrate role management into a provisioning workflow.
Security considerations
Follow the principle of least privilege. Remove roles when they are no longer needed. Record role changes for audit purposes and coordinate updates with affected admins.
Available system roles
Grant only the roles each account needs.
| Role | Description | Common use cases |
|---|---|---|
admin | Root authority that can grant or revoke all other system roles | Platform ops account, initial setup |
systemManager | Core system configuration (upgrades, registering factories/modules) | Deployment team, rarely granted to EOAs |
auditor | Read-only inspection of operational and security-sensitive surfaces | Audit users who need visibility without operator rights |
identityManager | Identity registry maintenance (register/recover identities, onboarding) | Compliance/onboarding teams managing identities |
tokenManager | Token factory calls such as /api/token/create | Every wallet that deploys assets |
complianceManager | Global compliance module setup, bypass lists, enforcement toggles | Custom compliance flows, allowlists |
claimPolicyManager | Trusted issuer and claim topic management | Workflows that check collateral/KYC claims before minting |
claimIssuer | Permission to create claims on identities | Auditors, service providers issuing attestations |
feedsManager | Feed registration, updates, and removal | Teams operating pricing or market data feeds |
gasManager | Paymaster funding and sponsorship configuration | Teams operating advanced accounts gas sponsorship |
Changing roles
List current roles
Check existing role assignments before making changes. This prevents duplicate-role errors and confirms the target account is correct:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"Response:
[
{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"roles": ["admin", "tokenManager"]
},
{
"account": "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890",
"roles": ["identityManager"]
}
]Add ?excludeContracts=true when you only want externally owned accounts in the list. This filters out smart-contract accounts and returns only externally owned accounts.
To check roles for a specific wallet:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles/0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" \
-H "X-Api-Key: YOUR_API_KEY"Grant a role
Grant a single system role to a wallet address. The platform writes the role on-chain and the change takes effect immediately.
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Response:
{
"accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
"roles": ["tokenManager"]
}Grant multiple roles
To assign multiple roles to one wallet, pass an array for the role field. The platform writes all roles in one on-chain transaction.
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": ["tokenManager", "identityManager"],
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Batch grant to multiple wallets
To grant the same role to multiple wallets, pass an array for the account field. Use separate requests when you need different roles per wallet.
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Revoke a role
Remove a system role from a wallet address. The platform removes the role on-chain immediately. The affected wallet loses the capability for all subsequent operations.
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Response:
{
"accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
"roles": ["tokenManager"]
}Revoke multiple roles
To remove multiple roles from one wallet, pass an array for the role field. The platform removes all listed roles in one on-chain transaction.
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": ["tokenManager", "identityManager"],
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Batch revoke from multiple wallets
To revoke the same role from multiple wallets, pass an array for the account field. Use separate requests when you need different roles per wallet.
curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
"role": "tokenManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Verify changes
Confirm role changes by listing updated roles:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"The response shows all current role assignments. Verify the changes were applied correctly.
Request parameters
All three parameters are required.
| Parameter | Type | Required | Description |
|---|---|---|---|
account | string or array | Yes | Wallet address(es) to grant/revoke role |
role | string or array | Yes | Role(s) to grant/revoke |
walletVerification | object | Yes | Your wallet verification to authorize the blockchain transaction |
Wallet verification object
The walletVerification object authorizes the on-chain transaction. Pass the code that matches your account's configured method. The platform rejects the request if the code is missing or incorrect.
| Field | Type | Description |
|---|---|---|
secretVerificationCode | string | 6-digit pincode or TOTP code |
verificationType | string | "PINCODE" (default), "SECRET_CODES", or "OTP" |
Response fields
Both grant and revoke operations return the wallet addresses and roles affected by the operation. Use the response to confirm which accounts and roles the platform wrote or removed on-chain.
| Field | Type | Description |
|---|---|---|
accounts | array | Wallet addresses that were modified |
roles | array | Roles that were granted/revoked |
Role dependencies and conflicts
Some functions require multiple roles working together. The combinations below represent the minimum set needed for each operating function. Grant the full combination, not just one role:
- Compliance Manager + Identity Manager: Complete compliance setup
- Token Manager: Full token lifecycle management
- Identity Manager + Claim Issuer: Complete user onboarding
Best practices
Apply these practices before changing roles in a production environment. They reduce the blast radius of a compromised account and make periodic access reviews easier to complete.
Role assignment
Grant only the permissions each account needs. Divide critical functions among multiple admins to enforce separation of duties. Review and update role assignments periodically and record the reason for each change. A clear record makes audits faster and reduces ambiguity during access reviews.
Security
Limit exposure from a compromised account.
- Restrict
adminto platform ops accounts - Use separate wallets per function
- Keep backup administrators for critical roles
- Monitor role changes through event logs
Operations
Coordinate live role changes with these practices.
- Test role changes in a staging environment first
- Coordinate role changes with affected administrators
- Plan for administrator unavailability with backup coverage
- Define clear escalation paths for requesting permissions
Troubleshooting
| Issue | Solution |
|---|---|
| Permission denied | Verify you have the admin system role. Only admins can grant/revoke roles. |
| Role not found | Check the role name matches exactly (case-sensitive). See available roles table above. |
| Transaction fails | Ensure wallet has sufficient gas. Verify PIN/OTP is correct. Check network connectivity. |
| Duplicate role error | The wallet already has this role. Check current roles before granting. |
| Cannot revoke own admin | Smart contract prevents self-revocation of admin role. Another admin must revoke it. |
| Batch operation fails | Cannot grant multiple roles to multiple addresses in one call. Split into separate requests. |
Related guides
- Change Asset Admin Roles: Manage token-level permissions
- API Integration: Getting started with the Platform API
- Change Admin Roles (UI): Web interface guide
Add DALP platform administrators through the API
Grant DALP platform administrator roles through the API when provisioning operators, compliance teams, auditors, or automation accounts.
DALP SSO sign-in with OpenID Connect
Configure an external OpenID Connect identity provider as the sign-in method for a DALP deployment, with FusionAuth as the worked example.