SettleMint
Platform setup

Change admin roles

Update platform administrator role assignments through the API when operating responsibilities, least-privilege reviews, or provisioning workflows change.

Platform administrator roles control who can manage system configuration, identities, compliance settings, token creation, feeds, gas sponsorship, and audit visibility. Use the access manager API when role changes must be automated, reviewed, or coordinated with provisioning workflows. Role updates take effect on-chain immediately: the affected wallet gains or loses capabilities for every subsequent operation.

Rendering diagram...

For the web interface approach, see the user guide. Both paths write the same on-chain role record.

Prerequisites

You need a platform URL, an API key with the Admin role, and wallet verification enabled (pincode or 2FA). For API key setup, see Getting Started.

When to change admin roles

Common scenarios

Use the access manager API to add permissions after initial platform setup, adjust roles when responsibilities shift, or remove permissions to follow least privilege. Use it also to grant temporary access for a specific task or to integrate role management into a provisioning workflow.

Security considerations

Follow the principle of least privilege. Remove roles when they are no longer needed. Record role changes for audit purposes and coordinate updates with affected admins.

Available system roles

Grant only the roles each account needs.

RoleDescriptionCommon use cases
adminRoot authority that can grant or revoke all other system rolesPlatform ops account, initial setup
systemManagerCore system configuration (upgrades, registering factories/modules)Deployment team, rarely granted to EOAs
auditorRead-only inspection of operational and security-sensitive surfacesAudit users who need visibility without operator rights
identityManagerIdentity registry maintenance (register/recover identities, onboarding)Compliance/onboarding teams managing identities
tokenManagerToken factory calls such as /api/token/createEvery wallet that deploys assets
complianceManagerGlobal compliance module setup, bypass lists, enforcement togglesCustom compliance flows, allowlists
claimPolicyManagerTrusted issuer and claim topic managementWorkflows that check collateral/KYC claims before minting
claimIssuerPermission to create claims on identitiesAuditors, service providers issuing attestations
feedsManagerFeed registration, updates, and removalTeams operating pricing or market data feeds
gasManagerPaymaster funding and sponsorship configurationTeams operating advanced accounts gas sponsorship

Changing roles

List current roles

Check existing role assignments before making changes. This prevents duplicate-role errors and confirms the target account is correct:

curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
  -H "X-Api-Key: YOUR_API_KEY"

Response:

[
  {
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "roles": ["admin", "tokenManager"]
  },
  {
    "account": "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890",
    "roles": ["identityManager"]
  }
]

Add ?excludeContracts=true when you only want externally owned accounts in the list. This filters out smart-contract accounts and returns only externally owned accounts.

To check roles for a specific wallet:

curl -X GET "https://your-platform.example.com/api/system/access-manager/roles/0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" \
  -H "X-Api-Key: YOUR_API_KEY"

Grant a role

Grant a single system role to a wallet address. The platform writes the role on-chain and the change takes effect immediately.

curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "role": "tokenManager",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Response:

{
  "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
  "roles": ["tokenManager"]
}

Grant multiple roles

To assign multiple roles to one wallet, pass an array for the role field. The platform writes all roles in one on-chain transaction.

curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "role": ["tokenManager", "identityManager"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Batch grant to multiple wallets

To grant the same role to multiple wallets, pass an array for the account field. Use separate requests when you need different roles per wallet.

curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
    "role": "tokenManager",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Revoke a role

Remove a system role from a wallet address. The platform removes the role on-chain immediately. The affected wallet loses the capability for all subsequent operations.

curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "role": "tokenManager",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Response:

{
  "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
  "roles": ["tokenManager"]
}

Revoke multiple roles

To remove multiple roles from one wallet, pass an array for the role field. The platform removes all listed roles in one on-chain transaction.

curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "role": ["tokenManager", "identityManager"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Batch revoke from multiple wallets

To revoke the same role from multiple wallets, pass an array for the account field. Use separate requests when you need different roles per wallet.

curl -X DELETE "https://your-platform.example.com/api/system/access-manager/revoke-roles" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
    "role": "tokenManager",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Verify changes

Confirm role changes by listing updated roles:

curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
  -H "X-Api-Key: YOUR_API_KEY"

The response shows all current role assignments. Verify the changes were applied correctly.

Request parameters

All three parameters are required.

ParameterTypeRequiredDescription
accountstring or arrayYesWallet address(es) to grant/revoke role
rolestring or arrayYesRole(s) to grant/revoke
walletVerificationobjectYesYour wallet verification to authorize the blockchain transaction

Wallet verification object

The walletVerification object authorizes the on-chain transaction. Pass the code that matches your account's configured method. The platform rejects the request if the code is missing or incorrect.

FieldTypeDescription
secretVerificationCodestring6-digit pincode or TOTP code
verificationTypestring"PINCODE" (default), "SECRET_CODES", or "OTP"

Response fields

Both grant and revoke operations return the wallet addresses and roles affected by the operation. Use the response to confirm which accounts and roles the platform wrote or removed on-chain.

FieldTypeDescription
accountsarrayWallet addresses that were modified
rolesarrayRoles that were granted/revoked

Role dependencies and conflicts

Some functions require multiple roles working together. The combinations below represent the minimum set needed for each operating function. Grant the full combination, not just one role:

  • Compliance Manager + Identity Manager: Complete compliance setup
  • Token Manager: Full token lifecycle management
  • Identity Manager + Claim Issuer: Complete user onboarding

Best practices

Apply these practices before changing roles in a production environment. They reduce the blast radius of a compromised account and make periodic access reviews easier to complete.

Role assignment

Grant only the permissions each account needs. Divide critical functions among multiple admins to enforce separation of duties. Review and update role assignments periodically and record the reason for each change. A clear record makes audits faster and reduces ambiguity during access reviews.

Security

Limit exposure from a compromised account.

  • Restrict admin to platform ops accounts
  • Use separate wallets per function
  • Keep backup administrators for critical roles
  • Monitor role changes through event logs

Operations

Coordinate live role changes with these practices.

  • Test role changes in a staging environment first
  • Coordinate role changes with affected administrators
  • Plan for administrator unavailability with backup coverage
  • Define clear escalation paths for requesting permissions

Troubleshooting

IssueSolution
Permission deniedVerify you have the admin system role. Only admins can grant/revoke roles.
Role not foundCheck the role name matches exactly (case-sensitive). See available roles table above.
Transaction failsEnsure wallet has sufficient gas. Verify PIN/OTP is correct. Check network connectivity.
Duplicate role errorThe wallet already has this role. Check current roles before granting.
Cannot revoke own adminSmart contract prevents self-revocation of admin role. Another admin must revoke it.
Batch operation failsCannot grant multiple roles to multiple addresses in one call. Split into separate requests.

On this page