This page documents the Quorum Key Manager development version; some features described here may not be available in the stable release.

User authorization

After Quorum Key Manager (QKM) authenticates an incoming request, it passes the request to the targeted service, which performs authorization checks against the request context (the authenticated user, their tenant, and their roles) before carrying out the requested operation.

The authorization process restricts system access through role-based access control or resource-based access control.

Role-based access control

Role-based access control (RBAC) restricts actions over resources to authorized users. Access is specified by roles assigned to users, using a manifest file or an identity provider.

See the full list of RBAC permissions.

Resource-based access control

Resource-based access control restricts access to resources to authorized users. Access is specified by allowed tenants for each resource, using a manifest file.

Terminology

Action

An action is an operation of your application that is restricted to authorized users, for example read, create, sign, encrypt, delete, and destroy.

Resource

A resource represents a business entity managed by your application. Authorization restricts access to resources. QKM currently has the following resources:

| Name | Description |
| --- | --- |
| Secret | A key-value element stored in a secure vault system. |
| Key | A cryptographic key. |
| Ethereum account | A cryptographic key allowing interaction with the Ethereum network. |
| Vault | A vault client connector used to persist resources remotely. |
| Store | A storage space for a set of secrets, keys, or Ethereum accounts. |
| Node | A representation of an underlying blockchain node. |
| Alias | A representation of an external public key, for example a Tessera address. |
| Registry | A storage space for a set of aliases. |

Tenant

A tenant is a set of users with the highest access level to resources. In resource-based access control, each resource manifest must list the tenants allowed to access that resource.

Permission

A permission is an authorization of an action over a resource, used in role-based access control (RBAC). Permissions take the form action:resource and are not mutually exclusive: a role can hold several permissions, and the same permission can appear in several roles.

Role

A role is a named set of permissions defined in a manifest file. Alternatively, you can use Auth0 to specify roles and attach permissions to your token.
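The two checks this page describes, the role-based one (does one of the caller's roles hold the action:resource permission?) and the resource-based one (is the caller's tenant on the resource's allowed list?), written out as a deny-by-default authorizer in Go. This is an added example, not QKM's own code: the manifest structures, the singular resource names inside permissions (such as sign:key), the sample roles, users and store, and the rule that an empty allowed-tenant list denies everyone are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Role is a named set of "action:resource" permissions, as a role manifest
// would define it (manifest shape constructed for this example).
type Role struct {
	Name        string
	Permissions []string
}

// Resource is a managed entity plus the tenants allowed to reach it. Kind is
// the resource part of a permission, e.g. "key" (naming assumed here).
type Resource struct {
	Kind, Name     string
	AllowedTenants []string // assumption: an empty list denies everyone
}

// UserInfo is the request context available after authentication.
type UserInfo struct {
	Username, Tenant string
	Roles            []string
}

var ErrForbidden = errors.New("forbidden") // wrapped by every denial

// Authorizer indexes role manifests as role name -> set of "action:resource".
type Authorizer struct {
	roles map[string]map[string]bool
}

// NewAuthorizer rejects malformed permissions at load time, so a manifest
// typo fails loudly instead of silently granting nothing.
func NewAuthorizer(roles []Role) (*Authorizer, error) {
	a := &Authorizer{roles: map[string]map[string]bool{}}
	for _, r := range roles {
		set := map[string]bool{}
		for _, p := range r.Permissions {
			parts := strings.Split(p, ":")
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("role %q: malformed permission %q, want action:resource", r.Name, p)
			}
			set[strings.ToLower(p)] = true
		}
		a.roles[r.Name] = set
	}
	return a, nil
}

// CheckRole is the RBAC check: pass only if one of the user's roles grants
// action:resource. Roles missing from the manifests grant nothing.
func (a *Authorizer) CheckRole(u UserInfo, action, resourceKind string) error {
	want := strings.ToLower(action + ":" + resourceKind)
	for _, name := range u.Roles {
		if a.roles[name][want] { // nil map lookup is false: deny by default
			return nil
		}
	}
	return fmt.Errorf("%w: user %q lacks %s", ErrForbidden, u.Username, want)
}

// CheckTenant is the resource-based check: the user's tenant must be listed.
func CheckTenant(u UserInfo, r Resource) error {
	for _, t := range r.AllowedTenants {
		if t == u.Tenant {
			return nil
		}
	}
	return fmt.Errorf("%w: tenant %q not allowed on %s %q", ErrForbidden, u.Tenant, r.Kind, r.Name)
}

// Authorize applies both checks; the request proceeds only if both pass.
func (a *Authorizer) Authorize(u UserInfo, action string, r Resource) error {
	if err := a.CheckRole(u, action, r.Kind); err != nil {
		return err
	}
	return CheckTenant(u, r)
}

// Constructed sample manifests and users (not real QKM manifest syntax).
var exampleRoles = []Role{
	{Name: "signer", Permissions: []string{"read:key", "sign:key"}},
	{Name: "auditor", Permissions: []string{"read:key", "read:secret"}},
}
var hotWalletKey = Resource{Kind: "key", Name: "hot-wallet", AllowedTenants: []string{"tenant-a"}}
var alice = UserInfo{Username: "alice", Tenant: "tenant-a", Roles: []string{"auditor"}}
var bob = UserInfo{Username: "bob", Tenant: "tenant-b", Roles: []string{"signer"}}

func main() {
	auth, err := NewAuthorizer(exampleRoles)
	if err != nil {
		panic(err)
	}
	fmt.Println("alice read:", auth.Authorize(alice, "read", hotWalletKey)) // <nil>
	fmt.Println("alice sign:", auth.Authorize(alice, "sign", hotWalletKey)) // denied by RBAC
	fmt.Println("bob sign:", auth.Authorize(bob, "sign", hotWalletKey))     // denied by tenant
}
```

Three choices in this example are the ones worth carrying into any real deployment: the permission strings are validated when the manifests are loaded rather than at request time, a role name that appears on a token but in no manifest grants nothing, and a request has to pass both the role check and the tenant check before the service touches the resource.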

Questions or feedback? You can discuss issues and obtain free support on the Quorum Key Manager Discord channel.
For paid professional support by Consensys, contact us at [email protected].