Permissions

Permissions let you control access to the API at a granular level following the principle of least privilege.

For example, you might have an employee who must initiate payments but must not modify policies. To implement this, you create a Permission that contains the required Operations and assign that Permission to a User.

Terminology

Permission
A Permission contains a set of Operations and can be assigned to Users or Service Accounts. When a Permission is assigned, it grants access to the defined Operations in the API. Each Permission has a unique name and a unique ID. A Permission can be assigned to one or many Users based on your operational requirements.
Operation
An Operation represents a single action in the API. Permissions contain one or more Operations. Each API endpoint requires specific Operations to use it. For example, the Create Wallet endpoint requires the Operation Wallets:Create.
Assignment
A Permission Assignment links a Permission to a User or Service Account. Assignments can be granted or revoked at any time.

IBM Digital Asset Haven‑managed Permissions

When your IBM Digital Asset Haven Organization is created, several Permissions are included by default. Some are automatically assigned, and some are immutable, meaning they cannot be updated or archived.

ManagedFullAdminAccess
This Permission is automatically assigned to the first User in the Organization. It includes all existing and future Operations in the IBM Digital Asset Haven API. This Permission is immutable. It can be assigned or revoked, but it cannot be modified or archived.
ManagedDefaultEndUserAccess
This Permission is automatically assigned to all new EndUsers. It includes a default set of Operations that allow EndUsers to use their delegated wallets. You can add or remove Operations in this Permission at any time. EndUsers can only access wallets delegated to them. This Permission does not allow EndUsers to access Organization‑managed wallets. This Permission simplifies end‑user management because changes to this Permission apply to all EndUsers in your Organization.
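The model above (Permissions as sets of Operations, Assignments linking them to Users or Service Accounts, and an immutable managed Permission that covers all existing and future Operations) as an added example in Python. This is a hypothetical in-memory illustration, not the IBM Digital Asset Haven API; the permission ids, the PaymentsOnly permission and the Payments:Initiate operation name are assumptions, and "*" stands in for "all existing and future Operations".

```python
from dataclasses import dataclass

# Hypothetical model of the Permission/Operation/Assignment concepts above; not the IBM Digital Asset Haven API.
ALL_OPERATIONS = "*"  # models "all existing and future Operations"

@dataclass
class Permission:
    name: str
    operations: set
    immutable: bool = False  # immutable Permissions cannot be modified or archived

class PermissionStore:
    def __init__(self):
        self.permissions = {}  # Permission id -> Permission
        self.assignments = {}  # principal (User or Service Account) -> Permission ids

    def create(self, pid, name, operations, immutable=False):
        self.permissions[pid] = Permission(name, set(operations), immutable)

    def add_operation(self, pid, op):
        perm = self.permissions[pid]
        if perm.immutable:
            raise PermissionError(f"{perm.name} is immutable and cannot be modified")
        perm.operations.add(op)

    def assign(self, principal, pid):
        self.assignments.setdefault(principal, set()).add(pid)

    def revoke(self, principal, pid):
        self.assignments.get(principal, set()).discard(pid)

    def effective_operations(self, principal):
        # Union of the Operations of every Permission currently assigned.
        ops = set()
        for pid in self.assignments.get(principal, ()):
            ops |= self.permissions[pid].operations
        return ops

    def can_call(self, principal, required_ops):
        ops = self.effective_operations(principal)
        return ALL_OPERATIONS in ops or set(required_ops) <= ops

def demo_store():
    store = PermissionStore()
    store.create("p-admin", "ManagedFullAdminAccess", {ALL_OPERATIONS}, immutable=True)
    store.create("p-pay", "PaymentsOnly", {"Payments:Initiate"})  # hypothetical names
    store.assign("first-user", "p-admin")
    store.assign("payments-employee", "p-pay")
    return store
```

The payments employee can reach only endpoints whose required Operations are in PaymentsOnly, while the first user, holding ManagedFullAdminAccess, passes every check, including for Operations added later.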

User types

IBM Digital Asset Haven supports three identity types, each designed for specific use cases.

Type               Description                  Typical use
CustomerEmployee   Your internal team members   Dashboard access, wallet management
EndUser            Your end customers           Non‑custodial delegated wallets
Service Account    Machine identity             Automation and server‑to‑server API calls