Permissions
Permissions let you control access to the API at a granular level following the principle of least privilege.
For example, you might have an employee who must initiate payments but must not modify policies. To implement this, you create a Permission that contains only the Operations required to initiate payments (and none of the policy Operations) and assign that Permission to the employee's User.
Terminology
- Permission
- A Permission contains a set of Operations and can be assigned to Users or Service Accounts. When a Permission is assigned, it grants access to the defined Operations in the API. Each Permission has a unique name and a unique ID. A Permission can be assigned to one or many Users based on your operational requirements.
- Operation
- An Operation represents a single action in the API. Permissions contain one or more Operations. Each API endpoint requires one or more specific Operations, and a request is accepted only if the caller holds every Operation the endpoint requires. For example, the Create Wallet endpoint requires the Operation Wallets:Create.
- Assignment
- A Permission Assignment links a Permission to a User or Service Account. Assignments can be granted or revoked at any time.
IBM Digital Asset Haven‑managed Permissions
When your IBM Digital Asset Haven Organization is created, several Permissions are included by default. Some are automatically assigned, and some are immutable, meaning they cannot be updated or archived.
- ManagedFullAdminAccess
- This Permission is automatically assigned to the first User in the Organization. It includes all existing and future Operations in the IBM Digital Asset Haven API. This Permission is immutable. It can be assigned or revoked, but it cannot be modified or archived.
- ManagedDefaultEndUserAccess
- This Permission is automatically assigned to all new EndUsers. It includes a default set of Operations that allow EndUsers to use their delegated wallets. You can add or remove Operations in this Permission at any time. EndUsers can only access wallets delegated to them. This Permission does not allow EndUsers to access Organization‑managed wallets. This Permission simplifies end‑user management because changes to this Permission apply to all EndUsers in your Organization.
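The following is an added example that models the behaviour described in the Terminology and managed Permissions sections above; it is illustrative code, not IBM Digital Asset Haven code or its API. Permissions are sets of Operations, Assignments link them to a principal (a User or Service Account), and an endpoint call is denied unless every Operation it requires is granted by some assigned, non-archived Permission. ManagedFullAdminAccess is modelled as a Permission that grants every existing and future Operation and rejects modification or archiving. Apart from Wallets:Create, every Operation name, endpoint name, Permission ID and principal name below is an assumption made for the example.

```python
"""Illustrative model of Permissions, Operations and Assignments.

Added example, not IBM Digital Asset Haven code. Apart from Wallets:Create,
the Operation names, endpoint names, IDs and principals are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class ImmutablePermissionError(Exception):
    """Raised when code tries to modify or archive an immutable Permission."""


@dataclass
class Permission:
    id: str
    name: str
    operations: set[str] = field(default_factory=set)
    all_operations: bool = False  # every existing and future Operation (ManagedFullAdminAccess)
    immutable: bool = False       # may be assigned or revoked, never modified or archived
    archived: bool = False

    def _check_mutable(self) -> None:
        if self.immutable:
            raise ImmutablePermissionError(f"{self.name} is immutable")

    def add_operation(self, op: str) -> None:
        self._check_mutable()
        self.operations.add(op)

    def remove_operation(self, op: str) -> None:
        self._check_mutable()
        self.operations.discard(op)

    def archive(self) -> None:
        self._check_mutable()
        self.archived = True

    def grants(self, op: str) -> bool:
        # An archived Permission grants nothing; a wildcard Permission grants everything.
        return not self.archived and (self.all_operations or op in self.operations)


# Endpoint -> Operations it requires. Only Wallets:Create comes from the page;
# the other endpoint and Operation names are assumed for this example.
ENDPOINT_OPERATIONS: dict[str, set[str]] = {
    "CreateWallet": {"Wallets:Create"},
    "InitiatePayment": {"Payments:Create"},
    "UpdatePolicy": {"Policies:Update"},
}


@dataclass
class Authorizer:
    permissions: dict[str, Permission] = field(default_factory=dict)
    # principal id (User or Service Account) -> ids of assigned Permissions
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def register(self, perm: Permission) -> Permission:
        self.permissions[perm.id] = perm
        return perm

    def assign(self, principal: str, perm_id: str) -> None:
        """Create a Permission Assignment (the Permission must already exist)."""
        self.assignments.setdefault(principal, set()).add(self.permissions[perm_id].id)

    def revoke(self, principal: str, perm_id: str) -> None:
        self.assignments.get(principal, set()).discard(perm_id)

    def can_call(self, principal: str, endpoint: str) -> bool:
        """Deny by default: every Operation the endpoint requires must be
        granted by at least one assigned, non-archived Permission."""
        required = ENDPOINT_OPERATIONS[endpoint]
        granted = [self.permissions[p] for p in self.assignments.get(principal, ())]
        return all(any(perm.grants(op) for perm in granted) for op in required)


def build_demo() -> Authorizer:
    """Constructed scenario: the first User holds ManagedFullAdminAccess, an
    employee who initiates payments holds a least-privilege custom Permission,
    and two EndUsers share ManagedDefaultEndUserAccess (assumed Operation set)."""
    az = Authorizer()
    az.register(Permission("perm-admin", "ManagedFullAdminAccess",
                           all_operations=True, immutable=True))
    az.register(Permission("perm-payments", "PaymentInitiator", {"Payments:Create"}))
    az.register(Permission("perm-enduser", "ManagedDefaultEndUserAccess", {"Wallets:Read"}))
    az.assign("alice", "perm-admin")        # first User in the Organization
    az.assign("bob", "perm-payments")       # must initiate payments, must not touch policies
    az.assign("enduser-1", "perm-enduser")
    az.assign("enduser-2", "perm-enduser")
    return az


if __name__ == "__main__":
    az = build_demo()
    for who, ep in [("bob", "InitiatePayment"), ("bob", "UpdatePolicy"), ("alice", "UpdatePolicy")]:
        print(f"{who} -> {ep}: {'allow' if az.can_call(who, ep) else 'deny'}")
```

Two properties of the model are worth noting. Assignments reference a Permission by ID rather than copying its Operations, which is what makes a change to ManagedDefaultEndUserAccess apply to every EndUser at once. And authorization is evaluated per request from the current Assignments, so revoking an Assignment takes effect immediately with no change to the Permission itself.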
User types
IBM Digital Asset Haven supports three identity types, each designed for specific use cases.
| Type | Description | Typical use |
|---|---|---|
| CustomerEmployee | Your internal team members | Dashboard access, wallet management |
| EndUser | Your end customers | Non‑custodial delegated wallets |
| Service Account | Machine identity | Automation and server‑to‑server API calls |