# Managing permissions¶

The Waves Enterprise blockchain platform implements a closed (permissioned) blockchain model that can only be available only for participants authorized by the administrator.

The platform also has a role model, where each role gives the participant specified permissions. For more information about roles in the Waves Enterprise blockchain network, see the next section.

## Roles description¶

permissioner

Permissioner participant is the network administrator and has the right to assign or delete any roles of network participants. As a rule, the permissioner role is assigned to participants when starting the blockchain network.

blacklister

Blacklister participant has the right to send assign or delete the banned role to other participants.

miner

Miner participant has the right to create blocks.

issuer

Issuer participant has the right to issue, reissue, and burn tokens.

contract_developer

Contract_developer participant has the right to install (to deploy) in the blockchain. For more information about smart contracts, see the section Docker smart contracts.

connection-manager

Connection-manager has the right to connect and disconnect blockchain nodes. For more information about new nodes connection, see the section Access managing.

banned

The banned role is given to that nodes, which are temporarily or permanently restricted in their actions in the blockchain network.

## Update the permission list¶

Only a permissioner node can change the list of permissions. To add or remove roles use the 102 Permission Transaction. When changing the list of permissions, the node performs the following checks:

1. 102 transaction sender is not in the blacklist.

2. Sender has the permissioner role.

3. The permissioner role is currently active for the transaction sender.

4. The role specified in the 102 transaction is inactive if it is added to the address, and active if it is removed from the address.

To place a selected node in the blacklist, a permissioner node assigns the banned role to the selected address by sending the 102 transaction to the blockchain with the appropriate parameters.

To assign any other roles (miner, contract developer, tokens managing node), a permissioner node issues a 102 transaction with the appropriate parameters. After the transaction enters the blockchain, changes to the permissions of the selected nodes will be completed.

## Blockchain access managing¶

Only a user with the “Connection Manager” role can add new participants to the Waves Enterprise blockchain. The 111 RegisterNode transaction is used to connect a new node to the network. This transaction contains the credentials of the connected node. Each node creates and updates the table, which includes all approved network participants.

A handshake-message accompanies each connection attempt. This message specifies service information and proof that the connecting user belongs to the connected network. More simply, it is a set of public keys with the electronic signature of the participant. Since the public key of the connected participant is already stored in the blockchain, the participant who received the handshake request can verify the signature and the public key within the blockchain. If the verification is successful, the participant generates a response to the handshake request, and the connection between parties is established. After successful connection, participants perform network synchronization as well as synchronization of the blockchain and network addresses of nodes, which is necessary in the process of sending private data.

The process of disconnecting a participant from the network is similar to the process of connection, except that the “Connection Manager” user sends the 111 RegisterNode transaction with the "opType": "remove" parameter. Since the handshake request is executed once every 30 seconds, the next request after the participant is removed from the network will be denied, as the connected participant would now lack credentials in the blockchain node table.