Access Control Grant Facet

Grants roles to accounts within a diamond

Key Features

• Exposes grantRole for programmatic role assignment.
• Emits RoleGranted event for state changes.
• Utilizes diamond storage for shared state management.
• Reverts with AccessControlUnauthorizedAccount for unauthorized calls.

Overview

This facet exposes functions to grant roles to specific accounts within a Compose diamond. It leverages shared diamond storage and emits events for off-chain monitoring. Developers integrate this facet to manage permissions programmatically.

Storage

AccessControlStorage

Definition

struct AccessControlStorage {
  mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
  mapping(bytes32 role => bytes32 adminRole) adminRole;
}

State Variables

Property	Type	Description
STORAGE_POSITION	bytes32	Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol"))

Functions

grantRole

Grants a role to an account. Emits a RoleGranted event. Reverts with AccessControlUnauthorizedAccount If the caller is not the admin of the role.

function grantRole(bytes32 _role, address _account) external;

Parameters:

Property	Type	Description
_role	bytes32	The role to grant.
_account	address	The account to grant the role to.

---

exportSelectors

Exports the selectors that are exposed by the facet.

function exportSelectors() external pure returns (bytes memory);

Returns:

Property	Type	Description
-	bytes	Selectors that are exported by the facet.

Events

Emitted when a role is granted to an account.

Signature:

event RoleGranted(bytes32 indexed _role, address indexed _account, address indexed _sender);

Parameters:

Property	Type	Description
_role	bytes32	The role that was granted.
_account	address	The account that was granted the role.
_sender	address	The sender that granted the role.

Errors

Thrown when the account does not have a specific role.

Signature:

error AccessControlUnauthorizedAccount(address _account, bytes32 _role);

Best Practices

Best Practice

• Initialize roles and grant administrative permissions during diamond deployment.
• Ensure the caller of grantRole has the necessary administrative privileges.
• Monitor RoleGranted events for auditing and off-chain state tracking.

Security Considerations

Security

The grantRole function is protected by access control, reverting if the caller is not the admin of the role. Input validation on _role and _account is implicitly handled by the diamond's call routing and the facet's internal logic. No reentrancy risks are apparent as the function performs a role grant before any external calls.

Was this helpful?

Last updated:March 13, 2026