Access Control Data Facet

Manages roles and permissions within a diamond

Key Features

• Exposes external view functions for role checks.
• Utilizes diamond storage for role data.
• Includes a custom error AccessControlUnauthorizedAccount for failed role checks.
• Provides exportSelectors to identify its exposed functions.

Overview

This facet provides core access control data and validation functions for a diamond. It exposes external view functions to check role assignments and role hierarchies, enabling other facets or off-chain applications to query permissions. It accesses shared diamond storage to retrieve role information.

Storage

AccessControlStorage

Definition

struct AccessControlStorage {
  mapping(address account => mapping(bytes32 role => bool hasRole)) hasRole;
  mapping(bytes32 role => bytes32 adminRole) adminRole;
}

State Variables

Property	Type	Description
STORAGE_POSITION	bytes32	Diamond storage slot position for this module (Value: keccak256("compose.accesscontrol"))

Functions

hasRole

Returns if an account has a role.

function hasRole(bytes32 _role, address _account) external view returns (bool);

Parameters:

Property	Type	Description
_role	bytes32	The role to check.
_account	address	The account to check the role for.

Returns:

Property	Type	Description
-	bool	True if the account has the role, false otherwise.

---

requireRole

Checks if an account has a required role. Reverts with AccessControlUnauthorizedAccount If the account does not have the role.

function requireRole(bytes32 _role, address _account) external view;

Parameters:

Property	Type	Description
_role	bytes32	The role to check.
_account	address	The account to check the role for.

---

getRoleAdmin

Returns the admin role for a role.

function getRoleAdmin(bytes32 _role) external view returns (bytes32);

Parameters:

Property	Type	Description
_role	bytes32	The role to get the admin for.

Returns:

Property	Type	Description
-	bytes32	The admin role for the role.

---

exportSelectors

Exports the selectors that are exposed by the facet.

function exportSelectors() external pure returns (bytes memory);

Returns:

Property	Type	Description
-	bytes	Selectors that are exported by the facet.

Errors

Thrown when the account does not have a specific role.

Signature:

error AccessControlUnauthorizedAccount(address _account, bytes32 _role);

Best Practices

Best Practice

• Query role information using the external view functions exposed by the diamond.
• Use requireRole to enforce access control within other facets before executing sensitive operations.
• Understand the role hierarchy by calling getRoleAdmin.

Security Considerations

Security

The hasRole, requireRole, and getRoleAdmin functions are view functions and do not pose reentrancy risks. requireRole reverts with AccessControlUnauthorizedAccount if the specified account does not possess the required role, providing input validation for access control checks. Developers should ensure correct role assignments in diamond initialization.

Was this helpful?

Last updated:March 13, 2026