Управление доступом

Программа разрешений

Управление разрешениями на блокчейне (Скоро!)

SDK для Ephemeral Rollups

SDK для Private Ephemeral Rollups (PER)

Обзор

Приватные Эфемер Роллапы — это Эфемер Роллапы которые обеспечивают детализированный контроль доступа к аккаунтам с ограниченными правами в среде Среды доверенного исполнения (СДИ) с соблюдением требований комплаенса. Каждый аккаунт с разрешениями хранит список участников с конкретными флагами, определяющими, какие действия они могут выполнять. Ключевые концепции

Permission Account: PDA, который хранит правила контроля доступа для конкретного аккаунта
Members: Адреса, которым предоставлены определённые права через флаги
Flags: Битовые маски, определяющие, что может делать участник (управление, просмотр логов, балансов и т.д.)
Public Permissions: Если для участников установлено значение None, аккаунт с ограниченным доступом становится временно видимым

Флаги участников Флаги участников определяют детализированные права каждого участника. Флаги можно комбинировать с помощью побитового OR, чтобы предоставить несколько прав одновременно. Описание флагов:

AUTHORITY: Позволяет участнику обновлять и делегировать настройки разрешений, добавлять/удалять других участников и изменять их флаги
TX_LOGS: Позволяет участнику просматривать логи выполнения транзакций
TX_BALANCES: Позволяет участнику видеть изменения баланса аккаунта
TX_MESSAGE: Позволяет участнику просматривать данные сообщений транзакций
ACCOUNT_SIGNATURES: Позволяет участнику просматривать подписи аккаунтов

Rust SDK
Pinocchio
Web3.js
Kit

use ephemeral_rollups_sdk::access_control::structs::{
    Member,
    AUTHORITY_FLAG,
    TX_LOGS_FLAG,
    TX_BALANCES_FLAG,
    TX_MESSAGE_FLAG,
    ACCOUNT_SIGNATURES_FLAG,
};

// Set flags by combining them with bitwise OR
let flags = AUTHORITY_FLAG | TX_LOGS_FLAG;

// Create a member with combined flags
let mut member = Member {
    flags,
    pubkey: user_pubkey,
};

// Check if member has a specific flag using bitwise AND
let is_authority = (member.flags & AUTHORITY_FLAG) != 0;
let can_see_logs = (member.flags & TX_LOGS_FLAG) != 0;

// Use helper methods to set/remove flags
member.set_flags(TX_BALANCES_FLAG); // Add a flag
member.remove_flags(TX_LOGS_FLAG);  // Remove a flag

use ephemeral_rollups_pinocchio::types::{Member, MemberFlags};
use pinocchio::Address;

// Create and set flags using individual methods
let mut flags = MemberFlags::new();
flags.set(MemberFlags::AUTHORITY);
flags.set(MemberFlags::TX_LOGS);
flags.set(MemberFlags::TX_BALANCES);

// Create a member with flags
let member = Member {
    flags,
    pubkey: user_address,
};

// Remove a flag
flags.remove(MemberFlags::TX_LOGS);

// Create flags from individual boolean values
let flags = MemberFlags::from_acl_flags(
    true,  // authority
    true,  // tx_logs
    false, // tx_balances
    true,  // tx_message
    false, // account_signatures
);

// Convert flags to byte value
let flag_byte = flags.to_acl_flag_byte();

// Create flags from byte value
let flags = MemberFlags::from_acl_flag_byte(flag_byte);

import { PublicKey } from "@solana/web3.js";
import {
  AUTHORITY_FLAG,
  TX_LOGS_FLAG,
  TX_BALANCES_FLAG,
  TX_MESSAGE_FLAG,
  ACCOUNT_SIGNATURES_FLAG,
  type Member,
} from "@magicblock-labs/ephemeral-rollups-sdk";

// Set flags by combining them with bitwise OR
const flags = AUTHORITY_FLAG | TX_LOGS_FLAG;

// Create a member with combined flags
const member: Member = {
  flags,
  pubkey: new PublicKey(userAddress),
};

// Check if a flag is present using bitwise AND
const isAuthority = (member.flags & AUTHORITY_FLAG) !== 0;
const canSeeLogs = (member.flags & TX_LOGS_FLAG) !== 0;
const canSeeBalances = (member.flags & TX_BALANCES_FLAG) !== 0;

// Add a flag to existing flags
const updatedFlags = member.flags | TX_BALANCES_FLAG;

// Remove a flag from existing flags
const removedFlags = member.flags & ~TX_LOGS_FLAG;

import {
  AUTHORITY_FLAG,
  TX_LOGS_FLAG,
  TX_BALANCES_FLAG,
  TX_MESSAGE_FLAG,
  ACCOUNT_SIGNATURES_FLAG,
  isAuthority,
  canSeeTxLogs,
  canSeeTxBalances,
  canSeeTxMessages,
  canSeeAccountSignatures,
  type Member,
} from "@magicblock-labs/ephemeral-rollups-sdk";

// Set flags by combining them with bitwise OR
const flags = AUTHORITY_FLAG | TX_LOGS_FLAG | TX_BALANCES_FLAG;

// Create a member with combined flags
const member: Member = {
  flags,
  pubkey: userAddress,
};

// Use helper functions to check specific permissions
const canModifyPermission = isAuthority(member, userAddress);
const canViewLogs = canSeeTxLogs(member, userAddress);
const canViewBalances = canSeeTxBalances(member, userAddress);
const canViewMessages = canSeeTxMessages(member, userAddress);
const canViewSignatures = canSeeAccountSignatures(member, userAddress);

// Add a flag to existing member
const updatedFlags = member.flags | TX_MESSAGE_FLAG;

// Remove a flag from existing member
const removedFlags = member.flags & ~TX_LOGS_FLAG;

Жизненный цикл разрешений

Типичный жизненный цикл аккаунта с разрешениями требует взаимодействия с Permission Program от MagicBlock ACLseoPoyC3cBqoUtkbjZ4aDrkurZW86v19pXz2XQnp1 и Delegation Program DELeGGvXpWV2fqJUhqcF5ZSYMS4JTLjteaAMARRSaeSh:

Инициализируйте новый аккаунт с разрешениями с начальными участниками и их флагами.

Делегируйте разрешение в Приватном Эфемер Роллапе для обеспечения его применения и управления доступом в реальном времени.

These public validators are supported for development. Make sure to add the specific ER validator in your instruction when delegating:

Asia (devnet-as.magicblock.app): MAS1Dt9qreoRMQ14YQuhg8UTZMMzDdKhmkZMECCzk57
EU (devnet-eu.magicblock.app): MEUGGrYPxKk17hCr7wpT6s8dtNokZj5U2L57vjYMS8e
US (devnet-us.magicblock.app): MUS3hc9TCw4cGC12vHNoYcCGzJG1txjgQLZWVoeNHNd
TEE (tee.magicblock.app): FnE6VJT5QNZdedZPnCoLsARgBwoE6DeJNjBs2H1gySXA
Local ER (localhost): mAGicPQYBMvcYveUZA5F5UNNwyHvfYh5xkLS2Fr1mev

Добавляйте, удаляйте или изменяйте разрешения участников по необходимости. Обновления можно выполнять в реальном времени на Приватном Эфемер Роллапе

Перед выполнением запросов проверьте целостность СДИ RPC и получите токен авторизации. Доступ к состоянию аккаунта или его изменение имеют только участники с соответствующими флагами.

Синхронизируйте окончательное состояние обратно на Solana и передайте аккаунт под контроль базового слоя.

Закройте аккаунт с разрешениями и верните его лампорты, когда он больше не нужен.

Операции с разрешениями

После того как вы создали программу, вы можете добавить хуки разрешений и делегирования для управления доступом к вашим аккаунтам. Например, см. Быстрый старт .Создайте новый аккаунт с разрешениями с начальными участниками и их флагами через Permission Program от MagicBlock ACLseoPoyC3cBqoUtkbjZ4aDrkurZW86v19pXz2XQnp1.

Rust SDK
Pinocchio
Kit
Web3.js

use ephemeral_rollups_pinocchio::instruction::create_permission;
use ephemeral_rollups_pinocchio::types::{
    Member,
    MemberFlags,
    MembersArgs,
};
use pinocchio::AccountView;

// Create members with specific flags
// AUTHORITY - Member can directly modify the permission
// TX_LOGS - Member can view transaction logs
// TX_BALANCES - Member can view account balances
// TX_MESSAGE - Member can view transaction messages
// ACCOUNT_SIGNATURES - Member can view account signatures

let mut flags = MemberFlags::new();
flags.set(MemberFlags::AUTHORITY);
flags.set(MemberFlags::TX_LOGS);

let member = Member {
    flags,
    pubkey: payer_address,
};

let members = vec![member];
let members_args = MembersArgs {
    members: Some(&members),
};

// Prepare accounts: [permissioned_account, permission, payer, system_program]
let accounts: &[&AccountView] = &[
    &permissioned_account,
    &permission,
    &payer,
    &system_program,
];

// Create the permission
// Pass signer_seeds if permissioned_account is a PDA owned by your program
// Pass None if permissioned_account is an on-curve signer
create_permission(
    accounts,
    &permission_program_id,
    members_args,
    pda_signer_seeds, // Or None if permissioned_account is on-curve
)?;

import {
  createCreatePermissionInstruction,
  type Member,
  AUTHORITY_FLAG,        // Member can directly modify the permission
  TX_LOGS_FLAG,          // Member can view transaction logs
  TX_BALANCES_FLAG,      // Member can view account balances
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { transaction, sendAndConfirmTransaction } from "@solana/kit";

const members: Member[] = [
  {
    // AUTHORITY_FLAG allows this member to modify permission settings
    // TX_LOGS_FLAG allows viewing transaction logs
    flags: AUTHORITY_FLAG | TX_LOGS_FLAG,
    pubkey: payer.address,
  },
];

// Either the authority or permissioned_account can sign the transaction
// The signer depends on who has AUTHORITY_FLAG in the members list
const createPermissionIx = await createCreatePermissionInstruction(
  {
    permissionedAccount: permissionedAccount.address,
    payer: payer.address,
  },
  {
    members,
  }
);

const tx = transaction([createPermissionIx]);
const signature = await sendAndConfirmTransaction(
  client,
  tx,
  [payer]
);
console.log("TX:", signature);

import {
  Member,
  AUTHORITY_FLAG,        // Member can directly modify the permission
  TX_LOGS_FLAG,          // Member can view transaction logs
  TX_BALANCES_FLAG,      // Member can view account balances
  createCreatePermissionInstruction,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { Transaction, sendAndConfirmTransaction } from "@solana/web3.js";

const members: Member[] = [
  {
    // AUTHORITY_FLAG allows this member to modify permission settings
    // TX_LOGS_FLAG allows viewing transaction logs
    flags: AUTHORITY_FLAG | TX_LOGS_FLAG,
    pubkey: payer.publicKey,
  },
];

// Either the authority or permissioned_account can sign the transaction
// The signer depends on who has AUTHORITY_FLAG in the members list
const createPermissionIx = createCreatePermissionInstruction(
  {
    permissionedAccount: permissionedAccount.publicKey,
    payer: payer.publicKey,
  },
  {
    members,
  }
);

const tx = new Transaction().add(createPermissionIx);
const txSig = await sendAndConfirmTransaction(connection, tx, [payer]);
console.log("TX:", txSig);

Сценарии использования:

Инициализация контроля доступа для нового делегированного аккаунта
Настройка участников с полномочиями и их разрешений
Определение, кто может просматривать детали транзакций

⬆️ Вернуться к началу

Делегируйте аккаунт с разрешениями для обеспечения выполнения с низкой задержкой на Private Ephemeral Rollup через Delegation Program от MagicBlock DELeGGvXpWV2fqJUhqcF5ZSYMS4JTLjteaAMARRSaeSh.

These public validators are supported for development. Make sure to add the specific ER validator in your instruction when delegating:

Asia (devnet-as.magicblock.app): MAS1Dt9qreoRMQ14YQuhg8UTZMMzDdKhmkZMECCzk57
EU (devnet-eu.magicblock.app): MEUGGrYPxKk17hCr7wpT6s8dtNokZj5U2L57vjYMS8e
US (devnet-us.magicblock.app): MUS3hc9TCw4cGC12vHNoYcCGzJG1txjgQLZWVoeNHNd
TEE (tee.magicblock.app): FnE6VJT5QNZdedZPnCoLsARgBwoE6DeJNjBs2H1gySXA
Local ER (localhost): mAGicPQYBMvcYveUZA5F5UNNwyHvfYh5xkLS2Fr1mev

Rust SDK
Pinocchio
Kit
Web3.js

use ephemeral_rollups_pinocchio::instruction::delegate_permission;
use pinocchio::AccountView;

pub fn process_delegate_permission(
    accounts: &[&AccountView],
    permission_program: &pinocchio::Address,
    authority_is_signer: bool,
    permissioned_account_is_signer: bool,
) -> pinocchio::ProgramResult {
    // Accounts: [payer, authority, permissioned_account, permission, system_program,
    //           owner_program, delegation_buffer, delegation_record, 
    //           delegation_metadata, delegation_program, validator (optional)]
    
    // Pass signer_seeds if permissioned_account is a PDA owned by your program
    delegate_permission(
        accounts,
        permission_program,
        authority_is_signer,
        permissioned_account_is_signer,
        signer_seeds, // Or None if permissioned_account is on-curve
    )?;
    
    Ok(())
}

import {
  createDelegatePermissionInstruction,
  PERMISSION_PROGRAM_ID,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { transaction, sendAndConfirmTransaction } from "@solana/kit";

// Delegate the permission to enable low-latency Ephemeral Rollup execution
// Either authority (with AUTHORITY_FLAG) or permissioned_account can authorize
const delegatePermissionIx = await createDelegatePermissionInstruction(
  {
    payer: payer.address,  // Pays for account creation
    authority: [payer.address, true],  // Authority signer (has AUTHORITY_FLAG)
    permissionedAccount: [permissionedAccount.address, false],  // or permissioned_account can sign
    ownerProgram: PERMISSION_PROGRAM_ID,
    validator,  // Validator that will execute the delegated state
  }
);

const tx = transaction([delegatePermissionIx]);
const signature = await sendAndConfirmTransaction(
  client,
  tx,
  [payer]
);
console.log("TX:", signature);

import {
  PERMISSION_PROGRAM_ID,
  createDelegatePermissionInstruction,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { Transaction, sendAndConfirmTransaction } from "@solana/web3.js";

// Delegate the permission to enable low-latency Ephemeral Rollup execution
// Either authority (with AUTHORITY_FLAG) or permissioned_account can authorize
const delegatePermissionIx = createDelegatePermissionInstruction({
  payer: payer.publicKey,  // Pays for account creation
  authority: [payer.publicKey, true],  // Authority signer (has AUTHORITY_FLAG)
  permissionedAccount: [permissionedAccount.publicKey, false],  // or permissioned_account can sign
  ownerProgram: PERMISSION_PROGRAM_ID,
  validator,  // Validator that will execute the delegated state
});

const tx = new Transaction().add(delegatePermissionIx);
const txSig = await sendAndConfirmTransaction(connection, tx, [payer]);
console.log("TX:", txSig);

Use Cases:

Enable ER execution for a permissioned account
Designate a specific validator to execute state changes
Set up delegation for real-time transaction processing

Important:

Either the authority or permissioned_account must sign based on AUTHORITY_FLAG
The validator processes transactions at ER speed
Commit frequency determines how often state syncs to Solana
Once delegated to Private Ephemeral Rollup, the permission is enforced - only members with appropriate flags can access or modify the account state

⬆️ Back to Top

Изменяйте существующих участников или их флаги в аккаунте с разрешениями через Permission Program от MagicBlock ACLseoPoyC3cBqoUtkbjZ4aDrkurZW86v19pXz2XQnp1.

Rust SDK
Pinocchio
Kit
Web3.js

use ephemeral_rollups_pinocchio::instruction::update_permission;
use ephemeral_rollups_pinocchio::types::{
    Member,
    MemberFlags,
    MembersArgs,
};
use pinocchio::AccountView;

// Update permission with new member flags
// Either authority or permissioned_account must sign based on AUTHORITY_FLAG
let mut new_flags = MemberFlags::new();
new_flags.set(MemberFlags::TX_LOGS);
new_flags.set(MemberFlags::TX_BALANCES);

let updated_member = Member {
    flags: new_flags,
    pubkey: user_address,
};

let members = vec![updated_member];
let members_args = MembersArgs {
    members: Some(&members),
};

// Prepare accounts: [authority, permissioned_account, permission]
let accounts: &[&AccountView] = &[
    &authority,
    &permissioned_account,
    &permission,
];

// Update the permission
// Setting members to None makes the permission public (temporarily visible)
// Pass signer_seeds if permissioned_account is a PDA owned by your program
update_permission(
    accounts,
    &permission_program_id,
    authority.is_signer(),
    permissioned_account.is_signer(),
    members_args,
    signer_seeds, // Or None if permissioned_account is on-curve
)?;

import {
  createUpdatePermissionInstruction,
  type Member,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { transaction, sendAndConfirmTransaction } from "@solana/kit";

// Update permission and modify members
// Either authority or permissioned_account must sign based on AUTHORITY_FLAG
const updatePermissionIx = await createUpdatePermissionInstruction(
  {
    authority: [payer.address, true],  // authority can sign if they have AUTHORITY_FLAG
    permissionedAccount: [permissionedAccount.address, false],  // or permissioned_account can sign
  },
  {
    // Setting members to empty array or None makes the permission public (temporarily visible)
    // This is useful for transitional states during delegation/undeligation
    members: [],
  }
);

const tx = transaction([updatePermissionIx]);
const signature = await sendAndConfirmTransaction(
  client,
  tx,
  [payer]
);
console.log("TX:", signature);

import { createUpdatePermissionInstruction } from "@magicblock-labs/ephemeral-rollups-sdk";
import { Transaction, sendAndConfirmTransaction } from "@solana/web3.js";

// Update permission and modify members
// Either authority or permissioned_account must sign based on AUTHORITY_FLAG
const updatePermissionIx = createUpdatePermissionInstruction(
  {
    authority: [payer.publicKey, true],  // authority can sign if they have AUTHORITY_FLAG
    permissionedAccount: [permissionedAccount.publicKey, false],  // or permissioned_account can sign
  },
  {
    // Setting members to empty array or None makes the permission public (temporarily visible)
    // This is useful for transitional states during delegation/undeligation
    members: [],
  }
);

const tx = new Transaction().add(updatePermissionIx);
const txSig = await sendAndConfirmTransaction(connection, tx, [payer]);
console.log("TX:", txSig);

Use Cases:

Add new members to a permission group
Revoke permissions by removing members
Change member flags to grant/restrict access
Set members to None to make account temporarily visible

⬆️ Back to Top

При обращении к Private Ephemeral Rollup необходимо сначала получить авторизацию:

Private Ephemeral Rollup (devnet) endpoint: https://tee.magicblock.app?token= {authToken}. Replace {authToken} with your authorization token obtained from the TEE RPC to send requests.

Authorization Steps:

Verify TEE RPC Integrity: Verify the TEE RPC server runs on genuine Intel TDX hardware using its TDX quote and Intel-issued attestation certificates
Request Authorization Token: Sign a challenge message to receive an authorization token
Create Connection: Pass the authorization token inside header or as query parameter

Kit
Web3.js

import {
  verifyTeeRpcIntegrity,
  getAuthToken,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { Connection } from "@magicblock-labs/ephemeral-rollups-kit";
import * as nacl from "tweetnacl";

const teeUrl = "https://tee.magicblock.app";
const teeWsUrl = "wss://tee.magicblock.app";

// 1. Verify the integrity of TEE RPC
const isVerified = await verifyTeeRpcIntegrity(teeUrl);

// 2. Get AuthToken before making request to TEE
const authToken = await getAuthToken(
  teeUrl,
  userPubkey,
  (message: Uint8Array) =>
    Promise.resolve(nacl.sign.detached(message, userSecretKey))
);

// 3. Create connection with TEE using authorization token
const teeUserUrl = `${teeUrl}?token=${authToken.token}`;
const teeUserWsUrl = `${teeWsUrl}?token=${authToken.token}`;

const ephemeralConnection = await Connection.create(
  teeUserUrl,
  teeUserWsUrl
);

import {
  verifyTeeRpcIntegrity,
  getAuthToken,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { Connection, Keypair } from "@solana/web3.js";
import * as nacl from "tweetnacl";

const teeUrl = "https://tee.magicblock.app";
const teeWsUrl = "wss://tee.magicblock.app";

// 1. Verify the integrity of TEE RPC
const isVerified = await verifyTeeRpcIntegrity(teeUrl);

// 2. Get AuthToken before making request to TEE
const authToken = await getAuthToken(
  teeUrl,
  userKeypair.publicKey,
  (message: Uint8Array) =>
    Promise.resolve(nacl.sign.detached(message, userKeypair.secretKey))
);

// 3. Create connection with TEE
const teeUserUrl = `${teeUrl}?token=${authToken.token}`;
const teeUserWsUrl = `${teeWsUrl}?token=${authToken.token}`;

const connection = new Connection(
  teeUserUrl,
  {
    wsEndpoint: teeUserWsUrl,
  }
);

Account Visibility:

By default: All accounts are transparent and accessible to any authorized user
With permissions: Once an account is permissioned through the permission system, access control rules are enforced during every request
Only members with appropriate flags can access or modify permissioned accounts and transactions

Key Points:

Requests are executed in real-time on the validator
Member flags determine what each user can do
Permissions can be updated dynamically during execution
Updates take effect immediately on the Private Ephemeral Rollup

⬆️ Back to Top

Последнее состояние разрешений на Private Ephemeral Rollup обеспечивает контроль доступа. Для закрытия аккаунта с разрешениями обновите участников разрешений перед отменой делегирования на Solana.

Rust SDK
Pinocchio
Kit
Web3.js

use ephemeral_rollups_pinocchio::instruction::commit_and_undelegate_permission;
use pinocchio::AccountView;

pub fn process_commit_and_undelegate_permission(
    accounts: &[&AccountView],
    permission_program: &pinocchio::Address,
    authority_is_signer: bool,
    permissioned_account_is_signer: bool,
) -> pinocchio::ProgramResult {
    // Accounts: [authority, permissioned_account, permission, magic_program, magic_context]
    
    // Pass signer_seeds if permissioned_account is a PDA owned by your program
    commit_and_undelegate_permission(
        accounts,
        permission_program,
        authority_is_signer,
        permissioned_account_is_signer,
        signer_seeds, // Or None if permissioned_account is on-curve
    )?;

    Ok(())
}

import {
  createCommitAndUndelegatePermissionInstruction,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { transaction, sendAndConfirmTransaction } from "@solana/kit";

const commitAndUndelegatePermissionIx =
  await createCommitAndUndelegatePermissionInstruction({
    authority: [payer.address, true],
    permissionedAccount: [permissionedAccount.address, false],
  });

const tx = transaction([commitAndUndelegatePermissionIx]);
const signature = await sendAndConfirmTransaction(
  client,
  tx,
  [payer]
);
console.log("TX:", signature);

import { createCommitAndUndelegatePermissionInstruction } from "@magicblock-labs/ephemeral-rollups-sdk";
import { Transaction, sendAndConfirmTransaction } from "@solana/web3.js";

const commitAndUndelegatePermissionIx = 
  createCommitAndUndelegatePermissionInstruction({
    authority: [payer.publicKey, true],
    permissionedAccount: [permissionedAccount.publicKey, false],
  });

const tx = new Transaction().add(commitAndUndelegatePermissionIx);
const txSig = await sendAndConfirmTransaction(connection, tx, [payer]);
console.log("TX:", txSig);

⬆️ Back to Top

Закройте аккаунт с разрешениями и верните его лампорты на Solana.

Rust SDK
Pinocchio
Kit
Web3.js

use ephemeral_rollups_pinocchio::instruction::close_permission;
use pinocchio::AccountView;

pub fn process_close_permission(
    accounts: &[&AccountView],
    permission_program: &pinocchio::Address,
    authority_is_signer: bool,
    permissioned_account_is_signer: bool,
) -> pinocchio::ProgramResult {
    // Accounts: [payer, authority, permissioned_account, permission]
    // IMPORTANT: The permission must be undelegated to Solana first
    // If the permission is still delegated, this operation will fail
    
    // Pass signer_seeds if permissioned_account is a PDA owned by your program
    close_permission(
        accounts,
        permission_program,
        authority_is_signer,
        permissioned_account_is_signer,
        signer_seeds, // Or None if permissioned_account is on-curve
    )?;

    // The permission account lamports are transferred to the payer
    Ok(())
}

import {
  createClosePermissionInstruction,
} from "@magicblock-labs/ephemeral-rollups-sdk";
import { transaction, sendAndConfirmTransaction } from "@solana/kit";

// Close the permission account and reclaim lamports
// IMPORTANT: The permission must be undelegated to Solana first
// If delegated, call commit_and_undelegate before closing
const closePermissionIx = await createClosePermissionInstruction({
  payer: payer.address,  // Receives reclaimed lamports
  authority: [payer.address, true],  // Authority signer (has AUTHORITY_FLAG)
  permissionedAccount: [permissionedAccount.address, false],  // or permissioned_account can sign
});

const tx = transaction([closePermissionIx]);
const signature = await sendAndConfirmTransaction(
  client,
  tx,
  [payer]
);
console.log("TX:", signature);

import { createClosePermissionInstruction } from "@magicblock-labs/ephemeral-rollups-sdk";
import { Transaction, sendAndConfirmTransaction } from "@solana/web3.js";

// Close the permission account and reclaim lamports
// IMPORTANT: The permission must be undelegated to Solana first
// If delegated, call commit_and_undelegate before closing
const closePermissionIx = createClosePermissionInstruction({
  payer: payer.publicKey,  // Receives reclaimed lamports
  authority: [payer.publicKey, true],  // Authority signer (has AUTHORITY_FLAG)
  permissionedAccount: [permissionedAccount.publicKey, false],  // or permissioned_account can sign
});

const tx = new Transaction().add(closePermissionIx);
const txSig = await sendAndConfirmTransaction(connection, tx, [payer]);
console.log("TX:", txSig);

Use Cases:

Clean up unused permission accounts
Reclaim SOL from closed accounts

Important:

The permission must be undelegated to Solana first
If delegated, call commit_and_undelegate before closing
Lamports are returned to the payer

⬆️ Back to Top

Контроль доступа

Детализированный контроль доступа.

Конфиденциальность на блокчейне

Механизмы и концепции обеспечения конфиденциальности

Авторизация

Система авторизации

Система соответствия требованиям

Стандарты и руководства по соблюдению требований

Руководство пользователя

Справочные материалы

Программа разрешений

SDK для Ephemeral Rollups

Обзор

Жизненный цикл разрешений

Операции с разрешениями

Рекомендации по использованию

Контроль доступа

Конфиденциальность на блокчейне

Авторизация

Система соответствия требованиям

Руководство пользователя

Справочные материалы

Программа разрешений

SDK для Ephemeral Rollups

​Обзор

​Жизненный цикл разрешений

​Операции с разрешениями

​Рекомендации по использованию

Контроль доступа

Конфиденциальность на блокчейне

Авторизация

Система соответствия требованиям

Обзор

Жизненный цикл разрешений

Операции с разрешениями

Рекомендации по использованию