Roles and permissions

The protocol uses OpenZeppelin's AccessControl mechanism. The roles and delegations are managed by the AccesManager smart contract.

In some operations, both global roles and component roles are accepted. Component roles are special roles that are restricted to a specific component (eToken, RiskModule, or PremiumsAccount).

Common Roles

These roles are defined at the protocol level and are used across its components. They form the core of the access control structure.

Component roles

Besides the general use roles described above, each contract can have its own defined roles for specific operations. For components of the protocol these roles are called Component Roles and a detailed description of each can be found in each contract's documentation:

Common Operations


Ensuro contracts are upgradeable, following the UUPS pattern and implemented based on OpenZeppelin implementation.

Only users with the roles LEVEL1_ROLE or GUARDIAN_ROLE can execute upgrades. For global contracts such as PolicyPool and AccessManager, the role granted has to be global. For other components it can be a component role.

Pause / Unpause

Also, most of the contracts support pause() and unpause() operations. The behavior changes from one contract to the other, but in general, most of the critical operations are rejected when the contract is paused. Check the source code for more details.

Only users with the role GUARDIAN_ROLE can pause contracts. To resume (unpause) a contract, the transaction needs to be executed by a user with either GUARDIAN_ROLE or LEVEL1_ROLE.

Last updated