Building a Library for Managing Access Control in Solidity

By Alessandro D.P.4 min readMarch 28, 2026

Overview of Access Control in Solidity

Access control in Solidity can be achieved using modifiers and state variables to restrict function execution based on the caller's address. By creating a library, we can encapsulate this logic, making it easier to implement across multiple contracts. Our library will support multiple roles, allowing for flexible permission management.

Key Features of the Access Control Library

Role-based permissions for multiple user roles.
Functions to add, remove, and check roles.
Events for logging changes in roles.

Implementation of the Access Control Library

Step 1: Define the Library

Let's start by defining our library, AccessControlLib.sol. This library will manage roles and provide functions to interact with them.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

library AccessControlLib {
    struct RoleData {
        mapping(address => bool) members;
        bytes32 adminRole;
    }

    struct AccessControl {
        mapping(bytes32 => RoleData) roles;
    }

    event RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);
    event RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);

    function grantRole(AccessControl storage accessControl, bytes32 role, address account) internal {
        require(!hasRole(accessControl, role, account), "Account already has role");
        accessControl.roles[role].members[account] = true;
        emit RoleGranted(role, account, msg.sender);
    }

    function revokeRole(AccessControl storage accessControl, bytes32 role, address account) internal {
        require(hasRole(accessControl, role, account), "Account does not have role");
        accessControl.roles[role].members[account] = false;
        emit RoleRevoked(role, account, msg.sender);
    }

    function hasRole(AccessControl storage accessControl, bytes32 role, address account) internal view returns (bool) {
        return accessControl.roles[role].members[account];
    }
}

Step 2: Integrate the Library into a Contract

Now that we have our library defined, we can create a contract that utilizes it. We will create a simple contract called RoleBasedAccess that demonstrates how to use the AccessControlLib.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "./AccessControlLib.sol";

contract RoleBasedAccess {
    using AccessControlLib for AccessControlLib.AccessControl;

    AccessControlLib.AccessControl private accessControl;

    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant USER_ROLE = keccak256("USER_ROLE");

    constructor() {
        accessControl.grantRole(ADMIN_ROLE, msg.sender);
    }

    modifier onlyRole(bytes32 role) {
        require(accessControl.hasRole(role, msg.sender), "Access denied: caller does not have the required role");
        _;
    }

    function grantUserRole(address account) external onlyRole(ADMIN_ROLE) {
        accessControl.grantRole(USER_ROLE, account);
    }

    function revokeUserRole(address account) external onlyRole(ADMIN_ROLE) {
        accessControl.revokeRole(USER_ROLE, account);
    }

    function performAdminAction() external onlyRole(ADMIN_ROLE) {
        // Admin-specific action
    }

    function performUserAction() external onlyRole(USER_ROLE) {
        // User-specific action
    }
}

Step 3: Testing the Library

To ensure our library works as intended, we need to write tests. Below is an example of how to test the RoleBasedAccess contract using the Truffle framework.

const RoleBasedAccess = artifacts.require("RoleBasedAccess");

contract("RoleBasedAccess", accounts => {
    let instance;

    beforeEach(async () => {
        instance = await RoleBasedAccess.new();
    });

    it("should grant USER_ROLE to an address by ADMIN_ROLE", async () => {
        await instance.grantUserRole(accounts[1], { from: accounts[0] });
        const hasRole = await instance.accessControl.hasRole.call(instance.USER_ROLE(), accounts[1]);
        assert.isTrue(hasRole, "Account should have USER_ROLE");
    });

    it("should revert when non-admin tries to grant USER_ROLE", async () => {
        try {
            await instance.grantUserRole(accounts[1], { from: accounts[1] });
            assert.fail("Expected revert not received");
        } catch (error) {
            assert(error.message.includes("Access denied"), "Expected access denied error");
        }
    });

    it("should allow USER_ROLE to perform user action", async () => {
        await instance.grantUserRole(accounts[1], { from: accounts[0] });
        await instance.performUserAction({ from: accounts[1] }); // should succeed
    });
});

Best Practices for Access Control Libraries

Use Events: Always emit events when roles are granted or revoked. This allows for better tracking and transparency.
Role Hierarchies: Consider implementing role hierarchies where certain roles can manage other roles. This can simplify management in larger contracts.
Testing: Thoroughly test your access control logic to prevent unauthorized access. Use various scenarios to ensure robustness.

Conclusion

Creating an access control library in Solidity can significantly enhance the security and maintainability of your smart contracts. By encapsulating access management logic, you can easily reuse it across multiple contracts, ensuring consistent permission handling.

Learn more with useful resources: