Before we delve into the implementation of Chaincode functions, we need to first define our access control mechanism.

A key feature of a secure and permissioned blockchain is access control. In Fabric, the Membership Services Provider (MSP) plays a pivotal role in enabling access control. Each organization of a Fabric network can have one or more MSP providers. The MSP is implemented as a Certificate Authority (Fabric CA). More information on Fabric CA, including its documentation, is available at: https://hyperledger-fabric-ca.readthedocs.io/.

Fabric CA issues Enrollment Certificates (ecerts) for network users. The ecert represents the identity of the user and is used as a signed transaction when a user submits to Fabric. Prior to invoking a transaction, the user must therefore first register and obtain an ecert from the Fabric CA.

Fabric supports an Attribute-based Access Control (ABAC) mechanism that can be used by the chaincode to control access to its functions and data. The ABAC allows the chaincode to make access control decisions based on attributes associated with user identity. Users with an ecert can also access a series of additional attributes (that is, name/value pairs).

During invocation, the chaincode will extract the attributes and make an access control decision. We will take a closer look at the ABAC mechanism in the upcoming chapters.