# Multi-Tier Permissioning ### Protocol Permissions System NashPoint implements a multi-tiered permissioning system where protocol-level governance controls which contracts can be used, routers control which components can be integrated, and Node owners select from these approved options. This ensures security while maintaining Node owner autonomy over their strategy. #### Registry Level (Top) Registry Owner controls global whitelist of valid contracts: ```solidity function setRegistryType(address addr, RegistryType type_, bool status) external onlyOwner { if (type_ == RegistryType.UNUSED) revert ErrorsLib.InvalidRole(); if (type_ == RegistryType.NODE) revert ErrorsLib.NotFactory(); roles[addr][type_] = status; } ``` Types: ROUTER, QUOTER, REBALANCER, FACTORY #### Router Level (Middle) Registry owner controls which components each router can use: ```solidity function setWhitelistStatus(address component, bool status) external onlyRegistryOwner { isWhitelisted[component] = status; } ``` #### Node Level (Bottom) Node owners can only add protocol-whitelisted services: ```solidity function addRouter(address router) external onlyOwner { if (!protocol.isRouterWhitelisted(router)) revert ErrorsLib.NotWhitelisted(); if (routers[router]) revert ErrorsLib.AlreadySet(); routers[router] = true; } function addRebalancer(address newRebalancer) external onlyOwner { if (!registry.isRegistryType(newRebalancer, RegistryType.REBALANCER)) { revert ErrorsLib.NotWhitelisted(); } } ``` ### No Forced Upgrades The Registry Owner can revoke protocol-level permissions for routers, rebalancers, quoters, and components. However, these changes only affect future additions - any Node's existing configuration continues to function normally. This ensures Node owners maintain full control over their strategy and cannot be forced to upgrade or change their Node's setup. 1. Node operations don't check current registry status: ```solidity function execute(address target, bytes calldata data) external onlyRouter { // Only checks router is added to Node, not registry status if (!isRouter[msg.sender]) revert ErrorsLib.InvalidSender(); } ``` 2. Router operations don't re-check registry status: ```solidity modifier onlyNodeRebalancer(address node) { // Only checks Node's rebalancer list, not registry if (!INode(node).isRebalancer(msg.sender)) revert ErrorsLib.NotRebalancer(); } ``` 3. Component operations continue after whitelist removal: ```solidity function invest(address node, address component) external { // Only checks Node's component list, not router whitelist if (!INode(node).isComponent(component)) revert ErrorsLib.InvalidComponent(); } ``` ### Adding Components & Routers To correctly configure a Node to use new Routers and Components follow this guide: [Adding Routers and Components - Step by Step Guide](/nashpoint/adding-routers-and-components-step-by-step-guide.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://nashpoint.gitbook.io/nashpoint/upgrading-a-node/multi-tier-permissioning.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.