openzeppelin-contracts/docs/modules/api/pages/access.adoc

:github-icon: pass:[<svg class="icon"><use href="#github-icon"/></svg>]
:AccessControl: pass:normal[xref:access.adoc#AccessControl[`AccessControl`]]
:Ownable: pass:normal[xref:access.adoc#Ownable[`Ownable`]]
:xref-Ownable-onlyOwner--: xref:access.adoc#Ownable-onlyOwner--
:xref-Ownable-constructor--: xref:access.adoc#Ownable-constructor--
:xref-Ownable-owner--: xref:access.adoc#Ownable-owner--
:xref-Ownable-_checkOwner--: xref:access.adoc#Ownable-_checkOwner--
:xref-Ownable-renounceOwnership--: xref:access.adoc#Ownable-renounceOwnership--
:xref-Ownable-transferOwnership-address-: xref:access.adoc#Ownable-transferOwnership-address-
:xref-Ownable-_transferOwnership-address-: xref:access.adoc#Ownable-_transferOwnership-address-
:xref-Ownable-OwnershipTransferred-address-address-: xref:access.adoc#Ownable-OwnershipTransferred-address-address-
:xref-IAccessControl-hasRole-bytes32-address-: xref:access.adoc#IAccessControl-hasRole-bytes32-address-
:xref-IAccessControl-getRoleAdmin-bytes32-: xref:access.adoc#IAccessControl-getRoleAdmin-bytes32-
:xref-IAccessControl-grantRole-bytes32-address-: xref:access.adoc#IAccessControl-grantRole-bytes32-address-
:xref-IAccessControl-revokeRole-bytes32-address-: xref:access.adoc#IAccessControl-revokeRole-bytes32-address-
:xref-IAccessControl-renounceRole-bytes32-address-: xref:access.adoc#IAccessControl-renounceRole-bytes32-address-
:xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-: xref:access.adoc#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-
:xref-IAccessControl-RoleGranted-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleGranted-bytes32-address-address-
:xref-IAccessControl-RoleRevoked-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleRevoked-bytes32-address-address-
:AccessControl-_setRoleAdmin: pass:normal[xref:access.adoc#AccessControl-_setRoleAdmin-bytes32-bytes32-[`AccessControl._setRoleAdmin`]]
:AccessControl-_setupRole: pass:normal[xref:access.adoc#AccessControl-_setupRole-bytes32-address-[`AccessControl._setupRole`]]
:AccessControlEnumerable: pass:normal[xref:access.adoc#AccessControlEnumerable[`AccessControlEnumerable`]]
:xref-AccessControl-onlyRole-bytes32-: xref:access.adoc#AccessControl-onlyRole-bytes32-
:xref-AccessControl-supportsInterface-bytes4-: xref:access.adoc#AccessControl-supportsInterface-bytes4-
:xref-AccessControl-hasRole-bytes32-address-: xref:access.adoc#AccessControl-hasRole-bytes32-address-
:xref-AccessControl-_checkRole-bytes32-: xref:access.adoc#AccessControl-_checkRole-bytes32-
:xref-AccessControl-_checkRole-bytes32-address-: xref:access.adoc#AccessControl-_checkRole-bytes32-address-
:xref-AccessControl-getRoleAdmin-bytes32-: xref:access.adoc#AccessControl-getRoleAdmin-bytes32-
:xref-AccessControl-grantRole-bytes32-address-: xref:access.adoc#AccessControl-grantRole-bytes32-address-
:xref-AccessControl-revokeRole-bytes32-address-: xref:access.adoc#AccessControl-revokeRole-bytes32-address-
:xref-AccessControl-renounceRole-bytes32-address-: xref:access.adoc#AccessControl-renounceRole-bytes32-address-
:xref-AccessControl-_setupRole-bytes32-address-: xref:access.adoc#AccessControl-_setupRole-bytes32-address-
:xref-AccessControl-_setRoleAdmin-bytes32-bytes32-: xref:access.adoc#AccessControl-_setRoleAdmin-bytes32-bytes32-
:xref-AccessControl-_grantRole-bytes32-address-: xref:access.adoc#AccessControl-_grantRole-bytes32-address-
:xref-AccessControl-_revokeRole-bytes32-address-: xref:access.adoc#AccessControl-_revokeRole-bytes32-address-
:xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-: xref:access.adoc#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-
:xref-IAccessControl-RoleGranted-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleGranted-bytes32-address-address-
:xref-IAccessControl-RoleRevoked-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleRevoked-bytes32-address-address-
:IERC165-supportsInterface: pass:normal[xref:utils.adoc#IERC165-supportsInterface-bytes4-[`IERC165.supportsInterface`]]
:AccessControl: pass:normal[xref:access.adoc#AccessControl[`AccessControl`]]
:AccessControl: pass:normal[xref:access.adoc#AccessControl[`AccessControl`]]
:xref-AccessControlCrossChain-_checkRole-bytes32-: xref:access.adoc#AccessControlCrossChain-_checkRole-bytes32-
:xref-AccessControlCrossChain-_crossChainRoleAlias-bytes32-: xref:access.adoc#AccessControlCrossChain-_crossChainRoleAlias-bytes32-
:xref-CrossChainEnabled-_isCrossChain--: xref:crosschain.adoc#CrossChainEnabled-_isCrossChain--
:xref-CrossChainEnabled-_crossChainSender--: xref:crosschain.adoc#CrossChainEnabled-_crossChainSender--
:xref-AccessControl-supportsInterface-bytes4-: xref:access.adoc#AccessControl-supportsInterface-bytes4-
:xref-AccessControl-hasRole-bytes32-address-: xref:access.adoc#AccessControl-hasRole-bytes32-address-
:xref-AccessControl-_checkRole-bytes32-address-: xref:access.adoc#AccessControl-_checkRole-bytes32-address-
:xref-AccessControl-getRoleAdmin-bytes32-: xref:access.adoc#AccessControl-getRoleAdmin-bytes32-
:xref-AccessControl-grantRole-bytes32-address-: xref:access.adoc#AccessControl-grantRole-bytes32-address-
:xref-AccessControl-revokeRole-bytes32-address-: xref:access.adoc#AccessControl-revokeRole-bytes32-address-
:xref-AccessControl-renounceRole-bytes32-address-: xref:access.adoc#AccessControl-renounceRole-bytes32-address-
:xref-AccessControl-_setupRole-bytes32-address-: xref:access.adoc#AccessControl-_setupRole-bytes32-address-
:xref-AccessControl-_setRoleAdmin-bytes32-bytes32-: xref:access.adoc#AccessControl-_setRoleAdmin-bytes32-bytes32-
:xref-AccessControl-_grantRole-bytes32-address-: xref:access.adoc#AccessControl-_grantRole-bytes32-address-
:xref-AccessControl-_revokeRole-bytes32-address-: xref:access.adoc#AccessControl-_revokeRole-bytes32-address-
:xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-: xref:access.adoc#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-
:xref-IAccessControl-RoleGranted-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleGranted-bytes32-address-address-
:xref-IAccessControl-RoleRevoked-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleRevoked-bytes32-address-address-
:AccessControl-_checkRole: pass:normal[xref:access.adoc#AccessControl-_checkRole-bytes32-address-[`AccessControl._checkRole`]]
:xref-IAccessControlEnumerable-getRoleMember-bytes32-uint256-: xref:access.adoc#IAccessControlEnumerable-getRoleMember-bytes32-uint256-
:xref-IAccessControlEnumerable-getRoleMemberCount-bytes32-: xref:access.adoc#IAccessControlEnumerable-getRoleMemberCount-bytes32-
:xref-IAccessControl-hasRole-bytes32-address-: xref:access.adoc#IAccessControl-hasRole-bytes32-address-
:xref-IAccessControl-getRoleAdmin-bytes32-: xref:access.adoc#IAccessControl-getRoleAdmin-bytes32-
:xref-IAccessControl-grantRole-bytes32-address-: xref:access.adoc#IAccessControl-grantRole-bytes32-address-
:xref-IAccessControl-revokeRole-bytes32-address-: xref:access.adoc#IAccessControl-revokeRole-bytes32-address-
:xref-IAccessControl-renounceRole-bytes32-address-: xref:access.adoc#IAccessControl-renounceRole-bytes32-address-
:xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-: xref:access.adoc#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-
:xref-IAccessControl-RoleGranted-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleGranted-bytes32-address-address-
:xref-IAccessControl-RoleRevoked-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleRevoked-bytes32-address-address-
:AccessControl: pass:normal[xref:access.adoc#AccessControl[`AccessControl`]]
:xref-AccessControlEnumerable-supportsInterface-bytes4-: xref:access.adoc#AccessControlEnumerable-supportsInterface-bytes4-
:xref-AccessControlEnumerable-getRoleMember-bytes32-uint256-: xref:access.adoc#AccessControlEnumerable-getRoleMember-bytes32-uint256-
:xref-AccessControlEnumerable-getRoleMemberCount-bytes32-: xref:access.adoc#AccessControlEnumerable-getRoleMemberCount-bytes32-
:xref-AccessControlEnumerable-_grantRole-bytes32-address-: xref:access.adoc#AccessControlEnumerable-_grantRole-bytes32-address-
:xref-AccessControlEnumerable-_revokeRole-bytes32-address-: xref:access.adoc#AccessControlEnumerable-_revokeRole-bytes32-address-
:xref-AccessControl-hasRole-bytes32-address-: xref:access.adoc#AccessControl-hasRole-bytes32-address-
:xref-AccessControl-_checkRole-bytes32-: xref:access.adoc#AccessControl-_checkRole-bytes32-
:xref-AccessControl-_checkRole-bytes32-address-: xref:access.adoc#AccessControl-_checkRole-bytes32-address-
:xref-AccessControl-getRoleAdmin-bytes32-: xref:access.adoc#AccessControl-getRoleAdmin-bytes32-
:xref-AccessControl-grantRole-bytes32-address-: xref:access.adoc#AccessControl-grantRole-bytes32-address-
:xref-AccessControl-revokeRole-bytes32-address-: xref:access.adoc#AccessControl-revokeRole-bytes32-address-
:xref-AccessControl-renounceRole-bytes32-address-: xref:access.adoc#AccessControl-renounceRole-bytes32-address-
:xref-AccessControl-_setupRole-bytes32-address-: xref:access.adoc#AccessControl-_setupRole-bytes32-address-
:xref-AccessControl-_setRoleAdmin-bytes32-bytes32-: xref:access.adoc#AccessControl-_setRoleAdmin-bytes32-bytes32-
:xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-: xref:access.adoc#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-
:xref-IAccessControl-RoleGranted-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleGranted-bytes32-address-address-
:xref-IAccessControl-RoleRevoked-bytes32-address-address-: xref:access.adoc#IAccessControl-RoleRevoked-bytes32-address-address-
:IERC165-supportsInterface: pass:normal[xref:utils.adoc#IERC165-supportsInterface-bytes4-[`IERC165.supportsInterface`]]
= Access Control

[.readme-notice]
NOTE: This document is better viewed at https://docs.openzeppelin.com/contracts/api/access

This directory provides ways to restrict who can access the functions of a contract or when they can do it.

- {AccessControl} provides a general role based access control mechanism. Multiple hierarchical roles can be created and assigned each to multiple accounts.
- {Ownable} is a simpler mechanism with a single owner "role" that can be assigned to a single account. This simpler mechanism can be useful for quick tests but projects with production concerns are likely to outgrow it.

== Authorization

:_owner: pass:normal[xref:#Ownable-_owner-address[`++_owner++`]]
:OwnershipTransferred: pass:normal[xref:#Ownable-OwnershipTransferred-address-address-[`++OwnershipTransferred++`]]
:constructor: pass:normal[xref:#Ownable-constructor--[`++constructor++`]]
:onlyOwner: pass:normal[xref:#Ownable-onlyOwner--[`++onlyOwner++`]]
:owner: pass:normal[xref:#Ownable-owner--[`++owner++`]]
:_checkOwner: pass:normal[xref:#Ownable-_checkOwner--[`++_checkOwner++`]]
:renounceOwnership: pass:normal[xref:#Ownable-renounceOwnership--[`++renounceOwnership++`]]
:transferOwnership: pass:normal[xref:#Ownable-transferOwnership-address-[`++transferOwnership++`]]
:_transferOwnership: pass:normal[xref:#Ownable-_transferOwnership-address-[`++_transferOwnership++`]]

[.contract]
[[Ownable]]
=== `++Ownable++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/Ownable.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/Ownable.sol";
```

Contract module which provides a basic access control mechanism, where
there is an account (an owner) that can be granted exclusive access to
specific functions.

By default, the owner account will be the one that deploys the contract. This
can later be changed with {transferOwnership}.

This module is used through inheritance. It will make available the modifier
`onlyOwner`, which can be applied to your functions to restrict their use to
the owner.

[.contract-index]
.Modifiers
--
* {xref-Ownable-onlyOwner--}[`++onlyOwner()++`]
--

[.contract-index]
.Functions
--
* {xref-Ownable-constructor--}[`++constructor()++`]
* {xref-Ownable-owner--}[`++owner()++`]
* {xref-Ownable-_checkOwner--}[`++_checkOwner()++`]
* {xref-Ownable-renounceOwnership--}[`++renounceOwnership()++`]
* {xref-Ownable-transferOwnership-address-}[`++transferOwnership(newOwner)++`]
* {xref-Ownable-_transferOwnership-address-}[`++_transferOwnership(newOwner)++`]

--

[.contract-index]
.Events
--
* {xref-Ownable-OwnershipTransferred-address-address-}[`++OwnershipTransferred(previousOwner, newOwner)++`]

--

[.contract-item]
[[Ownable-onlyOwner--]]
==== `[.contract-item-name]#++onlyOwner++#++()++` [.item-kind]#modifier#

Throws if called by any account other than the owner.

[.contract-item]
[[Ownable-constructor--]]
==== `[.contract-item-name]#++constructor++#++()++` [.item-kind]#internal#

Initializes the contract setting the deployer as the initial owner.

[.contract-item]
[[Ownable-owner--]]
==== `[.contract-item-name]#++owner++#++() → address++` [.item-kind]#public#

Returns the address of the current owner.

[.contract-item]
[[Ownable-_checkOwner--]]
==== `[.contract-item-name]#++_checkOwner++#++()++` [.item-kind]#internal#

Throws if the sender is not the owner.

[.contract-item]
[[Ownable-renounceOwnership--]]
==== `[.contract-item-name]#++renounceOwnership++#++()++` [.item-kind]#public#

Leaves the contract without owner. It will not be possible to call
`onlyOwner` functions anymore. Can only be called by the current owner.

NOTE: Renouncing ownership will leave the contract without an owner,
thereby removing any functionality that is only available to the owner.

[.contract-item]
[[Ownable-transferOwnership-address-]]
==== `[.contract-item-name]#++transferOwnership++#++(address newOwner)++` [.item-kind]#public#

Transfers ownership of the contract to a new account (`newOwner`).
Can only be called by the current owner.

[.contract-item]
[[Ownable-_transferOwnership-address-]]
==== `[.contract-item-name]#++_transferOwnership++#++(address newOwner)++` [.item-kind]#internal#

Transfers ownership of the contract to a new account (`newOwner`).
Internal function without access restriction.

[.contract-item]
[[Ownable-OwnershipTransferred-address-address-]]
==== `[.contract-item-name]#++OwnershipTransferred++#++(address previousOwner, address newOwner)++` [.item-kind]#event#

:RoleAdminChanged: pass:normal[xref:#IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-[`++RoleAdminChanged++`]]
:RoleGranted: pass:normal[xref:#IAccessControl-RoleGranted-bytes32-address-address-[`++RoleGranted++`]]
:RoleRevoked: pass:normal[xref:#IAccessControl-RoleRevoked-bytes32-address-address-[`++RoleRevoked++`]]
:hasRole: pass:normal[xref:#IAccessControl-hasRole-bytes32-address-[`++hasRole++`]]
:getRoleAdmin: pass:normal[xref:#IAccessControl-getRoleAdmin-bytes32-[`++getRoleAdmin++`]]
:grantRole: pass:normal[xref:#IAccessControl-grantRole-bytes32-address-[`++grantRole++`]]
:revokeRole: pass:normal[xref:#IAccessControl-revokeRole-bytes32-address-[`++revokeRole++`]]
:renounceRole: pass:normal[xref:#IAccessControl-renounceRole-bytes32-address-[`++renounceRole++`]]

[.contract]
[[IAccessControl]]
=== `++IAccessControl++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/IAccessControl.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/IAccessControl.sol";
```

External interface of AccessControl declared to support ERC165 detection.

[.contract-index]
.Functions
--
* {xref-IAccessControl-hasRole-bytes32-address-}[`++hasRole(role, account)++`]
* {xref-IAccessControl-getRoleAdmin-bytes32-}[`++getRoleAdmin(role)++`]
* {xref-IAccessControl-grantRole-bytes32-address-}[`++grantRole(role, account)++`]
* {xref-IAccessControl-revokeRole-bytes32-address-}[`++revokeRole(role, account)++`]
* {xref-IAccessControl-renounceRole-bytes32-address-}[`++renounceRole(role, account)++`]

--

[.contract-index]
.Events
--
* {xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-}[`++RoleAdminChanged(role, previousAdminRole, newAdminRole)++`]
* {xref-IAccessControl-RoleGranted-bytes32-address-address-}[`++RoleGranted(role, account, sender)++`]
* {xref-IAccessControl-RoleRevoked-bytes32-address-address-}[`++RoleRevoked(role, account, sender)++`]

--

[.contract-item]
[[IAccessControl-hasRole-bytes32-address-]]
==== `[.contract-item-name]#++hasRole++#++(bytes32 role, address account) → bool++` [.item-kind]#external#

Returns `true` if `account` has been granted `role`.

[.contract-item]
[[IAccessControl-getRoleAdmin-bytes32-]]
==== `[.contract-item-name]#++getRoleAdmin++#++(bytes32 role) → bytes32++` [.item-kind]#external#

Returns the admin role that controls `role`. See {grantRole} and
{revokeRole}.

To change a role's admin, use {AccessControl-_setRoleAdmin}.

[.contract-item]
[[IAccessControl-grantRole-bytes32-address-]]
==== `[.contract-item-name]#++grantRole++#++(bytes32 role, address account)++` [.item-kind]#external#

Grants `role` to `account`.

If `account` had not been already granted `role`, emits a {RoleGranted}
event.

Requirements:

- the caller must have ``role``'s admin role.

[.contract-item]
[[IAccessControl-revokeRole-bytes32-address-]]
==== `[.contract-item-name]#++revokeRole++#++(bytes32 role, address account)++` [.item-kind]#external#

Revokes `role` from `account`.

If `account` had been granted `role`, emits a {RoleRevoked} event.

Requirements:

- the caller must have ``role``'s admin role.

[.contract-item]
[[IAccessControl-renounceRole-bytes32-address-]]
==== `[.contract-item-name]#++renounceRole++#++(bytes32 role, address account)++` [.item-kind]#external#

Revokes `role` from the calling account.

Roles are often managed via {grantRole} and {revokeRole}: this function's
purpose is to provide a mechanism for accounts to lose their privileges
if they are compromised (such as when a trusted device is misplaced).

If the calling account had been granted `role`, emits a {RoleRevoked}
event.

Requirements:

- the caller must be `account`.

[.contract-item]
[[IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-]]
==== `[.contract-item-name]#++RoleAdminChanged++#++(bytes32 role, bytes32 previousAdminRole, bytes32 newAdminRole)++` [.item-kind]#event#

Emitted when `newAdminRole` is set as ``role``'s admin role, replacing `previousAdminRole`

`DEFAULT_ADMIN_ROLE` is the starting admin for all roles, despite
{RoleAdminChanged} not being emitted signaling this.

_Available since v3.1._

[.contract-item]
[[IAccessControl-RoleGranted-bytes32-address-address-]]
==== `[.contract-item-name]#++RoleGranted++#++(bytes32 role, address account, address sender)++` [.item-kind]#event#

Emitted when `account` is granted `role`.

`sender` is the account that originated the contract call, an admin role
bearer except when using {AccessControl-_setupRole}.

[.contract-item]
[[IAccessControl-RoleRevoked-bytes32-address-address-]]
==== `[.contract-item-name]#++RoleRevoked++#++(bytes32 role, address account, address sender)++` [.item-kind]#event#

Emitted when `account` is revoked `role`.

`sender` is the account that originated the contract call:
  - if using `revokeRole`, it is the admin role bearer
  - if using `renounceRole`, it is the role bearer (i.e. `account`)

:RoleData: pass:normal[xref:#AccessControl-RoleData[`++RoleData++`]]
:_roles: pass:normal[xref:#AccessControl-_roles-mapping-bytes32----struct-AccessControl-RoleData-[`++_roles++`]]
:DEFAULT_ADMIN_ROLE: pass:normal[xref:#AccessControl-DEFAULT_ADMIN_ROLE-bytes32[`++DEFAULT_ADMIN_ROLE++`]]
:onlyRole: pass:normal[xref:#AccessControl-onlyRole-bytes32-[`++onlyRole++`]]
:supportsInterface: pass:normal[xref:#AccessControl-supportsInterface-bytes4-[`++supportsInterface++`]]
:hasRole: pass:normal[xref:#AccessControl-hasRole-bytes32-address-[`++hasRole++`]]
:_checkRole: pass:normal[xref:#AccessControl-_checkRole-bytes32-[`++_checkRole++`]]
:_checkRole: pass:normal[xref:#AccessControl-_checkRole-bytes32-address-[`++_checkRole++`]]
:getRoleAdmin: pass:normal[xref:#AccessControl-getRoleAdmin-bytes32-[`++getRoleAdmin++`]]
:grantRole: pass:normal[xref:#AccessControl-grantRole-bytes32-address-[`++grantRole++`]]
:revokeRole: pass:normal[xref:#AccessControl-revokeRole-bytes32-address-[`++revokeRole++`]]
:renounceRole: pass:normal[xref:#AccessControl-renounceRole-bytes32-address-[`++renounceRole++`]]
:_setupRole: pass:normal[xref:#AccessControl-_setupRole-bytes32-address-[`++_setupRole++`]]
:_setRoleAdmin: pass:normal[xref:#AccessControl-_setRoleAdmin-bytes32-bytes32-[`++_setRoleAdmin++`]]
:_grantRole: pass:normal[xref:#AccessControl-_grantRole-bytes32-address-[`++_grantRole++`]]
:_revokeRole: pass:normal[xref:#AccessControl-_revokeRole-bytes32-address-[`++_revokeRole++`]]

[.contract]
[[AccessControl]]
=== `++AccessControl++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/AccessControl.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/AccessControl.sol";
```

Contract module that allows children to implement role-based access
control mechanisms. This is a lightweight version that doesn't allow enumerating role
members except through off-chain means by accessing the contract event logs. Some
applications may benefit from on-chain enumerability, for those cases see
{AccessControlEnumerable}.

Roles are referred to by their `bytes32` identifier. These should be exposed
in the external API and be unique. The best way to achieve this is by
using `public constant` hash digests:

```
bytes32 public constant MY_ROLE = keccak256("MY_ROLE");
```

Roles can be used to represent a set of permissions. To restrict access to a
function call, use {hasRole}:

```
function foo() public {
    require(hasRole(MY_ROLE, msg.sender));
    ...
}
```

Roles can be granted and revoked dynamically via the {grantRole} and
{revokeRole} functions. Each role has an associated admin role, and only
accounts that have a role's admin role can call {grantRole} and {revokeRole}.

By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means
that only accounts with this role will be able to grant or revoke other
roles. More complex role relationships can be created by using
{_setRoleAdmin}.

WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to
grant and revoke this role. Extra precautions should be taken to secure
accounts that have been granted it.

[.contract-index]
.Modifiers
--
* {xref-AccessControl-onlyRole-bytes32-}[`++onlyRole(role)++`]
--

[.contract-index]
.Functions
--
* {xref-AccessControl-supportsInterface-bytes4-}[`++supportsInterface(interfaceId)++`]
* {xref-AccessControl-hasRole-bytes32-address-}[`++hasRole(role, account)++`]
* {xref-AccessControl-_checkRole-bytes32-}[`++_checkRole(role)++`]
* {xref-AccessControl-_checkRole-bytes32-address-}[`++_checkRole(role, account)++`]
* {xref-AccessControl-getRoleAdmin-bytes32-}[`++getRoleAdmin(role)++`]
* {xref-AccessControl-grantRole-bytes32-address-}[`++grantRole(role, account)++`]
* {xref-AccessControl-revokeRole-bytes32-address-}[`++revokeRole(role, account)++`]
* {xref-AccessControl-renounceRole-bytes32-address-}[`++renounceRole(role, account)++`]
* {xref-AccessControl-_setupRole-bytes32-address-}[`++_setupRole(role, account)++`]
* {xref-AccessControl-_setRoleAdmin-bytes32-bytes32-}[`++_setRoleAdmin(role, adminRole)++`]
* {xref-AccessControl-_grantRole-bytes32-address-}[`++_grantRole(role, account)++`]
* {xref-AccessControl-_revokeRole-bytes32-address-}[`++_revokeRole(role, account)++`]

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControl

--

[.contract-index]
.Events
--

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControl
* {xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-}[`++RoleAdminChanged(role, previousAdminRole, newAdminRole)++`]
* {xref-IAccessControl-RoleGranted-bytes32-address-address-}[`++RoleGranted(role, account, sender)++`]
* {xref-IAccessControl-RoleRevoked-bytes32-address-address-}[`++RoleRevoked(role, account, sender)++`]

--

[.contract-item]
[[AccessControl-onlyRole-bytes32-]]
==== `[.contract-item-name]#++onlyRole++#++(bytes32 role)++` [.item-kind]#modifier#

Modifier that checks that an account has a specific role. Reverts
with a standardized message including the required role.

The format of the revert reason is given by the following regular expression:

 /^AccessControl: account (0x[0-9a-f]{40}) is missing role (0x[0-9a-f]{64})$/

_Available since v4.1._

[.contract-item]
[[AccessControl-supportsInterface-bytes4-]]
==== `[.contract-item-name]#++supportsInterface++#++(bytes4 interfaceId) → bool++` [.item-kind]#public#

See {IERC165-supportsInterface}.

[.contract-item]
[[AccessControl-hasRole-bytes32-address-]]
==== `[.contract-item-name]#++hasRole++#++(bytes32 role, address account) → bool++` [.item-kind]#public#

Returns `true` if `account` has been granted `role`.

[.contract-item]
[[AccessControl-_checkRole-bytes32-]]
==== `[.contract-item-name]#++_checkRole++#++(bytes32 role)++` [.item-kind]#internal#

Revert with a standard message if `_msgSender()` is missing `role`.
Overriding this function changes the behavior of the {onlyRole} modifier.

Format of the revert message is described in {_checkRole}.

_Available since v4.6._

[.contract-item]
[[AccessControl-_checkRole-bytes32-address-]]
==== `[.contract-item-name]#++_checkRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Revert with a standard message if `account` is missing `role`.

The format of the revert reason is given by the following regular expression:

 /^AccessControl: account (0x[0-9a-f]{40}) is missing role (0x[0-9a-f]{64})$/

[.contract-item]
[[AccessControl-getRoleAdmin-bytes32-]]
==== `[.contract-item-name]#++getRoleAdmin++#++(bytes32 role) → bytes32++` [.item-kind]#public#

Returns the admin role that controls `role`. See {grantRole} and
{revokeRole}.

To change a role's admin, use {_setRoleAdmin}.

[.contract-item]
[[AccessControl-grantRole-bytes32-address-]]
==== `[.contract-item-name]#++grantRole++#++(bytes32 role, address account)++` [.item-kind]#public#

Grants `role` to `account`.

If `account` had not been already granted `role`, emits a {RoleGranted}
event.

Requirements:

- the caller must have ``role``'s admin role.

May emit a {RoleGranted} event.

[.contract-item]
[[AccessControl-revokeRole-bytes32-address-]]
==== `[.contract-item-name]#++revokeRole++#++(bytes32 role, address account)++` [.item-kind]#public#

Revokes `role` from `account`.

If `account` had been granted `role`, emits a {RoleRevoked} event.

Requirements:

- the caller must have ``role``'s admin role.

May emit a {RoleRevoked} event.

[.contract-item]
[[AccessControl-renounceRole-bytes32-address-]]
==== `[.contract-item-name]#++renounceRole++#++(bytes32 role, address account)++` [.item-kind]#public#

Revokes `role` from the calling account.

Roles are often managed via {grantRole} and {revokeRole}: this function's
purpose is to provide a mechanism for accounts to lose their privileges
if they are compromised (such as when a trusted device is misplaced).

If the calling account had been revoked `role`, emits a {RoleRevoked}
event.

Requirements:

- the caller must be `account`.

May emit a {RoleRevoked} event.

[.contract-item]
[[AccessControl-_setupRole-bytes32-address-]]
==== `[.contract-item-name]#++_setupRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Grants `role` to `account`.

If `account` had not been already granted `role`, emits a {RoleGranted}
event. Note that unlike {grantRole}, this function doesn't perform any
checks on the calling account.

May emit a {RoleGranted} event.

[WARNING]
====
This function should only be called from the constructor when setting
up the initial roles for the system.

Using this function in any other way is effectively circumventing the admin
system imposed by {AccessControl}.
====

NOTE: This function is deprecated in favor of {_grantRole}.

[.contract-item]
[[AccessControl-_setRoleAdmin-bytes32-bytes32-]]
==== `[.contract-item-name]#++_setRoleAdmin++#++(bytes32 role, bytes32 adminRole)++` [.item-kind]#internal#

Sets `adminRole` as ``role``'s admin role.

Emits a {RoleAdminChanged} event.

[.contract-item]
[[AccessControl-_grantRole-bytes32-address-]]
==== `[.contract-item-name]#++_grantRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Grants `role` to `account`.

Internal function without access restriction.

May emit a {RoleGranted} event.

[.contract-item]
[[AccessControl-_revokeRole-bytes32-address-]]
==== `[.contract-item-name]#++_revokeRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Revokes `role` from `account`.

Internal function without access restriction.

May emit a {RoleRevoked} event.

:CROSSCHAIN_ALIAS: pass:normal[xref:#AccessControlCrossChain-CROSSCHAIN_ALIAS-bytes32[`++CROSSCHAIN_ALIAS++`]]
:_checkRole: pass:normal[xref:#AccessControlCrossChain-_checkRole-bytes32-[`++_checkRole++`]]
:_crossChainRoleAlias: pass:normal[xref:#AccessControlCrossChain-_crossChainRoleAlias-bytes32-[`++_crossChainRoleAlias++`]]

[.contract]
[[AccessControlCrossChain]]
=== `++AccessControlCrossChain++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/AccessControlCrossChain.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/AccessControlCrossChain.sol";
```

An extension to {AccessControl} with support for cross-chain access management.
For each role, is extension implements an equivalent "aliased" role that is used for
restricting calls originating from other chains.

For example, if a function `myFunction` is protected by `onlyRole(SOME_ROLE)`, and
if an address `x` has role `SOME_ROLE`, it would be able to call `myFunction` directly.
A wallet or contract at the same address on another chain would however not be able
to call this function. In order to do so, it would require to have the role
`_crossChainRoleAlias(SOME_ROLE)`.

This aliasing is required to protect against multiple contracts living at the same
address on different chains but controlled by conflicting entities.

_Available since v4.6._

[.contract-index]
.Functions
--
* {xref-AccessControlCrossChain-_checkRole-bytes32-}[`++_checkRole(role)++`]
* {xref-AccessControlCrossChain-_crossChainRoleAlias-bytes32-}[`++_crossChainRoleAlias(role)++`]

[.contract-subindex-inherited]
.CrossChainEnabled
* {xref-CrossChainEnabled-_isCrossChain--}[`++_isCrossChain()++`]
* {xref-CrossChainEnabled-_crossChainSender--}[`++_crossChainSender()++`]

[.contract-subindex-inherited]
.AccessControl
* {xref-AccessControl-supportsInterface-bytes4-}[`++supportsInterface(interfaceId)++`]
* {xref-AccessControl-hasRole-bytes32-address-}[`++hasRole(role, account)++`]
* {xref-AccessControl-_checkRole-bytes32-address-}[`++_checkRole(role, account)++`]
* {xref-AccessControl-getRoleAdmin-bytes32-}[`++getRoleAdmin(role)++`]
* {xref-AccessControl-grantRole-bytes32-address-}[`++grantRole(role, account)++`]
* {xref-AccessControl-revokeRole-bytes32-address-}[`++revokeRole(role, account)++`]
* {xref-AccessControl-renounceRole-bytes32-address-}[`++renounceRole(role, account)++`]
* {xref-AccessControl-_setupRole-bytes32-address-}[`++_setupRole(role, account)++`]
* {xref-AccessControl-_setRoleAdmin-bytes32-bytes32-}[`++_setRoleAdmin(role, adminRole)++`]
* {xref-AccessControl-_grantRole-bytes32-address-}[`++_grantRole(role, account)++`]
* {xref-AccessControl-_revokeRole-bytes32-address-}[`++_revokeRole(role, account)++`]

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControl

--

[.contract-index]
.Events
--

[.contract-subindex-inherited]
.CrossChainEnabled

[.contract-subindex-inherited]
.AccessControl

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControl
* {xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-}[`++RoleAdminChanged(role, previousAdminRole, newAdminRole)++`]
* {xref-IAccessControl-RoleGranted-bytes32-address-address-}[`++RoleGranted(role, account, sender)++`]
* {xref-IAccessControl-RoleRevoked-bytes32-address-address-}[`++RoleRevoked(role, account, sender)++`]

--

[.contract-item]
[[AccessControlCrossChain-_checkRole-bytes32-]]
==== `[.contract-item-name]#++_checkRole++#++(bytes32 role)++` [.item-kind]#internal#

See {AccessControl-_checkRole}.

[.contract-item]
[[AccessControlCrossChain-_crossChainRoleAlias-bytes32-]]
==== `[.contract-item-name]#++_crossChainRoleAlias++#++(bytes32 role) → bytes32++` [.item-kind]#internal#

Returns the aliased role corresponding to `role`.

:getRoleMember: pass:normal[xref:#IAccessControlEnumerable-getRoleMember-bytes32-uint256-[`++getRoleMember++`]]
:getRoleMemberCount: pass:normal[xref:#IAccessControlEnumerable-getRoleMemberCount-bytes32-[`++getRoleMemberCount++`]]

[.contract]
[[IAccessControlEnumerable]]
=== `++IAccessControlEnumerable++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/IAccessControlEnumerable.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/IAccessControlEnumerable.sol";
```

External interface of AccessControlEnumerable declared to support ERC165 detection.

[.contract-index]
.Functions
--
* {xref-IAccessControlEnumerable-getRoleMember-bytes32-uint256-}[`++getRoleMember(role, index)++`]
* {xref-IAccessControlEnumerable-getRoleMemberCount-bytes32-}[`++getRoleMemberCount(role)++`]

[.contract-subindex-inherited]
.IAccessControl
* {xref-IAccessControl-hasRole-bytes32-address-}[`++hasRole(role, account)++`]
* {xref-IAccessControl-getRoleAdmin-bytes32-}[`++getRoleAdmin(role)++`]
* {xref-IAccessControl-grantRole-bytes32-address-}[`++grantRole(role, account)++`]
* {xref-IAccessControl-revokeRole-bytes32-address-}[`++revokeRole(role, account)++`]
* {xref-IAccessControl-renounceRole-bytes32-address-}[`++renounceRole(role, account)++`]

--

[.contract-index]
.Events
--

[.contract-subindex-inherited]
.IAccessControl
* {xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-}[`++RoleAdminChanged(role, previousAdminRole, newAdminRole)++`]
* {xref-IAccessControl-RoleGranted-bytes32-address-address-}[`++RoleGranted(role, account, sender)++`]
* {xref-IAccessControl-RoleRevoked-bytes32-address-address-}[`++RoleRevoked(role, account, sender)++`]

--

[.contract-item]
[[IAccessControlEnumerable-getRoleMember-bytes32-uint256-]]
==== `[.contract-item-name]#++getRoleMember++#++(bytes32 role, uint256 index) → address++` [.item-kind]#external#

Returns one of the accounts that have `role`. `index` must be a
value between 0 and {getRoleMemberCount}, non-inclusive.

Role bearers are not sorted in any particular way, and their ordering may
change at any point.

WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure
you perform all queries on the same block. See the following
https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post]
for more information.

[.contract-item]
[[IAccessControlEnumerable-getRoleMemberCount-bytes32-]]
==== `[.contract-item-name]#++getRoleMemberCount++#++(bytes32 role) → uint256++` [.item-kind]#external#

Returns the number of accounts that have `role`. Can be used
together with {getRoleMember} to enumerate all bearers of a role.

:_roleMembers: pass:normal[xref:#AccessControlEnumerable-_roleMembers-mapping-bytes32----struct-EnumerableSet-AddressSet-[`++_roleMembers++`]]
:supportsInterface: pass:normal[xref:#AccessControlEnumerable-supportsInterface-bytes4-[`++supportsInterface++`]]
:getRoleMember: pass:normal[xref:#AccessControlEnumerable-getRoleMember-bytes32-uint256-[`++getRoleMember++`]]
:getRoleMemberCount: pass:normal[xref:#AccessControlEnumerable-getRoleMemberCount-bytes32-[`++getRoleMemberCount++`]]
:_grantRole: pass:normal[xref:#AccessControlEnumerable-_grantRole-bytes32-address-[`++_grantRole++`]]
:_revokeRole: pass:normal[xref:#AccessControlEnumerable-_revokeRole-bytes32-address-[`++_revokeRole++`]]

[.contract]
[[AccessControlEnumerable]]
=== `++AccessControlEnumerable++` link:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v4.8.0/contracts/access/AccessControlEnumerable.sol[{github-icon},role=heading-link]

[.hljs-theme-light.nopadding]
```solidity
import "@openzeppelin/contracts/access/AccessControlEnumerable.sol";
```

Extension of {AccessControl} that allows enumerating the members of each role.

[.contract-index]
.Functions
--
* {xref-AccessControlEnumerable-supportsInterface-bytes4-}[`++supportsInterface(interfaceId)++`]
* {xref-AccessControlEnumerable-getRoleMember-bytes32-uint256-}[`++getRoleMember(role, index)++`]
* {xref-AccessControlEnumerable-getRoleMemberCount-bytes32-}[`++getRoleMemberCount(role)++`]
* {xref-AccessControlEnumerable-_grantRole-bytes32-address-}[`++_grantRole(role, account)++`]
* {xref-AccessControlEnumerable-_revokeRole-bytes32-address-}[`++_revokeRole(role, account)++`]

[.contract-subindex-inherited]
.AccessControl
* {xref-AccessControl-hasRole-bytes32-address-}[`++hasRole(role, account)++`]
* {xref-AccessControl-_checkRole-bytes32-}[`++_checkRole(role)++`]
* {xref-AccessControl-_checkRole-bytes32-address-}[`++_checkRole(role, account)++`]
* {xref-AccessControl-getRoleAdmin-bytes32-}[`++getRoleAdmin(role)++`]
* {xref-AccessControl-grantRole-bytes32-address-}[`++grantRole(role, account)++`]
* {xref-AccessControl-revokeRole-bytes32-address-}[`++revokeRole(role, account)++`]
* {xref-AccessControl-renounceRole-bytes32-address-}[`++renounceRole(role, account)++`]
* {xref-AccessControl-_setupRole-bytes32-address-}[`++_setupRole(role, account)++`]
* {xref-AccessControl-_setRoleAdmin-bytes32-bytes32-}[`++_setRoleAdmin(role, adminRole)++`]

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControlEnumerable

[.contract-subindex-inherited]
.IAccessControl

--

[.contract-index]
.Events
--

[.contract-subindex-inherited]
.AccessControl

[.contract-subindex-inherited]
.ERC165

[.contract-subindex-inherited]
.IERC165

[.contract-subindex-inherited]
.IAccessControlEnumerable

[.contract-subindex-inherited]
.IAccessControl
* {xref-IAccessControl-RoleAdminChanged-bytes32-bytes32-bytes32-}[`++RoleAdminChanged(role, previousAdminRole, newAdminRole)++`]
* {xref-IAccessControl-RoleGranted-bytes32-address-address-}[`++RoleGranted(role, account, sender)++`]
* {xref-IAccessControl-RoleRevoked-bytes32-address-address-}[`++RoleRevoked(role, account, sender)++`]

--

[.contract-item]
[[AccessControlEnumerable-supportsInterface-bytes4-]]
==== `[.contract-item-name]#++supportsInterface++#++(bytes4 interfaceId) → bool++` [.item-kind]#public#

See {IERC165-supportsInterface}.

[.contract-item]
[[AccessControlEnumerable-getRoleMember-bytes32-uint256-]]
==== `[.contract-item-name]#++getRoleMember++#++(bytes32 role, uint256 index) → address++` [.item-kind]#public#

Returns one of the accounts that have `role`. `index` must be a
value between 0 and {getRoleMemberCount}, non-inclusive.

Role bearers are not sorted in any particular way, and their ordering may
change at any point.

WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure
you perform all queries on the same block. See the following
https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post]
for more information.

[.contract-item]
[[AccessControlEnumerable-getRoleMemberCount-bytes32-]]
==== `[.contract-item-name]#++getRoleMemberCount++#++(bytes32 role) → uint256++` [.item-kind]#public#

Returns the number of accounts that have `role`. Can be used
together with {getRoleMember} to enumerate all bearers of a role.

[.contract-item]
[[AccessControlEnumerable-_grantRole-bytes32-address-]]
==== `[.contract-item-name]#++_grantRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Overload {_grantRole} to track enumerable memberships

[.contract-item]
[[AccessControlEnumerable-_revokeRole-bytes32-address-]]
==== `[.contract-item-name]#++_revokeRole++#++(bytes32 role, address account)++` [.item-kind]#internal#

Overload {_revokeRole} to track enumerable memberships