Hyperledger Fabric Difference between user's privileges

If I have 1 organization, orgA, and under this organization I have 2 users, user1 and user2; also there is 1 peer in orgA, let's call it peer0.

Now imagine user1's certificate is in orgA's msp/admincerts folder, which makes user1 admin for orgA. On the other hand, let's say user2's certificate is in peer0's msp/admincerts folder, which makes user2 admin for peer0.

My question is: what is the difference in privileges between user1 and user2? I mean, what can user1 do that user2 can't, and vice versa?

Also I am using fabric ca and node sdk to interact with the network. In my example, when I enroll fabric ca's bootstrapped user (admin/adminpw) from node sdk and then make a create channel request, it worked, but then when I made a join channel request it failed (because this user doesn't have the privileges). When I tried to understand why this happened, I discovered that if I make a join request from a user whose certificate is not in the peer's msp/admincerts folder, that kind of user doesn't have permission to make the peer join the channel. So the only way is that I have to copy the enrolled admin's certificate into peer0's msp/admincerts folder; then I think it will work. But is that the only way to make it work, or is there any other way to avoid copy/paste and do it from the sdk, or create a new configuration update transaction?

Also I can't understand what makes this user capable of creating a channel. What permissions does the bootstrapped user from fabric ca have?

Nika Kurashvili Avatar asked Dec 02 '18 15:12

1 Answer

This is a very late reply, but I hope someone may find this helpful. The user roles and the permissions aren't directly linked; this is done through the policies set in configtx.yaml.

Policies are defined for each Org and Orderer, mapping the member and admin identities to a certain policy subgroup like Readers, Writers or Admins. These are the grassroots-level policies used to construct ImplicitMeta policies, like the ones for chaincode query and write.

For example, an org defines policies like:

# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
#   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies: &org1Policies
    Readers:
        Type: Signature
        Rule: "OR('org1.example.com.member')"
        # If your MSP is configured with the new NodeOUs, you might
        # want to use a more specific rule like the following:
        # Rule: "OR('org1MSP.admin', 'org1MSP.peer')"
    Writers:
        Type: Signature
        Rule: "OR('org1.example.com.member')"
        # If your MSP is configured with the new NodeOUs, you might
        # want to use a more specific rule like the following:
        # Rule: "OR('org1MSP.admin', 'org1MSP.client')"
    Admins:
        Type: Signature
        Rule: "OR('org1.example.com.admin')"

The policies for the consortium are defined like:

Policies:
    Readers:
        Type: ImplicitMeta
        Rule: "ANY Readers"
    Writers:
        Type: ImplicitMeta
        Rule: "ANY Writers"
    Admins:
        Type: ImplicitMeta
        Rule: "MAJORITY Admins"

This references the org and orderer policies defined earlier.

Now the system chaincode can have policies like:

Application: &ApplicationDefaults
    ACLs: &ACLsDefault
        # This section provides defaults for policies for various resources
        # in the system.
        #---Query System Chaincode (qscc) function to policy mapping for access control---#

        # ACL policy for qscc's "GetChainInfo" function
        qscc/GetChainInfo: /Channel/Application/Readers

        # ACL policy for qscc's "GetBlockByNumber" function
        qscc/GetBlockByNumber: /Channel/Application/Readers

Here the policies referenced point to the consortium-level policies.

Please read the docs for more detailed guidance on this.

Captain Levi Avatar answered Dec 19 '22 08:12

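To make the distinction in the question and the policy mechanics in the answer concrete, here is an added toy policy evaluator (it is not part of the question, the answer, or Fabric itself; Fabric's real engine verifies x509 signatures against MSP definitions). It parses Signature rules of the form used in the configtx.yaml fragments above (`OR`, `AND`, `OutOf` over `MSPID.role` principals) and ImplicitMeta rules (`ANY`/`ALL`/`MAJORITY` over the same-named sub-policy of each org), then evaluates them for the two users from the question. The MSP IDs (`Org1MSP`, `Org2MSP`), the cert labels, and the channel config dictionary are constructed for the example; the split between the channel MSP's admincerts (which gives user1 the `admin` role at the channel level) and peer0's local msp/admincerts (which is what a peer consults for peer-local operations such as joining a channel) follows the premise of the question.

```python
"""Toy evaluator for Fabric Signature and ImplicitMeta policies (added example).

Not Fabric's own policy engine: real Fabric checks x509 signatures against MSP
definitions. The rule semantics modelled here are the configtx.yaml ones:
Signature rules (OR/AND/OutOf over "MSPID.role" principals) and ImplicitMeta
rules (ANY/ALL/MAJORITY over each org's sub-policy of the same name).
All MSP IDs, users and cert labels below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    cert: str     # constructed label standing in for the x509 certificate
    msp_id: str   # MSP the channel config attributes the cert to
    role: str     # "admin", "peer" or "client" as the channel MSP classifies it


# --- Signature policies, e.g. Rule: "OR('Org1MSP.admin', 'Org1MSP.peer')" ----
_TOKEN = re.compile(r"\s*(OutOf|OR|AND|\(|\)|,|'[^']*'|\d+)")


def _tokenize(rule: str) -> list:
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"bad rule near {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _parse(tokens: list):
    """Returns ("principal", "MSPID.role") or ("outof", n, [sub-expressions])."""
    tok = tokens.pop(0)
    if tok.startswith("'"):
        return ("principal", tok.strip("'"))
    if tokens.pop(0) != "(":
        raise ValueError(f"expected '(' after {tok}")
    n = None
    if tok == "OutOf":               # OutOf(2, 'A.member', 'B.member', ...)
        n = int(tokens.pop(0))
        tokens.pop(0)                # the comma after the count
    args = [_parse(tokens)]
    while tokens[0] == ",":
        tokens.pop(0)
        args.append(_parse(tokens))
    tokens.pop(0)                    # closing ')'
    if tok == "OR":
        n = 1
    elif tok == "AND":
        n = len(args)
    return ("outof", n, args)


def _principal_matches(principal: str, ident: Identity) -> bool:
    msp_id, role = principal.rsplit(".", 1)
    # ".member" matches any valid identity of that MSP; other roles must match.
    return ident.msp_id == msp_id and role in ("member", ident.role)


def _eval_signature(expr, signers) -> bool:
    if expr[0] == "principal":
        return any(_principal_matches(expr[1], s) for s in signers)
    _, n, args = expr
    return sum(_eval_signature(a, signers) for a in args) >= n


# --- ImplicitMeta policies, e.g. Rule: "MAJORITY Admins" ---------------------
def evaluate(path: str, signers, config) -> bool:
    """Evaluate the policy at a canonical path such as /Channel/Application/Admins."""
    ptype, rule = config[path]
    if ptype == "Signature":
        return _eval_signature(_parse(_tokenize(rule)), signers)
    op, sub = rule.split()                       # e.g. "MAJORITY", "Admins"
    parent, depth = path.rsplit("/", 1)[0] + "/", path.count("/") + 1
    # The same-named sub-policy of every org one level below this policy.
    children = [p for p in config
                if p.startswith(parent) and p.endswith("/" + sub) and p.count("/") == depth]
    satisfied = sum(evaluate(c, signers, config) for c in children)
    if op == "ANY":
        return satisfied >= 1
    if op == "ALL":
        return satisfied == len(children)
    if op == "MAJORITY":
        return satisfied * 2 > len(children)     # strictly more than half
    raise ValueError(f"unknown ImplicitMeta operator {op}")


def acl_allows(resource: str, signers, config, acls) -> bool:
    """Resolve an ACL entry (resource -> policy path) and evaluate it."""
    return evaluate(acls[resource], signers, config)


# --- Constructed channel config mirroring the configtx.yaml fragments above ---
CHANNEL_CONFIG = {
    "/Channel/Application/Org1MSP/Readers": ("Signature", "OR('Org1MSP.member')"),
    "/Channel/Application/Org1MSP/Writers": ("Signature", "OR('Org1MSP.admin', 'Org1MSP.client')"),
    "/Channel/Application/Org1MSP/Admins":  ("Signature", "OR('Org1MSP.admin')"),
    "/Channel/Application/Org2MSP/Readers": ("Signature", "OR('Org2MSP.member')"),
    "/Channel/Application/Org2MSP/Writers": ("Signature", "OR('Org2MSP.admin', 'Org2MSP.client')"),
    "/Channel/Application/Org2MSP/Admins":  ("Signature", "OR('Org2MSP.admin')"),
    "/Channel/Application/Readers": ("ImplicitMeta", "ANY Readers"),
    "/Channel/Application/Writers": ("ImplicitMeta", "ANY Writers"),
    "/Channel/Application/Admins":  ("ImplicitMeta", "MAJORITY Admins"),
}
ACLS = {"qscc/GetChainInfo": "/Channel/Application/Readers",
        "qscc/GetBlockByNumber": "/Channel/Application/Readers"}

# The two users from the question (constructed). user1's cert is in orgA's
# channel MSP admincerts -> "admin" role at channel level. user2's cert is only
# in peer0's local msp/admincerts -> peer admin, ordinary client on the channel.
USER1 = Identity(cert="cert:user1", msp_id="Org1MSP", role="admin")
USER2 = Identity(cert="cert:user2", msp_id="Org1MSP", role="client")
ORG2_ADMIN = Identity(cert="cert:org2admin", msp_id="Org2MSP", role="admin")
PEER0_LOCAL_ADMINCERTS = {"cert:user2"}


def can_run_peer_admin_op(ident: Identity, peer_admincerts) -> bool:
    """Peer-local operations such as joining a channel are gated by the peer's
    own msp/admincerts, not by any channel policy."""
    return ident.cert in peer_admincerts


if __name__ == "__main__":
    for name, user in (("user1", USER1), ("user2", USER2)):
        print(name, "org Admins:", evaluate("/Channel/Application/Org1MSP/Admins", {user}, CHANNEL_CONFIG),
              "| qscc/GetChainInfo:", acl_allows("qscc/GetChainInfo", {user}, CHANNEL_CONFIG, ACLS),
              "| peer0 join:", can_run_peer_admin_op(user, PEER0_LOCAL_ADMINCERTS))
```

Running it shows the asymmetry the question asks about: user1 satisfies the org's channel-level Admins policy but is rejected by peer0 for peer-local operations, while user2 can drive peer0 but only counts as a Reader/Writer on the channel. With two orgs in the config, `MAJORITY Admins` also needs Org2's admin signature alongside user1's, which is why channel-level ImplicitMeta policies cannot be satisfied by adding a certificate to a single peer's local MSP.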