RPC user able to start a flow they don't have permissions to


From external contributors:

Corda Open Source 4.3

I connect to my node using the standalone shell:

The config file looks like this:

My RPC user, which I used to log in the standalone shell, doesn't have the permission to run CreateEvolvableShokenType flow:

Running flow list, shows that flow:

And the user is able to start the flow:


March 4, 2020, 9:59 AM

This is very likely already fixed in 4.5 with the work put in. But do we want to try fixing it in the earlier versions too? It’s raised against OS 4.3 but targeted against OS 4.5. Just checking.

March 23, 2020, 11:17 AM

Bump. Do you have any opinions on where this gets fixed?

March 30, 2020, 12:45 PM

Could you shed some light on which version Niki should target?

April 2, 2020, 4:44 PM

It is fixed in 4.5. The versions involved in this issue, where I could reproduce the same bug, are 4.3 and 4.4.

April 9, 2020, 12:41 PM

From: Rick Parker <rick.parker@r3.com>
Date: Thursday, 9 April 2020 at 13:28
To: Nikolett Nagy <nikolett.nagy@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue


Excellent. Can you comment on the JIRA (or cut and paste this email chain and add as comment).


Is there a SUP ticket linked from the CORDA ticket? If so, you can comment on that with the simple solution (remove the overall ‘InvokeRpc.startTrackedFlowDynamic’).


From: Nikolett Nagy <nikolett.nagy@r3.com>
Date: Thursday, 9 April 2020 at 12:55
To: Rick Parker <rick.parker@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue


Yes, after removing ‘InvokeRpc.startTrackedFlowDynamic’, he will be able to start specific flows which are present in the permissions.


All 3 versions behave the same way. To be more precise, 4.4 and 4.5 have the same code for the permissions; I checked that even with a merging tool.

I was only confused at the beginning, because I was not using the exact same configs for 4.5 and 4.4, 4.3 and realized it late. But after I found out about this I did the testing again and made sure that I am using the same config for all 3 versions.


From: Rick Parker <rick.parker@r3.com>
Date: Thursday, 9 April 2020 at 11:31
To: Nikolett Nagy <nikolett.nagy@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Re: Permission issue


So the fix is for the user to remove `InvokeRpc.startTrackedFlowDynamic`? i.e. if they remove that, they can still start specific flows?


Are we saying that 4.5 is inconsistent with that behaviour now? i.e. the super / wildcard permission does not override the individuals?


From: Nikolett Nagy <nikolett.nagy@r3.com>
Date: Wednesday, 8 April 2020 at 10:43
To: Rick Parker <rick.parker@r3.com>, Matthew Nesbit <matthew.nesbit@r3.com>, Ryan Fowler <ryan.fowler@r3.com>
Subject: Permission issue




Looking at the issue, here’s what I found yesterday:

If you explicitly have the ‘InvokeRpc.startTrackedFlowDynamic’ permission in your node.conf file, it will behave like a super permission because:

  1. For startTrackedFlowDynamic we will have a DomainPermission like this “rpc:starttrackedflowdynamic”

  2. For every flow we are creating a Permission with Shiro. In the AuthenticatedRpcOpsProxy.guard() method for every start flow we are passing “startTrackedFlowDynamic” as a String and Shiro’s DomainPermission class will create a Permission for us which looks like this: “rpc:starttrackedflowdynamic:net:corda:mypackage:myflow”

  3. After this, when we are checking if we have the permission to run a given flow, we are calling WildcardPermission’s implies method, which by default works like this:

// If this permission has less parts than the other permission, everything after the number of parts contained
// in this permission is automatically implied, so return true

“rpc:starttrackedflowdynamic” is shorter than the other one, but contains the same parts, so it will always return true for every flow! It works like a cascade: if you have permission for startTrackedFlowDynamic, you will have permission for everything under it.


If you check the JIRA (CORDA-3577), the reporter of the issue had startTrackedFlowDynamic in his config file.

I hope this will help to understand what is happening, if you have any further questions feel free to ask.
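
The `implies` behaviour described in the email above, as an added Python sketch (not Corda or Shiro code, and not part of the original thread): a simplified model of Shiro's part-by-part comparison, run over constructed permission strings. The flow name `otherflow` and the helper names `allowed_flows` and `overbroad_grants` are assumptions made for the example.

```python
# Simplified model of Apache Shiro's WildcardPermission.implies();
# an added illustration, not Corda or Shiro source code.
WILDCARD = "*"

def parse(permission):
    """Split 'a:b,c:d' into a list of sets, lower-cased as Shiro does by default."""
    return [set(part.split(",")) for part in permission.strip().lower().split(":")]

def implies(granted, requested):
    """Return True if the granted permission string implies the requested one."""
    mine, other = parse(granted), parse(requested)
    for i, other_part in enumerate(other):
        if i >= len(mine):
            # Granted permission has fewer parts: the rest is implied.
            return True
        if WILDCARD not in mine[i] and not other_part <= mine[i]:
            return False
    # Granted permission has more parts: the extra ones must all be wildcards.
    return all(WILDCARD in part for part in mine[len(other):])

def allowed_flows(grants, flows, method="starttrackedflowdynamic"):
    """Flows the user can start through `method` with the given grants."""
    return [f for f in flows
            if any(implies(g, f"rpc:{method}:{f}") for g in grants)]

def overbroad_grants(grants):
    """Config lint: grants that imply another, longer grant of the same user."""
    return [g for g in grants
            if any(g != o and len(parse(g)) < len(parse(o)) and implies(g, o)
                   for o in grants)]

# Constructed sample data; only 'net:corda:mypackage:myflow' appears in the email.
FLOWS = ["net:corda:mypackage:myflow", "net:corda:mypackage:otherflow"]
WITH_BROAD = ["rpc:starttrackedflowdynamic",
              "rpc:starttrackedflowdynamic:net:corda:mypackage:myflow"]
WITHOUT_BROAD = WITH_BROAD[1:]  # the same user after the two-part grant is removed

if __name__ == "__main__":
    print(allowed_flows(WITH_BROAD, FLOWS))     # both flows
    print(allowed_flows(WITHOUT_BROAD, FLOWS))  # only the granted flow
    print(overbroad_grants(WITH_BROAD))         # the two-part grant
```
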








David Rapacchiale



