{"id":26995,"date":"2021-11-09T20:07:00","date_gmt":"2021-11-09T20:07:00","guid":{"rendered":"https:\/\/accumulatenetwork.io\/?p=26995"},"modified":"2021-11-16T01:58:20","modified_gmt":"2021-11-16T01:58:20","slug":"identity-hierarchies-technical-guide","status":"publish","type":"post","link":"https:\/\/accumulate.org\/2021\/11\/identity-hierarchies-technical-guide\/","title":{"rendered":"Identity Hierarchies: Technical Guide"},"content":{"rendered":"\n<p><strong>1. Introduction<\/strong><\/p>\n\n\n\n<p>Accumulate Digital Identifiers (ADIs) are URL-based digital identities with hierarchical key sets that can manage data, tokens, and other identities. They can also be used to govern more complicated operations such as token issuance, off-chain consensus building, and multisignature transactions. While key hierarchies are useful for organizing priorities, identity hierarchies are useful for organizing objects. Objects might include different token types held by a user, different departments within an organization, or different data types collected by an array of IoT sensors. How a company organizes its departments, financial records, or data structures can be reproduced in the organization of objects on the Accumulate network.<\/p>\n\n\n\n<p>We introduced ADIs and Lite Accounts in previous technical guides and differentiated their URL-based addresses from the addresses typically encountered in other blockchains. In this guide, we\u2019ll take a deeper look at how URLs are constructed in the Accumulate protocol with a particular focus on the identity hierarchy. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>2. Nomenclature<\/strong><\/p>\n\n\n\n<p>The identity hierarchy refers to the organization of tokens, data, and identities under an ADI or Lite Account. It is useful to know the following terms to better understand how identities are organized.<\/p>\n\n\n\n<ul><li><strong>ADI<\/strong>: A digital identifier that governs data, tokens, and identities on the Accumulate network. An ADI manages these assets using a set of hierarchical keys that it owns or shares with other ADIs.<\/li><li><strong>Sub-ADI<\/strong>: A digital identifier that performs the same functions as an ADI but with slightly less autonomy due to its management by a parent ADI.<\/li><li><strong>Account<\/strong>: A terminal data or token sub-chain of an ADI or sub-ADI that is initially specified by the user but fixed in function after its creation.<\/li><li><strong>Lite Account<\/strong>: A simplified version of an ADI that can only manage tokens. Unlike a token account, which managed by an ADI and named by the user, a Lite Account manages itself and is addressed by the hash of its public key.<\/li><li><strong>Directory<\/strong>: An optional cataloging structure that references the location of sub-ADIs and accounts but does not manage their contents.<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>3. Architecture<\/strong><\/p>\n\n\n\n<p>Any number of data accounts or sub-ADIs can be nested within an ADI. Accounts and sub-ADIs are independent from each other and possess their own sets of keys with which they can manage their assets, while the parent ADI possesses an administrative key set that can add, delete, transfer, or modify the security of its account or sub-ADI. Data and token accounts are terminal, meaning that sub-accounts cannot exist. However, sub-ADIs and accounts can be nested within another sub-ADI.<\/p>\n\n\n\n<p>This architecture is illustrated in the figure below, where a hypothetical ADI is managing a sub-ADI, token account, and data account. The sub-ADI manages two different token accounts, as well as a data account and second level sub-ADI which in turn manages several data accounts. While not shown, multiple sibling sub-ADIs can be nested within a parent sub-ADI. Lite Accounts are excluded because their architecture only includes the Lite Account and its associated token accounts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/ADI-hierarchy6.svg\" alt=\"\" class=\"wp-image-26996\" width=\"651\" height=\"337\"\/><\/figure>\n\n\n\n<p><strong>4. Accounts<\/strong><\/p>\n\n\n\n<p>Account URLs have the general format &lt;prefix&gt;:\/\/&lt;ADI&gt;\/&lt;directory&gt;\/&lt;account&gt; where the prefix acc:\/\/ specifies the Accumulate blockchain, ADI specifies the top-level identity in control of the URL, directory specifies a particular type of account, and account specifies data or tokens. Several examples of data and token accounts are provided in the table below for the hypothetical ADI \u2018bank\u2019. Note that both cryptocurrencies and tokenized assets may be considered token sub-chains.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/excel-1-big-1.svg\" alt=\"\" class=\"wp-image-27005\" width=\"562\" height=\"203\"\/><\/figure>\n\n\n\n<p>Directories are optional, and we anticipate that their utility will be mostly confined to enterprise applications where greater organization of large numbers of accounts and sub-ADIs is needed. The directory label is defined by the user and can be single or multi-character. For the sake of clarity, data, tokens, and identities are given the labels <em>d<\/em>, <em>t<\/em>, and <em>i<\/em>. However, an investment firm with ADI \u2018firm\u2019 may create data accounts with directories <em>r<\/em> and <em>c<\/em> for residential and commercial properties, while a cryptocurrency trader and non-fungible token (NFT) art collector may create token accounts with directories <em>nft<\/em> and <em>stable<\/em> to denote NFTs and stablecoins. Any label can be used so long as the object type is specified&nbsp;within the wallet. However, a directory label cannot be changed after it is created.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/excel-2-big.svg\" alt=\"\" class=\"wp-image-27007\" width=\"549\" height=\"149\"\/><\/figure>\n\n\n\n<p><strong>5. Sub-ADIs<\/strong> <\/p>\n\n\n\n<p>The structure of identity subchains for sub-ADIs is similar to those of an account, where any number of sub-ADIs can be nested under a directory that a user defines in their wallet as an identity. However, sub-ADIs can also be nested under other sub-ADIs. The format of an identity chain with multiple sub-ADIs is &lt;prefix&gt;:\/\/&lt;ADI&gt;\/{&lt; directory&gt;\/&lt; sub<sub>N<\/sub>-ADI&gt;}<sub>N<\/sub> where N refers to an arbitrary number of sub-ADIs each with the same identity directory. In the example below, different departments within a bank are represented by different Sub-ADIs. The human resources department is further subdivided into sub-ADIs that specify different roles within the department.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/excel-3-big.svg\" alt=\"\" class=\"wp-image-27015\" width=\"714\" height=\"208\"\/><\/figure>\n\n\n\n<p><strong>6. Combining Accounts and Sub-ADIs<\/strong><\/p>\n\n\n\n<p>Data and token accounts may also be nested within sub-ADIs. This offers an alternative strategy for organizing large numbers of data and token accounts without needing to create multiple directories. Using the example of an investment firm that manages different types of properties, we can imagine that a team specializing in residential homes may be given a different sub-ADI than a team specializing in commercial real-estate. For simplicity, we refer to these combined addresses as URLs below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/excel-4-big.svg\" alt=\"\" class=\"wp-image-27017\" width=\"509\" height=\"168\"\/><\/figure>\n\n\n\n<p>Since accounts are terminal, it is not possible to nest sub-ADIs within accounts. While acc:\/\/firm\/i\/residential\/d\/properties is permitted, acc:\/\/firm\/d\/properties\/i\/residential is not.<\/p>\n\n\n\n<p><strong>7. Development Timeline<\/strong> <\/p>\n\n\n\n<p>For Testnet 1.0, users will only be able to create top-level ADIs and ADI token accounts. However, directories and sub-ADIs will be introduced in Testnet 2.0 to allow an organization to create identity hierarchies and manage keys held by sub-ADIs. Multiple accounts can be managed by a single ADI in Testnet 1.0, and multiple ADIs will be able to manage a single data or token account in Testnet 2.0. For example, a consortium of banks with different ADIs will be able to manage a tokenized asset like a bundle of real-estate.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. Introduction Accumulate Digital Identifiers (ADIs) are URL-based digital identities with hierarchical key sets that can manage data, tokens, and other identities. They can also be used to govern more complicated operations such as token issuance, off-chain consensus building, and multisignature transactions. While key hierarchies are useful for organizing priorities, identity hierarchies are useful for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":27031,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"<!-- wp:paragraph -->\n<p><strong>1. Introduction<\/strong><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Accumulate Digital Identifiers (ADIs) are URL-based digital identities with hierarchical key sets that can manage data, tokens, and other identities. They can also be used to govern more complicated operations such as token issuance, off-chain consensus building, and multisignature transactions. While key hierarchies are useful for organizing priorities, identity hierarchies are useful for organizing objects. Objects might include different token types held by a user, different departments within an organization, or different data types collected by an array of IoT sensors. How a company organizes its departments, financial records, or data structures can be reproduced in the organization of objects on the Accumulate network.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>We introduced ADIs and Lite Accounts in previous technical guides and differentiated their URL-based addresses from the addresses typically encountered in other blockchains. In this guide, we\u2019ll take a deeper look at how URLs are constructed in the Accumulate protocol with a particular focus on the identity hierarchy.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p><strong>2. Nomenclature<\/strong><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>The identity hierarchy refers to the organization of tokens, data, and identities under an ADI or Lite Account. It is useful to know the following terms to better understand how identities are organized.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul><li><strong>ADI<\/strong>: A digital identifier that governs data, tokens, and identities on the Accumulate network. An ADI manages these assets using a set of hierarchical keys that it owns or shares with other ADIs.<\/li><li><strong>Sub-ADI<\/strong>: A digital identifier that performs the same functions as an ADI but with slightly less autonomy due to its management by a parent ADI.<\/li><li><strong>Account<\/strong>: A terminal data or token sub-chain of an ADI or sub-ADI that is initially specified by the user but fixed in function after its creation.<\/li><li><strong>Lite Account<\/strong>: A simplified version of an ADI that can only manage tokens. Unlike a token account, which managed by an ADI and named by the user, a Lite Account manages itself and is addressed by the hash of its public key.<\/li><li><strong>Directory<\/strong>: An optional cataloging structure that references the location of sub-ADIs and accounts but does not manage their contents.<\/li><\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<p><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p><strong>3. Architecture<\/strong><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Any number of data accounts or sub-ADIs can be nested within an ADI. Accounts and sub-ADIs are independent from each other and possess their own sets of keys with which they can manage their assets, while the parent ADI possesses an administrative key set that can add, delete, transfer, or modify the security of its account or sub-ADI. Data and token accounts are terminal, meaning that sub-accounts cannot exist. However, sub-ADIs and accounts can be nested within another sub-ADI.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>This architecture is illustrated in the figure below, where a hypothetical ADI is managing a sub-ADI, token account, and data account. The sub-ADI manages two different token accounts, as well as a data account and second level sub-ADI which in turn manages several data accounts. While not shown, multiple sibling sub-ADIs can be nested within a parent sub-ADI. Lite Accounts are excluded because their architecture only includes the Lite Account and its associated token accounts.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:image {\"id\":26996,\"sizeSlug\":\"large\",\"linkDestination\":\"none\"} -->\n<figure class=\"wp-block-image size-large\"><img src=\"https:\/\/accumulatenetwork.io\/wp-content\/uploads\/2021\/11\/ADI-hierarchy6.svg\" alt=\"\" class=\"wp-image-26996\" \/><\/figure>\n<!-- \/wp:image -->\n\n<!-- wp:paragraph -->\n<p><strong>4. Accounts<\/strong><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Account URLs have the general format &lt;prefix&gt;:\/\/&lt;ADI&gt;\/&lt;directory&gt;\/&lt;account&gt; where the prefix acc:\/\/ specifies the Accumulate blockchain, ADI specifies the top-level identity in control of the URL, directory specifies a particular type of account, and account specifies data or tokens. Several examples of data and token accounts are provided in the table below for the hypothetical ADI \u2018bank\u2019. Note that both cryptocurrencies and tokenized assets may be considered token sub-chains.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>ADI<\/strong><\/td><td><strong>acc:\/\/bank<\/strong><\/td><td><strong>acc:\/\/bank<\/strong><\/td><\/tr><tr><td><strong>Description<\/strong><\/td><td>Data<\/td><td>Tokens<\/td><\/tr><tr><td><strong>Directory<\/strong><\/td><td>d<\/td><td>t<\/td><\/tr><tr><td><strong>Account-1<\/strong><\/td><td>acc:\/\/bank\/d\/accounts<\/td><td>acc:\/\/bank\/t\/loans<\/td><\/tr><tr><td><strong>Account-2<\/strong><\/td><td>acc:\/\/bank\/d\/investments<\/td><td>acc:\/\/bank\/t\/securities<\/td><\/tr><tr><td><strong>Account-3<\/strong><\/td><td>acc:\/\/bank\/d\/transactions<\/td><td>acc:\/\/bank\/t\/realestate<\/td><\/tr><tr><td><strong>Account-N<\/strong><\/td><td>acc:\/\/bank\/d\/data<\/td><td>acc:\/\/bank\/t\/tokens<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:paragraph -->\n<p>Directories are optional, and we anticipate that their utility will be mostly confined to enterprise applications where greater organization of large numbers of accounts and sub-ADIs is needed. The directory label is defined by the user and can be single or multi-character. For the sake of clarity, data, tokens, and identities are given the labels <em>d<\/em>, <em>t<\/em>, and <em>i<\/em>. However, an investment firm with ADI \u2018firm\u2019 may create data accounts with directories <em>r<\/em> and <em>c<\/em> for residential and commercial properties, while a cryptocurrency trader and non-fungible token (NFT) art collector may create token accounts with directories <em>nft<\/em> and <em>stable<\/em> to denote NFTs and stablecoins. Any label can be used so long as the object type is specified\u00a0within the wallet. However, a directory label cannot be changed after it is created.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>ADI<\/strong><\/td><td><strong>acc:\/\/firm<\/strong><\/td><td><strong>acc:\/\/user<\/strong><\/td><\/tr><tr><td><strong>Description<\/strong><\/td><td>Data<\/td><td>Data<\/td><\/tr><tr><td><strong>Directory<\/strong><\/td><td>Variable<\/td><td>Variable<\/td><\/tr><tr><td><strong>Sub-ADI-1<\/strong><\/td><td>acc:\/\/firm\/r\/properties<\/td><td>acc:\/\/user\/nft\/art<\/td><\/tr><tr><td><strong>Sub-ADI-2<\/strong><\/td><td>acc:\/\/firm\/c\/sales<\/td><td>acc:\/\/user\/stable\/USDT<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:paragraph -->\n<p><strong>5. Sub-ADIs<\/strong> The structure of identity subchains for sub-ADIs is similar to those of an account, where any number of sub-ADIs can be nested under a directory that a user defines in their wallet as an identity. However, sub-ADIs can also be nested under other sub-ADIs. The format of an identity chain with multiple sub-ADIs is &lt;prefix&gt;:\/\/&lt;ADI&gt;\/{&lt; directory&gt;\/&lt; sub<sub>N<\/sub>-ADI&gt;}<sub>N<\/sub> where N refers to an arbitrary number of sub-ADIs each with the same identity directory. In the example below, different departments within a bank are represented by different Sub-ADIs. The human resources department is further subdivided into sub-ADIs that specify different roles within the department.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>ADI<\/strong><\/td><td><strong>acc:\/\/bank<\/strong><\/td><\/tr><tr><td><strong>Description<\/strong><\/td><td>Identity<\/td><\/tr><tr><td><strong>Designator<\/strong><\/td><td>i<\/td><\/tr><tr><td><strong>Sub-ADI-1<\/strong><\/td><td>acc:\/\/bank\/i\/hr<\/td><\/tr><tr><td><strong>Sub-ADI-2<\/strong><\/td><td>acc:\/\/bank\/i\/legal<\/td><\/tr><tr><td><strong>Sub-ADI-3<\/strong><\/td><td>acc:\/\/bank\/i\/sales<\/td><\/tr><tr><td><strong>Sub-ADI-N<\/strong><\/td><td>acc:\/\/bank\/i\/tbd<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>ADI<\/strong><\/td><td><strong>acc:\/\/bank<\/strong><\/td><\/tr><tr><td><strong>Description<\/strong><\/td><td>Identity<\/td><\/tr><tr><td><strong>Designator<\/strong><\/td><td>i<\/td><\/tr><tr><td><strong>Sub<sub>1<\/sub>-ADI-1<\/strong><\/td><td>acc:\/\/bank\/i\/hr<\/td><\/tr><tr><td><strong>Sub<sub>2<\/sub>-ADI-1<\/strong><\/td><td>acc:\/\/bank\/i\/hr\/i\/cpo<\/td><\/tr><tr><td><strong>Sub<sub>3<\/sub>-ADI-1<\/strong><\/td><td>acc:\/\/bank\/i\/hr\/i\/cpo\/i\/director<\/td><\/tr><tr><td><strong>Sub<sub>N<\/sub>-ADI-1<\/strong><\/td><td>acc:\/\/bank\/i\/hr\/i\/cpo\/i\/director\/tbd<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:paragraph -->\n<p><strong>6. Combining Accounts and Sub-ADIs<\/strong><\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Data and token accounts may also be nested within sub-ADIs. This offers an alternative strategy for organizing large numbers of data and token accounts without needing to create multiple directories. Using the example of an investment firm that manages different types of properties, we can imagine that a team specializing in residential homes may be given a different sub-ADI than a team specializing in commercial real-estate. For simplicity, we refer to these combined addresses as URLs below.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:table -->\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>ADI<\/strong><\/td><td><strong>acc:\/\/firm<\/strong><\/td><\/tr><tr><td><strong>Description<\/strong><\/td><td>Variable<\/td><\/tr><tr><td><strong>Directory<\/strong><\/td><td>Variable<\/td><\/tr><tr><td><strong>URL-1<\/strong><\/td><td>acc:\/\/firm\/i\/residential\/d\/properties<\/td><\/tr><tr><td><strong>URL-2<\/strong><\/td><td>acc:\/\/firm\/i\/commercial\/i\/office\/d\/properties<\/td><\/tr><tr><td><strong>URL-3<\/strong><\/td><td>acc:\/\/firm\/i\/commercial\/t\/securities<\/td><\/tr><\/tbody><\/table><\/figure>\n<!-- \/wp:table -->\n\n<!-- wp:paragraph -->\n<p><strong>7. Development Timeline<\/strong> For Testnet 1.0, users will only be able to create top-level ADIs and ADI token accounts. However, directories and sub-ADIs will be introduced in Testnet 2.0 to allow an organization to create identity hierarchies and manage keys held by sub-ADIs. Multiple accounts can be managed by a single ADI in Testnet 1.0, and multiple ADIs will be able to manage a single data or token account in Testnet 2.0. For example, a consortium of banks with different ADIs will be able to manage a tokenized asset like a bundle of real-estate.<\/p>\n<!-- \/wp:paragraph -->","_et_gb_content_width":"","inline_featured_image":false},"categories":[14],"tags":[],"_links":{"self":[{"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/posts\/26995"}],"collection":[{"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/comments?post=26995"}],"version-history":[{"count":6,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/posts\/26995\/revisions"}],"predecessor-version":[{"id":27044,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/posts\/26995\/revisions\/27044"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/media\/27031"}],"wp:attachment":[{"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/media?parent=26995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/categories?post=26995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/accumulate.org\/wp-json\/wp\/v2\/tags?post=26995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}