# deny (restricted)

### Overview

The `deny` RPC method revokes a tenant's authorization from the Lynx blockchain storage system. This command allows the blockchain manager to remove storage privileges from existing tenants, preventing them from further authentication and data storage operations. The revocation is recorded on the blockchain as a permanent record, ensuring the network consistently enforces access controls.

### Syntax

```
deny <hash160>
```

### Description

When you invoke the `deny` method as the blockchain manager, the Lynx daemon creates and broadcasts a special revocation transaction that removes a tenant from the authorized list. Similar to the authorization process, this revocation is implemented as a blockchain transaction containing a timestamped payload with the tenant's identifier and a revocation flag. Once this transaction is confirmed, the specified tenant can no longer authenticate or perform storage operations.

This command is the counterpart to the `allow` command and completes the lifecycle management of tenant authorizations. Together, these commands provide the blockchain manager with complete control over who can utilize the blockchain storage system.

### Parameters

| Parameter | Type   | Required | Description                                                                                                                                                                                                           |
| --------- | ------ | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `hash160` | string | Yes      | The RIPEMD-160 hash of the tenant's public key in hexadecimal format. This is a 40-character hexadecimal string (e.g., `00112233445566778899aabbccddeeff00112233`) that uniquely identifies the tenant to be removed. |

### Returns

The method returns a string indicating the result of the operation:

* `success` - The tenant has been successfully removed from the system
* `hash160-wrong-size` - The provided hash is not the correct length (must be 40 hexadecimal characters)
* `Role-based restriction: Current role cannot perform this action` - The authenticated user is not the blockchain manager
* `error-generating-authpayload` - An error occurred while generating the authentication payload
* `error-generating-authtransaction` - An error occurred while creating the authentication transaction
* `failure` - A general failure occurred, which typically indicates an authentication problem

### Access Control

The `deny` command has strict access control requirements:

* Only the blockchain manager (initial authentication user defined in consensus parameters) can execute this command
* The manager must be authenticated via the `auth` command before using `deny`
* Regular tenants cannot revoke access for themselves or other tenants
* This role-based restriction ensures centralized control over tenant authorization management

### Revocation Transaction

When a tenant's access is revoked, the system:

1. Generates a special authentication payload containing:
   * Operation type (1 for revoking a tenant, as opposed to 0 for adding)
   * Current timestamp
   * The tenant's hash160 identifier
2. Creates a blockchain transaction with this payload embedded as an `OP_RETURN` output
3. Broadcasts this transaction to the network, where it will be mined into a block

This transaction serves as a permanent, immutable record of tenant revocation that all nodes can verify.

### Examples

#### Revoke a tenant's access

As the blockchain manager:

```
lynx-cli deny 00112233445566778899aabbccddeeff00112233
```

Output:

```
success
```

Using JSON-RPC:

```
curl --user manager:password --data-binary '{"jsonrpc": "1.0", "id": "curltest", "method": "deny", "params": ["00112233445566778899aabbccddeeff00112233"]}' -H 'content-type: text/plain;' http://127.0.0.1:9332/
```

### Error Handling

The method will return a failure message in the following scenarios:

* The provided hash160 is not exactly 40 characters long (20 bytes in hexadecimal)
* The user is not authenticated or is not authenticated as the blockchain manager
* There is an error in generating the authentication payload or transaction
* The authentication system cannot validate the current user's credentials

### Implementation Notes

* The command verifies the user's authentication status using the `is_auth_member` function
* It validates that the authenticated user is the blockchain manager using consensus parameters
* The operation type is set to 1 (for revocation), as opposed to 0 (for authorization)
* The current timestamp is obtained using `TicksSinceEpoch<std::chrono::seconds>(GetAdjustedTime())`
* The authentication payload is generated with the `generate_auth_payload` function
* The authentication transaction is created and broadcast with the `generate_auth_transaction` function
* Unlike the `allow` command, which returns an array, this command returns a simple string response

### Tenant Access After Revocation

When a tenant's access is revoked:

* The tenant can no longer authenticate using the `auth` command
* Any existing authentication sessions will continue until they expire (approximately 6 hours)
* Existing files stored by the tenant remain on the blockchain and can still be retrieved
* The tenant will no longer appear in the list returned by the `tenants` command

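This behavior means that revocation blocks future authentication and leaves stored data intact, but it does not end sessions that are already open: a revoked tenant can keep working inside an existing session until it expires (approximately 6 hours).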
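
The wrapper below is an added example, not code from the Lynx project. It checks the hash160 format before calling `deny`, maps the result strings listed under Returns to exit codes, and computes the worst-case end of the residual session window described above. `LYNX_CLI`, `SESSION_TTL` and the function names are this example's own, and it assumes `tenants` prints each hash160 as plain text.

```shell
#!/bin/sh
# Added example, not Lynx project code. Source it, then: revoke_tenant <hash160>
# LYNX_CLI and SESSION_TTL are this example's own variables (assumptions).
LYNX_CLI="${LYNX_CLI:-lynx-cli}"
SESSION_TTL=$((6 * 3600))   # the page says sessions last approximately 6 hours

# Succeed only for exactly 40 hexadecimal characters (a 20-byte hash160).
valid_hash160() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Map the documented result strings to distinct exit codes.
classify_deny_result() {
    case "$1" in
        success) return 0 ;;
        hash160-wrong-size) return 2 ;;
        "Role-based restriction:"*) return 3 ;;
        error-generating-authpayload|error-generating-authtransaction) return 4 ;;
        *) return 5 ;;   # "failure" or any unexpected output
    esac
}

# Worst case: a session opened just before the revocation took effect at
# epoch time $1 stays usable until that time plus the session lifetime.
residual_access_until() {
    echo $(( $1 + SESSION_TTL ))
}

# True while the hash still appears in `tenants` output (for instance because
# the revocation is unconfirmed). Assumes the hash is printed as plain text.
tenant_still_listed() {
    $LYNX_CLI tenants 2>/dev/null | grep -qiF -- "$1"
}

# Validate locally, call deny, and fail loudly on anything but "success".
revoke_tenant() {
    hash=$1
    valid_hash160 "$hash" || { echo "rejected: need 40 hex characters" >&2; return 2; }
    result=$($LYNX_CLI deny "$hash" 2>&1) || true
    classify_deny_result "$result" || { rc=$?; echo "deny: $result" >&2; return "$rc"; }
    echo "revocation broadcast; sessions may persist until epoch $(residual_access_until "$(date +%s)")"
}
```

After a successful `revoke_tenant`, poll `tenant_still_listed` until it fails, and treat the tenant as potentially active until the reported epoch has passed.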

