Role System

Privilege separation

AZERO.ID introduces privilege separation for domains to increase their security, ownership guarantees, and flexibility. Each domain has three core roles with a different set of permissions and attributes:

  1. Owner
  2. Controller
  3. Resolving address

Upon registration of a domain, the owner, controller, and resolving address all default to the same address (the account that registered the domain).

Each of these roles can then be assigned to a different, independent wallet address (see our user guide). An example use case is a valuable domain that is owned by a hardware wallet, controlled by a multisig, and resolves to a hot wallet.


Signing transactions in our dApp with a Ledger is now officially supported. Make sure to update your Ledger firmware and Aleph Zero app to the latest version and connect it to a supported wallet of your choice.

⚠️ Ledger Nano S is not supported (see support table).


The Owner of a domain is the wallet address that holds full custody and control of the domain. The full set of permissions includes:

  • Transferring the domain (and all associated roles) to another address
  • Releasing the domain
  • Updating the domain's operator
  • Updating the domain's controller
  • Updating the domain's resolving address
  • Updating the domain's metadata

The "address of a domain" points towards its resolving address, which is not always the owner. These addresses are equal upon registration but can diverge later.


The Controller of a domain is the wallet address that can manage certain aspects of the domain, but cannot transfer or release it. The full set of permissions includes:

  • Updating the domain's controller
  • Updating the domain's resolving address
  • Updating the domain's metadata

Resolving address

The Resolving address of a domain is the wallet address that the domain points to, e.g. when a user enters the domain in an input field of a wallet that integrates AZERO.ID. This role does not come with other specific permissions.

Each wallet address is allowed to clear all resolving addresses of domains pointing to it without further approval.

The resolving address is the actual wallet address a domain is pointing towards. It's not a separate smart contract like the "Resolver" in ENSIP-1.


The Operator is a special role that can be assigned by the owner, giving custody over the domain to a different address. For example, when a domain is listed on an NFT marketplace, the operator role is assigned to the respective marketplace contract. Read more here.

Primary domains

The Primary domain of a wallet address is the domain that is used as an on-chain identity for the address. For example, it can be shown instead of a wallet address within a blockchain's transaction history of a block explorer that integrates AZERO.ID.

A domain can only be set as the primary domain of an address if it is resolving to that address. It will be cleared automatically if this is no longer the case.
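
The role rules above, condensed into a small Rust model so the reach of each key can be checked; this is an added example, not AZERO.ID's contract code. All type and method names are hypothetical, the operator role is left out, and it assumes an address sets its own primary domain, which the page does not specify.

```rust
// Toy model of the role rules described on this page; not AZERO.ID contract code.
// Every type, field and method name is hypothetical. The operator role is not modelled.
use std::collections::HashMap;
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Action { Transfer, Release, SetOperator, SetController, SetResolving, SetMetadata }
pub struct Domain { pub owner: String, pub controller: String, pub resolving: Option<String> }
#[derive(Default)] // primary maps an address to its primary domain
pub struct Registry { pub domains: HashMap<String, Domain>, pub primary: HashMap<String, String> }

impl Registry {
    /// Registration: all three roles default to the registering account.
    pub fn register(&mut self, name: &str, who: &str) {
        let d = Domain { owner: who.into(), controller: who.into(), resolving: Some(who.into()) };
        self.domains.insert(name.into(), d);
    }
    /// Owner may perform every action; controller only the three listed for it.
    pub fn allowed(&self, name: &str, caller: &str, a: Action) -> bool {
        let ctl = matches!(a, Action::SetController | Action::SetResolving | Action::SetMetadata);
        self.domains.get(name).map_or(false, |d| caller == d.owner || (ctl && caller == d.controller))
    }
    pub fn set_controller(&mut self, name: &str, caller: &str, new: &str) -> bool {
        let ok = self.allowed(name, caller, Action::SetController);
        if ok { self.domains.get_mut(name).unwrap().controller = new.into(); }
        ok
    }
    pub fn set_resolving(&mut self, name: &str, caller: &str, new: Option<&str>) -> bool {
        // The resolved-to address may clear the pointer itself, without further approval.
        let self_clear = new.is_none()
            && self.domains.get(name).map_or(false, |d| d.resolving.as_deref() == Some(caller));
        if !self_clear && !self.allowed(name, caller, Action::SetResolving) { return false; }
        self.domains.get_mut(name).unwrap().resolving = new.map(String::from);
        // A primary entry survives only while the domain still resolves to that address.
        self.primary.retain(|addr, dom| dom.as_str() != name || Some(addr.as_str()) == new);
        true
    }
    /// Assumption: an address sets its own primary domain; it must resolve to the caller.
    pub fn set_primary(&mut self, name: &str, caller: &str) -> bool {
        let ok = self.domains.get(name).map_or(false, |d| d.resolving.as_deref() == Some(caller));
        if ok { self.primary.insert(caller.into(), name.into()); }
        ok
    }
}

fn main() {
    let mut r = Registry::default(); // constructed names, following the page's use case
    r.register("vault", "hw");
    r.set_controller("vault", "hw", "multisig");
    r.set_resolving("vault", "multisig", Some("hot"));
    println!("multisig may transfer: {}", r.allowed("vault", "multisig", Action::Transfer));
}
```

In this model a controller key can repoint the domain or hand the controller role on, but cannot transfer or release it, and the resolving address can do no more than clear itself.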