OpenZeppelin · ericnordelo · Jul 2, 2025 · May 13, 2025 · May 13, 2025 · Jun 9, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Added
+
+- AccessControlDefaultAdminRules interface and component (#1432)
+
 ## 2.0.0 (2025-06-18)
 
 ### Added

diff --git a/docs/modules/ROOT/pages/access.adoc b/docs/modules/ROOT/pages/access.adoc
@@ -357,6 +357,8 @@ security practice. Note that each account may still have more than one role, if
 
 === Granting and revoking roles
 
+:access-control-default-admin-rules: xref:api/access.adoc#AccessControlDefaultAdminRulesComponent[AccessControlDefaultAdminRules]
+
 The ERC20 token example above uses xref:api/access.adoc#AccessControlComponent-_grant_role[`_grant_role`],
 an `internal` function that is useful when programmatically assigning
 roles (such as during construction). But what if we later want to grant the 'minter' role to additional accounts?
@@ -378,6 +380,8 @@ of `0`, called `DEFAULT_ADMIN_ROLE`, which acts as the *default admin role for a
 An account with this role will be able to manage any other role, unless
 xref:api/access.adoc#AccessControlComponent-set_role_admin[`set_role_admin`] is used to select a new admin role.
 
+Since it is the admin for all roles by default, and in fact it is also its own admin, this role carries significant risk. To mitigate this risk we provide {access-control-default-admin-rules}, a recommended extension of AccessControl that adds a number of enforced security measures for this role: the admin is restricted to a single account, with a 2-step transfer procedure with a delay in between steps.
+
 Let's take a look at the ERC20 token example, this time taking advantage of the default admin role:
 
 [,cairo]

diff --git a/docs/modules/ROOT/pages/api/access.adoc b/docs/modules/ROOT/pages/api/access.adoc
diff --git a/packages/access/src/accesscontrol.cairo b/packages/access/src/accesscontrol.cairo
@@ -1,5 +1,6 @@
 pub mod accesscontrol;
 pub mod account_role_info;
+pub mod extensions;
 pub mod interface;
 
 pub use accesscontrol::AccessControlComponent;

diff --git a/packages/access/src/accesscontrol/accesscontrol.cairo b/packages/access/src/accesscontrol/accesscontrol.cairo
@@ -281,7 +281,7 @@ pub mod AccessControlComponent {
         ) -> bool {
             match self.resolve_role_status(role, account) {
                 RoleStatus::Effective => true,
-                RoleStatus::Delayed => false,
+                RoleStatus::Delayed(_) => false,
                 RoleStatus::NotGranted => false,
             }
         }
@@ -352,7 +352,7 @@ pub mod AccessControlComponent {
         ) {
             match self.resolve_role_status(role, account) {
                 RoleStatus::Effective => (),
-                RoleStatus::Delayed |
+                RoleStatus::Delayed(_) |
                 RoleStatus::NotGranted => {
                     let caller = starknet::get_caller_address();
                     let role_info = AccountRoleInfo { is_granted: true, effective_from: 0 };
@@ -386,7 +386,7 @@ pub mod AccessControlComponent {
             assert(delay > 0, Errors::INVALID_DELAY);
             match self.resolve_role_status(role, account) {
                 RoleStatus::Effective => panic_with_const_felt252::<Errors::ALREADY_EFFECTIVE>(),
-                RoleStatus::Delayed |
+                RoleStatus::Delayed(_) |
                 RoleStatus::NotGranted => {
                     let caller = starknet::get_caller_address();
                     let effective_from = starknet::get_block_timestamp() + delay;
@@ -408,7 +408,7 @@ pub mod AccessControlComponent {
             match self.resolve_role_status(role, account) {
                 RoleStatus::NotGranted => (),
                 RoleStatus::Effective |
-                RoleStatus::Delayed => {
+                RoleStatus::Delayed(_) => {
                     let caller = starknet::get_caller_address();
                     let role_info = AccountRoleInfo { is_granted: false, effective_from: 0 };
                     self.AccessControl_role_member.write((role, account), role_info);

diff --git a/packages/access/src/accesscontrol/extensions.cairo b/packages/access/src/accesscontrol/extensions.cairo
@@ -0,0 +1,6 @@
+pub mod accesscontrol_default_admin_rules;
+pub mod interface;
+pub mod pending_delay;
+
+pub use accesscontrol_default_admin_rules::AccessControlDefaultAdminRulesComponent::DEFAULT_ADMIN_ROLE;
+pub use accesscontrol_default_admin_rules::{AccessControlDefaultAdminRulesComponent, DefaultConfig};