Access Control

Role	Available actions	Authentication and other requirements
Protocol administrator (Market Manager admin)	Deploy new lending markets Read the list of markets (read-only)	Must be authenticated as the manager admin for deploys and upgrades Deploys and upgrades require approval from the Market Manager admin multisig (no single signer can act alone) Reading the market list is public (no auth)
Market admin	Queue, apply, or cancel pool config updates and new pool creation via time-locked queue_in_pool_set → apply_pool_set (owned markets) Queue, apply, or cancel market config updates via queue_in_market_update → apply_market_update (owned markets) Change market status with update_market_status — supports 7 statuses including *ByAdmin variants that the Insurance Fund cannot override Update per-pool status flags with update_pool_status (owned markets) Configure fee beneficiaries with set_take_rate_fees_beneficiaries, set_operation_fees_beneficiaries Update swap provider with update_swap_provider Transfer admin role via propose_new_admin → accept_proposed_admin	Must be authenticated as the market admin Pool config updates and market config updates require the market to be owned
Proposed admin	Accept the admin role via accept_proposed_admin (completes the 2-step admin transfer)	Must be authenticated as the proposed admin address
Insurance Fund	Freeze or change market status via fund_update_market_status Cannot set or clear *ByAdmin status variants Process bad debt cover requests	Must be authenticated as the Insurance Fund contract address
Protocol deployer	Upgrade the market contract with upgrade (no time-lock)	Must authenticate as the deployer address
Lender (User)	Deposit to earn yield (receive jTokens) Withdraw from any obligation type All user functions use ObligationKey — different seeds target different obligation types (standard, earn, pair)	User authentication required (via ObligationKey.user) Sufficient balance Token transfer approval to the contract
Borrower (User)	Borrow against existing collateral Repay borrowed amounts with accrued interest Note: supplied tokens that yield interest are also considered as collateral, and borrows are made against them as well	User authentication required Must have collateral to borrow Must have sufficient tokens to repay
Collateral manager (User)	Add collateral (no interest earned) Remove collateral while maintaining required health/limits	User authentication required Token approval needed to add Existing collateral required to remove
Batch operator (User)	Compose complex strategies via submit_requests_batch (e.g., flash borrow → swap → deposit → borrow in one atomic transaction)	User authentication required Oracle price must be fresh All operations in the batch must individually satisfy their constraints
Liquidator (anyone)	Repay part of an unhealthy borrower's debt Seize discounted collateral (subject to limits/incentive) Can also liquidate within batch operations via LiquidateRequest	Must authenticate as the liquidator address Cannot be the borrower (no self-liquidation)
Bad-debt coverer (anyone)	Issue bad debt cover requests to the Insurance Fund via issue_cover_bad_debt Claim results from the Insurance Fund via claim_cover_bad_debt_results Two-phase permissionless process	Permissionless caller (no privileged auth)
Fee distributor (anyone)	Distribute accumulated pool fees to beneficiaries via distribute_pool_fees or distribute_all_pools_fees	Permissionless caller (no privileged auth)
Reader (anyone)	View user obligations (all types via ObligationKey) View pool state, utilization, fees, liquidity Retrieve oracle prices and decimals List pools and obligations View APR/APY Retrieve global market state View queued updates	Public (no authentication)
Flash loan taker (contract)	Execute atomic flash loans for arbitrage, liquidations, collateral swaps, or refinancing	Contract authentication required Callback must implement the flash-loan client interface Must repay principal + fee in the same transaction