From 070a951dd3c68addd2ccb2cfd2655159be6a44ee Mon Sep 17 00:00:00 2001
From: runtianz <runtian@aptoslabs.com>
Date: Thu, 29 Aug 2024 16:06:00 -0700
Subject: [PATCH] create permissioned signer example

---
 .../aptos-framework/doc/aptos_account.md      |   1 +
 .../doc/dispatchable_fungible_asset.md        |   1 +
 .../aptos-framework/doc/fungible_asset.md     | 167 +++++++
 .../framework/aptos-framework/doc/overview.md |   1 +
 .../doc/permissioned_signer.md                | 407 ++++++++++++++++++
 .../sources/aptos_account.move                |   1 +
 .../sources/dispatchable_fungible_asset.move  |   1 +
 .../sources/fungible_asset.move               |  98 ++++-
 .../sources/permissioned_signer.move          | 213 +++++++++
 .../tests/permissioned_signer_tests.move      | 104 +++++
 10 files changed, 993 insertions(+), 1 deletion(-)
 create mode 100644 aptos-move/framework/aptos-framework/doc/permissioned_signer.md
 create mode 100644 aptos-move/framework/aptos-framework/sources/permissioned_signer.move
 create mode 100644 aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move

diff --git a/aptos-move/framework/aptos-framework/doc/aptos_account.md b/aptos-move/framework/aptos-framework/doc/aptos_account.md
index 33cd0ff87e5a1..6b4c97226eece 100644
--- a/aptos-move/framework/aptos-framework/doc/aptos_account.md
+++ b/aptos-move/framework/aptos-framework/doc/aptos_account.md
@@ -605,6 +605,7 @@ to transfer APT) - if we want to allow APT PFS without account itself
     // <b>as</b> APT cannot be frozen or have dispatch, and PFS cannot be transfered
     // (PFS could potentially be burned. regular transfer would permanently unburn the store.
     // Ignoring the check here <b>has</b> the equivalent of unburning, transfers, and then burning again)
+    <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check_by_address">fungible_asset::withdraw_permission_check_by_address</a>(source, @aptos_fungible_asset, amount);
     <a href="fungible_asset.md#0x1_fungible_asset_deposit_internal">fungible_asset::deposit_internal</a>(recipient_store, <a href="fungible_asset.md#0x1_fungible_asset_withdraw_internal">fungible_asset::withdraw_internal</a>(sender_store, amount));
 }
 </code></pre>
diff --git a/aptos-move/framework/aptos-framework/doc/dispatchable_fungible_asset.md b/aptos-move/framework/aptos-framework/doc/dispatchable_fungible_asset.md
index b3b76f108128c..da71484cc0c00 100644
--- a/aptos-move/framework/aptos-framework/doc/dispatchable_fungible_asset.md
+++ b/aptos-move/framework/aptos-framework/doc/dispatchable_fungible_asset.md
@@ -220,6 +220,7 @@ The semantics of deposit will be governed by the function specified in DispatchF
     amount: u64,
 ): FungibleAsset <b>acquires</b> <a href="dispatchable_fungible_asset.md#0x1_dispatchable_fungible_asset_TransferRefStore">TransferRefStore</a> {
     <a href="fungible_asset.md#0x1_fungible_asset_withdraw_sanity_check">fungible_asset::withdraw_sanity_check</a>(owner, store, <b>false</b>);
+    <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check">fungible_asset::withdraw_permission_check</a>(owner, store, amount);
     <b>let</b> func_opt = <a href="fungible_asset.md#0x1_fungible_asset_withdraw_dispatch_function">fungible_asset::withdraw_dispatch_function</a>(store);
     <b>if</b> (<a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option_is_some">option::is_some</a>(&func_opt)) {
         <b>assert</b>!(
diff --git a/aptos-move/framework/aptos-framework/doc/fungible_asset.md b/aptos-move/framework/aptos-framework/doc/fungible_asset.md
index f12ee14942b4f..1b35c009125da 100644
--- a/aptos-move/framework/aptos-framework/doc/fungible_asset.md
+++ b/aptos-move/framework/aptos-framework/doc/fungible_asset.md
@@ -20,6 +20,7 @@ metadata object can be any object that equipped with <code><a href="fungible_ass
 -  [Struct `TransferRef`](#0x1_fungible_asset_TransferRef)
 -  [Struct `BurnRef`](#0x1_fungible_asset_BurnRef)
 -  [Struct `MutateMetadataRef`](#0x1_fungible_asset_MutateMetadataRef)
+-  [Struct `WithdrawPermission`](#0x1_fungible_asset_WithdrawPermission)
 -  [Struct `Deposit`](#0x1_fungible_asset_Deposit)
 -  [Struct `Withdraw`](#0x1_fungible_asset_Withdraw)
 -  [Struct `Frozen`](#0x1_fungible_asset_Frozen)
@@ -75,6 +76,8 @@ metadata object can be any object that equipped with <code><a href="fungible_ass
 -  [Function `create_store`](#0x1_fungible_asset_create_store)
 -  [Function `remove_store`](#0x1_fungible_asset_remove_store)
 -  [Function `withdraw`](#0x1_fungible_asset_withdraw)
+-  [Function `withdraw_permission_check`](#0x1_fungible_asset_withdraw_permission_check)
+-  [Function `withdraw_permission_check_by_address`](#0x1_fungible_asset_withdraw_permission_check_by_address)
 -  [Function `withdraw_sanity_check`](#0x1_fungible_asset_withdraw_sanity_check)
 -  [Function `deposit_sanity_check`](#0x1_fungible_asset_deposit_sanity_check)
 -  [Function `deposit`](#0x1_fungible_asset_deposit)
@@ -105,6 +108,8 @@ metadata object can be any object that equipped with <code><a href="fungible_ass
 -  [Function `upgrade_to_concurrent`](#0x1_fungible_asset_upgrade_to_concurrent)
 -  [Function `upgrade_store_to_concurrent`](#0x1_fungible_asset_upgrade_store_to_concurrent)
 -  [Function `ensure_store_upgraded_to_concurrent_internal`](#0x1_fungible_asset_ensure_store_upgraded_to_concurrent_internal)
+-  [Function `grant_permission`](#0x1_fungible_asset_grant_permission)
+-  [Function `revoke_permission`](#0x1_fungible_asset_revoke_permission)
 -  [Specification](#@Specification_1)
     -  [High-level Requirements](#high-level-req)
     -  [Module-level Specification](#module-level-spec)
@@ -118,6 +123,7 @@ metadata object can be any object that equipped with <code><a href="fungible_ass
 <b>use</b> <a href="function_info.md#0x1_function_info">0x1::function_info</a>;
 <b>use</b> <a href="object.md#0x1_object">0x1::object</a>;
 <b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/option.md#0x1_option">0x1::option</a>;
+<b>use</b> <a href="permissioned_signer.md#0x1_permissioned_signer">0x1::permissioned_signer</a>;
 <b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">0x1::signer</a>;
 <b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/string.md#0x1_string">0x1::string</a>;
 </code></pre>
@@ -557,6 +563,33 @@ MutateMetadataRef can be used to directly modify the fungible asset's Metadata.
 </dl>
 
 
+</details>
+
+<a id="0x1_fungible_asset_WithdrawPermission"></a>
+
+## Struct `WithdrawPermission`
+
+
+
+<pre><code><b>struct</b> <a href="fungible_asset.md#0x1_fungible_asset_WithdrawPermission">WithdrawPermission</a> <b>has</b> <b>copy</b>, drop, store
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>metadata_address: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
 </details>
 
 <a id="0x1_fungible_asset_Deposit"></a>
@@ -1135,6 +1168,16 @@ Provided withdraw function type doesn't meet the signature requirement.
 
 
 
+<a id="0x1_fungible_asset_EWITHDRAW_PERMISSION_DENIED"></a>
+
+signer don't have the permission to perform withdraw operation
+
+
+<pre><code><b>const</b> <a href="fungible_asset.md#0x1_fungible_asset_EWITHDRAW_PERMISSION_DENIED">EWITHDRAW_PERMISSION_DENIED</a>: u64 = 34;
+</code></pre>
+
+
+
 <a id="0x1_fungible_asset_MAX_DECIMALS"></a>
 
 
@@ -2675,12 +2718,75 @@ Withdraw <code>amount</code> of the fungible asset from <code>store</code> by th
     amount: u64,
 ): <a href="fungible_asset.md#0x1_fungible_asset_FungibleAsset">FungibleAsset</a> <b>acquires</b> <a href="fungible_asset.md#0x1_fungible_asset_FungibleStore">FungibleStore</a>, <a href="fungible_asset.md#0x1_fungible_asset_DispatchFunctionStore">DispatchFunctionStore</a>, <a href="fungible_asset.md#0x1_fungible_asset_ConcurrentFungibleBalance">ConcurrentFungibleBalance</a> {
     <a href="fungible_asset.md#0x1_fungible_asset_withdraw_sanity_check">withdraw_sanity_check</a>(owner, store, <b>true</b>);
+    <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check">withdraw_permission_check</a>(owner, store, amount);
     <a href="fungible_asset.md#0x1_fungible_asset_withdraw_internal">withdraw_internal</a>(<a href="object.md#0x1_object_object_address">object::object_address</a>(&store), amount)
 }
 </code></pre>
 
 
 
+</details>
+
+<a id="0x1_fungible_asset_withdraw_permission_check"></a>
+
+## Function `withdraw_permission_check`
+
+Check the permission for withdraw operation.
+
+
+<pre><code><b>public</b>(<b>friend</b>) <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check">withdraw_permission_check</a>&lt;T: key&gt;(owner: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, store: <a href="object.md#0x1_object_Object">object::Object</a>&lt;T&gt;, amount: u64)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b>(<b>friend</b>) <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check">withdraw_permission_check</a>&lt;T: key&gt;(
+    owner: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    store: Object&lt;T&gt;,
+    amount: u64,
+) <b>acquires</b> <a href="fungible_asset.md#0x1_fungible_asset_FungibleStore">FungibleStore</a> {
+    <b>assert</b>!(<a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">permissioned_signer::check_permission</a>(owner, amount <b>as</b> u256, <a href="fungible_asset.md#0x1_fungible_asset_WithdrawPermission">WithdrawPermission</a> {
+        metadata_address: <a href="object.md#0x1_object_object_address">object::object_address</a>(&<a href="fungible_asset.md#0x1_fungible_asset_borrow_store_resource">borrow_store_resource</a>(&store).metadata)
+    }), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="fungible_asset.md#0x1_fungible_asset_EWITHDRAW_PERMISSION_DENIED">EWITHDRAW_PERMISSION_DENIED</a>));
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_fungible_asset_withdraw_permission_check_by_address"></a>
+
+## Function `withdraw_permission_check_by_address`
+
+Check the permission for withdraw operation.
+
+
+<pre><code><b>public</b>(<b>friend</b>) <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check_by_address">withdraw_permission_check_by_address</a>(owner: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, metadata_address: <b>address</b>, amount: u64)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b>(<b>friend</b>) <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_withdraw_permission_check_by_address">withdraw_permission_check_by_address</a>(
+    owner: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    metadata_address: <b>address</b>,
+    amount: u64,
+) {
+    <b>assert</b>!(<a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">permissioned_signer::check_permission</a>(owner, amount <b>as</b> u256, <a href="fungible_asset.md#0x1_fungible_asset_WithdrawPermission">WithdrawPermission</a> {
+        metadata_address,
+    }), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="fungible_asset.md#0x1_fungible_asset_EWITHDRAW_PERMISSION_DENIED">EWITHDRAW_PERMISSION_DENIED</a>));
+}
+</code></pre>
+
+
+
 </details>
 
 <a id="0x1_fungible_asset_withdraw_sanity_check"></a>
@@ -3672,6 +3778,67 @@ Ensure a known <code><a href="fungible_asset.md#0x1_fungible_asset_FungibleStore
 
 
 
+</details>
+
+<a id="0x1_fungible_asset_grant_permission"></a>
+
+## Function `grant_permission`
+
+Permission management
+
+Master signer grant permissioned signer ability to withdraw a given amount of fungible asset.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_grant_permission">grant_permission</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, token_type: <a href="object.md#0x1_object_Object">object::Object</a>&lt;<a href="fungible_asset.md#0x1_fungible_asset_Metadata">fungible_asset::Metadata</a>&gt;, amount: u64)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_grant_permission">grant_permission</a>(
+    master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>,
+    token_type: Object&lt;<a href="fungible_asset.md#0x1_fungible_asset_Metadata">Metadata</a>&gt;,
+    amount: u64
+) {
+    <a href="permissioned_signer.md#0x1_permissioned_signer_authorize">permissioned_signer::authorize</a>(permissioned, amount <b>as</b> u256, master, <a href="fungible_asset.md#0x1_fungible_asset_WithdrawPermission">WithdrawPermission</a> {
+        metadata_address: <a href="object.md#0x1_object_object_address">object::object_address</a>(&token_type),
+    })
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_fungible_asset_revoke_permission"></a>
+
+## Function `revoke_permission`
+
+Removing permissions from permissioned signer.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_revoke_permission">revoke_permission</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, token_type: <a href="object.md#0x1_object_Object">object::Object</a>&lt;<a href="fungible_asset.md#0x1_fungible_asset_Metadata">fungible_asset::Metadata</a>&gt;)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="fungible_asset.md#0x1_fungible_asset_revoke_permission">revoke_permission</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, token_type: Object&lt;<a href="fungible_asset.md#0x1_fungible_asset_Metadata">Metadata</a>&gt;) {
+    <a href="permissioned_signer.md#0x1_permissioned_signer_revoke_permission">permissioned_signer::revoke_permission</a>(permissioned, <a href="fungible_asset.md#0x1_fungible_asset_WithdrawPermission">WithdrawPermission</a> {
+        metadata_address: <a href="object.md#0x1_object_object_address">object::object_address</a>(&token_type),
+    })
+}
+</code></pre>
+
+
+
 </details>
 
 <a id="@Specification_1"></a>
diff --git a/aptos-move/framework/aptos-framework/doc/overview.md b/aptos-move/framework/aptos-framework/doc/overview.md
index 314baa3612ba9..7ad32f3ea8ec0 100644
--- a/aptos-move/framework/aptos-framework/doc/overview.md
+++ b/aptos-move/framework/aptos-framework/doc/overview.md
@@ -46,6 +46,7 @@ This is the reference documentation of the Aptos framework.
 -  [`0x1::object`](object.md#0x1_object)
 -  [`0x1::object_code_deployment`](object_code_deployment.md#0x1_object_code_deployment)
 -  [`0x1::optional_aggregator`](optional_aggregator.md#0x1_optional_aggregator)
+-  [`0x1::permissioned_signer`](permissioned_signer.md#0x1_permissioned_signer)
 -  [`0x1::primary_fungible_store`](primary_fungible_store.md#0x1_primary_fungible_store)
 -  [`0x1::randomness`](randomness.md#0x1_randomness)
 -  [`0x1::randomness_api_v0_config`](randomness_api_v0_config.md#0x1_randomness_api_v0_config)
diff --git a/aptos-move/framework/aptos-framework/doc/permissioned_signer.md b/aptos-move/framework/aptos-framework/doc/permissioned_signer.md
new file mode 100644
index 0000000000000..7ce1dc5f35872
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/doc/permissioned_signer.md
@@ -0,0 +1,407 @@
+
+<a id="0x1_permissioned_signer"></a>
+
+# Module `0x1::permissioned_signer`
+
+A _permissioned signer_ consists of a pair of the original signer and a generated
+signer which is used store information about associated permissions.
+
+A permissioned signer behaves compatible with the original signer as it comes to <code><b>move_to</b></code>, <code>address_of</code>, and
+existing basic signer functionality. However, the permissions can be queried to assert additional
+restrictions on the use of the signer.
+
+A client which is interested in restricting access granted via a signer can create a permissioned signer
+and pass on to other existing code without changes to existing APIs. Core functions in the framework, for
+example account functions, can then assert availability of permissions, effectively restricting
+existing code in a compatible way.
+
+After introducing the core functionality, examples are provided for withdraw limit on accounts, and
+for blind signing.
+
+
+-  [Struct `PermissionedHandle`](#0x1_permissioned_signer_PermissionedHandle)
+-  [Resource `PermStorage`](#0x1_permissioned_signer_PermStorage)
+-  [Constants](#@Constants_0)
+-  [Function `create_permissioned_signer`](#0x1_permissioned_signer_create_permissioned_signer)
+-  [Function `destroy_permissioned_signer`](#0x1_permissioned_signer_destroy_permissioned_signer)
+-  [Function `authorize`](#0x1_permissioned_signer_authorize)
+-  [Function `check_permission`](#0x1_permissioned_signer_check_permission)
+-  [Function `capacity`](#0x1_permissioned_signer_capacity)
+-  [Function `revoke_permission`](#0x1_permissioned_signer_revoke_permission)
+-  [Function `is_permissioned_signer`](#0x1_permissioned_signer_is_permissioned_signer)
+-  [Function `permission_signer`](#0x1_permissioned_signer_permission_signer)
+-  [Function `signer_from_permissioned`](#0x1_permissioned_signer_signer_from_permissioned)
+
+
+<pre><code><b>use</b> <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any">0x1::copyable_any</a>;
+<b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error">0x1::error</a>;
+<b>use</b> <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">0x1::signer</a>;
+<b>use</b> <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table">0x1::smart_table</a>;
+<b>use</b> <a href="transaction_context.md#0x1_transaction_context">0x1::transaction_context</a>;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_PermissionedHandle"></a>
+
+## Struct `PermissionedHandle`
+
+
+
+<pre><code><b>struct</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> <b>has</b> store
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>master_addr: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+<dt>
+<code>permission_addr: <b>address</b></code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
+</details>
+
+<a id="0x1_permissioned_signer_PermStorage"></a>
+
+## Resource `PermStorage`
+
+=====================================================================================================
+Permission Management
+
+
+<pre><code><b>struct</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> <b>has</b> key
+</code></pre>
+
+
+
+<details>
+<summary>Fields</summary>
+
+
+<dl>
+<dt>
+<code>perms: <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_SmartTable">smart_table::SmartTable</a>&lt;<a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_Any">copyable_any::Any</a>, u256&gt;</code>
+</dt>
+<dd>
+
+</dd>
+</dl>
+
+
+</details>
+
+<a id="@Constants_0"></a>
+
+## Constants
+
+
+<a id="0x1_permissioned_signer_ECANNOT_AUTHORIZE"></a>
+
+Cannot authorize a permission.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_AUTHORIZE">ECANNOT_AUTHORIZE</a>: u64 = 2;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_ENOT_MASTER_SIGNER"></a>
+
+Trying to grant permission using master signer.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_MASTER_SIGNER">ENOT_MASTER_SIGNER</a>: u64 = 1;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER"></a>
+
+Access permission information from a master signer.
+
+
+<pre><code><b>const</b> <a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_PERMISSIONED_SIGNER">ENOT_PERMISSIONED_SIGNER</a>: u64 = 3;
+</code></pre>
+
+
+
+<a id="0x1_permissioned_signer_create_permissioned_signer"></a>
+
+## Function `create_permissioned_signer`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_signer">create_permissioned_signer</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_create_permissioned_signer">create_permissioned_signer</a>(master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> {
+    <b>assert</b>!(!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(master), <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ENOT_MASTER_SIGNER">ENOT_MASTER_SIGNER</a>));
+    // Do we need <b>to</b> <b>move</b> sth similar <b>to</b> ObjectCore <b>to</b> register this <b>address</b> <b>as</b> permission <b>address</b>?
+    <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> {
+        master_addr: address_of(master),
+        permission_addr: generate_auid_address(),
+    }
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_destroy_permissioned_signer"></a>
+
+## Function `destroy_permissioned_signer`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_destroy_permissioned_signer">destroy_permissioned_signer</a>(p: <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_destroy_permissioned_signer">destroy_permissioned_signer</a>(p: <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a>) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>let</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a> { master_addr: _, permission_addr } = p;
+    <b>let</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> { perms } = <b>move_from</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_addr);
+    <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_destroy">smart_table::destroy</a>(perms);
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_authorize"></a>
+
+## Function `authorize`
+
+Authorizes <code>permissioned</code> with the given permission. This requires to have access to the <code>master</code>
+signer.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_authorize">authorize</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, capacity: u256, master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_authorize">authorize</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, capacity: u256, master: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>assert</b>!(
+        <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(permissioned) &&
+        !<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(master) &&
+        address_of(master) == address_of(permissioned),
+        <a href="../../aptos-stdlib/../move-stdlib/doc/error.md#0x1_error_permission_denied">error::permission_denied</a>(<a href="permissioned_signer.md#0x1_permissioned_signer_ECANNOT_AUTHORIZE">ECANNOT_AUTHORIZE</a>)
+    );
+    <b>let</b> permission_signer = <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned);
+    <b>let</b> permission_signer_addr = address_of(&permission_signer);
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr)) {
+        <b>move_to</b>(&permission_signer, <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> { perms: <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_new">smart_table::new</a>()});
+    };
+    <b>let</b> perms = &<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(permission_signer_addr).perms;
+    <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_add">smart_table::add</a>(perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm), capacity);
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_check_permission"></a>
+
+## Function `check_permission`
+
+Asserts that the given signer has permission <code>PermKey</code>, and the capacity
+to handle <code>weight</code>, which will be subtracted from capacity.
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">check_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, weight: u256, perm: PermKey): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_check_permission">check_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, weight: u256, perm: PermKey): bool <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>if</b> (!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s)) {
+        // master <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a> <b>has</b> all permissions
+        <b>return</b> <b>true</b>
+    };
+    <b>let</b> addr = address_of(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(s));
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr)) {
+        <b>return</b> <b>false</b>
+    };
+    <b>let</b> perm = <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow_mut">smart_table::borrow_mut</a>(&<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm));
+    <b>if</b>(*perm &lt; weight) {
+        <b>return</b> <b>false</b>
+    };
+    *perm = *perm - weight;
+    <b>return</b> <b>true</b>
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_capacity"></a>
+
+## Function `capacity`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_capacity">capacity</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey): u256
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_capacity">capacity</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey): u256 <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    *<a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_borrow">smart_table::borrow</a>(&<b>borrow_global</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(address_of(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(s))).perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm))
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_revoke_permission"></a>
+
+## Function `revoke_permission`
+
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_revoke_permission">revoke_permission</a>&lt;PermKey: <b>copy</b>, drop, store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey)
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_revoke_permission">revoke_permission</a>&lt;PermKey: <b>copy</b> + drop + store&gt;(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>, perm: PermKey) <b>acquires</b> <a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a> {
+    <b>if</b>(!<a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(permissioned)) {
+        // Master <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a> <b>has</b> no permissions associated <b>with</b> it.
+        <b>return</b>
+    };
+    <b>let</b> addr = address_of(&<a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned));
+    <b>if</b>(!<b>exists</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr)) {
+        <b>return</b>
+    };
+    <a href="../../aptos-stdlib/doc/smart_table.md#0x1_smart_table_remove">smart_table::remove</a>(&<b>mut</b> <b>borrow_global_mut</b>&lt;<a href="permissioned_signer.md#0x1_permissioned_signer_PermStorage">PermStorage</a>&gt;(addr).perms, <a href="../../aptos-stdlib/doc/copyable_any.md#0x1_copyable_any_pack">copyable_any::pack</a>(perm));
+}
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_is_permissioned_signer"></a>
+
+## Function `is_permissioned_signer`
+
+Creates a permissioned signer from an existing universal signer. The function aborts if the
+given signer is already a permissioned signer.
+
+The implementation of this function requires to extend the value representation for signers in the VM.
+
+Check whether this is a permissioned signer.
+
+
+<pre><code><b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): bool
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_is_permissioned_signer">is_permissioned_signer</a>(s: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): bool;
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_permission_signer"></a>
+
+## Function `permission_signer`
+
+Return the signer used for storing permissions. Aborts if not a permissioned signer.
+
+
+<pre><code><b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_permission_signer">permission_signer</a>(permissioned: &<a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>;
+</code></pre>
+
+
+
+</details>
+
+<a id="0x1_permissioned_signer_signer_from_permissioned"></a>
+
+## Function `signer_from_permissioned`
+
+
+invariants:
+address_of(master) == address_of(signer_from_permissioned(create_permissioned_signer(master))),
+
+
+<pre><code><b>public</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned">signer_from_permissioned</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">permissioned_signer::PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>
+</code></pre>
+
+
+
+<details>
+<summary>Implementation</summary>
+
+
+<pre><code><b>public</b> <b>native</b> <b>fun</b> <a href="permissioned_signer.md#0x1_permissioned_signer_signer_from_permissioned">signer_from_permissioned</a>(p: &<a href="permissioned_signer.md#0x1_permissioned_signer_PermissionedHandle">PermissionedHandle</a>): <a href="../../aptos-stdlib/../move-stdlib/doc/signer.md#0x1_signer">signer</a>;
+</code></pre>
+
+
+
+</details>
+
+
+[move-book]: https://aptos.dev/move/book/SUMMARY
diff --git a/aptos-move/framework/aptos-framework/sources/aptos_account.move b/aptos-move/framework/aptos-framework/sources/aptos_account.move
index 34addca77cf28..e13a84be4772f 100644
--- a/aptos-move/framework/aptos-framework/sources/aptos_account.move
+++ b/aptos-move/framework/aptos-framework/sources/aptos_account.move
@@ -210,6 +210,7 @@ module aptos_framework::aptos_account {
         // as APT cannot be frozen or have dispatch, and PFS cannot be transfered
         // (PFS could potentially be burned. regular transfer would permanently unburn the store.
         // Ignoring the check here has the equivalent of unburning, transfers, and then burning again)
+        fungible_asset::withdraw_permission_check_by_address(source, @aptos_fungible_asset, amount);
         fungible_asset::deposit_internal(recipient_store, fungible_asset::withdraw_internal(sender_store, amount));
     }
 
diff --git a/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move b/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move
index 5a70aff95d2c1..37c16214fd879 100644
--- a/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move
+++ b/aptos-move/framework/aptos-framework/sources/dispatchable_fungible_asset.move
@@ -77,6 +77,7 @@ module aptos_framework::dispatchable_fungible_asset {
         amount: u64,
     ): FungibleAsset acquires TransferRefStore {
         fungible_asset::withdraw_sanity_check(owner, store, false);
+        fungible_asset::withdraw_permission_check(owner, store, amount);
         let func_opt = fungible_asset::withdraw_dispatch_function(store);
         if (option::is_some(&func_opt)) {
             assert!(
diff --git a/aptos-move/framework/aptos-framework/sources/fungible_asset.move b/aptos-move/framework/aptos-framework/sources/fungible_asset.move
index 946d7b05eb415..adde6ff33a1a9 100644
--- a/aptos-move/framework/aptos-framework/sources/fungible_asset.move
+++ b/aptos-move/framework/aptos-framework/sources/fungible_asset.move
@@ -6,6 +6,7 @@ module aptos_framework::fungible_asset {
     use aptos_framework::event;
     use aptos_framework::function_info::{Self, FunctionInfo};
     use aptos_framework::object::{Self, Object, ConstructorRef, DeleteRef, ExtendRef};
+    use aptos_framework::permissioned_signer;
     use std::string;
     use std::features;
 
@@ -87,7 +88,8 @@ module aptos_framework::fungible_asset {
     const ECONCURRENT_BALANCE_NOT_ENABLED: u64 = 32;
     /// Provided derived_supply function type doesn't meet the signature requirement.
     const EDERIVED_SUPPLY_FUNCTION_SIGNATURE_MISMATCH: u64 = 33;
-
+    /// signer don't have the permission to perform withdraw operation
+    const EWITHDRAW_PERMISSION_DENIED: u64 = 34;
     //
     // Constants
     //
@@ -194,6 +196,10 @@ module aptos_framework::fungible_asset {
         metadata: Object<Metadata>
     }
 
+    struct WithdrawPermission has copy, drop, store {
+        metadata_address: address,
+    }
+
     #[event]
     /// Emitted when fungible assets are deposited into a store.
     struct Deposit has drop, store {
@@ -785,9 +791,32 @@ module aptos_framework::fungible_asset {
         amount: u64,
     ): FungibleAsset acquires FungibleStore, DispatchFunctionStore, ConcurrentFungibleBalance {
         withdraw_sanity_check(owner, store, true);
+        withdraw_permission_check(owner, store, amount);
         withdraw_internal(object::object_address(&store), amount)
     }
 
+    /// Check the permission for withdraw operation.
+    public(friend) fun withdraw_permission_check<T: key>(
+        owner: &signer,
+        store: Object<T>,
+        amount: u64,
+    ) acquires FungibleStore {
+        assert!(permissioned_signer::check_permission(owner, amount as u256, WithdrawPermission {
+            metadata_address: object::object_address(&borrow_store_resource(&store).metadata)
+        }), error::permission_denied(EWITHDRAW_PERMISSION_DENIED));
+    }
+
+    /// Check the permission for withdraw operation.
+    public(friend) fun withdraw_permission_check_by_address(
+        owner: &signer,
+        metadata_address: address,
+        amount: u64,
+    ) {
+        assert!(permissioned_signer::check_permission(owner, amount as u256, WithdrawPermission {
+            metadata_address,
+        }), error::permission_denied(EWITHDRAW_PERMISSION_DENIED));
+    }
+
     /// Check the permission for withdraw operation.
     public(friend) fun withdraw_sanity_check<T: key>(
         owner: &signer,
@@ -1179,6 +1208,32 @@ module aptos_framework::fungible_asset {
         move_to(&object_signer, ConcurrentFungibleBalance { balance });
     }
 
+    /// Permission management
+    ///
+    /// Master signer grant permissioned signer ability to withdraw a given amount of fungible asset.
+    public fun grant_permission(
+        master: &signer,
+        permissioned: &signer,
+        token_type: Object<Metadata>,
+        amount: u64
+    ) {
+        permissioned_signer::authorize(
+            master,
+            permissioned,
+            amount as u256,
+            WithdrawPermission {
+                metadata_address: object::object_address(&token_type),
+            }
+        )
+    }
+
+    /// Removing permissions from permissioned signer.
+    public fun revoke_permission(permissioned: &signer, token_type: Object<Metadata>) {
+        permissioned_signer::revoke_permission(permissioned, WithdrawPermission {
+            metadata_address: object::object_address(&token_type),
+        })
+    }
+
     #[test_only]
     use aptos_framework::account;
 
@@ -1541,6 +1596,47 @@ module aptos_framework::fungible_asset {
         assert!(aggregator_v2::read(&borrow_global<ConcurrentFungibleBalance>(object::object_address(&creator_store)).balance) == 30, 12);
     }
 
+    #[test(creator = @0xcafe, aaron = @0xface)]
+    fun test_e2e_withdraw_limit(
+        creator: &signer,
+        aaron: &signer,
+    ) acquires FungibleStore, Supply, ConcurrentSupply, DispatchFunctionStore, ConcurrentFungibleBalance {
+        let (mint_ref, _, _, _, test_token) = create_fungible_asset(creator);
+        let metadata = mint_ref.metadata;
+        let creator_store = create_test_store(creator, metadata);
+        let aaron_store = create_test_store(aaron, metadata);
+
+        assert!(supply(test_token) == option::some(0), 1);
+        // Mint
+        let fa = mint(&mint_ref, 100);
+        assert!(supply(test_token) == option::some(100), 2);
+        // Deposit
+        deposit(creator_store, fa);
+        // Withdraw
+        let fa = withdraw(creator, creator_store, 80);
+        assert!(supply(test_token) == option::some(100), 3);
+        deposit(aaron_store, fa);
+
+        // Create a permissioned signer
+        let aaron_permission_handle = permissioned_signer::create_permissioned_handle(aaron);
+        let aaron_permission_signer = permissioned_signer::signer_from_permissioned(&aaron_permission_handle);
+
+        // Grant aaron_permission_signer permission to withdraw 10 apt
+        grant_permission(aaron, &aaron_permission_signer, metadata, 10);
+
+        let fa = withdraw(&aaron_permission_signer, aaron_store, 5);
+        deposit(aaron_store, fa);
+
+        let fa = withdraw(&aaron_permission_signer, aaron_store, 5);
+        deposit(aaron_store, fa);
+
+        // aaron signer don't abide to the same limit
+        let fa = withdraw(aaron, aaron_store, 5);
+        deposit(aaron_store, fa);
+
+        permissioned_signer::destroy_permissioned_handle(aaron_permission_handle);
+    }
+
     #[deprecated]
     #[resource_group_member(group = aptos_framework::object::ObjectGroup)]
     struct FungibleAssetEvents has key {
diff --git a/aptos-move/framework/aptos-framework/sources/permissioned_signer.move b/aptos-move/framework/aptos-framework/sources/permissioned_signer.move
new file mode 100644
index 0000000000000..5d2c219cd3ba3
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/sources/permissioned_signer.move
@@ -0,0 +1,213 @@
+/// A _permissioned signer_ consists of a pair of the original signer and a generated
+/// signer which is used store information about associated permissions.
+///
+/// A permissioned signer behaves compatible with the original signer as it comes to `move_to`, `address_of`, and
+/// existing basic signer functionality. However, the permissions can be queried to assert additional
+/// restrictions on the use of the signer.
+///
+/// A client which is interested in restricting access granted via a signer can create a permissioned signer
+/// and pass on to other existing code without changes to existing APIs. Core functions in the framework, for
+/// example account functions, can then assert availability of permissions, effectively restricting
+/// existing code in a compatible way.
+///
+/// After introducing the core functionality, examples are provided for withdraw limit on accounts, and
+/// for blind signing.
+module aptos_framework::permissioned_signer {
+    use std::signer::address_of;
+    use std::error;
+    use std::option::{Option, Self};
+    use aptos_std::copyable_any::{Self, Any};
+    use aptos_std::smart_table::{Self, SmartTable};
+    use aptos_framework::transaction_context::generate_auid_address;
+
+
+    /// Trying to grant permission using master signer.
+    const ENOT_MASTER_SIGNER: u64 = 1;
+
+    /// Cannot authorize a permission.
+    const ECANNOT_AUTHORIZE: u64 = 2;
+
+    /// Access permission information from a master signer.
+    const ENOT_PERMISSIONED_SIGNER: u64 = 3;
+
+    /// signer doesn't have enough capacity to extract permission.
+    const ECANNOT_EXTRACT_PERMISSION: u64 = 4;
+
+    struct PermissionedHandle has store {
+        master_addr: address,
+        permission_addr: address,
+    }
+
+    struct PermStorage has key {
+        perms: SmartTable<Any, u256>,
+    }
+
+    struct Permission<K> {
+        key: K,
+        capacity: u256,
+    }
+
+    public fun create_permissioned_handle(master: &signer): PermissionedHandle {
+        assert!(!is_permissioned_signer(master), error::permission_denied(ENOT_MASTER_SIGNER));
+        // Do we need to move sth similar to ObjectCore to register this address as permission address?
+        PermissionedHandle {
+            master_addr: address_of(master),
+            permission_addr: generate_auid_address(),
+        }
+    }
+
+    public fun destroy_permissioned_handle(p: PermissionedHandle) acquires PermStorage {
+        let PermissionedHandle { master_addr: _, permission_addr } = p;
+        let PermStorage { perms } = move_from<PermStorage>(permission_addr);
+        smart_table::destroy(perms);
+    }
+
+    /// =====================================================================================================
+    /// Permission Management
+    ///
+
+    /// Authorizes `permissioned` with the given permission. This requires to have access to the `master`
+    /// signer.
+    public fun authorize<PermKey: copy + drop + store>(
+        master: &signer,
+        permissioned: &signer,
+        capacity: u256,
+        perm: PermKey
+    ) acquires PermStorage {
+        assert!(
+            is_permissioned_signer(permissioned) &&
+            !is_permissioned_signer(master) &&
+            address_of(master) == address_of(permissioned),
+            error::permission_denied(ECANNOT_AUTHORIZE)
+        );
+        let permission_signer = permission_signer(permissioned);
+        let permission_signer_addr = address_of(&permission_signer);
+        if(!exists<PermStorage>(permission_signer_addr)) {
+            move_to(&permission_signer, PermStorage { perms: smart_table::new()});
+        };
+        let perms = &mut borrow_global_mut<PermStorage>(permission_signer_addr).perms;
+        smart_table::add(perms, copyable_any::pack(perm), capacity);
+    }
+    /// Asserts that the given signer has permission `PermKey`, and the capacity
+    /// to handle `weight`, which will be subtracted from capacity.
+    public fun check_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        weight: u256,
+        perm: PermKey
+    ): bool acquires PermStorage {
+        if (!is_permissioned_signer(s)) {
+            // master signer has all permissions
+            return true
+        };
+        let addr = address_of(&permission_signer(s));
+        if(!exists<PermStorage>(addr)) {
+            return false
+        };
+        let perm = smart_table::borrow_mut(&mut borrow_global_mut<PermStorage>(addr).perms, copyable_any::pack(perm));
+        if(*perm < weight) {
+            return false
+        };
+        *perm = *perm - weight;
+        return true
+    }
+
+    public fun capacity<PermKey: copy + drop + store>(s: &signer, perm: PermKey): Option<u256> acquires PermStorage {
+        assert!(is_permissioned_signer(s), error::permission_denied(ENOT_PERMISSIONED_SIGNER));
+        let addr = address_of(&permission_signer(s));
+        if(!exists<PermStorage>(addr)) {
+            return option::none()
+        };
+        let perm_storage = &borrow_global<PermStorage>(addr).perms;
+        let key = copyable_any::pack(perm);
+        if(smart_table::contains(perm_storage, key)) {
+            option::some(*smart_table::borrow(&borrow_global<PermStorage>(addr).perms, key))
+        } else {
+            option::none()
+        }
+    }
+
+    public fun revoke_permission<PermKey: copy + drop + store>(permissioned: &signer, perm: PermKey) acquires PermStorage {
+        if(!is_permissioned_signer(permissioned)) {
+            // Master signer has no permissions associated with it.
+            return
+        };
+        let addr = address_of(&permission_signer(permissioned));
+        if(!exists<PermStorage>(addr)) {
+            return
+        };
+        smart_table::remove(&mut borrow_global_mut<PermStorage>(addr).perms, copyable_any::pack(perm));
+    }
+
+    /// Another flavor of api to extract and store permissions
+    public fun extract_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        weight: u256,
+        perm: PermKey
+    ): Permission<PermKey> acquires PermStorage {
+        assert!(check_permission(s, weight, perm), error::permission_denied(ECANNOT_EXTRACT_PERMISSION));
+        Permission {
+            key: perm,
+            capacity: weight,
+        }
+    }
+
+    public fun get_key<PermKey>(perm: &Permission<PermKey>): &PermKey {
+        &perm.key
+    }
+
+    public fun consume_permission<PermKey: drop>(
+        perm: &mut Permission<PermKey>,
+        weight: u256,
+        perm_key: PermKey
+    ): bool {
+        if(perm.key != perm_key) {
+            return false
+        };
+        if(perm.capacity >= weight) {
+            perm.capcity = perm.capacity - weight;
+            return true
+        } else {
+            return false
+        }
+    }
+
+    public fun store_permission<PermKey: copy + drop + store>(
+        s: &signer,
+        perm: Permission<PermKey>
+    ) {
+        assert!(is_permissioned_signer(s), error::permission_denied(ENOT_PERMISSIONED_SIGNER));
+        let Permission { key, capacity } = perm;
+
+        let permission_signer = permission_signer(permissioned);
+        let permission_signer_addr = address_of(&permission_signer);
+        if(!exists<PermStorage>(permission_signer_addr)) {
+            move_to(&permission_signer, PermStorage { perms: smart_table::new()});
+        };
+        let perms = &mut borrow_global_mut<PermStorage>(permission_signer_addr).perms;
+        let key = copyable_any::pack(key);
+        if(smart_table::cotains(perms, key)) {
+            let entry = smart_table::borrow_mut(perms, copyable_any::pack(perm));
+            *entry = *entry + capacity;
+        } else {
+            smart_table::add(perms, copyable_any::pack(perm), capacity)
+        }
+    }
+
+    // =====================================================================================================
+    // Native Functions
+
+    /// Creates a permissioned signer from an existing universal signer. The function aborts if the
+    /// given signer is already a permissioned signer.
+    ///
+    /// The implementation of this function requires to extend the value representation for signers in the VM.
+    ///
+    /// Check whether this is a permissioned signer.
+    public native fun is_permissioned_signer(s: &signer): bool;
+    /// Return the signer used for storing permissions. Aborts if not a permissioned signer.
+    native fun permission_signer(permissioned: &signer): signer;
+    ///
+    /// invariants:
+    ///   address_of(master) == address_of(signer_from_permissioned(create_permissioned_handle(master))),
+    ///
+    public native fun signer_from_permissioned(p: &PermissionedHandle): signer;
+}
diff --git a/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move b/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move
new file mode 100644
index 0000000000000..f996e7e7f014d
--- /dev/null
+++ b/aptos-move/framework/aptos-framework/tests/permissioned_signer_tests.move
@@ -0,0 +1,104 @@
+#[test_only]
+module aptos_framework::permissioned_signer_tests {
+    use aptos_framework::permissioned_signer;
+    use std::option;
+    use std::signer;
+
+    struct OnePermission has copy, drop, store {}
+
+    struct AddressPermission has copy, drop, store {
+        addr: address
+    }
+
+
+    #[test(creator = @0xcafe)]
+    fun test_permission_e2e(
+        creator: &signer,
+    ) {
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        assert!(permissioned_signer::is_permissioned_signer(&perm_signer), 1);
+        assert!(!permissioned_signer::is_permissioned_signer(creator), 1);
+        assert!(signer::address_of(&perm_signer) == signer::address_of(creator), 1);
+
+        permissioned_signer::authorize(creator, &perm_signer, 100, OnePermission {});
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::some(100), 1);
+
+        assert!(permissioned_signer::check_permission(&perm_signer, 10, OnePermission {}), 1);
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::some(90), 1);
+
+        permissioned_signer::authorize(creator, &perm_signer, 5, AddressPermission { addr: @0x1 });
+
+        assert!(permissioned_signer::capacity(&perm_signer, AddressPermission { addr: @0x1 }) == option::some(5), 1);
+        assert!(permissioned_signer::capacity(&perm_signer, AddressPermission { addr: @0x2 }) == option::none(), 1);
+
+        // Not enough capacity, check permission should return false
+        assert!(!permissioned_signer::check_permission(&perm_signer, 10, AddressPermission { addr: @0x1 }), 1);
+
+        permissioned_signer::revoke_permission(&perm_signer, OnePermission {});
+        assert!(permissioned_signer::capacity(&perm_signer, OnePermission {}) == option::none(), 1);
+
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    // invalid authorization
+    // 1. master signer is a permissioned signer
+    // 2. permissioned signer is a master signer
+    // 3. permissioned and main signer address mismatch
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_1(
+        creator: &signer,
+    ) {
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        permissioned_signer::authorize(&perm_signer, &perm_signer, 100, OnePermission {});
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_2(
+        creator: &signer,
+    ) {
+        permissioned_signer::authorize(creator, creator, 100, OnePermission {});
+    }
+
+    #[test(creator = @0xcafe, creator2 = @0xbeef)]
+    #[expected_failure(abort_code = 0x50002, location = aptos_framework::permissioned_signer)]
+    fun test_auth_3(
+        creator: &signer,
+        creator2: &signer,
+    ) {
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        permissioned_signer::authorize(creator2, &perm_signer, 100, OnePermission {});
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+    }
+
+    // Accessing capacity on a master signer
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50003, location = aptos_framework::permissioned_signer)]
+    fun test_invalid_capacity(
+        creator: &signer,
+    ) {
+        permissioned_signer::capacity(creator, OnePermission {});
+    }
+
+    // creating permission using a permissioned signer
+    #[test(creator = @0xcafe)]
+    #[expected_failure(abort_code = 0x50001, location = aptos_framework::permissioned_signer)]
+    fun test_invalid_creation(
+        creator: &signer,
+    ) {
+        let perm_handle = permissioned_signer::create_permissioned_handle(creator);
+        let perm_signer = permissioned_signer::signer_from_permissioned(&perm_handle);
+
+        let perm_handle_2 = permissioned_signer::create_permissioned_handle(&perm_signer);
+        permissioned_signer::destroy_permissioned_handle(perm_handle);
+        permissioned_signer::destroy_permissioned_handle(perm_handle_2);
+    }
+}