Skip to main content

Approval groups

Important

In order to assign actions to approval groups, your Fireblocks mobile app must be updated to the latest version to approve the changes.

Additionally, approval groups are not supported in Cold Wallet workspaces.

Overview

Approval groups are a significant component of an organization's operational security and consist of users from a designated user group. Approval groups are designed to facilitate the minimum number of users required to approve specific workspace configuration changes within different workspace domains. For example, you can define groups for approving changes to security and compliance, user management, Fireblocks P2P Network connections, or connecting external accounts. Approval groups operate similarly to the Admin Quorum (which is the default approval group for all actions), but provide a more flexible alternative by allowing you to assign different user groups to approve different types of workspace actions.

Any user in the approval group has the authority to deny a request before the required threshold is met. Only users with sufficient user role permissions count toward the threshold. Users without permission for a specific action do not count toward the threshold, even if they are part of the user group assigned to the action.

If the number of users within the approval group falls below the specified threshold, you must reconfigure the approval group with an appropriate threshold. Otherwise, approval requests won't be delivered to the approval group users, and they will be unable to approve workspace actions.

Approval groups consist of users from a designated user group. Before you can assign an approval group, you must first create the user group. Learn more about User Group Management and Best Practices.

Important

If you set an approval group to be fully controlled by API users, you assume the risk of securing your API key(s). If compromised, malicious actors will be able to authorize changes to your workspace without human oversight. It is recommended to have a trusted person manually review low-volume, security-sensitive configurations.

Screenshot 2024-04-11 at 2.27.11 PM.png

Actions that can be assigned to an approval group include:

  • Whitelisting addresses (internal wallets, external wallets, and smart contracts)
  • Allowlisting IP addresses for Console access
  • Allowing the use of one-time addresses in the workspace
  • Changing the Policies
  • Managing workspace users (Console and API users)
  • Re-enrolling devices
  • Managing user groups
  • Adding Fireblocks P2P Network connections
  • Setting deposit routing for Fireblocks P2P Network profiles
  • Connecting exchange accounts
  • Connecting fiat accounts
  • Managing Automation rules

Note

Only Owners, Admins, and Non-Signing Admins can approve Policy changes. If other user roles, such as Signers, are included in a user group assigned to the Policy approval group, they do not count toward the approval threshold.

Only users who have completed the onboarding process and are listed as Ready in your Fireblocks Console user list (Settings > Users) can participate in an approval group. Users show as Ready after they pair their mobile device to their workspace account and can approve requests. Since a paired mobile device is required, Viewers and Editors cannot participate in approval groups.

Example

The approval group assigned to whitelisting addresses consists of a user group with six users. The approval threshold for whitelisting an address is three users, and does not require Owner approval.

  1. A user submits a request to whitelist an address.
  2. The six users in the approval group receive an approval notification in their Fireblocks mobile app.
  3. If at least three of them approve the request before anyone denies it, the request is approved and the address is whitelisted.
    • If any user denies the request before the threshold is met, the request is rejected and the address is not whitelisted.

Default settings

Note

To assign a user group as an approval group for any action, you must first create the user group. Learn more about User Group Management.

By default, all actions are assigned to your Admin Quorum and must be approved according to its settings. For some actions, the Owner’s approval is mandatory:

  • Allowing the use of one-time addresses in the workspace
  • Changing the Policies
  • Managing workspace users
  • Re-enrolling devices
  • Managing user groups

The default settings apply until you configure approval groups with different settings for them.

Configuring approval groups

To configure the approval group assigned to an action:

  1. Go to Settings > Quorums.
  2. In the Assign approval groups section, select the action whose group configuration you want to change. Actions are grouped into categories, which can be selected to hide or unhide the actions belonging to them.
  3. Select whether to require Owner approval for the action.
  4. Select whether the action requires approval by the Admin Quorum or a specific user group.
  5. If selecting a specific user group, select the number of users from that group that must approve the action. Only users with User Role permissions to complete the action count toward the threshold.
  6. Select Save.
  7. The approval group changes must be approved by your Admin Quorum and workspace Owner.
Was this article helpful?
0 out of 1 found this helpful

Related Articles