Approval groups let you define which users must approve specific workspace configuration changes, giving you more granular control than the default Admin Quorum.
By default, all workspace actions require approval from the Admin Quorum. For each action, you can control whether Owner approval is required, and optionally replace the Admin Quorum with a designated user group and a custom approval threshold.
Any user in the approval group has the authority to deny a request before the required threshold is met. Only users with sufficient user role permissions count toward the threshold. Users without permission for a specific action do not count toward the threshold, even if they are part of the user group assigned to the action.
If the number of users within the approval group falls below the specified threshold, you must reconfigure the approval group with an appropriate threshold. Otherwise, approval requests won't be delivered to the approval group users, and they will be unable to approve workspace actions.
Actions requiring approval
Actions that can be assigned to an approval group include:
- Whitelisting addresses (internal wallets, external wallets, and smart contracts)
- Allowlisting IP addresses for Console access
- Allowing the use of one-time addresses in the workspace
- Changing the Policies
- Managing workspace users (Console and API users)
- Re-enrolling devices
- Managing user groups
- Adding Fireblocks P2P Network connections
- Setting deposit routing for Fireblocks P2P Network profiles
- Connecting exchange accounts
- Connecting fiat accounts
- Managing Automation rules
Example
The approval group assigned to whitelisting addresses consists of a user group with six users. The approval threshold for whitelisting an address is three users, and does not require Owner approval.
- A user submits a request to whitelist an address.
- The six users in the approval group receive an approval notification in their Fireblocks mobile app.
- If at least three of them approve the request before anyone denies it, the request is approved and the address is whitelisted; if any user denies the request before the threshold is met, the request is rejected and the address is not whitelisted.
Default settings
By default, all actions are assigned to your Admin Quorum and must be approved according to its settings. For some actions, the Owner's approval is mandatory:
- Allowing the use of one-time addresses in the workspace
- Changing the Policies
- Managing workspace users
- Re-enrolling devices
- Managing user groups
The default settings apply until you configure approval groups with different settings for them.
Before you begin
- Approval groups are not available in Cold Wallet workspaces.
- The user groups you want to assign must already exist. Learn more about user group management.
- Users can only participate in an approval group if they have completed the onboarding process and are listed as
Activeon the Users page. This requires a paired mobile device, so Viewers and Editors cannot participate in approval groups.
Important: If you set an approval group to be fully controlled by API users, you assume the risk of securing your API key(s). If compromised, malicious actors will be able to authorize changes to your workspace without human oversight. Fireblocks recommends having a trusted person manually review low-volume, security-sensitive configurations.
Configuring approval groups
To configure the approval group assigned to an action:
- Go to Settings > Quorums.
- In the Approval groups section, actions are organized into categories. Select a category to expand or collapse it, then select Edit on the action you want to configure.
- In the dialog, under Owner approval, select or clear Requires workspace owner approval.
- Under Approval permission, select either Requires approval of the admin quorum or Requires approval of a specific group.
- If you selected a specific group, choose the group from the Group dropdown, then enter the number of required approvals in the Threshold field.
- Select Save.
The approval group changes must be approved by your Admin Quorum and workspace Owner.