Overview
When using the Fireblocks Contracts in Tokenization, you can assign roles for your token contracts. When delegating these roles, such as Default Admin or Minter, you should implement security measures to prevent contract misuse and unauthorized access.
Below is a list of best practices for assigning token contract roles. Since the safest setup can be complex, we’ve detailed three options for basic, intermediate, and advanced security practices. Ultimately, how you assign roles depends on your business needs.
Basic (not recommended)
- Use a single workspace for all tokenization actions.
- Assign all roles to a single vault account.
  - For example, assign the Minter, Pauser, and Default Admin roles to a single vault account.
- Create a very basic Transaction Authorization Policy (TAP) with rules that don’t differentiate between roles.
Intermediate
- Use a single workspace for all tokenization actions.
- Assign each role to a unique vault account.
  - For example, create one vault for minting and another for pausing. Assign the first vault the Minter role and the second vault the Pauser role.
- Create granular TAP rules for each role.
  - For example, create a rule where the Minter role can only call the "mint()" function.
Advanced
- Use multiple workspaces for your tokenization actions.
  - Separate workspaces based on their use and the risk profile that makes sense for your business context.
  - Example:
    - Place powerful roles, such as Default Admin and Upgrader, in one workspace.
    - Place Minting and Burning roles in another workspace.
- Assign each role to a unique vault account.
- Create granular TAP rules for each role.
  - For example, create a rule where the Minter role can only call the "mint()" function.
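
The three options above can be checked mechanically against a planned role layout. The Python below is an added example, not Fireblocks code: it flags vault accounts that hold several roles, vault accounts with no function-level rule, and workspaces that mix powerful roles with minting and burning. The data model is a hypothetical stand-in for your workspace configuration and TAP rules, and every workspace, vault and function name other than mint() is constructed.

```python
from collections import defaultdict

# Hypothetical data model for this example, not a Fireblocks API or TAP schema:
#   assignments: role -> (workspace, vault account)
#   rules: (workspace, vault account) -> allowed contract functions, "*" = any
POWERFUL = {"DEFAULT_ADMIN", "UPGRADER"}  # the split used in the page's example
OPERATIONAL = {"MINTER", "BURNER"}

def audit(assignments, rules):
    """Return (code, detail) findings for a role layout."""
    findings, holders = [], defaultdict(list)
    for role, location in assignments.items():
        holders[location].append(role)
    for (ws, vault), roles in sorted(holders.items()):
        if len(roles) > 1:
            findings.append(("SHARED_VAULT", f"{ws}/{vault}: {', '.join(sorted(roles))}"))
        # A vault with no rule at all is treated like a wildcard rule.
        if "*" in rules.get((ws, vault), {"*"}):
            findings.append(("NO_FUNCTION_RULE", f"{ws}/{vault}"))
    def workspaces(group):
        return {ws for role, (ws, _) in assignments.items() if role in group}
    for ws in sorted(workspaces(POWERFUL) & workspaces(OPERATIONAL)):
        findings.append(("MIXED_WORKSPACE", ws))
    return findings

def tier(assignments, rules):
    """Map the findings onto the basic / intermediate / advanced options."""
    codes = {code for code, _ in audit(assignments, rules)}
    if codes & {"SHARED_VAULT", "NO_FUNCTION_RULE"}:
        return "basic"
    return "intermediate" if "MIXED_WORKSPACE" in codes else "advanced"

# Constructed sample layouts, one per option described above.
BASIC = {r: ("ws-main", "vault-1") for r in ("DEFAULT_ADMIN", "MINTER", "PAUSER")}
BASIC_RULES = {("ws-main", "vault-1"): {"*"}}
INTERMEDIATE = {"DEFAULT_ADMIN": ("ws-main", "vault-admin"),
                "MINTER": ("ws-main", "vault-mint"),
                "PAUSER": ("ws-main", "vault-pause")}
INTERMEDIATE_RULES = {("ws-main", "vault-admin"): {"grantRole", "revokeRole"},
                      ("ws-main", "vault-mint"): {"mint"},
                      ("ws-main", "vault-pause"): {"pause", "unpause"}}
ADVANCED = dict(INTERMEDIATE, DEFAULT_ADMIN=("ws-admin", "vault-admin"))
ADVANCED_RULES = {("ws-admin", "vault-admin"): {"grantRole", "revokeRole"},
                  ("ws-main", "vault-mint"): {"mint"},
                  ("ws-main", "vault-pause"): {"pause", "unpause"}}

if __name__ == "__main__":
    for a, r in [(BASIC, BASIC_RULES), (INTERMEDIATE, INTERMEDIATE_RULES), (ADVANCED, ADVANCED_RULES)]:
        print(tier(a, r), audit(a, r))
```

The workspace check encodes only the example split given above (Default Admin and Upgrader apart from Minting and Burning); adjust the two role sets to the risk profile of your own deployment.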