Important
This article is available to you as part of our New Policy Engine, which replaces the Transaction Authorization Policy (TAP). We are still updating the relevant documentation in the Help Center to reflect the recent changes to our New Policy Engine.
Overview
The Policy rule parameters are described in greater detail below. Each parameter offers configuration options that give you flexibility and high-level controls for your transaction workflows. The rule parameters you must define vary depending on the Policy type you are updating.
Source
This parameter defines the accounts that the transaction’s source must be for the rule to apply. The following types of sources are available:
- Vault accounts
- End-user wallets
- Exchange accounts
- Fiat accounts
To choose a specific account, enter its name. Make sure the account is already created or connected to your workspace. You can also choose all accounts of a certain type, such as Any Vault Account, or enter Any to have the rule apply to any source.
When making multiple entries for this parameter, there is no shortcut to select sub-groups of similar types of vault accounts. You must either choose Any Vault Account or select each vault account individually.
Venue
This parameter defines the accounts that must be involved in the token conversion for the rule to apply. The following types of venues are available: vault accounts, exchange accounts, or fiat accounts.
To choose a specific account, enter its name. Make sure the account is already created or connected to your workspace. You can also choose all accounts of a certain type, such as Any Exchange Account, or enter Any to have the rule apply to any venue.
When making multiple entries for this parameter, there is no shortcut to select sub-groups of similar types of vault accounts. You must either choose Any Vault Account or select each vault account individually.
Note
This parameter is only available for the Convert Policy.
Destination
This parameter defines the accounts the transaction's destination must be for the rule to apply. The following types of destinations are available:
- Vault accounts
- End-user wallets
- Exchange accounts
- Fireblocks Network profiles
- Whitelisted wallets (internal, external, or contract)
- Fiat accounts
- Staking destinations
To choose a specific account, enter its name. Make sure the account is already created or connected to your workspace. You can also choose all accounts of a certain type, such as Any Fiat Account, or enter Any to have the rule apply to any destination.
When making multiple entries for this parameter, there is no shortcut to select sub-groups of similar types of vault accounts. You must either choose Any Vault Account or select each vault account individually.
Important
If you select specific whitelisted address(es) under Groups and accounts, but you also select Any at the bottom of the Destination field, the rule will apply both to the specific whitelisted addresses you choose and to One-Time Addresses. Be aware of this to ensure your rule behaves the way you intend.
Initiators
This parameter defines which users must initiate the transaction for the rule to apply. Only users with the below workspace roles can be defined as Initiators:
- Owner
- Admin
- Non-Signing Admin (requires a Designated Signer)
- Signer
- Editor (requires a Designated Signer)
When defining the Initiators for a rule, you can select:
- Individual users: One or more individual users listed by name
- User groups: One or more user groups. All users in a user group must have the same role type. For example, Editors can't be in a user group with Signers.
- Any: Applies to all users in your workspace.
Blockchains
This parameter defines the blockchains where the transaction must take place for the rule to apply.
To choose a specific blockchain, enter its name. You can make multiple entries for this parameter or enter Any to have the rule apply to all Fireblocks-supported blockchains.
Contract call methods
This parameter defines the specific smart contract functions to which you want the rule applied. You can apply the rule to any function you enter or to the exact list of functions. The smart contract must be whitelisted to define its functions in a Policy rule.
Learn more about creating Policy rules for specific contract call methods.
Assets
This parameter defines the type of asset that must be transacted for the rule to apply.
Selecting NFT applies the rule to all non-fungible tokens (NFTs). If you select Coins or tokens, enter the specific tokens to which you want the rule to apply. You can make multiple entries for this parameter or enter Any to apply the rule to any tokens (excluding NFTs) used in a transaction matching the rule.
If the asset you want is not supported, learn how to add non-EVM assets.
Base asset
This parameter defines the assets that must be defined as the base asset in the token conversion for the rule to apply.
Enter the name of each asset you want defined as a base asset. You can also choose the minimum and maximum amounts that the token conversion must contain of those base assets to match the rule.
Note
This parameter is only available for the Convert Policy.
Quote asset
This parameter defines the assets that must be defined as the quote asset in the token conversion for the rule to apply.
Enter the name of each asset you want defined as a quote asset. You can also choose the minimum and maximum amounts that the token conversion must contain of those quote assets to match the rule.
Note
This parameter is only available for the Convert Policy.
Amount range
This parameter defines the minimum and maximum amounts of the assets that must be met for the rule to apply.
You can enter the minimum and maximum amounts in two ways:
- Native amount: Limits the amount of an asset a user can transfer when using a specific asset.
  - Example: A rule for transactions for any amount greater than 5 BTC. Only select this value for rules limited to a single asset.
- Fiat amount: Limits the amount of any asset users can transfer based on the USD or EUR equivalent of the asset.
  - Example: A rule for transactions that use any amount greater than $5,000 worth of any asset.
We recommend using rules with fiat amount values. This allows you to apply rules to all your assets simultaneously and to give better visibility into your operations. We use CoinMarketCap to determine an asset's USD and EUR equivalent.
Limitations
This parameter defines whether the rule should apply to single transactions or all matching transactions within a specific time period.
Single transaction
The rule applies to every matching transaction, regardless of time period.
Time limit
The rule applies to all matching transactions within a specific time period.
If you choose this option, you can define over what length of time to accumulate transferred amounts in transactions that match the rule, until the total exceeds the value you specify as the minimum amount in the Amount range parameter. When the specified amount is reached within that period, whether by one or many transactions, further transactions in that period either fail or require more approvals.
Use the following fields to define the accumulation details:
- Hours: Enter the number of hours during which the amount must be accumulated for the rule to match. You can select a period from the default values or enter an hour period (e.g., 1hr, 2hrs, 10hrs). The maximum period you can enter is 360 hours.
- Initiator: Select Per Initiator to apply the limit to each listed Initiator. Select Accumulated initiators to apply the limit to the sum of all Initiators’ transactions.
- Source: Select Per source to apply the limit to each listed Source. Select Accumulated sources to apply the limit to the sum of all transactions from all listed Sources.
- Destination: Select Per destination to apply the limit to each listed Destination. Select Accumulated destinations to apply the limit to the sum of all transactions to all listed Destinations.
For example, let's say you have a rule in which three Initiators can't transfer more than $1 million within four hours from any source to any destination.
- When you select Per Initiator..., each Initiator can transfer up to $1 million, for a collective total of $3 million, every four hours.
- When you select Accumulated Initiators..., the three Initiators can collectively transfer up to $1 million every four hours.
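The difference between Per Initiator and Accumulated initiators in the example above, modelled as an added Python example (not Fireblocks code). It assumes a sliding window, that the transfer being evaluated counts toward the total, and that transfers which match the rule do not add to later totals; the initiator names and amounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    hour: float      # time of the transfer, in hours since an arbitrary start
    initiator: str
    usd: int         # fiat-equivalent amount of the transfer

def evaluate(transfers, limit_usd, window_hours, per_initiator):
    """Return (transfer, matched) pairs in time order.

    Assumptions of this model: the window slides back from each transfer,
    the transfer being evaluated is included in the total, and a transfer
    that matched the rule does not add to later totals.
    """
    passed = defaultdict(list)   # bucket -> [(hour, usd)] that did not match
    results = []
    for t in sorted(transfers, key=lambda x: x.hour):
        # One bucket per initiator, or a single shared bucket when accumulated.
        bucket = t.initiator if per_initiator else "*"
        recent = [(h, a) for h, a in passed[bucket] if t.hour - h < window_hours]
        total = sum(a for _, a in recent) + t.usd
        matched = total > limit_usd          # "exceeds": strictly greater
        if not matched:
            recent.append((t.hour, t.usd))
        passed[bucket] = recent
        results.append((t, matched))
    return results

def matched_flags(results):
    return [matched for _, matched in results]

def passed_total(results):
    return sum(t.usd for t, matched in results if not matched)

# Constructed sample: three initiators, $1 million limit, four-hour window.
SAMPLE = [
    Transfer(0.0, "alice", 600_000),
    Transfer(0.5, "bob", 600_000),
    Transfer(1.0, "carol", 1_000_000),
    Transfer(2.0, "alice", 400_000),
    Transfer(3.0, "bob", 500_000),
    Transfer(4.5, "alice", 300_000),
]
```

With the sample data, `evaluate(SAMPLE, 1_000_000, 4, per_initiator=True)` lets five of the six transfers through, while `per_initiator=False` lets only three through, because the shared total is already at the limit after the first two hours.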
Rule name
This parameter defines the name you want to use to identify the Policy rule.
Result
This parameter defines the action to take when a transaction meets the rule’s criteria.
You can choose one of the following actions:
- Allow: The transaction proceeds to signing without requiring additional approvals.
- Block: The transaction is automatically blocked.
- Request approval: The users or user groups must approve the transaction before it can be signed. If any reject the transaction before the required approval threshold is met, the transaction is blocked.
Approval set configuration
This parameter defines the threshold of defined users or user groups that must approve the transaction before it can be signed. It is only available if you selected Request approval as the rule’s Result.
You can define the following requirements for transaction approval:
- Approver set: Only Owners, Admins, Non-Signing Admins, Signers, and Approvers can be included.
- Threshold: The number of users from the Approver set that must approve the transaction before it can be signed.
By default, when a transaction initiator is a listed approver (individually or as part of a group), they can't approve their own transaction or count toward the approval threshold. To allow the transaction initiator to approve their own transaction and count toward the approval threshold, select Transaction initiator can approve.
Note
If you select Transaction initiator can approve and set the Threshold to 1, transactions may be approved automatically. Learn more about when the approval step is skipped during transaction signing.
Whitelisted / OTA
This parameter defines whether the destination to which you are sending funds must be whitelisted, may be a non-whitelisted external address used for a one-time transfer, or both. By default, you can only transfer to an external address after it’s whitelisted. To allow transfers to a non-whitelisted external address, enable the one-time address feature and create a rule for that external address.
- Whitelisted only: Transactions can only be sent to whitelisted addresses.
- One-time address only: Transactions can only be sent to non-whitelisted external addresses.
- Any (Whitelisted+OTA): Transactions can be sent to whitelisted addresses or to non-whitelisted external addresses on a one-time basis. Mostly used for DeFi operations.
Important
Selecting One-time address only blocks transactions to whitelisted addresses. If you want the flexibility to also transfer to whitelisted addresses, select Whitelisted+OTA, which is the better choice to avoid unintended blocked transactions.
By default, if your Policy contains rules for external addresses but doesn't allow one-time transfers, then transfers matching those rules will be automatically blocked.
Designated Signers
This parameter allows you to designate a specific user, multiple individual users, or user groups as a signer for transactions that match the rule. For example, you can create a semi-automated flow for API users that allows them to be Initiators but requires another user to sign the transaction.
Rules with multiple signers
When a transaction matches a rule with multiple designated signers, Fireblocks sends a signing request notification to each user specified as a designated signer. However, only one user needs to sign the transaction. Once the transaction is signed, Fireblocks automatically removes the notification from all other signers’ devices (or queues, for API users).
Designated Signers for Online Workspaces
In online workspaces, only users with the following workspace roles can be designated signers:
- Owner
- Admin
- Signer
You can use any combination of user types as designated signers in online workspaces. For example, you can have one Fireblocks mobile app user and one API user, user groups containing all mobile app users and all API users, or user groups containing a mixture of mobile app users and API users.
Important
- By default, a transaction’s initiator is also its signer. If the transaction’s initiator can’t sign transactions, you must specify a designated signer before saving the rule.
- Having a designated signer who’s also an approver (whether an individual or as part of a group) may affect your desired approval flow since they will automatically approve transactions when they match the rule.
Designated Signers for Offline Workspaces
Like in an online workspace, you can assign multiple designated signers to Policy rules in an offline workspace. However, there are some restrictions in place to help with overall security:
- The Source parameter must be a vault account.
- Designated signers (whether an individual or as part of a group) can only be Fireblocks mobile app users with the Signer role who have completed their user setup for the offline workspace.
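The Important and Note callouts under Destination, Limitations, Approval set configuration, Whitelisted / OTA, and Designated Signers can be turned into a pre-save review check. The following is an added Python example, not Fireblocks code: the rule dictionary layout, the warning codes, and the sample users are hypothetical, and user groups are assumed to be expanded to user names beforehand.

```python
NON_SIGNING_ROLES = {"Non-Signing Admin", "Editor"}  # roles the page says need a Designated Signer
MAX_HOURS = 360                                      # maximum Time limit period stated on the page

def lint_rule(rule, roles):
    """Return warning strings for one rule.

    `rule` is a hypothetical dict layout, not a Fireblocks export format;
    `roles` maps user name -> workspace role, with user groups already expanded.
    """
    out = []
    dest = rule.get("destination", {})
    if dest.get("any") and dest.get("whitelisted_addresses"):
        out.append("dest-any: rule also applies to One-Time Addresses")
    if rule.get("whitelisted_ota") == "One-time address only":
        out.append("ota-only: transactions to whitelisted addresses are blocked")
    signers = set(rule.get("designated_signers", []))
    if rule.get("result") == "Request approval":
        if rule.get("initiator_can_approve") and rule.get("threshold") == 1:
            out.append("self-approve: transactions may be approved automatically")
        overlap = sorted(signers & set(rule.get("approvers", [])))
        if overlap:
            out.append("signer-approver: " + ", ".join(overlap) + " approve automatically")
    if not signers:
        # By default the initiator signs, so non-signing initiators need a designated signer.
        stuck = sorted(u for u in rule.get("initiators", [])
                       if roles.get(u) in NON_SIGNING_ROLES)
        if stuck:
            out.append("no-signer: " + ", ".join(stuck) + " cannot sign")
    hours = rule.get("time_limit_hours")
    if hours is not None and hours > MAX_HOURS:
        out.append("hours: period exceeds 360 hours")
    return out

def codes(warnings):
    return [w.split(":")[0] for w in warnings]

# Constructed sample data; every name and address label below is made up.
ROLES = {"ops-api": "Editor", "dana": "Signer", "eli": "Admin"}
RISKY = {
    "initiators": ["ops-api", "dana"],
    "destination": {"whitelisted_addresses": ["Treasury cold wallet"], "any": True},
    "whitelisted_ota": "Any (Whitelisted+OTA)",
    "result": "Request approval",
    "approvers": ["dana", "eli"], "threshold": 1, "initiator_can_approve": True,
    "designated_signers": ["dana"],
    "time_limit_hours": 4,
}
```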