Important
This article applies to our New Policy Engine, which replaces the Transaction Authorization Policy (TAP). We are still updating the relevant Help Center documentation to reflect the recent changes to the New Policy Engine.
Note
Creating a Fireblocks Cold Wallet workspace requires scheduling onboarding time. For more information contact your Customer Success Manager.
Overview
You must submit a separate Policy template for your Cold Wallet workspace. In a Cold Wallet workspace, your Policy rules are slightly different than in an online signing workspace:
- You can add a single user, multiple users, user groups, or a combination to the Designated Signers column, allowing them to sign Cold Wallet transactions. You must assign each user a Signer role, whether you add them individually or in a user group.
- You cannot add the workspace Owner to the Designated Signers column, either individually or in a user group. Owners cannot sign transactions in Cold Wallet workspaces.
- You cannot add API users to the Designated Signers column. Signers must use the Fireblocks Cold Wallet mobile app to complete the signature process manually. However, you can add API users as Non-Signing Admins if you want them to serve as API co-signers that automatically approve workspace operations.
- You cannot add multiple users or a user group to the Designated Signers column for rules with an exchange account or fiat account as the Source. Transfers matching the rule would fail automatically.
After you complete the template, submit it to Fireblocks Support for approval and implementation.
Learn more about Policies for hot wallet workspaces.
Designated signer groups
A group of designated signers is a user group or multiple users allowed to sign offline for specific transaction types that you define in your Cold Wallet Policies.
Using this type of group accelerates your transaction authorization flow and provides redundancy, allowing any user in the group to sign transactions that match the rule. You can also create semi-automated transaction flows where any group member can sign transactions initiated via API.
How does a group of designated signers work?
Only one person in the group of designated signers can sign a transaction at a time, just as with an individual signer. There are, however, a few differences between designated signer groups and individual signers:
- When a user submits an offline signing transaction, the transaction card appears in each designated signer's Offline Signing panel, so any of them can initiate signing.
- When a signer selects Sign on a transaction card, the Send Transaction to Mobile Device window opens, where they scan a QR code, and the card disappears for the other signers. The window may take a few seconds to open; do not close or refresh the tab, or you will be returned to the Offline Signing panel and must select Sign again to reopen it.
- If the signer who initiated offline signing does not finish the process in a reasonable amount of time, the user can cancel and re-submit the transaction so a different signer can sign it.
Examples: Policy rules with a designated signer group
Companies customize their Policies with inclusionary or exclusionary rules, which gives you more than one way to ensure that transactions match the correct rule. This matters because you cannot add multiple users or a user group to the Designated Signers column for rules with exchange accounts or fiat accounts in the Source column: transfers matching such a rule would fail automatically.
Method 1: Use a group of designated signers only for supported sources
The rules in the table above state:
- Rule 1: This rule allows any transaction from any vault account to any whitelisted destination or one-time address greater than $0 of any asset. One member of Group 1 must sign all transactions that match this rule.
- Rule 2: This rule allows any transaction from any source to any whitelisted destination or one-time address greater than $0 of any asset. User A must approve all transactions that match this rule.
Therefore, based on the first-match principle, the group of designated signers only signs single transactions if the source is a vault account. User A must approve all transactions from other sources.
Method 2: Excluding a group of designated signers from unsupported sources
The rules in the table above state:
- Rules 1-2: These rules allow any transaction from any exchange account or fiat account to any whitelisted destination or one-time address greater than $0 of any asset. User A must approve all transactions that match these rules.
- Rule 3: This rule allows any transaction from any source to any whitelisted destination or one-time address greater than $0 of any asset. User A must approve all transactions that match this rule and a member from Group 1 must sign them.
Therefore, based on the first-match principle, the group of designated signers only signs transactions if the source is not an exchange account or a fiat account.
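As an added illustration of the first-match reasoning behind both methods (example code written for this article, not a Fireblocks tool or API), the following Python models only the Source and Designated Signers columns of a Policy template, resolves the first matching rule for each source type, and flags any exchange or fiat source whose first match assigns a signer group, since such transfers would fail. The user names, the members of Group 1 and the role table are constructed; destination and amount filters, and Rule 3's separate approval by User A, are omitted.

```python
from dataclasses import dataclass

# Constructed model of a Cold Wallet Policy template (not the Fireblocks API).
# Only the Source and Designated Signers columns are modelled.
ANY = "*"
GROUP_1 = ["signer1", "signer2"]   # a designated signer group (hypothetical users)
USER_A = ["userA"]                 # a single designated signer (hypothetical user)

@dataclass
class Rule:
    source: str     # "vault", "exchange", "fiat" or ANY
    signers: list   # designated signers: one user, or several users / a group

def first_match(rules, source):
    """Return (1-based rule number, rule) of the first rule whose Source matches."""
    for idx, rule in enumerate(rules, 1):
        if rule.source in (ANY, source):
            return idx, rule
    return None, None

def audit_signer_groups(rules):
    """List (source, rule number) where an exchange or fiat transfer would first
    match a rule with a signer group; the page states such transfers fail."""
    failing = []
    for src in ("exchange", "fiat"):
        idx, rule = first_match(rules, src)
        if rule is not None and len(rule.signers) > 1:
            failing.append((src, idx))
    return failing

def check_signer_roles(rules, roles):
    """Every designated signer needs the Signer role; Owners and API users
    therefore cannot appear in the Designated Signers column."""
    return [f"rule {idx}: {user} cannot sign (role {roles.get(user)})"
            for idx, rule in enumerate(rules, 1) for user in rule.signers
            if roles.get(user) != "Signer"]

# Method 1: the group only for supported (vault) sources, then a catch-all for User A.
METHOD_1 = [Rule("vault", GROUP_1), Rule(ANY, USER_A)]
# Method 2: exclude unsupported sources first, then the group may sign the rest.
METHOD_2 = [Rule("exchange", USER_A), Rule("fiat", USER_A), Rule(ANY, GROUP_1)]
# Anti-pattern: a catch-all with a group is the first match for exchange and fiat.
UNSAFE = [Rule(ANY, GROUP_1)]

if __name__ == "__main__":
    for name, rules in (("method 1", METHOD_1), ("method 2", METHOD_2), ("unsafe", UNSAFE)):
        matches = {s: first_match(rules, s)[0] for s in ("vault", "exchange", "fiat")}
        print(name, matches, "failing:", audit_signer_groups(rules))
```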