Skip to main content

Admin Quorum

Overview

The Admin Quorum is a vital component of an organization's operational security. It lists all users with Admin privileges who are part of the process for approving or denying new connections and changes to their Fireblocks workspace. The Admin Quorum threshold defines the minimum number of Admins required to approve any of the changes listed below.

Any user assigned an Owner, Admin, or Non-Signing Admin role is part of the Admin Quorum. Any Admin can deny a request before the Admin Quorum threshold is met. Requests have different expiration times depending on the action.

The Admin Quorum applies to all workspace policy changes by default. For greater flexibility, use Approval Groups to define specific sets of users for approving or denying different workspace changes.

Activities that require Admin Quorum approval include:

  • Whitelisting addresses
  • New Fireblocks P2P Network connections
  • New connected accounts
  • Adding new workspace users
  • Changes to Policies
  • Configuring approval groups
  • Enabling one-time addresses
  • Other workspace settings and configuration changes

Only Admin users who have completed onboarding and who show as  under Status in your Fireblocks Console user list (Settings > Users) count toward the quorum. Admins show as Active after they pair their mobile device to their workspace account and they can approve requests.

image.png

 

Example

A workspace with a quorum of six Admin users sets an Admin Quorum threshold of three.

  1. A user submits a request to whitelist an address.
  2. The six Admin users receive an approval notification on their Fireblocks app.
  3. If at least three of them approve before anyone denies it, the request is approved.
    • If any Admin denies the request before the threshold is met, the address is rejected. 

Changing the Admin Quorum threshold

Note

If this functionality is not enabled on your workspace, please submit a request to Support.

  1. Select Settings at the top-right of your Console.
  2. Select Show admin quorum under Quorums > Admin Quorum in the Quorums tab.
  3. Select Change Threshold.
  4. Submit your new Admin Quorum threshold.
    • All: Dynamically requires all active Admin users to approve to meet the threshold.

    • A number: Always requires the selected number of Admins to meet the threshold. If at any point the total number of active Admins in your workspace falls below that number, you must contact Support to make further workspace changes.

      Note

      The default Admin Quorum threshold when your workspace is first created is "All Admins." At that time, the workspace Owner is the only active user. After other Admin users are created and complete their onboarding, any Admin can request to change the quorum to a lower threshold.

      mceclip3.png

  5. Select Change Quorum Threshold to confirm.
  6. The current Admin Quorum will receive a notification to approve the change.
    mceclip2.png
  7. Your current Admin Quorum threshold remains unchanged until the new threshold is approved.

  8. Any outstanding requests require the threshold that was active when they were submitted.

    Note

    If an Admin user is deleted while there are still pending requests that require their approval,  cancel any outstanding requests and submit new ones. The new requests will not include the deleted user.

  9. The Admin Quorum and Owner must approve the change.

Changing the Admin Quorum threshold: API Admins

If you have active API Admin users (API Admin or API Non-Signing Admin) in your workspace, their approval is automatic for Admin Quorum change requests. Your workspace Owner should consider this when adding Admin users to your workspace. For example:

  • If the first two Admins added to your workspace are one (human) Admin and one API Admin:
    • An Admin Quorum threshold of two should be your minimum setting. Otherwise, if your threshold is one, the API Admin automatically approves all requests without any human approvers.
  • If the first two Admins added to your workspace are two human Admins (non-API):
    • You can set an Admin Quorum threshold of one or two. Both threshold settings will have the desired effect since neither Admin's approval is automatic.

Effectively, having API Admins in your workspace reduces your quorum by one Admin when it comes to updating your Admin Quorum. The workspace Owner should consider this when setting up new Admin users to ensure the threshold setting has its desired effect.

Cold Wallet workspaces

When conducting Admin Quorum activities in Cold Wallet workspaces, note the following:

  • For all workspace changes that require both Owner and Admin approval, such as adding new users and provisioning new signing devices, you must contact Fireblocks Support.
  • Other workspace configuration changes that require approval by the Admin Quorum may be approved by Non-Signing Admins.
  • Only the Owner can delete users or reset a user's two-factor authentication (2FA) via the Fireblocks Console without any additional approvals.
Was this article helpful?
7 out of 8 found this helpful

Related Articles