Cold Wallet workspaces have different user roles and privileges than hot wallet workspaces. This article highlights the main differences. Significantly, only Signers can sign transactions, which means there is no Admin role as in a hot wallet workspace. A workspace Transaction Authorization Policy (TAP) is still used to designate users for authorizing and signing transactions.
For information about the user roles in an online signing workspace, see User roles.
Creating a Fireblocks Cold Wallet workspace requires scheduling onboarding time. For more information please contact your Customer Success Manager.
Cold wallet user role access table
| Role | Owner | Non-Signing Admin | Signer | Approver | Editor | Viewer |
| Software | Fireblocks Cold Wallet mobile app | Fireblocks mobile app or API User | Fireblocks Cold Wallet mobile app | Fireblocks mobile app | No need for mobile app (Console or API user) | No need for mobile app (Console or API user) |
| Initiate & cancel transactions | Yes* | Yes* | Yes | No | Yes* | No |
| Approve transactions** | Yes | Yes | Yes | Yes | No | No |
| Sign transactions | No | No | Yes | No | No | No |
| Create vault accounts | Yes | Yes | Yes | Yes | Yes | No |
| Submit connections for approval | Yes | Yes | Yes | Yes | Yes | No |
| Approve connection | Yes | Yes | No | No | No | No |
| View all workspace settings | Yes | Yes | No | No | No | No |
| Approve MPC signing devices | Yes | No | No | No | No | No |
| Export transaction history | Yes | Yes | Yes | Yes | Yes | Yes |
Legend
| ✓ | Full Access - same as online signing workspaces. |
| Yes* |
Full Access - This is unlike online signing workspaces. |
| * * | Approving transactions requires identifying specific users in the transaction authorization policy |
Main differences compared to an online signing workspace
Owner
The Owner's device must be an offline device running the Fireblocks Cold Wallet mobile app. Their device holds the root MPC key share that all signing device keys are derived from, but they can not sign transactions.
The Owner's Cold Wallet device is required for approving and generating MPC key shares for Cold Wallet signing devices.
By default, the owner cannot initiate transactions because they cannot sign those transactions. However, it is possible to configure TAP rules to designate a Signer for transactions initiated by the owner.
Admin
The Admin user role is not available in Cold Wallet workspaces.
Non-Signing-Admin users can approve transactions according to your TAP and participate in the Admin Quorum. Non-Signing Admins do not hold MPC key shares and use the Fireblocks mobile app with an online device.
Signer
Signers in a Cold Wallet workspace are the only user role that can sign transactions. Their MPC key shares are stored on an air-gapped, offline iOS device using the Fireblocks Cold Wallet app. Each Signer in the Cold Wallet workspace requires their own iOS device that is locked in a supervised mode during the setup process and is used for the offline signature processes.
Signers may also take part in transaction approval if required by the TAP. Transactions are approved using their Cold Wallet device by scanning a QR animation in the Fireblocks Console Cold Wallet signing panel. Learn more about the Cold Wallet transaction signing process.
Security Manager
The Security Manager is not a specific workspace user, but a person authorized to provision every Cold Wallet iOS device and verify that it is locked in supervised mode and can only open Fireblocks Cold Wallet at the end of the setup process. This person does not require an account login to your Fireblocks workspace.
The Security Manager requires a MacOS computer running Apple Configurator in order to provision new Cold Wallet signing devices.
The Owner must approve generating new key shares during the Cold Wallet device provisioning process. Accordingly, the Owner may act as the Security Manager depending on your organization and regulation requirements. The two user roles can also be kept separate, each person in charge of securely storing their devices and participating in the Cold Wallet device provisioning process together.
Managing Cold Wallet users
Adding, removing, and modifying users, and API Keys currently requires contacting Fireblocks Support. If the Owner did not submit the support ticket, then Fireblocks Support requests written approval for confirming any workspace changes.
Best Practices
In order to protect the safety and security of the Owner's device that holds the root MPC key used to generate all signing keys, Fireblocks recommends separating the Owner user role from daily blockchain operations and trading. The Owner should limit their activity to only approving new signing devices if possible. The Owner's offline device should be stored securely at all times.
For ease of operation, Fireblocks recommends creating one or more users with a Non-Signing Admin role to approve workspace modifications instead of using the owner's Cold Wallet device. Non-signing Admins use the Fireblocks mobile app with an online device to easily approve transactions, new external connections, new whitelisted addresses, workspace settings changes, and more.
Actions that can ideally be assigned to Non-Signing Admins include:
- Approving transactions
- Approving new exchange connections
- Whitelisting new addresses
- Viewing and modifying workspace settings
- Approving changes to workspace settings
Actions that require the Owner's Cold Wallet device:
- Approving MPC signing devices
Fireblocks recommends separating transaction creation, approval, and signing steps using your TAP. Only Signers should be responsible for creating new transactions and signing them because these steps require an MPC key using the Fireblocks Cold Wallet app. Transactions should be approved by Non-Signing-Admins and Approvers because they only require the Fireblocks online app, which immediately receives notifications when approval is required.