Overview
All users in a Fireblocks workspace require an assigned role. User roles grant permissions regarding which parts of the platform users can access, what type of actions they can perform, and whether they have MPC key shares used to sign transactions.
You can assign users the following roles:
- Owner
- Admin
- Non-Signing Admin
- Signer
- Approver
- Editor
- Viewer
The Owner, Admin, and Signer roles have an MPC key share and can sign transactions. Assign these roles carefully using the Principle of Least Privilege to maximize your workspace security.
The Non-Signing Admin, Editor, Approver, and Viewer roles do not require MPC shares and cannot sign transactions. However, Non-Signing Admins, Editors, and Approvers can initiate transactions if you assign a designated signer. Non-Signing Admins and Approvers can also approve transactions.
Admin Quorum vs. TAP
Before defining user roles, we recommend understanding the difference between the Admin Quorum and the Transaction Authorization Policy (TAP). While the Admin Quorum is responsible for approving workspace configuration changes and defining the whitelisted space to which funds can stream outside of your vault, the TAP is a rule engine that governs outgoing asset transactions.
The TAP scans each outgoing transaction and its parameters (initiator, sum, type of transaction, etc.) to determine the appropriate action (allow, block, or additional approval). Using the TAP, you can set up approvals for transactions that must be met before users are prompted to sign the transactions.
Only Admins and the Owner can participate in the Admin Quorum, while the TAP may apply to all workspace users except Viewers. Only the Admins and the Owner can participate in both the Admin Quorum and the TAP. Some workspace actions require the Owner's approval in the Admin Quorum, while other actions can be approved with only Admins.
Consider vacations and leaves of absence when defining the Admin Quorum threshold and the number of approvals required in the TAP. Transactions that require the approval of all users in a group may be delayed until users return from vacation or leave.
Workspace Owner
The workspace Owner is the root user of a workspace and is responsible for approving multi-party computation (MPC) signing devices and new users, in addition to all other Admin privileges. Every workspace requires only one Owner to set up the Fireblocks Vault.
For security purposes, the Owner role is automatically assigned to the respective user by Fireblocks Support. To change the Owner of a workspace, or when the Owner wants to change their role, migrate to a new mobile device, or unfreeze the workspace, the Owner must first verify their identity with Fireblocks Support by scheduling a short video call.
The Owner's recommended responsibilities are:
- Approving new signing devices and MPC key shares
- Approving new workspace users
- Approving new external connections
- Creating API keys
- Deleting workspace users
- Enabling advanced workspace features
- Creating, editing, and approving workspace policies
- Resetting two-factor authentication (2FA)
- Enacting emergency operations like freezing the workspace, creating a backup kit, and recovery
Important
If you are the only user in a workspace who can sign transactions, we recommend creating additional Admin or Signer users as a precautionary measure. This helps to prevent the loss of access to your digital assets and financial operations when the primary signer cannot access the workspace.
Choosing user roles
The following questions and answers can help you determine the appropriate user roles for your Fireblocks users.
Do you want the user to:
- Receive an MPC key share and be able to sign transactions? If yes, choose Admin or Signer.
- Receive access to Fireblocks workspace configuration and external connection approval, and be able to freeze the workspace? If yes, choose Admin or Non-Signing Admin.
- Only be able to initiate transactions? If yes, choose Editor. Note that transactions initiated by an Editor must be signed by a designated signer. Designated signers are defined in the TAP and must have signing privileges. Learn more about designated signers.
- Be able to approve transactions? If yes, choose Approver.
- Receive access for auditing purposes only? If yes, choose Viewer.
Note
The above information is only a recommendation. Fireblocks takes no responsibility for the specific user roles you choose for your users. Choosing user roles is exclusively the Owner/company's decision and responsibility.