Overview
User groups enable you to simplify your Transaction Authorization Policy (TAP) by applying rules to multiple users without the need to add new rules when adding and removing users.
You can create groups based on workspace roles to easily group multiple users with the same role to initiate, approve, or sign transactions. Using groups simplifies creating rules and approval flows. Only the workspace Owner and Admins can manage user groups.
Your Admin Quorum and Owner must approve new groups or changes to existing groups. As your company grows and changes, group-based rules reduce how often you must revise your TAP.
Accessing user groups
To manage your user groups, go to Settings > Users > Group Management.
Before you create groups, the Manage groups window is empty.
After your Admin Quorum and Owner approve user groups, the top of the Groups section on the left shows a list of your workspace’s active groups. Select a group to view its details.
Creating a user group
Important
Creating, editing, or deleting groups can directly impact your TAP’s functionality. Consider how changes will affect your TAP before submitting. Also, check your Active Policy view for error or warning indicators after you save any changes.
- On the Manage groups window, select + Create Group.
- On the Create new group window, name the group and add the users you want to include. The users you add appear on the right, organized by their workspace roles.
- Select Create group.
Your Admin Quorum and Owner must approve the new group. Until they approve it, you can only view the group’s details.
Viewing pending new groups or group changes
To view a group’s details, select it from the Manage groups section on the left. The group detail view for a pending new group or an existing group with pending changes looks like this:
- Pending Approval banner: Highlighted in yellow at the top right. Select the banner to see how many approvals are still needed.
- Changes panel: On the far right. If it is a new group request, it lists all users and their roles. If it is a group change request, it lists the users that were added to and removed from the group.
- Cancel: Select Cancel under the approver list to cancel the request.
- TAP rules impacted indicator: Under the group name at the top. Shows how many of your existing TAP rules will be impacted by the creation of this new group.
Approving a new user group
- After you submit a new user group for approval, your Admin Quorum and Owner receive notifications in their Fireblocks mobile app.
- Tap View to see the group details. If the details extend beyond the bottom of the screen, the Approve and Deny buttons do not appear until you scroll to the end.
- Tap Approve. After your request reaches the approval threshold, the group is immediately active and moves up to the Groups section.
Approving a user group change request
- After you submit a user group change request for approval, your Admin Quorum and Owner receive notifications in their Fireblocks mobile app.
- Tap View to see the change details. If the details go beyond the bottom of the screen, the Approve and Deny buttons do not appear until you scroll to the end.
- Tap Approve. After your change request reaches the approval threshold, the changes to the group immediately go into effect.
Denying a user group request
- Any Admin can reject a new group request or group change request in their Fireblocks mobile app by tapping Deny at the bottom of the request, then Yes.
Viewing impacted TAP rules
For both active groups and groups that are pending approval, you may see an indicator under the group name that says (X) TAP rules impacted.
This tells you how many existing TAP rules use this group. Changing the group may therefore cause errors or warnings about the users being removed or added, as well as errors or warnings about how the change affects a rule’s approval threshold.
- From any group’s detail view with at least 1 rule impacted, select (X) TAP rules impacted.
- This opens the Impacted TAP rules tab in Edit Mode. Impacted rules show on the left.
- Select any rule, then select See rule in TAP Editor to see the rule details.
Deleting an existing user group
- On the Manage groups window, select the group you wish to delete from the left.
- Select Delete.
- On the confirmation window, select Delete group.
Your Admin Quorum and Owner must approve deleting the group. After your request reaches the approval threshold, the group is removed from the Groups section.
Duplicating a user group
Sometimes you may want to create a new group that includes multiple users from an existing group. You can save time by duplicating the group instead of drafting the group from scratch.
Note
We recommend that separate groups have mostly different users. When using duplicate, try to add enough other users to the new group so that both groups are distinct from each other.
- On the Manage groups page, select the group you want to duplicate on the left.
- Select Duplicate.
- On the confirmation window, select Duplicate group.
- A Create new group window appears with the same users and same name followed by (copy). You can rename the group with any group name that’s not already in use.
- Add or remove users to the group as needed.
- Select Create group.
Your Admin Quorum and Owner must approve this duplicate user group. Until they approve it, you can only view the group’s details. Unlike a change to an existing group, the duplicate shows under Pending approval. Note that the Changes panel shows the duplicate group’s users as if you created the group from scratch and is not a comparison against the original group.
Editing a user group
- On the Manage groups page, select the group you want to change from the left.
- Select Edit group.
- On the Edit group window, make the necessary changes. You can change the group’s name and add or remove users. You can only choose a name that's not already used by an active group.
- Select Save changes.
After you submit your group change request, your Admin Quorum and Owner must approve it before the changes go into effect. Note that pending changes to an existing user group do not move the group from the Groups section.
Until your change request is approved, the group shows a yellow Changes pending banner in the top right corner, and you can’t make any further changes.
Examples of user groups
You can create groups based on workspace roles, such as Admins and Editors, and their common privileges in your workspace.
Say your company has the following workspace roles and users with those roles:
- Owner: John Smith
- Admin: Margaret Taylor, Joshua Hill
- Non-Signing Admin: Thomas Cooper, Wendy Harris
- Editor: Jason North, Michael Black
If you want to create groups based on the users' workspace roles, that might look like this:
Best practices for building user groups
We recommend the following when building your TAP’s user groups:
- When you assign a user group as Initiator, all its users must have roles that can either initiate or sign transactions.
- If you list a user group under Approved By, all its users must have roles that are authorized to approve transactions.
- Avoid placing users with and without signing privileges in the same group, such as Editors and Signers. If you list a group with both Editors and Signers as an Initiator for a rule, you must assign a designated signer to the rule. If you only include Signers in the group, you can assign the Initiator as the rule’s designated signer.
- Create separate groups for Console users and API users, as they may function differently.
- When creating or updating a group, check how it affects your TAP rules. Are there enough approvers remaining to meet any approval thresholds after you edit the group? Is the TAP logic kept intact?
- If you list two or more groups as approvers, first ensure that no user is in both groups. Otherwise, that user’s approval will count twice towards your approval threshold.
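The checks in this list can be run offline against a draft of your groups before you submit a change. The following is an added example, not Fireblocks code or a Fireblocks API: the data layout, the function names, and the set of roles treated as signing roles are assumptions made for illustration, and the sample groups are constructed from the example users on this page.

```python
# Assumption for this sketch: which workspace roles can sign. Verify for your workspace.
SIGNING_ROLES = {"Owner", "Admin", "Signer"}

# Constructed sample data (user names taken from this page's example).
USERS = {
    "John Smith": "Owner", "Margaret Taylor": "Admin", "Joshua Hill": "Admin",
    "Thomas Cooper": "Non-Signing Admin", "Wendy Harris": "Non-Signing Admin",
    "Jason North": "Editor", "Michael Black": "Editor",
}
GROUPS = {  # hypothetical group layout, deliberately flawed
    "Admins": {"Margaret Taylor", "Joshua Hill"},
    "Treasury": {"Joshua Hill", "Thomas Cooper"},
    "Editors": {"Jason North", "Michael Black"},
}
RULE = {"name": "rule-1", "initiators": ["Editors"],
        "approvers": ["Admins", "Treasury"], "threshold": 4}


def mixed_signing_groups(groups, users):
    """Groups that combine users with and without signing privileges."""
    return sorted(name for name, members in groups.items()
                  if len({users[m] in SIGNING_ROLES for m in members}) == 2)


def double_counted_approvers(groups, rule):
    """Users present in more than one of the rule's approver groups."""
    seen, dupes = set(), set()
    for group in rule["approvers"]:
        for user in groups[group]:
            (dupes if user in seen else seen).add(user)
    return sorted(dupes)


def lint_rule(groups, users, rule):
    """Return findings for one rule; an empty list means no issue was found."""
    findings = []
    for user in double_counted_approvers(groups, rule):
        findings.append(f"{user} is in several approver groups and counts more than once")
    distinct = set().union(*(groups[g] for g in rule["approvers"]))
    if len(distinct) < rule["threshold"]:
        findings.append(f"threshold {rule['threshold']} exceeds "
                        f"{len(distinct)} distinct approvers")
    mixed = set(mixed_signing_groups(groups, users))
    for group in rule["initiators"]:
        if group in mixed:
            findings.append(f"initiator group {group} mixes signing and "
                            "non-signing users; rule needs a designated signer")
    return findings
```

With the sample data, the two approver groups hold four memberships but only three distinct people, which is the double-counting case described in the last item above.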