Keep these key points in mind when building your TAP.
The TAP is an important security tool
Thoroughly think through and examine your TAP before submitting it for approval.
Remember the first-match principle
The Policy Engine applies the first TAP rule that matches a submitted transaction; rules listed below the match are not evaluated.
Keep the TAP as simple as possible
Simplicity ensures clarity and control. Only use rules that you truly need for good governance.
Remember that rules are one-way
A rule for transactions from a specific source to a specific destination doesn’t apply the opposite way.
List more specific rules above more general rules
Example: To allow transfers between all vaults except vault X, first list a rule blocking vault X as a source or destination. Then below it, list a general rule allowing transfers between all vaults.
Creating rules for an API user as an approver
In your TAP, you can assign API users as approvers and enable them to approve certain transactions using an API Co-Signer. They must be assigned access to be able to initiate or sign transactions.
Creating rules for a semi-automated transaction flow
- In this flow, an API user initiates transactions and a Fireblocks Console user signs them from their mobile device.
- In this flow, you assign Editor or Non-Signing Admin role users as API users and assign the Console user as the rule’s Designated Signer.
Creating rules for a fully automated transaction flow
- In this flow, there are usually two API users: one initiates transactions; the other approves and/or signs them through your API Co-Signer machine.
- In this flow, you assign Editor or Non-Signing Admin role users as API users to initiate transactions, and Admin or Signer role users as API users who are approvers or the Designated Signer.
Put accumulation rules (if applicable) first for any type of rule
Accumulation rules sum the value of multiple transactions. If single-transaction rules are listed above them, the first-match principle means the accumulation rules are never reached.
Use accumulation to control transaction volume
You can set a maximum accumulated volume over a certain time across a combination of Initiators, sources, or destinations. Example: All transfers over a 12-hour period can’t surpass $15 million.
List amount-based rules for the same parameter from high to low
This ensures that the stricter rules for higher-value transactions are the ones enforced. At the bottom of the group, always list a catch-all rule for transactions worth more than $0.
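The ordering rules above (first match, one-way routes, accumulation rules first, specific before general, amount rules high to low with a catch-all last) are easiest to see with a small simulation. The following is an added example, not Fireblocks code and not the TAP rule schema: it is a deliberately simplified, constructed model of a first-match policy engine, and it assumes that an accumulation rule matches only when the windowed sum exceeds its cap and that a transaction matching no rule is treated as blocked. The same rule set is evaluated in the recommended order and with the general allow rule moved to the top.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, simplified model of a TAP rule list for illustration only. It is not the
# Fireblocks rule schema or Policy Engine; it models just the properties the page describes:
# first match wins, routes are one-way, accumulation rules sum a time window, and
# amount rules match transactions worth more than their threshold.


@dataclass
class Rule:
    name: str
    action: str                       # "ALLOW", "BLOCK" or "APPROVE" (approval required)
    source: str = "*"                 # vault id, or "*" for All Vaults
    destination: str = "*"
    min_amount_usd: float = 0.0       # matches when amount > min_amount_usd ("greater than $0")
    accumulate_hours: Optional[float] = None   # set on accumulation rules only
    max_accumulated_usd: Optional[float] = None


@dataclass
class Tx:
    source: str
    destination: str
    amount_usd: float
    at: datetime


NOW = datetime(2024, 1, 1, 12, 0)  # constructed fixed clock so results are deterministic


def _route_matches(rule: Rule, tx: Tx) -> bool:
    # One-way: the rule's source must match the tx source and its destination the tx destination.
    return rule.source in ("*", tx.source) and rule.destination in ("*", tx.destination)


def evaluate(rules, tx, history):
    """Return (rule name, action) of the FIRST matching rule.

    Assumption of this model: an accumulation rule matches only when the windowed sum
    exceeds its cap, otherwise evaluation continues; with no match at all the
    transaction is treated as blocked (hence the advice to end with a > $0 rule).
    """
    for rule in rules:
        if not _route_matches(rule, tx):
            continue
        if rule.accumulate_hours is not None:
            window_start = tx.at - timedelta(hours=rule.accumulate_hours)
            total = tx.amount_usd + sum(
                h.amount_usd for h in history
                if h.at >= window_start and _route_matches(rule, h)
            )
            if total > rule.max_accumulated_usd:
                return rule.name, rule.action
            continue
        if tx.amount_usd > rule.min_amount_usd:
            return rule.name, rule.action
    return "<no match>", "BLOCK"


def well_ordered():
    """Recommended order: accumulation first, specific before general,
    amount rules high to low, catch-all > $0 last."""
    return [
        Rule("cap-12h-15m", "BLOCK", accumulate_hours=12, max_accumulated_usd=15_000_000),
        Rule("block-vault-x-as-source", "BLOCK", source="vault-X"),
        Rule("block-vault-x-as-destination", "BLOCK", destination="vault-X"),
        Rule("over-1m-needs-approval", "APPROVE", min_amount_usd=1_000_000),
        Rule("allow-all-vaults", "ALLOW", min_amount_usd=0),
    ]


def badly_ordered():
    """Same rules with the general allow rule moved to the top."""
    rules = well_ordered()
    return [rules[-1]] + rules[:-1]


def scenarios():
    """Evaluate constructed transactions under both orderings -> {name: (good, bad)}."""
    prior = [Tx("vault-A", "vault-B", 14_000_000, NOW - timedelta(hours=3))]  # constructed history
    cases = {
        "small_transfer_to_vault_x": (Tx("vault-A", "vault-X", 10, NOW), []),
        "large_transfer": (Tx("vault-A", "vault-B", 2_000_000, NOW), []),
        "exceeds_12h_cap": (Tx("vault-A", "vault-C", 2_000_000, NOW), prior),
    }
    return {
        name: (evaluate(well_ordered(), tx, hist), evaluate(badly_ordered(), tx, hist))
        for name, (tx, hist) in cases.items()
    }


def one_way_demo():
    """A rule for vault-A -> vault-B does not cover vault-B -> vault-A."""
    rules = [Rule("a-to-b", "ALLOW", source="vault-A", destination="vault-B")]
    return (evaluate(rules, Tx("vault-A", "vault-B", 5, NOW), []),
            evaluate(rules, Tx("vault-B", "vault-A", 5, NOW), []))


if __name__ == "__main__":
    for name, (good, bad) in scenarios().items():
        print(f"{name:28s} recommended order -> {good}   bad order -> {bad}")
    print("one-way:", one_way_demo())
```

With the general allow rule at the top, every transaction is allowed by it: the vault X block, the approval requirement for transfers over $1 million, and the 12-hour $15 million cap are all shadowed. In the recommended order each case hits the rule it was written for, and the reverse-direction transfer in `one_way_demo` shows why a route rule needs a counterpart if both directions are intended.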
Select Initiator can sign if you don't want a Designated Signer
You can enable this setting as long as the Initiator has a role that is authorized to sign.
Select Initiator counts as approver, or the Initiator's approval will not count towards your threshold
This makes their approval automatic and counts it if there is an approval threshold in the rule.
You can assign an approver as your Designated Signer
If you do this, that user automatically approves any transaction that matches the rule.
There's no wildcard shortcut or pattern matching for selecting sub-groups of vaults
When selecting multiple sources or destinations, there's no shortcut to select sub-groups of similar vaults. Either choose “All Vaults” or individually select all vaults the rule should apply for.
Best practices for TAP user and group management
Create and use user groups to simplify rule-making and save time:
- We recommend creating user groups for your TAP. Use groups under Initiator and Approved By to apply a rule to multiple users at once, including future users in the group. As your company changes and grows, you won't have to edit rules that use groups when members are added or removed.
- When you use a user group as Initiator, all its users must be able to initiate or sign transactions. If certain users in the Initiator group can’t sign, the rule must have a Designated Signer.
- If you list a group under Approved By, all its users must have user roles that are allowed to approve transactions.
- If you list two or more groups as approvers, first ensure that no user is a member of both groups. Otherwise, that user’s approval will count for both groups and therefore be double-counted towards your approval threshold.
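The overlap problem in the last point is easy to check before a rule is submitted. The following is an added example, not Fireblocks code: the group names and member IDs are constructed, and the counting behaviour modelled is the one described above, where a user in two approver groups has a single approval credited once per group.

```python
from collections import defaultdict

# Constructed workspace: group names and member IDs are made up for this example and are
# not Fireblocks data. The counting rule modelled is the one the page warns about: a user
# who belongs to two approver groups has one approval counted once per group.

GROUPS = {
    "treasury-ops": {"alice", "bob", "carol"},
    "risk-desk": {"carol", "dave"},
    "finance": {"erin", "frank"},
}


def overlapping_members(groups, approver_groups):
    """Map each user who appears in more than one of approver_groups to those groups."""
    seen = defaultdict(list)
    for g in approver_groups:
        for user in groups[g]:
            seen[user].append(g)
    return {u: gs for u, gs in seen.items() if len(gs) > 1}


def count_approvals(groups, approver_groups, approvals, per_membership=True):
    """Number of approvals credited toward the rule's threshold.

    approvals: set of user IDs who approved the transaction.
    per_membership=True counts an approval once per approver group the user is in
    (the double-counting described above); False counts each distinct user once.
    """
    if per_membership:
        return sum(1 for g in approver_groups for u in groups[g] if u in approvals)
    eligible = set().union(*(groups[g] for g in approver_groups))
    return len(eligible & approvals)


def lint_rule(groups, approver_groups):
    """Pre-submission check: one message per user whose approval would be multi-counted."""
    problems = []
    for user, gs in sorted(overlapping_members(groups, approver_groups).items()):
        problems.append(f"{user} is in {gs}: one approval would count {len(gs)} times")
    return problems


if __name__ == "__main__":
    rule_groups = ["treasury-ops", "risk-desk"]
    for line in lint_rule(GROUPS, rule_groups):
        print("WARNING:", line)
    # A threshold of 2 can be met by carol alone under per-group counting.
    print("credited:", count_approvals(GROUPS, rule_groups, {"carol"}))
    print("distinct approvers:", count_approvals(GROUPS, rule_groups, {"carol"}, per_membership=False))
```

Run `lint_rule` over the groups you intend to list under Approved By; an empty result means no member is shared. The two `count_approvals` modes make the consequence concrete: with carol in both groups, an approval threshold of 2 is satisfied by a single person.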
You can apply TAP rules to API users too
Note
This section is only relevant if you have an API Developer package. Learn more about the Fireblocks API in the API Developer Guide.
You can apply TAP rules to API users just like any other user. Make sure to create the API user in your workspace before applying rules to it.