# Govern wallet access

> Organize Dfns wallets with tags, roles, and permissions for operational security, including least-privilege access and audit-friendly assignments.

Effective wallet management requires clear organization, access controls, and categorization. This solution covers how to structure permissions, use wallet tags, and implement separation of duties.

## What you'll need

* Understanding of [permissions](/core-concepts/roles-and-permissions)
* Understanding of [policies](/core-concepts/policies)
* Wallets created in your organization

## Components to configure

### Permission roles

Create role-based permissions that follow the principle of least privilege. Common roles include:

| Role              | Purpose                             |
| ----------------- | ----------------------------------- |
| Treasury Operator | Initiate transactions, view wallets |
| Treasury Approver | Approve transactions, view only     |
| Auditor           | Read-only access to all data        |

See how to [configure permissions](/guides/permission-based-access-control) and the [API reference](/api-reference/permissions/list-permissions).

### Wallet tags

Tags let you organize and filter wallets. Use them for:

* **Filtering** wallets in the dashboard
* **Targeting policies** to specific wallet groups
* **Organizing** wallets by purpose, team, or risk level

See how to [manage wallet tags](/guides/manage-wallets) and the [API reference](/api-reference/wallets/tag-wallet).

### Separation of duties

Combine permissions and policies to enforce dual control:

```mermaid
flowchart LR
    subgraph Operator
        A[Initiate transaction]
    end
    subgraph Policy Engine
        B{Policy triggered?}
        C[Require approval]
    end
    subgraph Approver
        D[Review & approve]
    end

    A --> B
    B -->|Yes| C
    C --> D
    D --> E[Execute]
    B -->|No| E
```

1. **Operators** can initiate transactions but cannot approve
2. **Approvers** can approve but cannot initiate
3. **Policies** require approver sign-off for operator-initiated transactions

<Info>
  By default, the initiator cannot approve their own transactions. This enforces dual control automatically.
</Info>

## Organization patterns

### By function

| Tag               | Purpose                        |
| ----------------- | ------------------------------ |
| `treasury`        | Core treasury holdings         |
| `operations`      | Day-to-day operational wallets |
| `payroll`         | Employee payment wallets       |
| `vendor-payments` | Vendor disbursement wallets    |

### By risk level

| Tag            | Purpose              | Typical policies                        |
| -------------- | -------------------- | --------------------------------------- |
| `cold-storage` | Long-term holdings   | Strict multi-sig, low velocity          |
| `warm-wallet`  | Intermediate storage | Moderate limits                         |
| `hot-wallet`   | Active operations    | Higher velocity, lower single-tx limits |

### By network

| Tag           | Purpose                  |
| ------------- | ------------------------ |
| `eth-mainnet` | Ethereum mainnet wallets |
| `polygon`     | Polygon wallets          |
| `testnet`     | Test network wallets     |

<Tip>
  Wallets can have multiple tags. For example: `treasury`, `cold-storage`, `eth-mainnet`. This allows flexible policy targeting.
</Tip>

## Example permission sets

### Treasury Operator

Permissions for team members who initiate transactions:

* `Wallets:Read` - View wallet details and balances
* `Wallets:Transfers:Create` - Initiate transfer requests
* `Wallets:Transfers:Read` - View transfer history
* `Wallets:Transactions:Create` - Sign and broadcast transactions
* `Wallets:Transactions:Read` - View transaction history

### Treasury Approver

Permissions for team members who approve transactions:

* `Wallets:Read` - View wallet details
* `Wallets:Transfers:Read` - View transfer details
* `Wallets:Transactions:Read` - View transaction details
* Approval permissions for assigned policies

### Auditor (read-only)

Permissions for external auditors or compliance:

* `Wallets:Read` - View all wallets
* `Wallets:Transfers:Read` - View all transfers
* `Wallets:Transactions:Read` - View all transactions
* `Policies:Read` - View policy configurations
* `Auth:Logs:Read` - View audit logs

See [security best practices](/guides/security-best-practices#role-templates) for more role templates.
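
The following is an added example, not Dfns code: a small offline audit that checks user-to-role assignments against the three permission sets above and flags anyone whose combined roles break separation of duties or the auditor's read-only guarantee. The page does not name the approval permission, so `APPROVE` is a placeholder, and the user names and assignments are constructed sample data.

```python
# Added example: permission names come from this page, except APPROVE, which is
# a placeholder because the page does not name the approval permission.
APPROVE = "<approval-permission>"
INITIATE = {"Wallets:Transfers:Create", "Wallets:Transactions:Create"}

ROLES = {
    "Treasury Operator": {
        "Wallets:Read", "Wallets:Transfers:Create", "Wallets:Transfers:Read",
        "Wallets:Transactions:Create", "Wallets:Transactions:Read",
    },
    "Treasury Approver": {
        "Wallets:Read", "Wallets:Transfers:Read", "Wallets:Transactions:Read",
        APPROVE,
    },
    "Auditor": {
        "Wallets:Read", "Wallets:Transfers:Read", "Wallets:Transactions:Read",
        "Policies:Read", "Auth:Logs:Read",
    },
}
READ_ONLY_ROLES = {"Auditor"}

# Constructed sample assignments (user -> roles), not real data.
ASSIGNMENTS = {
    "alice": ["Treasury Operator"],
    "bob": ["Treasury Approver"],
    "carol": ["Treasury Operator", "Treasury Approver"],
    "dave": ["Auditor", "Treasury Operator"],
    "erin": ["Auditor"],
}

def audit(assignments, roles=ROLES):
    """Return sorted (user, issue) findings for duty-separation violations."""
    findings = []
    for user, role_names in assignments.items():
        # A user's effective access is the union of all assigned roles.
        perms = set().union(*(roles[r] for r in role_names))
        if perms & INITIATE and APPROVE in perms:
            findings.append((user, "can initiate and approve"))
        writes = sorted(p for p in perms if not p.endswith(":Read"))
        if READ_ONLY_ROLES & set(role_names) and writes:
            findings.append((user, "read-only role holder has: " + ", ".join(writes)))
    return sorted(findings)

if __name__ == "__main__":
    for user, issue in audit(ASSIGNMENTS):
        print(f"{user}: {issue}")
```

Passing a modified `roles` mapping to `audit` also catches drift in the role definitions themselves, such as a write permission added to the Auditor set.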

## Related solutions

<CardGroup cols={2}>
  <Card title="Define treasury policies" icon="shield-check" href="/solutions/define-treasury-policies">
    Multi-signature and spending controls
  </Card>

  <Card title="Embed user wallets" icon="key" href="/solutions/embed-user-wallets">
    Delegated wallet management
  </Card>

  <Card title="Apply compliance controls" icon="magnifying-glass" href="/solutions/apply-compliance-controls">
    Audit trails and reporting
  </Card>
</CardGroup>
