Effective wallet management requires clear organization, access controls, and categorization. This solution covers how to structure permissions, use wallet tags, and implement separation of duties.
What you’ll need
Permission roles
Create role-based permissions that follow the principle of least privilege. Common roles include:
| Role | Purpose |
|---|---|
| Treasury Operator | Initiate transactions, view wallets |
| Treasury Approver | Approve transactions, view only |
| Auditor | Read-only access to all data |
See how to configure permissions and the API reference.
Tags let you organize and filter wallets. Use them for:
- Filtering wallets in the dashboard
- Targeting policies to specific wallet groups
- Organizing wallets by purpose, team, or risk level
See how to manage wallet tags and the API reference.
Separation of duties
Combine permissions and policies to enforce dual control:
- Operators can initiate transactions but cannot approve
- Approvers can approve but cannot initiate
- Policies require approver sign-off for operator-initiated transactions
By default, the initiator cannot approve their own transactions. This enforces dual control automatically.
Organization patterns
By function
| Tag | Purpose |
|---|---|
| treasury | Core treasury holdings |
| operations | Day-to-day operational wallets |
| payroll | Employee payment wallets |
| vendor-payments | Vendor disbursement wallets |
By risk level
| Tag | Purpose | Typical policies |
|---|---|---|
| cold-storage | Long-term holdings | Strict multi-sig, low velocity |
| warm-wallet | Intermediate storage | Moderate limits |
| hot-wallet | Active operations | Higher velocity, lower single-tx limits |
By network
| Tag | Purpose |
|---|---|
| eth-mainnet | Ethereum mainnet wallets |
| polygon | Polygon wallets |
| testnet | Test network wallets |
Wallets can have multiple tags. For example: treasury, cold-storage, eth-mainnet. This allows flexible policy targeting.
Example permission sets
Treasury Operator
Permissions for team members who initiate transactions:
- Wallets:Read - View wallet details and balances
- Wallets:Transfers:Create - Initiate transfer requests
- Wallets:Transfers:Read - View transfer history
- Wallets:Transactions:Create - Sign and broadcast transactions
- Wallets:Transactions:Read - View transaction history
Treasury Approver
Permissions for team members who approve transactions:
- Wallets:Read - View wallet details
- Wallets:Transfers:Read - View transfer details
- Wallets:Transactions:Read - View transaction details
- Approval permissions for assigned policies
Auditor (read-only)
Permissions for external auditors or compliance:
- Wallets:Read - View all wallets
- Wallets:Transfers:Read - View all transfers
- Wallets:Transactions:Read - View all transactions
- Policies:Read - View policy configurations
- Auth:Logs:Read - View audit logs
See security best practices for more role templates.
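Each permission set above is clean on its own, but a user who holds two roles gets the union of both. The following is an added example (not the platform's own code) that audits user-to-role assignments for combinations that break the separation of duties described on this page. The role keys, the sample users, and the `<approval-permission>` placeholder are assumptions, since the page does not name the approval permission.

```python
# Permission sets as listed on this page. APPROVE is a placeholder:
# the page does not name the approval permission.
APPROVE = "<approval-permission>"
INITIATE = {"Wallets:Transfers:Create", "Wallets:Transactions:Create"}

ROLES = {  # role keys are hypothetical labels for the three sets above
    "treasury-operator": {
        "Wallets:Read", "Wallets:Transfers:Create", "Wallets:Transfers:Read",
        "Wallets:Transactions:Create", "Wallets:Transactions:Read",
    },
    "treasury-approver": {
        "Wallets:Read", "Wallets:Transfers:Read",
        "Wallets:Transactions:Read", APPROVE,
    },
    "auditor": {
        "Wallets:Read", "Wallets:Transfers:Read", "Wallets:Transactions:Read",
        "Policies:Read", "Auth:Logs:Read",
    },
}


def audit(assignments):
    """Return sorted (user, finding) pairs for role mixes that break the model."""
    findings = []
    for user, roles in assignments.items():
        unknown = sorted(set(roles) - set(ROLES))
        if unknown:
            findings.append((user, "unknown-role:" + ",".join(unknown)))
        # Effective permissions are the union of every known role the user holds.
        perms = set().union(*(ROLES[r] for r in roles if r in ROLES))
        if perms & INITIATE and APPROVE in perms:
            findings.append((user, "can-initiate-and-approve"))
        if "auditor" in roles and any(not p.endswith(":Read") for p in perms):
            findings.append((user, "auditor-not-read-only"))
    return sorted(findings)


# Constructed sample assignments (user -> roles), not real data.
SAMPLE = {
    "alice": ["treasury-operator"],
    "bob": ["treasury-approver"],
    "carol": ["treasury-operator", "treasury-approver"],
    "dave": ["auditor", "treasury-operator"],
    "erin": ["auditor", "wallet-admin"],
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

Unknown role names are reported rather than ignored, so a role created outside the reviewed templates shows up in the audit output.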