Workspace administration
Overview
- This article is here to guide you through the major steps in setting up your workspace on the Vault.
- It will cover the administrator rule, accounts, transactions, users, groups, and whitelists.
Admin rule
For step-by-step instructions on how to edit the admin rule, see Edit the admin rule.
What is the admin rule?
Admin rule is the name given to the number of approvals required from all Administrators to authorize sensitive actions in your workspace (for example: creating an account, revoking a user...). It's the minimum number of approvals that must be collected before a request is effective.
How can I set up the admin rule?
To properly operate in your workspace, the admin rule must be set up in such way that:
- there are at least three Administrators registered.
- the required number of approvals is lower than the total number of Administrators.
Impact of editing the admin rule
Editing the admin rule is a critical action and should be thought through beforehand. All pending requests will fail if they're not processed before editing the admin rule as a new number of approvals will have to be collected.
How revoking an Administrator affects the admin rule
Revoking an Administrator potentially decreases the required number of approvals required to authorize sensitive tasks. You'll be prevented from revoking an Administrator if this results in having less than three Administrators registered in your workspace.
Limitations
You'll be prevented from editing the admin rule if any of the following requests are pending approval in your workspace:
- Invite Administrator
- Revoke Administrator
- Edit admin rule
Accounts
For step-by-step instructions on how to create an account, see Create an account.
Number of accounts
The number of accounts you can create in your workspace depends on the pricing plan your organization subscribed to.
Configuring account rules
You can ensure transaction requests are submitted to specific approvers before they're sent to the blockchain network using transaction rules.
Build simple workflows with a single approval step, or complex workflows using up to four rules each containing different conditions on approval steps, amount ranges, and whitelists.
Transaction rules conditions
Transaction rules allow setting up conditions to require specific approvals if the conditions are met.
| Conditions | Description |
| Creators |
Selected Operators can create transactions in the account. You can select up to 20 Operators or a single group. |
| Amount range (optional) |
Allows defining the minimum and maximum amounts that can be spent per transaction. If not provided, Operators can send any amount. |
| Whitelist (optional) |
Allows restraining the list of recipients to which funds can be sent to. If not provided, Operators can send funds to any address. |
| Approval steps (optional) |
Allows defining the approvers of a transaction request and up to three different rounds of approvals before a transaction is broadcasted to the network. |
You create the HeyBitcoin account with two rules.
- Rule 1 for transactions between BTC 0 and BTC 20 Operators of the APAC Ops group are allowed to send funds to any addresses and you apply a 3-step approval workflow where a total of 5 Operators are required to approve.
- Rule 2 for transactions between BTC 20 and BTC 50, you allow Operators to send funds to addresses listed in the APAC Ops whitelist only, and you apply a two-step approval workflow where a total of 5 Operators are required to approve.
How are account rules applied?
Transaction rules are applied sequentially. In other words, you must arrange them in the order you want them to be executed. This is particularly important as the first matching rule will always be selected. If the first rule isn't applicable, the next rules are checked until the first valid rule is found.
In cases where the amount range overlaps between two rules the first valid rule will always be selected. For example, an overlap on BTC 100:
- Rule 1: BTC 0 to BTC 100.
- Rule 2 : BTC 100 to BTC 200, the transaction rule selected and applied will always be rule 1.
Use the drag and drop icon to order rules when creating the account.
Rules are applied automatically depending on the amount and recipient address entered by the Operator when creating the transaction.
Example (part 2)
The HeyBitcoin account has two rules (see Example (part 1)). Operator A creates a transaction request of BTC 30. The Ledger Vault will first scan rule 1. This rule isn't applicable, so it'll move to rule 2 which is applicable for this amount.
Note that if an Operator creates a transaction request of 60 BTC it'll be rejected as you haven't defined a rule that includes that amount.
Limitations of transaction rules
Operators can't create and approve the same request...
This ensures responsibility is shared among Operators. If an Operator has been selected in the approval workflow and in the Creators conditions they'll only be able to perform one action: create the transaction request or approve it.
A group can't be selected more than twice...
The same group can be selected once in the Creator condition and once in the Approval workflow. However, the Operator who created the request won't be able to approve it. As a result, you will never be able to have all Operators in the group to approve the request as the Operator who created it will be counted out.
The same group can't be selected twice as an approver in the Approval workflow condition. The same goes for individual users.
Bitcoin accounts
Although we continue to support Bitcoin legacy accounts, since the 13th of September 2022 it is only possible to choose the Native Segiwt type when creating a Bitcoin account.
- A Native Segwit (or Bech32) account, for addresses starting with bc1 .
It's not possible to create Nested Segwit accounts, but you can send funds to these addresses.
For additional information, see Bitcoin: What’s the difference between SegWit and Native SegWit (Bech32)?
ERC20 token accounts
ERC20 token accounts created in your workspace must all be connected to an Ethereum account — the parent. This parent Ethereum account is used to pay gas fees when Operators create transactions, and should therefore always be credited.
Creating ERC20 accounts
When creating a token account you have two options:
- Connect it to an existing Ethereum account: To allow the ERC20 account to use this Ethereum account to pay for gas fees. This is possible only if that account hasn't been connected to another occurrence of that same token.
- Create a new one: To automatically create a new Ethereum account if none exist in your workspace or if the existing ones are already linked to an occurrence of the ERC20 token. This account will be view-only until you activate it by providing transaction rules.
View-only Ethereum accounts
View-only is the status given to accounts for which transaction rules haven't been defined yet. This status can be given to two types of accounts:
- Ethereum accounts created while Creating ERC20 accounts .
- ERC20 tokens that have been airdropped into your Ethereum account.
Activating view-only Ethereum accounts
To activate view-only accounts, you must provide their transaction rules. This can be done from the account's dashboard. Until you do so, the account will have the View-only status and Operators won't be able to create transactions. However, if the Ethereum account is credited, it can be used to pay gas fees when creating transactions in children ERC20 accounts.
For more information, see Activate a view-only account.
Account permission limitation
Operators who have access to ERC20 token accounts, but not the parent Ethereum account won't be able to access the Ethereum account dashboard. This won't prevent them from creating transaction in the ERC20 token accounts.
Allowing UTXO consolidation in the account
If the account you create uses whitelists only, make sure you either add the address index 0 of that account to one of the whitelists or create a separate rule for this address. This is to ensure Operators can consolidate UTXOs in the account.
Generating receive addresses
You can generate a public address from the account's dashboard each time you need to share it or transfer funds to yourself from any hardware wallet or exchange platform.
To provide the best level of security, verify the address after you copy and paste it. Malware on your computer might replace addresses in your clipboard.
Assets
Which crypto assets are supported on the Vault?
For a complete list of the crypto assets supported on the Vault today, please check this article.
Groups
Groups are particularly useful if you'd like to gather users who hold a similar approval level or who belong to the same company. A group can contain up to 20 members. If an Operator is revoked from your workspace, they'll also be automatically removed from any group they belong to.
Whitelists
A whitelist is a collection of addresses that can be linked to accounts. It allows ensuring Operators send funds to a specific set of addresses only. This is particularly useful if you create whitelists for specific customers or if you want to save time by gathering your most used addresses.
You can save up to 300 addresses in a whitelist, and for ease of identification, each must be named. It can contain any crypto asset addresses. However, when creating an account, only whitelists containing at least one address in the currency of the account can be linked.
Limitations
ERC20 token whitelists
It's not currently possible to whitelist ERC20 token addresses. To bypass this limitation, save the address of the parent Ethereum account in a whitelist. This will automatically whitelist its linked ERC20 children accounts and allow you to send tokens.
Deleting whitelists
It's not currently possible to delete whitelists.