RecipesAccess Control
Access Control Overview
How roles, rules, and permissions fit together in the Custody Engine access-control model.
This section introduces the access-control model used by Blockstream Enterprise Custody. The current structure is centered on roles, rules, and permission scope so operators can reason clearly about who can do what.
The model at a glance
The access-control model has two main building blocks:
- roles, which describe sets of permissions
- rules, which define which resource and action combinations are allowed
Together they implement RBAC for workspace- and wallet-level operations.
Why this matters
In a custody environment, access control is not just administrative metadata. It determines:
- who can move funds
- who can create or approve proposals
- who can modify wallets, policies, and users
- how audit trails map actions back to responsibilities
Scope matters
The most important distinction is scope:
- workspace scope: organization-wide operations such as user, role, and policy management
- wallet scope: permissions tied to specific wallets and their operational flows
Typical role families
| Role family | Focus area |
|---|---|
| Workspace roles | Users, policies, roles, groups, global visibility |
| Wallet roles | Wallet operations, balances, transaction creation, review |
That separation helps avoid over-privileging users who only need wallet-specific access.
How roles and rules fit together
- roles package permissions into operational bundles
- rules describe what resource and action pairs those bundles allow
- users receive access through assigned roles rather than per-user hand editing
Design goals
The model is built around:
- separation of duties
- least privilege
- auditability
- operational scalability