Blockstream Enterprise Custody SDK
RecipesAccess Control

Access Control Overview

How roles, rules, and permissions fit together in the Custody Engine access-control model.

This section introduces the access-control model used by Blockstream Enterprise Custody. The current structure is centered on roles, rules, and permission scope so operators can reason clearly about who can do what.

The model at a glance

The access-control model has two main building blocks:

  1. roles, which describe sets of permissions
  2. rules, which define which resource and action combinations are allowed

Together they implement RBAC for workspace- and wallet-level operations.

Why this matters

In a custody environment, access control is not just administrative metadata. It determines:

  • who can move funds
  • who can create or approve proposals
  • who can modify wallets, policies, and users
  • how audit trails map actions back to responsibilities

Scope matters

The most important distinction is scope:

  • workspace scope: organization-wide operations such as user, role, and policy management
  • wallet scope: permissions tied to specific wallets and their operational flows

Typical role families

Role familyFocus area
Workspace rolesUsers, policies, roles, groups, global visibility
Wallet rolesWallet operations, balances, transaction creation, review

That separation helps avoid over-privileging users who only need wallet-specific access.

How roles and rules fit together

  • roles package permissions into operational bundles
  • rules describe what resource and action pairs those bundles allow
  • users receive access through assigned roles rather than per-user hand editing

Design goals

The model is built around:

  • separation of duties
  • least privilege
  • auditability
  • operational scalability

On this page