{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Configure approval flows","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"configure-approval-flows","__idx":0},"children":["Configure approval flows"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Approval groups add human oversight to critical operations in your organization. They require designated users to review and approve actions before those actions take effect. As an owner or administrator, you configure approval groups to enforce governance across transactions, addresses, policies, credentials, users, and devices."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"what-approval-groups-govern","__idx":1},"children":["What approval groups govern"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can create one default approval group per entity type:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Entity type"},"children":["Entity type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"What requires approval"},"children":["What requires approval"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Transactions"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve outgoing transactions before the MPC quorum signs them and Palisade broadcasts them to the blockchain."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Addresses"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve new address book entries before they become active."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Policy rules"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve new or updated transaction policy rules before they take effect."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve new API credentials before integrations can use them."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Users"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve new user invitations before Palisade sends the invitation."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Devices"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Designated approvers must approve new device registrations before the device can join a quorum."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Active organization owners approve approval group changes before Palisade applies them."]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each entity type can have one default approval group that applies organization-wide. ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Only transaction approval groups support wallet-level overrides"]}," — all other entity types are organization-wide only."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," type is a special organization-wide control. It governs approval groups themselves, including wallet-level transaction approval group overrides. Palisade manages its approver list and uses the organization's active owners. You set only the required approval threshold and timeout."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-approval-groups-in-the-console","__idx":2},"children":["Configure approval groups in the console"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approvals"]}," page in the console to create, update, and delete approval groups. For step-by-step console instructions, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/security-controls/approvals"},"children":["Approvals"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"require-approval-for-approval-group-changes","__idx":3},"children":["Require approval for approval group changes"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," type to require owner approval before approval group changes take effect. This control protects the settings that decide who can approve transactions, addresses, policies, API credentials, users, devices, and approval group changes."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure this approval group before you create or update other approval groups if you want active owners to approve those changes. The first ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," approval group establishes the requirement. After it exists, Palisade routes later approval group changes through the active owner approval flow."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To configure this requirement in the console, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/security-controls/approvals#require-approval-for-approval-group-changes"},"children":["Require approval for approval group changes"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After you create this approval group, Palisade creates a pending approval request when someone creates, updates, or deletes an organization-level approval group. Palisade applies the requested change only after enough active owners approve it. If you later update or delete the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," approval group itself, Palisade also sends that change to active owners for approval."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Wallet-level transaction approval group overrides use the same protection. If you update a wallet to use the default approval group, no approval group, or a custom list of transaction approvers, Palisade keeps the wallet-level change pending until enough active owners approve it."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Active owner approval"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Palisade sends approval group change requests only to active organization owners. Keep enough active owners available to meet the threshold before you enable this requirement."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["While an approval group change is pending:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Palisade keeps the current approval group configuration in effect."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The approval groups table shows ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Pending creation"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Pending update"]},", or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Pending deletion"]}," status."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You cannot submit another change for the same approval group until the pending approval completes, expires, or an owner rejects it."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If an owner rejects the approval request or the request expires, Palisade leaves the existing approval group configuration unchanged."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"wallet-level-transaction-approvals","__idx":4},"children":["Wallet-level transaction approvals"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["By default, the transaction approval group applies to all wallets. You can override it for a specific wallet by using the wallet's ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approvers"]}," tab. For the console procedure, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/security-controls/approvals#add-an-approval-group-to-a-wallet"},"children":["Add an approval group to a wallet"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If your organization uses an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," approval group, Palisade also routes wallet-level transaction approval group override changes through the active owner approval flow."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"how-approvals-work-at-runtime","__idx":5},"children":["How approvals work at runtime"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a user or API credential performs an action governed by an approval group:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The action enters a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["pending"]}," state."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Approvers receive notifications in the Palisade web console and on their registered mobile devices (if applicable)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Approvers review and approve or reject the action."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the minimum number of approvals is met within the timeout window, the action proceeds."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the timeout expires before the action receives enough approvals, Palisade automatically rejects the action."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"governance-best-practices","__idx":6},"children":["Governance best practices"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Separate initiators from approvers"]}," — assign different users to create and approve transactions. This separation of duties reduces the risk of unauthorized actions."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Govern addresses and policies, not just transactions"]}," — require approvals on address book entries and policy rule changes to prevent unauthorized modifications to your security controls."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use API credential approvals"]}," — require approval before new API credentials become active to prevent unauthorized programmatic access."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Protect approval groups"]}," — create an approval group with the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Approval groups"]}," type so changes to approvers and thresholds require active owner approval."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Maintain active owners"]}," — keep enough owner users active to meet the approval group change threshold, especially before role or user lifecycle changes."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Review approval timeouts"]}," — set timeouts that balance speed with adequate review time. Too short (5 minutes) may cause legitimate requests to expire. Too long (24 hours) may delay operations."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Start restrictive, then adjust"]}," — begin with approval groups on all entity types. Remove them only after you understand your operational patterns and are confident the controls are no longer needed."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitor approval activity"]}," — use ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/configure-audit-logging"},"children":["audit logging"]}," to track who approved what and when."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related-guides","__idx":7},"children":["Related guides"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/security-controls/approvals"},"children":["Approvals"]}," — Reference documentation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/manage-users-and-roles"},"children":["Manage users and roles"]}," — Assign the Approver role to users"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/configure-audit-logging"},"children":["Configure audit logging"]}," — Track approval activity"]}]}]},"headings":[{"value":"Configure approval flows","id":"configure-approval-flows","depth":1},{"value":"What approval groups govern","id":"what-approval-groups-govern","depth":2},{"value":"Configure approval groups in the console","id":"configure-approval-groups-in-the-console","depth":2},{"value":"Require approval for approval group changes","id":"require-approval-for-approval-group-changes","depth":2},{"value":"Wallet-level transaction approvals","id":"wallet-level-transaction-approvals","depth":2},{"value":"How approvals work at runtime","id":"how-approvals-work-at-runtime","depth":2},{"value":"Governance best practices","id":"governance-best-practices","depth":2},{"value":"Related guides","id":"related-guides","depth":2}],"frontmatter":{"title":"Configure approval flows","seo":{"title":"Configure approval flows"}},"lastModified":"2026-06-08T14:44:42.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/admin-guide/configure-approval-flows","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}