# Configure approval flows

Approval groups add human oversight to critical operations in your organization. They require designated users to review and approve actions before those actions take effect. As an owner or administrator, you configure approval groups to enforce governance across transactions, addresses, policies, credentials, users, and devices.

## What approval groups govern

You can create one default approval group per entity type:

| Entity type | What requires approval |
|  --- | --- |
| **Transactions** | Designated approvers must approve outgoing transactions before the MPC quorum signs them and Palisade broadcasts them to the blockchain. |
| **Addresses** | Designated approvers must approve new address book entries before they become active. |
| **Policy rules** | Designated approvers must approve new or updated transaction policy rules before they take effect. |
| **API credentials** | Designated approvers must approve new API credentials before integrations can use them. |
| **Users** | Designated approvers must approve new user invitations before Palisade sends the invitation. |
| **Devices** | Designated approvers must approve new device registrations before the device can join a quorum. |


Each entity type can have one default approval group that applies organization-wide. **Only transaction approval groups support wallet-level overrides** — all other entity types are organization-wide only.

## Create an approval group

1. Go to **Controls** in the console sidebar, then select the **Approval groups** tab.
2. Select **Create approval group**.
3. Under **Type of approval**, select the entity type this group governs.
4. Under **Approvers**, select one or more users who can approve requests. The UI notes that per-wallet overrides are available, but only transaction approval groups support them. For all other entity types, the group applies organization-wide. Any user with the Owner, Administrator, or Approver role is eligible.
5. After you select approvers, a **Threshold** field appears. Set the minimum number of approvers required. The threshold can range from 1 to the total number of approvers in the group.
6. Under **Approval timeout**, set the time window approvers have to act before the request automatically expires. The default is 1 hour. Available options:


| Timeout option | Duration |
|  --- | --- |
| 5 minutes | 300 seconds |
| 15 minutes | 900 seconds |
| 30 minutes | 1,800 seconds |
| 1 hour | 3,600 seconds |
| 2 hours | 7,200 seconds |
| 4 hours | 14,400 seconds |
| 12 hours | 43,200 seconds |
| 24 hours | 86,400 seconds |


1. Select **Create**.


The group appears in the **Approval groups** tab on the Controls page and applies as the default for the selected entity type.

Majority approval recommended
Set the threshold to a majority of approvers rather than requiring every approver. This prevents a single unavailable approver from blocking operations. For example, if you have 3 approvers, set the threshold to 2.

## Override approvals for a specific wallet

By default, the transaction approval group applies to all wallets. You can override this at the wallet level:

1. Open the wallet and go to the **Approvers** tab.
2. Select **Update approval group**.
3. Choose one of:
  - **No approval group** — no approvals required for transactions from this wallet.
  - **Default** — use the organization-wide transaction approval group.
  - **Custom** — define wallet-specific approvers and threshold that override the default.


Custom approval groups appear in the wallet's approvers table. You can delete a custom group to revert to the default.

## Update an approval group

1. Go to **Controls** > **Approval groups**.
2. Select the approval group you want to modify.
3. Add or remove approvers and adjust the threshold as needed.
4. Save your changes.


You can't change the entity type of an existing approval group. To change the type, delete the group and create a new one.

## Delete an approval group

1. Go to **Controls** > **Approval groups**.
2. Find the approval group in the table.
3. Open the **Actions** menu and select **Delete**.


Deleting an approval group removes the approval requirement for that entity type. Operations that previously required approval proceed without it.

## How approvals work at runtime

When a user or API credential performs an action governed by an approval group:

1. The action enters a **pending** state.
2. Approvers receive notifications in the Palisade web console and on their registered mobile devices (if applicable).
3. Approvers review and approve or reject the action.
4. If the minimum number of approvals is met within the timeout window, the action proceeds.
5. If the timeout expires before the action receives enough approvals, Palisade automatically rejects the action.


## Governance best practices

- **Separate initiators from approvers** — assign different users to create and approve transactions. This separation of duties reduces the risk of unauthorized actions.
- **Govern addresses and policies, not just transactions** — require approvals on address book entries and policy rule changes to prevent unauthorized modifications to your security controls.
- **Use API credential approvals** — require approval before new API credentials become active to prevent unauthorized programmatic access.
- **Review approval timeouts** — set timeouts that balance speed with adequate review time. Too short (5 minutes) may cause legitimate requests to expire. Too long (24 hours) may delay operations.
- **Start restrictive, then adjust** — begin with approval groups on all entity types. Remove them only after you understand your operational patterns and are confident the controls are no longer needed.
- **Monitor approval activity** — use [audit logging](/products/wallet/admin-guide/configure-audit-logging) to track who approved what and when.


## Related guides

- [Approvals](/products/wallet/user-interface/security-controls/approvals) — Reference documentation
- [Manage users and roles](/products/wallet/admin-guide/manage-users-and-roles) — Assign the Approver role to users
- [Configure audit logging](/products/wallet/admin-guide/configure-audit-logging) — Track approval activity