Organizations and roles

BroSettlement access is scoped by organization. Users and service accounts receive roles that determine what they can view, configure, approve, and automate.

Roles

| Role | Typical use | Access level |
|---|---|---|
| owner | Company owner or primary administrator | Full organization control |
| admin | Operations or engineering administrator | Manage users, settings, wallets, and API access |
| operator | Treasury or support operator | Execute approved operational workflows |
| reader | Finance, audit, or support viewer | Read-only access |
| service | Backend integration account | API access for automated workflows |

Access model

Each action is evaluated against:

  • Organization membership
  • Assigned role
  • 2FA status
  • API key permissions
  • IP whitelist rules
  • Operation policy

  1. Create owner and admin accounts

Keep at least two trusted administrators with mandatory 2FA enabled.

  2. Create service accounts

Create separate service accounts for production, staging, and internal tools.

  3. Limit API permissions

Give each API key the smallest set of permissions needed for its workflow.

  4. Review access regularly

Remove inactive users and rotate API keys when team ownership changes.
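
The four steps above can be turned into a periodic access review. The script below is an added example, not BroSettlement code: it runs over a constructed export of users and API keys and reports one finding per rule broken. The field names, permission strings, and the 90-day inactivity threshold are assumptions; only the role names come from this page.

```python
from datetime import date, timedelta

ADMIN_ROLES = {"owner", "admin"}  # role names from the table on this page

def review(users, keys, today, inactive_days=90):
    """Return (step, subject, finding) tuples for the four checklist steps."""
    out = []
    # Step 1: at least two administrators, each with 2FA enabled.
    admins = [u for u in users if u["role"] in ADMIN_ROLES]
    out += [(1, u["name"], "administrator without 2FA") for u in admins if not u["two_fa"]]
    if sum(u["two_fa"] for u in admins) < 2:
        out.append((1, "organization", "fewer than two administrators with 2FA"))
    # Step 2: one service account per environment.
    envs = {}
    for k in keys:
        envs.setdefault(k["account"], set()).add(k["env"])
    out += [(2, a, "shared across " + ", ".join(sorted(e)))
            for a, e in sorted(envs.items()) if len(e) > 1]
    # Step 3: permissions granted but never used are candidates for removal.
    out += [(3, k["id"], "unused: " + ", ".join(sorted(k["granted"] - k["used"])))
            for k in keys if k["granted"] - k["used"]]
    # Step 4: inactive users (assumed 90-day threshold), and keys not rotated since ownership changed.
    cutoff = today - timedelta(days=inactive_days)
    out += [(4, u["name"], "inactive since " + u["last_active"].isoformat())
            for u in users if u["last_active"] < cutoff]
    out += [(4, k["id"], "not rotated after ownership change")
            for k in keys if k.get("owner_changed") and k["rotated"] < k["owner_changed"]]
    return out

# Constructed sample export; field and permission names are assumptions.
USERS = [
    {"name": "alice", "role": "owner", "two_fa": True, "last_active": date(2024, 5, 28)},
    {"name": "bob", "role": "admin", "two_fa": False, "last_active": date(2024, 5, 30)},
    {"name": "carol", "role": "reader", "two_fa": True, "last_active": date(2024, 1, 10)},
]
KEYS = [
    {"id": "key-1", "account": "svc-prod", "env": "production", "rotated": date(2024, 4, 1),
     "granted": {"wallets:read"}, "used": {"wallets:read"}},
    {"id": "key-2", "account": "svc-shared", "env": "staging", "rotated": date(2023, 6, 1),
     "owner_changed": date(2024, 2, 1),
     "granted": {"wallets:read", "users:manage"}, "used": {"wallets:read"}},
    {"id": "key-3", "account": "svc-shared", "env": "production", "rotated": date(2024, 3, 1),
     "granted": {"wallets:read"}, "used": {"wallets:read"}},
]

if __name__ == "__main__":
    for step, subject, finding in review(USERS, KEYS, today=date(2024, 6, 1)):
        print(f"step {step}: {subject}: {finding}")
```

An empty result means the export satisfies all four steps; each finding names the step it violates so it can be routed to the account or key owner.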