Wallet operations
Organizations and roles
BroSettlement access is scoped by organization. Users and service accounts receive roles that determine what they can view, configure, approve, and automate.
Roles
| Role | Typical use | Access level |
|---|---|---|
| owner | Company owner or primary administrator | Full organization control |
| admin | Operations or engineering administrator | Manage users, settings, wallets, and API access |
| operator | Treasury or support operator | Execute approved operational workflows |
| reader | Finance, audit, or support viewer | Read-only access |
| service | Backend integration account | API access for automated workflows |
Access model
Each action is evaluated against:
- Organization membership
- Assigned role
- 2FA status
- API key permissions
- IP whitelist rules
- Operation policy
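
The six checks above combined into one deny-by-default decision, as an added example that is not BroSettlement's own code. The `Request` fields, the action names, the role-to-action mapping, the 2FA exemption for `service` accounts, and the rule that an empty IP allowlist denies are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumption: action sets per role, loosely derived from the roles table.
ROLE_ACTIONS = {
    "owner": {"view", "configure", "approve", "execute"},
    "admin": {"view", "configure", "approve", "execute"},
    "operator": {"view", "execute"},
    "reader": {"view"},
    "service": {"view", "execute"},
}

@dataclass
class Request:  # hypothetical request shape
    org_id: str
    member_of: set
    role: str
    action: str
    source_ip: str
    has_2fa: bool = False
    key_perms: Optional[set] = None  # None = interactive session, no API key
    ip_allowlist: list = field(default_factory=list)  # CIDR strings
    policy_ok: bool = False  # outcome of the operation policy for this action

def evaluate(req):
    """Return (allowed, reason). Checks are ANDed; the first failure denies."""
    if req.org_id not in req.member_of:
        return False, "organization membership"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "assigned role"
    if req.role != "service" and not req.has_2fa:  # assumption: humans need 2FA
        return False, "2FA status"
    if req.key_perms is not None and req.action not in req.key_perms:
        return False, "API key permissions"
    try:
        ip = ipaddress.ip_address(req.source_ip)
        nets = [ipaddress.ip_network(c) for c in req.ip_allowlist]
    except ValueError:
        return False, "IP whitelist rules"  # malformed input fails closed
    if not any(ip in n for n in nets):  # assumption: empty allowlist denies
        return False, "IP whitelist rules"
    if req.action in {"approve", "execute"} and not req.policy_ok:
        return False, "operation policy"
    return True, "allowed"

# Constructed sample: a service key calling from a documentation-range address.
SAMPLE = Request("org-1", {"org-1"}, "service", "execute", "203.0.113.10",
                 key_perms={"view", "execute"}, ip_allowlist=["203.0.113.0/24"], policy_ok=True)
```

Returning the name of the failed check alongside the decision gives audit logs a reason for every denial.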
Recommended setup
- Create owner and admin accounts. Keep at least two trusted administrators with mandatory 2FA enabled.
- Create service accounts. Create separate service accounts for production, staging, and internal tools.
- Limit API permissions. Give each API key the smallest set of permissions needed for its workflow.
- Review access regularly. Remove inactive users and rotate API keys when team ownership changes.