All
Filter by:
How do I deposit cash into my account?
I need help with account verification
Why can't I access my account?
Are there any crypto withdrawal fees?
I need help signing into my account
Permissions and Workflows in Organizations
Last updated: May 18, 2026
This article explains how access control works in Organizations, who can do what, and on which accounts. For how approval policies govern those actions, see Policies, approvals, and governance. For a high-level overview, see About Organizations.
How access works
Access in Organizations is built on two layers:
Permissions define what a Member is allowed to do and on which accounts.
Policies determine whether an action is completed immediately or must be approved by other Members first.
A Member's effective access depends on both layers. Permissions determine what a Member can do; the workflow's policy determines whether the action completes immediately or requires independent approval first.
You can allow some Members to complete actions immediately while requiring everyone else to go through approval, or require approval for every request, regardless of who initiates it.
For how policies and approvals work, see Policies, approvals, and governance.
Permissions
Permissions define what a Member is authorized to do. They fall into two categories based on what they scope access to.
Account permissions
Account permissions define which actions a Member can perform and on which accounts. Each grant is scoped to a specific account — access to one account does not carry over to another. During Beta, only one account is available — see Beta limitations. The effective access is a combination of the permission grant, the account scope, and the workflow policy.
Permission | What it allows |
|---|---|
Trade | Place and manage orders on Spot and Margin markets |
Earn Allocate | Allocate assets into Earn (staking and yield) products |
Earn Deallocate | Deallocate (unstake) assets from Earn products |
Account permissions take effect immediately for trading and Earn operations. As multi-account support becomes available, risk will also be managed through account segregation, controlling which accounts a Member can operate on.
Workflow permissions
Workflow permissions govern how actions are performed within each workflow. These permissions apply to Members only. Service Users are authorized through API key permissions instead — see Service Users for details.
Every workflow supports the same four levels:
Permission level | What it allows |
|---|---|
View | Read-only access to the workflow's data and request history |
Initiate | Create a new request. The request enters the approval queue unless the Member also holds Execute and the policy allows immediate completion. |
Approve | Review and approve or reject a pending request created by another Member |
Execute | Complete actions immediately without waiting for approval, but only when the workflow policy allows it |
How a request is completed depends on the Member's permissions and the workflow's policy:
Member's permissions | "Always require approval" | What happens |
|---|---|---|
Initiate (without Execute) | OFF or ON | Request enters the approval queue |
Initiate + Execute | OFF | Request completed immediately |
Initiate + Execute | ON | Request enters the approval queue |
Execute bypasses the approval queue when the workflow policy allows it. When "Always require approval" is ON, Execute has no effect.
See Execute and policy interaction for details.
Implicit permission grants
Some permissions are automatically granted so Members have the visibility they need:
When a Member has... | They automatically receive... | Why |
|---|---|---|
Initiate or Approve on any workflow | View on that same workflow | Members who participate in a workflow need to see its data |
Initiate or Execute on Initiate Withdrawal | View on Manage Addresses | Members who can withdraw funds need to see whitelisted destinations |
Initiate or Execute on Manage Policies | View on Manage Access | Members who can edit policies need to see current permissions |
These implicit grants cannot be removed independently. To remove an implicit View grant, remove the permission that triggered it.
Workflows
All governed actions are organized into workflows. Each workflow contains a defined set of operations and has its own independently configurable policy. The four permission levels (View, Initiate, Approve, Execute) work the same way across all workflows.
Funding workflows
Initiate Withdrawal
Controls who can request, approve, and complete fiat and crypto withdrawals.
Operations:
- Create a fiat withdrawal
- Create a crypto withdrawal
Because withdrawals move funds out of the Organization, this workflow is typically the first one configured to require approval.
How permissions apply here:
- View: See withdrawal history and pending withdrawal requests
- Initiate: Submit a new withdrawal request (enters the approval queue)
- Approve: Approve or reject a pending withdrawal request from another Member
- Execute: Complete a withdrawal immediately (when the policy allows)
Manage Addresses
Controls who can add or remove whitelisted withdrawal destinations. Funds can only be sent to addresses on this list, so changes here directly affect withdrawal risk.
Operations:
- Add a whitelisted address (fiat or crypto)
- Remove a whitelisted address
How permissions apply here:
- View: See the current list of whitelisted fiat and crypto addresses
- Initiate: Submit a request to add or remove a whitelisted address
- Approve: Approve or reject an address change request
- Execute: Add or remove an address immediately (when the policy allows)
When a Member uses Execute to complete an address change immediately, the system requires email confirmation before the change takes effect. During Beta, the confirmation is sent to the Organization Owner. See Email confirmation for address changes.
Administration workflows
Important: Administration workflows follow the same governance model as funding workflows. Once configured with a policy, the Owner and all Members are bound by the same approval rules, including for managing access and changing policies.
Manage Access
Controls who can manage the Organization's Members and Service Users.
Operations:
- Invite a new Member
- Activate or deactivate a Member
- Edit Member permissions
- Create, remove, or edit API key (Service User) permissions
How permissions apply here:
- View: See the Member list, their permissions, and Service User configurations
- Initiate: Submit requests to invite Members, change activation status, or edit permissions
- Approve: Approve or reject access change requests
- Execute: Complete access changes immediately (when the policy allows)
Manage Policies
Controls who can modify the approval rules that apply to each workflow. This is the workflow that governs how all other workflows operate.
Operations:
- Edit a workflow's policy (change required approval count, toggle "Always require approval")
- Lock or unlock a workflow's policy
How permissions apply here:
- View: See current policy configurations for all workflows
- Initiate: Submit a request to change, lock, or unlock a policy
- Approve: Approve or reject a policy change request
- Execute: Apply a policy change immediately (when the policy allows)
Caution: Manage Policies is one of the highest-impact workflows. A change here can affect how every other workflow operates. See Locking policies for details.
How to assign permissions to a Member
- Go to the Manage Access section in your Organization.
- Select the Member you want to configure, or select Invite Member to add someone new.
- Choose a role template to start with a predefined set of permissions, or select Custom to configure each permission individually.
- For account permissions (Trade, Earn Allocate, Earn Deallocate), select the accounts the Member should have access to. During Beta, only one account is available.
- For workflow permissions, set the permission level (View, Initiate, Approve, Execute) for each workflow as needed.
- Review the permission summary and confirm.
If the Manage Access workflow has a policy configured, your changes may enter the approval queue instead of taking effect immediately. See Policies, approvals, and governance for details.
You can change a Member's permissions at any time by returning to Manage Access and editing their configuration. The same governance rules apply to permission changes as to the original assignment.
Role templates
When assigning permissions, you can choose from predefined role templates that bundle common permission combinations. Templates are a starting point — you can adjust individual permissions after applying a template.
Role template | Intended use |
|---|---|
Viewer | Read-only access across all workflows |
Trader | Account trading permissions with no administrative access |
Fund Manager | Permissions for funding operations (withdrawals, address management) |
Initiator | Can initiate requests across workflows but cannot approve or execute |
Approver | Can approve requests across workflows but cannot initiate or execute |
Admin | Full permissions across all workflows |
Custom | Manually configured permission set tailored to your needs |
During Beta, Custom roles cannot be saved and reused. You can create the same Custom configuration with a previously used name as long as it does not use the reserved role template names listed above.