# Configure your admin policy

This page walks you through editing the Administrative Policy: opening a draft, assigning actions to groups, reviewing the change summary, and activating the new policy with a passkey signature.

:::note
You need the **Modify Admin Policy** capability to make changes. At bootstrap, this capability is granted to the Admins group. If you cannot see the **Edit Policy** button, ask an administrator who has this capability.
:::

## Open a draft

1. Navigate to **Admin Policy** in the sidebar.
2. The page shows a two-pane layout. The left pane lists all twelve administrative actions. The right pane shows the current rules for whichever action you have selected.
3. Click **Edit Policy** in the top-right corner. The entire page enters edit mode simultaneously: all twelve actions become editable in a single draft.

:::tip
Only one pending draft can exist at a time. If you open a draft and leave without submitting or discarding, the draft remains open and the **Edit Policy** button takes you back into it rather than creating a new one.
:::

## Assign actions to groups

In edit mode, select each action in the left pane to configure its rules.

For each action:

1. Select the action in the left pane.
2. The action stays **denied by default**: no one can perform it until you add a rule granting it to a group.
3. Add one or more rules, choosing which groups are allowed to perform this action.
4. Repeat for each action you want to configure.

**Tracking changes:** actions with unsaved changes show a blue dot in the left pane. Actions with configuration errors (for example, a rule referencing a group that has been deleted) show a red dot. Fix all red-dot errors before submitting.

## A common starter policy

If you are setting up the vault for the first time, a workable starting point assigns actions like this:

| Action | Group |
|---|---|
| Manage Users | Operations group |
| Manage User Groups | Operations group |
| Modify Admin Policy | Senior admins |
| Modify Signing Policy | Trading operations |
| Freeze Keys | Operations group |
| Unfreeze Keys | Senior admins |
| Import/Generate Keys | Trading operations |
| Delete Keys | Senior admins |
| View System Resources | All staff group |
| View and Export Audit Log | Compliance group |
| Access Keys Backup | Senior admins |
| Configure Venues | Trading operations |

Adjust group names to match your organization's structure and risk tolerance.

## Review the change summary

When you are satisfied with all your changes:

1. Click **Submit** in the top-right corner.
2. A summary modal opens showing a diff of every changed action: rules added and rules removed.
3. Review the diff carefully. If anything looks wrong, click **Cancel** to go back and adjust the draft.

## Submit and sign with your passkey

1. Click **Confirm** in the summary modal.
2. Your browser shows the WebAuthn prompt (Face ID, Touch ID, Windows Hello, or PIN depending on your device).
3. Approve the gesture. The passkey signature is attached to the policy submission.
4. The vault applies all changed rules atomically. The page exits edit mode and shows the newly active policy.

## Discard a draft

If you want to abandon all changes:

1. Click **Discard** while in edit mode.
2. A confirmation dialog asks you to confirm. Discarding removes all unsaved rule changes across every action.

You can also click **Discard** at any point during editing if you want to start over. The policy in effect remains unchanged until you submit.
