Technical overview
The root quorum is a group of users who can execute any action and bypass the policy engine. The root quorum is defined by:
- userIds: the IDs of users who compose the quorum set
- threshold: the number of quorum members required to execute an action as root
threshold / userIds.length. So a quorum with a threshold of 2 and set size of 5 can be referred to as 2 / 5.
Defaults
When you create an organization, the root quorum defaults to your user with a threshold of 1.
Updating the root quorum
Only the current root quorum can approve updates to the quorum. It is not possible to grant permission to edit the root quorum through policies. Both the website and public APIs expose the ability to update the root quorum.
Best practices
Limit tasks you perform with the root quorum
The root quorum should only be used in cases where it is absolutely necessary. In particular, the root quorum should primarily be used to unblock an organization in the event of incorrect policies or lockout. For example, if you accidentally set overly restrictive policies that prevent users from taking any action, the root quorum can be used to delete the relevant policies.
Create scoped users for day-to-day actions
Ensure that you have scoped policies for day-to-day actions that you expect to complete. For example, you may have an API user with permissions to only create sub-organizations. You can read more about creating policies in our Policy Overview.
Configuration considerations
There are primarily two factors to consider when setting the root quorum:
- How hard is it to get locked out of root? That is, how many authenticators need to be lost or destroyed so that the threshold cannot be met?
- How many authenticators need to be compromised for an attacker to take root actions?
For example, with a 2 / 5 quorum:
- If 4 users lost all their authenticators, no root actions could be taken (including updating the quorum itself).
- If 2 different users' authenticators are compromised, an attacker could steal all the organization's funds.
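To compare candidate settings on both factors, the sketch below scores every threshold for a given quorum set. It is an added example, not code from this documentation or its API. The per-user authenticator inventory, the user names, and the function names are hypothetical, and it assumes that one compromised authenticator is enough to act as its user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuorumRisk:
    threshold: int
    size: int
    users_lost_for_lockout: int           # users who must lose every authenticator
    authenticators_lost_for_lockout: int  # fewest destroyed authenticators that lock out root
    users_compromised_for_root: int       # distinct users an attacker must control


def analyze_quorum(threshold, authenticators_per_user):
    """Score one threshold / userIds.length setting.

    authenticators_per_user is a hypothetical inventory: userId -> number of
    authenticators that user has registered.
    """
    size = len(authenticators_per_user)
    if not 1 <= threshold <= size:
        raise ValueError("threshold must be between 1 and the number of userIds")
    if any(count < 1 for count in authenticators_per_user.values()):
        raise ValueError("every quorum member needs at least one authenticator")
    # Root is locked out once fewer than `threshold` members can still sign.
    users_lost = size - threshold + 1
    # Worst case: the members with the fewest authenticators lose theirs first.
    fewest = sum(sorted(authenticators_per_user.values())[:users_lost])
    # Assumption: one compromised authenticator is enough to act as its user.
    return QuorumRisk(threshold, size, users_lost, fewest, threshold)


def compare_thresholds(authenticators_per_user):
    """Return the risk figures for every valid threshold, lowest first."""
    size = len(authenticators_per_user)
    return [analyze_quorum(t, authenticators_per_user) for t in range(1, size + 1)]


if __name__ == "__main__":
    # Constructed inventory for a five-member quorum (not real user IDs).
    inventory = {"user-a": 1, "user-b": 1, "user-c": 2, "user-d": 2, "user-e": 3}
    for risk in compare_thresholds(inventory):
        print(f"{risk.threshold} / {risk.size}: lockout after "
              f"{risk.users_lost_for_lockout} users "
              f"({risk.authenticators_lost_for_lockout} authenticators) lost, "
              f"root after {risk.users_compromised_for_root} users compromised")
```

Raising the threshold increases the number of users an attacker must compromise but lowers the number of lost authenticators that locks the organization out of root, so the two columns move in opposite directions.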