Skip to main content

Roles & Access Control

Vault++ uses a Role-Based Access Control (RBAC) system to manage access. There are three levels of roles: organizational, namespace, and environment level.

Organizational roles

  1. Member
    Organization Member is the default role assigned when a user is invited to your organization. By default, this role does not have access to all namespaces and applications and must be explicitly invited to each namespace or application by its admin.

  2. Admin
    Organization Admin has access to all namespaces and secrets. This role can invite and remove users, change user roles to admin, and create or delete applications and namespaces. It can also upgrade organization memberships but does not have permission to downgrade them.

  3. Owner
    In addition to Admin access, an Organization Owner can downgrade account memberships, delete the account, and change other user roles to admin or owner. Organization Owners cannot be removed directly; they must first be downgraded to Admin to be removed. It is recommended to have 2 - 3 Owners for an optimal balance of security and account recoverability.

Namespace roles

  1. Member
    Namespace Member is the default role assigned when a user is added to a namespace or application. If a member is added at the application level, they will not have access to other applications within the same namespace by default. However, if a member is added at the namespace level, they will gain access to all applications under that namespace.

  2. Admin
    Namespace Admin has access to all applications within the namespace. Organization Admins and Owners are automatically assigned this role and cannot have it changed. This role can perform the following actions:

    • Create and delete applications under the namespace.
    • Add or remove users to/from the namespace.
    • Change user roles within the namespace to admin.
    • Add or delete service accounts.
    • Add or remove CI integrations.
    • Add or remove environments.
    • View audit logs.

Environment roles

  1. Developer
    Developer is the default role assigned when a user is added to an application. Developers can:

    • View variable values but not secret values.
    • Raise Reveal Requests.
    • Raise Merge Requests.

  2. Admin
    Environment Admin can:

    • View secret and variable values.
    • Edit secret and variable values.
    • Raise Merge Requests.
    • Approve and apply Merge Requests.
    • Grant Reveal Requests.

By default, a namespace member will have the developer role for non-local environments and the admin role for the local environment. Namespace or organization admins automatically receive the admin environment role, which cannot be changed.