Concepts

RBAC

Understand how Secryn enforces roles and permissions.

Secryn uses role-based access control (RBAC) to define what users can see and do across projects, vaults, and resources. Roles are assigned at the project level and enforced consistently across the UI and API.

How RBAC Works

Access checks evaluate:

  1. membership in a project
  2. project role
  3. vault restrictions (including restricted vaults)
  4. resource visibility (for public keys/certificates)

Built-in Roles

Four predefined roles cover most workflows:

  • Admin – full system access, including app settings, users, and all projects. Bypasses all restrictions.
  • Project Manager – manages vaults, secrets, keys, and certificates within their projects. Can manage contributors/read-only users in those projects.
  • Contributor – creates and updates resources in authorized vaults. Cannot manage users or projects and cannot access restricted vaults unless explicitly added.
  • Read-only – view-only access for vaults they have permission to see. Secret values remain masked.

Restricted Vaults

Restricted vaults add another gate:

  • Admins and Project Managers automatically have access.
  • Contributors and Read-only users must be explicitly added.
  • Vault restrictions override project membership.
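To make the evaluation order under "How RBAC Works" and the restricted-vault rules above concrete, here is an added Python model of the access check; it is illustrative code written for this page, not Secryn's implementation. It covers gates 1 to 3 plus the Read-only masking rule (the resource-visibility gate for public keys/certificates is left out), and the `Role`, `User`, `Vault` and `Decision` types, the action names, and the sample project and users are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

Role = Enum("Role", "PROJECT_MANAGER CONTRIBUTOR READ_ONLY")   # Admin is system-wide, handled separately

@dataclass
class User:
    name: str
    is_admin: bool = False
    project_roles: dict = field(default_factory=dict)    # project name -> Role

@dataclass
class Vault:
    name: str
    project: str
    restricted: bool = False
    explicit_members: set = field(default_factory=set)   # users explicitly added to a restricted vault

@dataclass
class Decision:
    allowed: bool
    reason: str                 # kept so every decision can be audit-logged
    mask_values: bool = False   # True when secret values must stay masked (Read-only)

WRITE_ACTIONS = {"create", "update"}

def check_access(user: User, vault: Vault, action: str) -> Decision:
    """Evaluate the gates in the order the page lists them; the first failing gate denies."""
    if user.is_admin:                                    # Admin bypasses all restrictions
        return Decision(True, "admin bypass")
    role = user.project_roles.get(vault.project)
    if role is None:                                     # 1. project membership
        return Decision(False, "not a member of the project")
    if action in WRITE_ACTIONS and role is Role.READ_ONLY:   # 2. project role
        return Decision(False, "read-only role cannot create or update")
    if vault.restricted and role is not Role.PROJECT_MANAGER and user.name not in vault.explicit_members:
        return Decision(False, "restricted vault: user not explicitly added")   # 3. vault restriction
    return Decision(True, f"{role.name.lower()} permitted", mask_values=role is Role.READ_ONLY)

# Constructed sample data for the demonstration (not from any real Secryn deployment)
PROD_DB = Vault("prod-db", project="payments", restricted=True, explicit_members={"bob", "carol"})
USERS = {
    "root": User("root", is_admin=True),
    "dave": User("dave", project_roles={"payments": Role.PROJECT_MANAGER}),
    "alice": User("alice", project_roles={"payments": Role.CONTRIBUTOR}),   # member, but not added to vault
    "bob": User("bob", project_roles={"payments": Role.CONTRIBUTOR}),
    "carol": User("carol", project_roles={"payments": Role.READ_ONLY}),
    "erin": User("erin", project_roles={"billing": Role.CONTRIBUTOR}),      # member of another project
}
```

Run `check_access(USERS["alice"], PROD_DB, "read")` to see the restricted-vault gate deny a Contributor who is a project member but was never explicitly added.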

RBAC vs API Tokens

RBAC applies to user accounts (UI + user-authenticated API calls). It does not apply to vault access keys or public URLs, which have their own scoping rules.

Best Practices

  • Grant the least privilege required.
  • Use restricted vaults for sensitive data.
  • Limit Project Manager assignments.
  • Review access regularly.
  • Use access keys for automation instead of user credentials.

RBAC keeps Secryn secure and auditable while still enabling collaboration across teams.