User Management

Learn how users are invited, assigned roles, and governed in Secryn.

User Management in Secryn allows administrators to control who can access the system and define what they are allowed to do. Access is governed by project-level roles and optional restricted vault rules.

User Management is available to Admins only.

User Model Overview

In Secryn:

  • Users are added by an Admin.
  • There is no public self-registration.
  • Roles are assigned at the project level.
  • Users may belong to multiple projects.
  • Permissions are enforced through RBAC.
  • Users authenticate with email and password (or configured social login providers).

Inviting a User

To add a new user:

  • Navigate to User Management
  • Click Add User
  • Enter:
    • Email address
    • Initial role
  • Send invitation

The user receives an email with a secure link.

Upon first login, the user:

  • Sets their name
  • Sets their password
  • Gains access according to assigned role

Until the invitation is accepted, the user remains in a pending state.

Roles

Secryn includes four predefined roles:

  • Admin
  • Project Manager
  • Contributor
  • Read-only

Roles define what a user can do within projects and vaults.

Role capabilities are enforced consistently across:

  • Web UI
  • API
  • MCP

For a full breakdown of permissions, see the RBAC section.

Assigning Users to Projects

Users must be assigned to projects to access vaults and resources.

Within a project:

  • Admins and Project Managers can add or remove users
  • Roles are assigned per project
  • Access can differ across projects

If a user is not assigned to a project, they cannot see it.

Restricted Vault Access

If a vault is marked as Restricted:

  • Contributors and Read-only users must be explicitly added
  • Project Managers retain access
  • Admins always retain access

Restricted vaults override default project-level access.

Editing a User

Admins can:

  • Change a user's role
  • Add or remove project access
  • Disable a user account

Users can:

  • Change their name
  • Change their password
  • Enable or disable email notifications

Users cannot:

  • Change their email address
  • Delete their own account

Disabling a User

Disabling a user:

  • Immediately prevents login
  • Preserves audit history
  • Does not delete activity logs

Disabling is preferred over deletion to maintain audit integrity.

Email Notifications

Users can enable or disable email notifications.

If disabled:

  • System notifications (e.g., expiration alerts) are not sent
  • Authentication-related emails (password reset, invitation) are still sent

Access Enforcement

All user actions are:

  • Evaluated against RBAC rules
  • Checked against vault restrictions
  • Logged in audit logs

Access is never implicitly granted.

Security Model

User management in Secryn follows these principles:

  • Explicit access assignment
  • Project-scoped roles
  • No hard deletion of users
  • Immutable audit trail
  • Separation between authentication and authorization

Best Practices

  • Assign the least privilege necessary
  • Use restricted vaults for sensitive data
  • Regularly review project membership
  • Disable unused accounts promptly
  • Avoid granting Admin role unless required