Roles & Permissions - Frequently Asked Questions
Quick answers to common questions about roles and permissions on the Torvus Platform.
General Questions
What is my default role?
All users are automatically assigned VAULT_VIEWER when they sign up. This role provides read-only access to your own vaults and documents.
How do I check my current role?
Look for the role badge in the header of the Platform (e.g., "Viewer", "Admin"). You can also check Settings → Account → Roles & Permissions for a complete list.
Can I have multiple roles?
Yes! Users can have multiple roles, and capabilities are cumulative. Your "primary role" is the highest-privilege role you have.
Permission Questions
Why can't I delete my vault?
Vault deletion requires the VAULT_OWNER role. VAULT_VIEWER only provides read access. Contact your vault administrator to request owner privileges.
Why is the delete button greyed out?
Disabled buttons indicate actions that require a higher role. Hover over the button to see which role is required and how to request it.
What does "View-Only Mode" mean?
This alert appears when you're viewing a resource with the VAULT_VIEWER role but don't have modification permissions. You can view, but not edit, delete, or configure.
Can VAULT_VIEWER create vaults?
Yes! All authenticated users can create vaults. When you create a vault, you automatically become its VAULT_OWNER.
Can VAULT_VIEWER sign documents?
Yes! PAdES document signing is available to all authenticated users, including VAULT_VIEWER.
Role Capabilities
What can VAULT_VIEWER do?
- ✅ View own vaults and documents
- ✅ Create new vaults (becomes owner)
- ✅ Upload/download own documents
- ✅ Sign documents with PAdES
- ✅ View signing jobs and receipts
- ✅ View own audit trail
What can VAULT_OPERATOR do?
Everything VAULT_VIEWER can do, plus:
- ✅ Execute shadow (test) releases
What can VAULT_ADMIN do?
Everything VAULT_OPERATOR can do, plus:
- ✅ Execute real releases (with MFA)
- ✅ Manage policies and approvals
- ✅ Export audit logs
What can VAULT_OWNER do?
Everything VAULT_ADMIN can do, plus:
- ✅ Delete and rename vaults
- ✅ Manage recipients
- ✅ Full vault configuration
Upgrading Roles
How do I request a role upgrade?
- Go to Settings → Account → Roles & Permissions
- Click "Request Role Upgrade"
- Select desired role and provide justification
- Wait for administrator approval
Who can approve my request?
- VAULT_ADMIN can grant VAULT_OPERATOR
- VAULT_OWNER can grant roles for their vaults
- System administrators can grant any role
How long does approval take?
Approval time varies by organization. You'll receive an email notification when your request is approved or denied. Contact your administrator for updates.
Can I upgrade myself?
No. Role upgrades require approval from an administrator or vault owner to maintain security and proper access control.
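The role rules above (cumulative capabilities, primary role, MFA on real releases, and who may approve an upgrade) can be expressed as a small policy model. This is an added example, not Torvus platform code; the capability names, the per-vault role map, and the function names are assumptions made for illustration.

```python
# Added illustration: a model of the FAQ's role rules, not Torvus platform code.
ORDER = ["VAULT_VIEWER", "VAULT_OPERATOR", "VAULT_ADMIN", "VAULT_OWNER"]

# Capabilities each role adds on top of the role below it (names are assumed labels).
ADDS = {
    "VAULT_VIEWER": {"view_own", "create_vault", "upload_download",
                     "sign_pades", "view_signing_jobs", "view_own_audit"},
    "VAULT_OPERATOR": {"shadow_release"},
    "VAULT_ADMIN": {"real_release", "manage_policies", "export_audit"},
    "VAULT_OWNER": {"delete_rename_vault", "manage_recipients", "configure_vault"},
}

def capabilities(roles):
    """Union over all held roles; each role inherits everything below it."""
    caps = set()
    for role in roles:
        for lower in ORDER[: ORDER.index(role) + 1]:
            caps |= ADDS[lower]
    return caps

def primary_role(roles):
    """Highest-privilege role held; VAULT_VIEWER is the baseline for everyone."""
    return max(set(roles) | {"VAULT_VIEWER"}, key=ORDER.index)

def authorize(roles, action, mfa=False):
    """Deny by default; real releases additionally require MFA."""
    if action == "real_release" and not mfa:
        return False
    return action in capabilities(roles)

def may_grant(approver, target_user, role, vault, sysadmin=False):
    """approver = {'name': str, 'roles': {vault_id: set_of_roles}} (assumed shape)."""
    if approver["name"] == target_user:
        return False                 # nobody upgrades themselves
    if sysadmin:
        return True                  # system administrators can grant any role
    held = approver["roles"].get(vault, set())
    if "VAULT_OWNER" in held:
        return True                  # owners grant roles for their own vaults only
    return "VAULT_ADMIN" in held and role == "VAULT_OPERATOR"
```
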
Troubleshooting
I should have a higher role but don't see it
- Check Settings → Account → Roles & Permissions
- Verify with your administrator
- Sign out and sign back in
- Contact support if the issue persists
My role changed unexpectedly
Administrators can modify user roles. Check:
- Your email for notifications
- Audit trail in Settings → Audit Log
- Contact your administrator for clarification
Actions are disabled that shouldn't be
If buttons are disabled unexpectedly:
- Verify your current role (header badge)
- Hover over disabled button to see required role
- Check if you're the vault owner
- Contact support if you believe this is an error
I can't access a vault I own
Ownership alone isn't enough - you also need the appropriate role:
- View: Requires VAULT_VIEWER (everyone has this)
- Modify: Requires VAULT_OWNER role
- Admin functions: Requires VAULT_ADMIN
Verify you have the VAULT_OWNER role for your vault.
Security & Compliance
Are role changes logged?
Yes! All role assignments, changes, and removals are logged to the audit trail with:
- Who made the change
- When it was made
- What changed
- Reason (if provided)
Can VAULT_VIEWER access other users' vaults?
No. VAULT_VIEWER can only access vaults they own. Cross-user access requires VAULT_ADMIN privileges (for staff operations only).
What happens to my data if I lose a role?
You immediately lose access to capabilities granted by that role, but:
- Your data remains intact
- You retain VAULT_VIEWER (baseline role)
- You can request role reinstatement
- Vault owners always have access to their vaults
How is VAULT_ADMIN access secured?
VAULT_ADMIN operations require:
- Multi-factor authentication (MFA) for real releases
- Approval from other admins (if policies require)
- Clean document scans (no threats)
- Full audit logging of all actions
Best Practices
What role should I request?
Request the minimum role needed for your tasks:
- Viewing only: VAULT_VIEWER (default)
- Testing releases: VAULT_OPERATOR
- Production releases: VAULT_ADMIN
- Vault management: VAULT_OWNER (for your vaults)
Should I enable MFA?
Yes! MFA is required for VAULT_ADMIN operations and highly recommended for all users. Enable it in Settings → Security.
How often should I review my roles?
Review quarterly or:
- When changing job functions
- After project completion
- During security audits
- When access needs change
Can I temporarily elevate my role?
Some organizations support temporary role elevation. Contact your administrator to check if this is available for your use case.
Getting Help
Support Channels
- Email: support@torvussecurity.com
- Help Center: help.torvussecurity.com
- Administrator: Contact your account admin
- Feedback: feedback@torvussecurity.com
Last Updated: October 5, 2025