Understanding Vault Access & Permissions

Last Updated: October 19, 2025

Torvus Platform uses a simple, secure ownership-based access model to protect your sensitive data. This guide explains how vault access works and what you can do.

⚠️ Important: Access Model Update (October 2025)

The platform now uses a vault ownership model instead of a traditional role-based access control (RBAC) system:

Vault Owner: You own vaults you create - you have full access
No Granular Roles: There are no VAULT_VIEWER, VAULT_ADMIN, or VAULT_OPERATOR roles for customers
Binary Access: You either own a vault (full control) or you don't have access
Simplified Security: Easier to understand, harder to misconfigure

What This Means for You

✅ Full Control: You have complete control over vaults you create
✅ No Confusion: No need to request role upgrades or manage permissions
✅ Better Security: Clear ownership prevents accidental data exposure
❌ No Sharing: Vault sharing features are coming in a future update

Access Model Overview

Vault access is controlled by ownership, stored in the owner_uid field when you create a vault.

How It Works

Create Vault
  └─ You become the vault owner automatically
  └─ Full access to all vault features
  └─ Cannot transfer ownership (contact support if needed)

Your Vaults
  └─ Complete control over your vaults
  └─ Upload, delete, configure, release
  └─ Manage recipients and policies

Other Users' Vaults
  └─ No access (unless shared in future update)
  └─ Vault data is strictly isolated

What You Can Do as a Vault Owner

When you create a vault, you automatically become the owner with full access to all features:

✅ Vault Management

Create vaults - Unlimited vault creation
Delete vaults - Permanently remove vaults you own
Rename vaults - Change vault names anytime
Configure settings - Customize vault behavior

✅ Document Operations

Upload documents - Add files to your vaults
Download documents - Access your files anytime
Delete documents - Remove files from your vaults
Sign documents (PAdES) - Create cryptographic signatures
View signing receipts - Access signature verification data

✅ Recipient Management

Add recipients - Configure who receives your documents
Remove recipients - Manage recipient list
Edit recipient details - Update contact information
Configure notifications - Control recipient communications

✅ Release & Policy Management

Create releases - Initiate document distribution
Execute releases - Send documents to recipients (requires MFA)
Configure policies - Set up release rules and requirements
Manage check-ins - Configure liveliness verification

✅ Monitoring & Security

View audit logs - Track all activity on your vaults
Export audit reports - Download activity history
Monitor check-ins - View liveliness verification status
Track release status - Monitor document distribution

Access Restrictions

❌ What You Cannot Do

Access other users' vaults

Vault data is strictly isolated per user
You can only see vaults where owner_uid matches your user ID
No cross-user visibility (except for Torvus staff with appropriate authorization)

Transfer vault ownership

Vault ownership cannot be transferred between users
Contact Torvus support if ownership transfer is required
Vault sharing features are planned for a future release

Grant access to others

There is no built-in vault sharing for customers yet
Recipient features only control document release distribution
Collaborative vault access is coming in a future update

Staff Access (Torvus Employees Only)

Torvus staff members may have limited access to customer vaults for support, compliance, and operations purposes:

Staff Roles

STAFF_SUPPORT - Support staff with vault access for troubleshooting
STAFF_ADMIN - Administrative staff with elevated privileges
STAFF_SECURITY - Security staff with security-specific access

Staff Access Controls

✅ All staff access is automatically logged to audit trails
✅ Staff can only access vaults via explicit override (not by default)
✅ Staff access requires @torvussecurity.com email domain
✅ You can view all staff access in your audit logs

Note: Staff roles are for Torvus employees only and cannot be requested by customers.

Frequently Asked Questions

Why was the role system changed?

The previous role system (VAULT_VIEWER, VAULT_ADMIN, etc.) was confusing because the role names suggested per-vault permissions but actually granted system-wide access. The new ownership model is simpler, clearer, and more secure.

Can I still see my "role" in the UI?

The old role badge has been removed for customers. You are always the owner of vaults you create. Torvus staff members may still see their STAFF_* role badges.

What happened to VAULT_VIEWER?

All authenticated users could previously upload, download, and sign documents - just like vault owners. There was no meaningful difference, so we simplified to a single "vault owner" model.

Vault sharing for customers is not currently available. This feature is planned for a future release. Currently, you can:

Add recipients to receive documents during a release
Contact Torvus support for special access arrangements

Can I upgrade my permissions?

There are no customer-facing permission levels to upgrade to. All vault owners have the same full access to their vaults. Torvus staff roles (STAFF_*) are only for employees.

Why do I see "View-Only Mode"?

You should not see this alert on vaults you own. If you do, it may indicate:

A bug in the application (please report it)
You're viewing a vault you don't own (very rare, contact support)
Temporary access issues (try refreshing the page)

Are there any access logs?

Yes! All actions on your vaults are logged:

Navigate to Settings → Audit Log
View all activity on your vaults
See when staff accessed your vaults (if applicable)
Export audit trails for compliance

Best Practices

Security

Enable MFA: Use multi-factor authentication for sensitive operations
Monitor Audit Logs: Regularly review your vault activity
Secure Your Account: Use strong authentication methods
Report Suspicious Activity: Contact support immediately if you see unexpected access

Operations

Test Releases: Use shadow releases to test configurations before real releases
Configure Policies: Set up check-in policies to ensure proper release timing
Verify Recipients: Double-check recipient information before executing releases
Keep Records: Export audit logs for your own records

Compliance

Track Activity: All actions are automatically logged
Export Reports: Download audit trails as needed
Review Regularly: Check audit logs monthly
Document Decisions: Keep notes on why vaults were created/deleted

Getting Help

Need assistance with vault access?

Documentation: Read this guide thoroughly
Support: Contact support@torvussecurity.com
Help Center: Visit help.torvussecurity.com
Report Issues: Use the in-app feedback form

Reporting Issues

If you're experiencing access issues:

Check this documentation first
Verify you're viewing a vault you created
Try refreshing the page or logging out/in
Contact Torvus support if issues persist

Security Overview - Platform security model

API Authentication - API authentication requirements
Getting Started - New user guide
Create Vault - Managing your vaults

Last Updated: October 19, 2025

⚠️ Important: Access Model Update (October 2025)​

What This Means for You​

Access Model Overview​

How It Works​

What You Can Do as a Vault Owner​

✅ Vault Management​

✅ Document Operations​

✅ Recipient Management​

✅ Release & Policy Management​

✅ Monitoring & Security​

Access Restrictions​

❌ What You Cannot Do​

Staff Access (Torvus Employees Only)​

Staff Roles​

Staff Access Controls​

Frequently Asked Questions​

Why was the role system changed?​

Can I still see my "role" in the UI?​

What happened to VAULT_VIEWER?​

How do I share my vault with someone?​

Can I upgrade my permissions?​

Why do I see "View-Only Mode"?​

Are there any access logs?​

Best Practices​

Security​

Operations​

Compliance​

Getting Help​

Need assistance with vault access?​

Reporting Issues​

Related Documentation​