.. _role_based_access_control_system:

Role based access control system (RBAC)
=======================================

StoredSafe has an RBAC consisting of 2 levels of roles and rights.

**Firstly there is a System role which can be Read, Write or Admin.**

* A system Read user cannot create any vaults and can only access vaults shared with them.
* A system Write user can create/modify/delete vaults.
* A system Admin can create/disable/modify/delete vaults and users.

**Then there are vault roles: Read, Write, Admin.**

* A vault Read user can only read/decrypt objects.
* A vault Write user can create/modify/delete objects.
* A vault Admin can create/modify/delete vaults and add/remove new users to the vault.

These 2 different types of roles can mix, so a system Read user can, for instance, have Admin in a vault. A system Admin might only have Read in a specific vault.

Aside from these there are also capability roles in the system.

- Audit
- UG list
- Changepass
- Active

Audit has the right to use and see the audit log, export CSVs of audit logs, and audit users to see what objects they have decrypted, etc.

:ref:`ug_list` has the right to see relations between users and vaults.

Changepass is only a temporary role which enforces a password change on the next logon.

Active indicates that the user is active; if not, the user is disabled and cannot log on.