.. _basic_concepts:

Basic concepts
==============

Everything in StoredSafe revolves around a couple of basic building blocks:

- Vaults
- Objects
- Capabilities given to an individual user ("User Capabilities")
- Permission given to an individual user in a specific vault ("Vault Permission")

Vaults
------

Vaults are used to store objects. Permission to view or change the objects is given to a specific user for a specific vault.

Every vault has an individual, unique encryption key used to encrypt information in stored objects; all objects in a specific vault share the same encryption key.

Whoever initially creates a vault automatically gets the "Admin" permission for the newly created vault. Note that a user requires a specific capability ("Write") to be able to create vaults.

.. _basic_concepts_objects:

Objects
-------

Objects are pieces of information (passwords, files, etc.) that are stored encrypted in the appliance. Every object belongs to a single vault, and access to the object is determined by whether a user belongs to the vault or not.

- Folder: An object to store other objects in
- Login: Contains a hostname, username and a password (encrypted) field
- Short login: Contains a username and a password (encrypted) field
- Server: Contains a hostname, username, password (encrypted), extra information and a sensitive information (encrypted)
- Server/IP: As the Server object, but adds an IP field. (encrypted)
- Note: Contains a name and note (encrypted)
- PIN Code: Contains a name and a PIN code (encrypted)
- File: Contains a name, a description and a file (encrypted)
- Credit Card: Credit Card details, information and PIN code (encrypted)
- x509: A container for X.509 certificate artifacts (encrypted)

.. _user_capabilities:

User Capabilities
-----------------

A user can have the following different capabilities:

- Read: User is only allowed to use vaults assigned to them by other users with the Write permission
- Write: User is allowed to create vaults
- Admin: User is allowed to create users and deactivate users

.. note::

   In StoredSafe, the Admin user holds the highest level of access privileges. However, it's important to note that when it comes to vaults, an Admin user does not have any inherent authority. Unless a vault has been explicitly shared with an Admin user, they have no capabilities to access other users' vaults. The Admin user's power is limited to creating or deactivating users and does not extend to unauthorized access to individual vaults.

- Audit: User is allowed to view the audit logs
- :ref:`ug_list`: User is allowed to view what vaults a user belongs to and what users belong to a certain vault
- Change Password: User is forced to change password at next logon
- Active: User is active and allowed to log on

.. _vault_permissions:

Vault Permissions
-----------------

A user can have the following permissions in a vault:

- Read: User has read only access to objects in the vault
- Write: User is allowed to view, change, delete or add objects to the vault
- Admin: User is allowed to share the vault with other users

All permissions are inclusive: "Write" includes "Read", and "Admin" includes "Write" and "Read".

Whoever initially creates a vault automatically gets the "Admin" permission for the newly created vault. Note that a user requires a specific capability ("Write") to be able to create vaults.
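
The rules above, modelled as a small Python sketch: vault access is decided only by the vault's own permission list, so the "Admin" user capability grants nothing inside a vault. This is an added example, not StoredSafe code; all class and function names are hypothetical, and treating user capabilities as independent flags checked at access time is an assumption.

```python
from dataclasses import dataclass, field
from enum import Flag, IntEnum, auto


class Capability(Flag):          # per-user flags, modelled as independent (assumption)
    NONE = 0
    READ = auto()
    WRITE = auto()
    ADMIN = auto()
    ACTIVE = auto()


class VaultPermission(IntEnum):  # per-vault, ordered so a higher level includes lower ones
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


@dataclass
class User:
    name: str
    capabilities: Capability


@dataclass
class Vault:
    name: str
    members: dict = field(default_factory=dict)  # user name -> VaultPermission


def allowed(user, vault, needed):
    """Vault access depends only on the vault's member list, never on capabilities."""
    if Capability.ACTIVE not in user.capabilities:
        return False  # inactive users are not allowed to log on
    return vault.members.get(user.name, VaultPermission.NONE) >= needed


def create_vault(creator, name):
    """Requires the "Write" capability; the creator becomes vault "Admin"."""
    if Capability.WRITE not in creator.capabilities:
        raise PermissionError(f"{creator.name} lacks the Write capability")
    return Vault(name, {creator.name: VaultPermission.ADMIN})


def share(granter, vault, grantee, permission):
    """Only a user holding the vault "Admin" permission may share the vault."""
    if not allowed(granter, vault, VaultPermission.ADMIN):
        raise PermissionError(f"{granter.name} is not Admin of {vault.name}")
    vault.members[grantee.name] = permission
```

When reviewing an access model like this, the case to test first is the one the note describes: a user with the "Admin" capability and no entry in the vault's member list must be denied even "Read".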