Roles & Role-Based Access Control
SyVault uses a three-tier role-based access control (RBAC) model to govern what each member of an organization can do. Roles are enforced server-side on every API request -- the client UI merely reflects the permissions the server grants.
Role Definitions
| Capability | Owner | Admin | Member |
|---|---|---|---|
| Access personal vault | Yes | Yes | Yes |
| Create and manage own records | Yes | Yes | Yes |
| Share records (per policy) | Yes | Yes | Yes |
| Join shared folders | Yes | Yes | Yes |
| Create teams | Yes | Yes | No |
| Manage team membership | Yes | Yes | No |
| Invite / remove members | Yes | Yes | No |
| Configure enforcement policies | Yes | Yes | No |
| Manage SSO / SCIM | Yes | Yes | No |
| View audit logs | Yes | Yes | No |
| Manage billing & subscription | Yes | No | No |
| Assign / change roles | Yes | No | No |
| Transfer ownership | Yes | No | No |
| Delete organization | Yes | No | No |
Owner
The Owner has unrestricted administrative control over the organization. This includes billing management, role assignment, ownership transfer, and the ability to delete the organization. Every organization must have at least one Owner at all times. There is no upper limit on the number of Owners, but the role should be granted sparingly.
Admin
Admins handle day-to-day management: inviting members, creating teams, configuring enforcement policies, setting up SSO and SCIM, and reviewing audit logs. Admins cannot access billing, change anyone's role, or delete the organization. This separation ensures that operational management and financial control can be held by different people.
Member
Members are standard users. They can access their personal vault, create and manage their own records, and participate in shared folders and teams according to the policies set by Owners and Admins. Members cannot perform any administrative actions.
Roles apply at the organization level. A user who is an Admin in one organization may be a Member in another.
Assigning and Changing Roles
Only Owners can assign or change roles. To change a member's role:
- Open Admin Console > Members.
- Find the user and click the role badge next to their name.
- Select the new role from the dropdown.
- Confirm the change.
The role change takes effect immediately and is recorded in the audit log (member.role.update).
Downgrading the last remaining Owner to Admin is blocked by the server. An organization must always have at least one Owner.
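As an added illustration (not SyVault's own code), the following sketches how a server-side handler could enforce the capability table above together with the last-Owner invariant described in this section; the capability names, the in-memory `org` map and the audit list are assumptions made for the example.

```python
from enum import Enum

class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"

# Capability matrix transcribed from the role table above; the capability
# names themselves are constructed for this example.
CAPABILITIES = {
    "vault.access":       {Role.OWNER, Role.ADMIN, Role.MEMBER},
    "records.manage_own": {Role.OWNER, Role.ADMIN, Role.MEMBER},
    "records.share":      {Role.OWNER, Role.ADMIN, Role.MEMBER},
    "folders.join":       {Role.OWNER, Role.ADMIN, Role.MEMBER},
    "teams.create":       {Role.OWNER, Role.ADMIN},
    "teams.manage":       {Role.OWNER, Role.ADMIN},
    "members.invite":     {Role.OWNER, Role.ADMIN},
    "policies.configure": {Role.OWNER, Role.ADMIN},
    "sso.manage":         {Role.OWNER, Role.ADMIN},
    "audit.view":         {Role.OWNER, Role.ADMIN},
    "billing.manage":     {Role.OWNER},
    "roles.assign":       {Role.OWNER},
    "org.transfer":       {Role.OWNER},
    "org.delete":         {Role.OWNER},
}

def is_allowed(role, capability):
    """Deny by default: an unknown capability or role yields False."""
    return role in CAPABILITIES.get(capability, set())

def change_role(org, actor, target, new_role, audit):
    """Server-side role change. `org` maps user id -> Role; `audit` collects events."""
    actor_role = org.get(actor)
    if actor_role is None or not is_allowed(actor_role, "roles.assign"):
        raise PermissionError("only Owners can assign or change roles")
    if target not in org:
        raise KeyError(f"{target} is not a member of this organization")
    # Invariant from the docs: never downgrade the last remaining Owner.
    owners = [u for u, r in org.items() if r is Role.OWNER]
    if org[target] is Role.OWNER and new_role is not Role.OWNER and owners == [target]:
        raise ValueError("an organization must always have at least one Owner")
    old, org[target] = org[target], new_role
    audit.append({"event": "member.role.update", "actor": actor,
                  "target": target, "from": old.value, "to": new_role.value})
```

Because the check runs against the server's own record of roles rather than anything the client sends, a client that misreports its role gains nothing.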
Enforcement Policies and RBAC
Enforcement policies (master password complexity, 2FA requirements, IP allowlists, session timeouts) are set by Owners and Admins but apply to all members regardless of role -- including Owners and Admins themselves. This ensures that security policies are uniformly enforced. See Enforcement Policies for the full list of configurable policies.
Programmatic Role Checks
For teams building integrations against the SyVault API, the authenticated user's role is returned in the X-VF-Role response header and in the role field of the /api/org/me endpoint. Use these values to conditionally render admin-only UI elements or to skip privileged API calls the user is not entitled to make. They are a convenience for the client, not an authorization decision: as noted above, the server enforces roles on every request regardless of what the client believes its role to be.