
Access Control (RBAC)

Manage team permissions with fine-grained roles.

Envault allows you to control who has access to which projects using a Role-Based Access Control (RBAC) system.

Roles

There are three primary roles available in Envault.

Role   | Description                                                                | Best For
-------|----------------------------------------------------------------------------|----------------------------------
Owner  | Full admin access. Can delete projects, manage users, and rotate keys.     | Tech Leads, DevOps.
Editor | Can read, create, update, and delete secrets. Cannot manage users.         | Backend Developers.
Viewer | Read-only access to secrets.                                               | Frontend Developers, Contractors.

Owner

The Owner has the keys to the castle.

  • Manage Members: Invite or remove users from the project, and approve/deny share requests initiated by Editors.
  • Delete Project: Permanently remove the project and all its secrets.
  • Rotate Keys: Perform cryptographic key rotation.
  • Billing: Manage subscription (if applicable).

Editor

The Editor is the standard role for day-to-day development.

  • Manage Secrets: Add new environment variables or update existing ones.
  • Manage Environments: Create new environments (e.g., feature-branch-1).
  • View Audit Logs: See who changed what.

Editors can initiate Share requests to temporarily invite new members to the project, but these require Owner approval before the new user gains access.

Viewer

The Viewer role is strictly read-only.

  • View Secrets: See values in the dashboard.
  • Pull Secrets: Use envault pull to get secrets locally.
  • Cannot Edit: Any attempt to write will result in a 403 Forbidden error.

Granular Permissions

Currently, permissions are scoped to the Project level.

Roadmap Item: We are working on Environment-level permissions (e.g., a user is an Editor in Development but only a Viewer in Production).

Governance & Auditing

Every action taken by a user is logged. Owners can view the Audit Log in the project settings to see:

  • Who accessed a secret.
  • Who changed a value.
  • Timestamps and IP addresses.

Just-in-Time (JIT) Access via GitHub

When a project is linked to a GitHub repository, Envault can automatically grant Viewer access to developers the moment they run envault pull, with no manual invite needed.

How it works:

  1. A developer runs envault pull without an existing project membership.
  2. Envault checks if their GitHub account is a collaborator on the linked repository.
  3. If yes → they are auto-granted the viewer role and receive their secrets.
  4. If no → the CLI offers to submit an access request to the project owner.
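
The model below is an added example, not Envault's code or API. It encodes the project-level role matrix from this page together with the four JIT steps above, so the two properties worth testing are visible: a JIT grant never exceeds viewer, and a non-collaborator gains no membership until an Owner acts. All names are hypothetical, the GitHub collaborator lookup is stood in for by a constructed set of logins, and returning 403 for every denied action is an assumption that generalizes the Viewer write case.

```python
# Added illustration; every name below is hypothetical, not Envault's API.
from dataclasses import dataclass, field

# Project-level role matrix, paraphrasing the role descriptions on this page.
EDITOR = {"read_secret", "write_secret", "manage_environments",
          "view_audit_log", "request_share"}
PERMISSIONS = {
    "owner": EDITOR | {"manage_members", "approve_share", "delete_project",
                       "rotate_keys", "billing"},
    "editor": EDITOR,
    "viewer": {"read_secret"},
}

@dataclass
class Project:
    members: dict = field(default_factory=dict)      # user -> role
    collaborators: set = field(default_factory=set)  # constructed: GitHub logins on the linked repo
    pending: list = field(default_factory=list)      # requests awaiting the Owner
    audit: list = field(default_factory=list)        # (user, action, outcome)

def authorize(project, user, action):
    """Return 200 if the user's role permits the action, otherwise 403 (assumed)."""
    role = project.members.get(user)
    status = 200 if role and action in PERMISSIONS[role] else 403
    project.audit.append((user, action, status))
    return status

def handle_pull(project, user, github_login, accept_offer=True):
    """Model steps 1-4 of the JIT flow for a pull by `user`."""
    if user in project.members:
        outcome = "member"
    elif github_login in project.collaborators:
        project.members[user] = "viewer"   # a JIT grant is never above viewer
        outcome = "jit_viewer"
    else:
        # Non-collaborator: no membership is created; the Owner decides later.
        if accept_offer:
            project.pending.append(user)
        outcome = "access_requested" if accept_offer else "declined"
    project.audit.append((user, "pull", outcome))
    return outcome
```
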

See the GitHub Integration guide for setup instructions.