User Roles
tiCrypt assigns every user a role that determines two things: which other users they can see (visibility) and which other users they can manage. Roles form a hierarchy. Higher roles can modify lower roles, but not vice versa. All role changes are permanently recorded in the audit trail.
Roles do not determine what actions a user can perform. That is controlled by permissions, which are assigned through User Profiles. The one exception is Super-Admin, which bypasses all permission checks.
Permissions control what actions a user can take, but data remains cryptographically inaccessible unless the data owner has explicitly shared the encryption keys. Even administrators cannot read user data.
| Role | Scope | Visibility | Permission-Controlled |
|---|---|---|---|
| Site Key Admin | Escrow system | N/A | No |
| Escrow User | Escrow groups | N/A | No |
| Super-Admin | Entire system | Global | No (full bypass) |
| Admin | Entire system | Global | Yes |
| Sub-Admin | Assigned teams/projects | Limited | Yes |
| User | Own resources | Limited | Yes |
Site Key Admin
Offline certification authority that operates outside the main tiCrypt system. Signs escrow user certificates, escrow group certificates, and deletion requests. The site key must be countersigned by Tera Insights before use.
Escrow User
Operates outside the main tiCrypt system with a separate login. Organized into escrow groups (minimum three per deployment, three to five users each). Each group holds one part of a user's cryptographically split private key. Recovery requires one member from each group, a certificate from the Site Key Admin, and execution by a Super-Admin.
Super-Admin
Unrestricted authority over the entire system. Bypasses all permission checks. Can promote or demote any user, including other Super-Admins. Access to deployment settings, system services, and global configuration. Some functions, such as deployment settings, are reserved exclusively for Super-Admins. No access to user data. Executes orders signed by the Site Key Admin for escrow operations. Systems typically have only two or three Super-Admins to ensure redundancy while limiting the scope of unrestricted authority.
Admin
Same visibility as Super-Admin but under permission control. Manages users, teams, projects, infrastructure, and permissions via User Profiles. Cannot modify global settings, system services, or Super-Admin configuration. No access to user data.
Sub-Admin
Delegated management scoped to assigned teams, projects, or both. Assigned by an Admin or Super-Admin. Duties are similar to those of Admins but limited to the teams or projects they manage. Manages users, resource limits, members, and VMs/drives within scope only. No access to data unless explicitly shared. Not all systems use Sub-Admins.
- Teams: Resource constraints for a group of users. Users removed from all teams are deactivated.
- Projects: Access-controlled containers. Tagged resources are restricted to certified members.
User
The most common role. Users are researchers who use the Vault to store data and perform secure research in virtual machines. No administrative responsibilities. Default role with no permissions beyond those assigned. Must belong to a team to be active. Can own groups or projects if permitted. Holds a private key under PKI to decrypt resources. If the key is lost, data is unrecoverable unless restored through escrow.