Skip to main content

User Roles

Last updated: May 31, 2026Latest Frontend Version: 2.17.3

tiCrypt assigns every user a role that determines two things: which other users they can see (visibility) and which other users they can manage. Roles form a hierarchy. Higher roles can modify lower roles, but not vice versa. All role changes are permanently recorded in the audit trail.

Roles do not determine what actions a user can perform. That is controlled by permissions, which are assigned through User Profiles. The one exception is Super-Admin, which bypasses all permission checks.

note

Permissions control what actions a user can take, but data remains cryptographically inaccessible unless the data owner has explicitly shared the encryption keys. Even administrators cannot read user data.

RoleScopeVisibilityPermission-Controlled
Site Key AdminEscrow systemN/ANo
Escrow UserEscrow groupsN/ANo
Super-AdminEntire systemGlobalNo (full bypass)
AdminEntire systemGlobalYes
Sub-AdminAssigned teams/projectsLimitedYes
UserOwn resourcesLimitedYes

Site Key Admin

Offline certification authority that operates outside the main tiCrypt system. Signs escrow user certificates, escrow group certificates, and deletion requests. The site key must be countersigned by Tera Insights before use.

Escrow User

Operates outside the main tiCrypt system with a separate login. Organized into escrow groups (minimum three per deployment, three to five users each). Each group holds one part of a user's cryptographically split private key. Recovery requires one member from each group, a certificate from the Site Key Admin, and execution by a Super-Admin.

Super-Admin

Unrestricted authority over the entire system. Bypasses all permission checks. Can promote or demote any user, including other Super-Admins. Access to deployment settings, system services, and global configuration. Some functions, such as deployment settings, are reserved exclusively for Super-Admins. No access to user data. Executes orders signed by the Site Key Admin for escrow operations. Systems typically have only two or three Super-Admins to ensure redundancy while limiting the scope of unrestricted authority.

Admin

Same visibility as Super-Admin but under permission control. Manages users, teams, projects, infrastructure, and permissions via User Profiles. Cannot modify global settings, system services, or Super-Admin configuration. No access to user data.

Sub-Admin

Delegated management scoped to assigned teams, projects, or both. Assigned by an Admin or Super-Admin. Duties are similar to those of Admins but limited to the teams or projects they manage. Manages users, resource limits, members, and VMs/drives within scope only. No access to data unless explicitly shared. Not all systems use Sub-Admins.

note
  • Teams: Resource constraints for a group of users. Users removed from all teams are deactivated.
  • Projects: Access-controlled containers. Tagged resources are restricted to certified members.

User

The most common role. Users are researchers who use the Vault to store data and perform secure research in virtual machines. No administrative responsibilities. Default role with no permissions beyond those assigned. Must belong to a team to be active. Can own groups or projects if permitted. Holds a private key under PKI to decrypt resources. If the key is lost, data is unrecoverable unless restored through escrow.