User Roles
Roles form a hierarchy that determines who can modify which users. Roles also determine visibility, a user's ability to view and interact with other users in the system. Roles do not determine permissions, with the exception of Super-Admin, which bypasses all permission checks. All role changes are permanently audited.
Permissions function as ACLs over the underlying PKI. Data is not accessible unless the owner has explicitly shared it.
| Role | Scope | Visibility | Permission-Controlled |
|---|---|---|---|
| Site Key Admin | Escrow system | N/A | No |
| Escrow User | Escrow groups | N/A | No |
| Super Admin | Entire system | Global | No (full bypass) |
| Admin | Entire system | Global | Yes |
| Sub-Admin | Assigned teams/projects | Limited | Yes |
| User | Own resources | Limited | Yes |
Site Key Admin
Offline certification authority that operates outside the main tiCrypt system. Signs escrow user certificates, escrow group certificates, and deletion requests. The site key must be countersigned by Tera Insights before use.
Escrow User
Operates outside the main tiCrypt system with a separate login. Escrow users are organized into escrow groups (minimum three per deployment, three to five users each). Each group holds one part of a user's cryptographically split private key. Recovery requires one member from each group, a certificate from the Site Key Admin, and execution by a Super-Admin.
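The recovery conditions above, sketched as an added example; this is not tiCrypt code. The page does not say how the key is split, so the sketch assumes plain XOR n-of-n splitting, and `split_key`, `recover_key`, the group names, the role string, and the boolean standing in for Site Key Admin certificate verification are all hypothetical.

```python
import secrets
from functools import reduce

MIN_GROUPS = 3  # page: minimum three escrow groups per deployment


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, groups: list[str]) -> dict[str, bytes]:
    """Give each escrow group one part; every part is needed to rebuild the key.

    Assumption: XOR n-of-n splitting, chosen for illustration only.
    """
    if len(groups) < MIN_GROUPS or len(set(groups)) != len(groups):
        raise ValueError("need at least three distinct escrow groups")
    randoms = [secrets.token_bytes(len(key)) for _ in groups[:-1]]
    final = reduce(_xor, randoms, key)  # key ^ r1 ^ r2 ^ ...
    return dict(zip(groups, randoms + [final]))


def recover_key(groups, contributions, site_key_cert_valid, executor_role):
    """Rebuild the key only if every recovery condition from the page holds.

    contributions maps group name -> part released by one member of that group.
    site_key_cert_valid is a hypothetical stand-in for verifying the
    Site Key Admin's certificate.
    """
    if not site_key_cert_valid:
        raise PermissionError("no valid Site Key Admin certificate")
    if executor_role != "Super-Admin":  # hypothetical role label
        raise PermissionError("recovery must be executed by a Super-Admin")
    missing = [g for g in groups if g not in contributions]
    if missing:
        raise PermissionError(f"no member contributed for groups: {missing}")
    return reduce(_xor, (contributions[g] for g in groups))


if __name__ == "__main__":
    groups = ["escrow-A", "escrow-B", "escrow-C"]  # constructed sample
    key = secrets.token_bytes(32)                  # constructed sample key
    parts = split_key(key, groups)
    assert recover_key(groups, parts, True, "Super-Admin") == key
```

With this kind of split, any subset of parts that omits one group is indistinguishable from random bytes, which is why a single missing group blocks recovery.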
Super Admin
Unrestricted authority over the entire system. Bypasses all permission checks. Can promote or demote any user, including other Super-Admins. Access to deployment settings, system services, and global configuration. Some functions, such as deployment settings, are reserved exclusively for Super-Admins. No access to user data. Executes Site Key Admin signed orders for escrow operations. Systems typically have only 2-3 Super-Admins to ensure redundancy while limiting the scope of unrestricted authority.
Admin
Same visibility as Super-Admin but under permission control. Manages users, teams, projects, infrastructure, and permissions via User Profiles. Cannot modify global settings, system services, or Super-Admin configuration. No access to user data.
Sub-Admin
Delegated management scoped to assigned teams, projects, or both. Assigned by an Admin or Super-Admin. Duties are similar to Admins but limited to the team or project they manage. Manages users, resource limits, members, and VMs/drives within scope only. No access to data unless explicitly shared. Not all systems use Sub-Admins.
- Teams — Resource constraints for a group of users. Users removed from all teams are deactivated.
- Projects — Access-controlled containers. Tagged resources are restricted to certified members.
User
The most common role. Users are researchers who use the Vault to store data and perform secure research using virtual machines. No administrative responsibilities. Default role with no permissions beyond what is assigned. Must belong to a team to be active. Can own groups or projects if permitted. Holds a private key under PKI to decrypt resources. If the key is lost, the data is unrecoverable unless restored through escrow.