Access Control Lists (ACLs)

The Access Control List lets you add and remove members to control who has access to certain files, folders, items, and custom objects. You can also control whether the member can only view the content, modify the content, and delete the content.

Note: Custom Objects are available in Vault Professional.

A file, folder, or custom object that does not have an Access Control List defined uses object-based security. 

Object-based security can be overridden. An override of security means that the ACL still exists on the object but is being overridden by a newly defined ACL. This is called an Override Access Control List or an Override ACL.

As long as an override ACL exists, the object-based security is ignored. If the user removes the override ACL then the object-based security becomes the new security. If an override ACL is active, only members and users in the ACL list have permissions with the object.

The following table explains each permission.

Permission Access
Read
  • Allow - Content can be viewed. 
  • Deny - Content cannot be viewed.
  • None -
    • If member has explicit Allow permission at state-level,but object-based security is set to None, member is denied access.
    • If a member is in two different groups and permissions at object-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the object-based security level is Allow.
    • If a member is in two different groups and permissions at state-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the state-based security level is Allow.
    • If permissions are combined (i.e., object-based and state-based security is applied), and either state or object-based security is set to None, the result is denied access.
    .
Modify
  • Allow - Content can be modified. 
  • Deny - Content cannot be modified. 
  • None -
    • If member has explicit Allow permission at state-level,but object-based security is set to None, member is denied access.
    • If a member is in two different groups and permissions at object-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the object-based security level is Allow.
    • If a member is in two different groups and permissions at state-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the state-based security level is Allow.
    • If permissions are combined (i.e., object-based and state-based security is applied), and either state or object-based security is set to None, the result is denied access.
Delete
  • Allow - Content can be deleted. 
  • Deny - Content cannot be deleted. 
  • None -
    • If member has explicit Allow permission at state-level,but object-based security is set to None, member is denied access.
    • If a member is in two different groups and permissions at object-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the object-based security level is Allow.
    • If a member is in two different groups and permissions at state-based security level in one group are set to None but set to Allow in the other group, the effective permission for the member at the state-based security level is Allow.
    • If permissions are combined (i.e., object-based and state-based security is applied), and either state or object-based security is set to None, the result is denied access.

What if Object-Based Security Is Combined with State-Based Security?

The following use cases can be applied to one or more Vault objects when combined security (dual-gate security) is used.

Note: To use legacy security from Vault 2016 or earlier, also known as single-gate security, enable the Override Security option for the lifecycle definition.

Object ACL

State-Based ACL

Resulting ACL

Allow

Allow

Allow

Deny

Deny

Deny

Deny

Allow

Deny*

null

Deny

Deny

Allow

null

Deny

null

null

Deny

(not in ACL) null

Allow

Deny*

Allow (subset group)

Allow (superset group)

Allow* (subset group)

*Resulting permission is different from the legacy (single-gate security) used in Vault 2016 or earlier.