Roles and Permissions (RBAC)¶
MazeVault Role-Based Access Control — Roles, Permissions, and Domain Separation
Document Version: 2.1.0
Last Updated: 2026-04-19
1. Overview¶
MazeVault uses a Role-Based Access Control (RBAC) system to manage user permissions. Each user is assigned one or more roles that determine what they can see and do in the system.
Key principles:
- Least Privilege — Users receive only the permissions they need
- Domain Separation — Certificate Manager cannot access secrets; Secret Manager cannot access certificates
- Environment Scoping — Roles can be scoped to specific environments (dev, staging, prod)
- Two-Level Cloud Access — Access to Azure resources requires BOTH MazeVault role AND Azure RBAC permission
2. System Roles¶
MazeVault provides the following built-in roles:
| Role | Description | Domain |
|---|---|---|
| Viewer | Dashboard and system outputs only — no access to secrets, certificates, or projects | Read-only |
| User | Standard user — can create/edit secrets, request certificates, view projects | General |
| Certificate Manager | Full certificate lifecycle management — NO access to secrets | Certificates |
| Secret Manager | Full secret lifecycle management — NO access to certificates | Secrets |
| Project Admin | Full project management including create/delete projects, manage settings | Administration |
| Admin | Full system access — all permissions | System |
| Auditor | Read-only access to audit logs, user lists, and deployment status | Compliance |
| Finance | Read-only access to billing and usage data | Billing |
Domain Separation
Certificate Manager and Secret Manager are mutually exclusive domains. A Certificate Manager cannot view or manage secrets, and a Secret Manager cannot view or manage certificates. This ensures separation of duties in enterprise environments.
3. Permission Matrix — Navigation¶
What each role can see in the MazeVault UI:
| Section | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin | Auditor | Finance |
|---|---|---|---|---|---|---|---|---|
| Dashboard Overview | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 📖 | ❌ |
| Dashboard Certificates | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Dashboard Entra | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Projects | ❌ | 📖 | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Discovered Certificates | ❌ | 📖 | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Deployment | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Access Control | ❌ | 📖 | 📖 | 📖 | ✅ | ✅ | 📖 | ❌ |
| Organization Settings | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Environments | ❌ | 📖 | 📖 | 📖 | ✅ | ✅ | ❌ | ❌ |
| Usage and Billing | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | 📖 |
| Archived Items | ❌ | ❌ | 📖 | 📖 | ✅ | ✅ | ❌ | ❌ |
| Audit Logs | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | 📖 | ❌ |
| KeyTab Management | ❌ | 📖 | ❌ | ❌ | ✅ | ✅ | 📖 | ❌ |
| Reports / System Outputs | ❌ | 📖 | 📖 | 📖 | ✅ | ✅ | 📖 | ❌ |
📖 = Read-only access
4. Permission Matrix — Secrets¶
| Action | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin |
|---|---|---|---|---|---|---|
| Read secret value | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Create secret | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Edit secret | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Rotate secret | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Archive secret | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
| Delete secret | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Permanently delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Import/Export | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ |
5. Permission Matrix — Certificates¶
| Action | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin |
|---|---|---|---|---|---|---|
| Read certificate | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Request certificate | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Import certificate | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ |
| Approve CSR | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
| Enroll certificate | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
| Archive certificate | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
| Revoke certificate | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
| Permanently delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
6. Permission Matrix — Projects & Organization¶
| Action | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin |
|---|---|---|---|---|---|---|
| View projects | ❌ | 📖 | ✅ | ✅ | ✅ | ✅ |
| Create project | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Edit project | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Archive project | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Delete project | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Permanently delete | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| View org settings | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Edit org settings | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Manage users/roles | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
7. Role Incompatibilities¶
Certain roles have domain separation and redundancy rules:
| Role Combination | Allowed? | Reason |
|---|---|---|
| Certificate Manager + Secret Manager | ⚠️ Not recommended | Defeats domain separation purpose |
| Certificate Manager + User | ✅ Allowed | User adds general read access |
| Secret Manager + User | ✅ Allowed | User adds general read access |
| Any role + Admin | ⚠️ Not recommended | Admin already has all permissions; additional roles are redundant and complicate audit trails |
| Auditor + any operational role | ⚠️ Not recommended | Auditor should be independent |
Admin Role Best Practice
The Admin role includes every permission in the system. Assigning additional roles alongside Admin provides no extra access and is not recommended. It complicates role auditing and may create confusion about the actual source of permissions. If a user needs Admin access, assign only the Admin role.
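The built-in role model described in sections 2 to 7 can be expressed as a small policy evaluator. The block below is an added example, not MazeVault's own code: it transcribes the Secrets and Certificates matrices (sections 4 and 5) into per-role permission sets, applies the domain separation rule (a Certificate Manager holds no secret permission and a Secret Manager no certificate permission), scopes assignments to an environment, and reports the "not recommended" combinations from the section 7 table. Permission names follow the domain:action convention of section 10; the names secret:import_export, secret:purge, certificate:request, certificate:import, certificate:enroll and certificate:purge, and the rule that an unscoped assignment applies in every environment, are assumptions made for the example.

```python
# Added example (not MazeVault's own code): policy evaluator built from the
# Secrets and Certificates matrices (sections 4 and 5) and the role-combination
# table (section 7). Permission names not in the section 10 catalogue
# (secret:import_export, secret:purge, certificate:request, certificate:import,
# certificate:enroll, certificate:purge) and the environment-scoping rule are
# assumptions.
from __future__ import annotations
from dataclasses import dataclass

# Rows of the matrices, grouped by the role that first gains them.
_USER_SECRETS = {"secret:read", "secret:write", "secret:rotate",
                 "secret:archive", "secret:import_export"}
_USER_CERTS = {"certificate:read", "certificate:request", "certificate:import"}
_CERT_MGR = _USER_CERTS | {"certificate:approve", "certificate:enroll",
                           "certificate:archive", "certificate:revoke"}
_SECRET_MGR = _USER_SECRETS | {"secret:delete"}

# Auditor and Finance do not appear in the secret/certificate matrices, so they
# hold no secret:* or certificate:* permission here.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Viewer": frozenset(),
    "User": frozenset(_USER_SECRETS | _USER_CERTS),
    "Certificate Manager": frozenset(_CERT_MGR),   # no secret:* at all
    "Secret Manager": frozenset(_SECRET_MGR),      # no certificate:* at all
    "Project Admin": frozenset(_CERT_MGR | _SECRET_MGR),
    "Admin": frozenset(_CERT_MGR | _SECRET_MGR | {"secret:purge", "certificate:purge"}),
    "Auditor": frozenset(),
    "Finance": frozenset(),
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    environment: str | None = None   # None = applies in every environment (assumption)


def permissions_for(assignments, environment: str) -> frozenset[str]:
    """Union of the permissions of every assignment that applies in `environment`."""
    perms: set[str] = set()
    for a in assignments:
        if a.environment is None or a.environment == environment:
            perms |= ROLE_PERMISSIONS[a.role]
    return frozenset(perms)


def can(assignments, permission: str, environment: str = "prod") -> bool:
    """Deny by default: the permission must be granted by an applicable role."""
    return permission in permissions_for(assignments, environment)


OPERATIONAL_ROLES = {"User", "Certificate Manager", "Secret Manager", "Project Admin", "Admin"}


def lint_assignments(assignments) -> list[str]:
    """Findings for the 'not recommended' combinations in the section 7 table."""
    roles = {a.role for a in assignments}
    findings = []
    if {"Certificate Manager", "Secret Manager"} <= roles:
        findings.append("Certificate Manager + Secret Manager defeats domain separation")
    if "Admin" in roles and len(roles) > 1:
        findings.append("Admin already holds every permission; the other roles are redundant")
    if "Auditor" in roles and roles & OPERATIONAL_ROLES:
        findings.append("Auditor combined with an operational role is not independent")
    return findings


if __name__ == "__main__":
    cert_mgr = [RoleAssignment("Certificate Manager")]
    print(can(cert_mgr, "certificate:revoke"), can(cert_mgr, "secret:read"))
    scoped = [RoleAssignment("Secret Manager", environment="dev")]
    print(can(scoped, "secret:delete", "dev"), can(scoped, "secret:delete", "prod"))
    print(lint_assignments([RoleAssignment("Admin"), RoleAssignment("User")]))
```

The evaluator is deny-by-default: a Certificate Manager asking for secret:read gets False because no applicable role grants it, and a Secret Manager assignment scoped to dev grants nothing in prod. The lint function is the kind of check an access review script would run over role assignments before they are applied.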
8. Azure Cloud Resource Access — Two-Level Control¶
When MazeVault is integrated with Azure Key Vault, access to cloud resources requires two simultaneous conditions:
- MazeVault RBAC — User must have the appropriate MazeVault role and permission
- Azure RBAC — User must have the corresponding Azure role assignment on the Key Vault
Managed Identity vs User Access
Managed Identity is used ONLY for automated operations (scheduled rotations, background sync). For ALL user-initiated operations (reading secrets, manual rotation, editing), the user's own Azure identity is used via On-Behalf-Of (OBO) token flow. MazeVault never uses Managed Identity to bypass Azure RBAC for user operations.
| Operation | Token Type | Azure RBAC Required |
|---|---|---|
| Scheduled secret rotation | Managed Identity | MI must have Key Vault access |
| User reads secret from KV | OBO (user token) | User must have Key Vault Secrets User |
| User edits secret in KV | OBO (user token) | User must have Key Vault Secrets Officer |
| Agent certificate discovery | Managed Identity | MI must have read access |
| Admin imports secrets from KV | OBO (user token) | User must have Key Vault Secrets Officer |
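The two-level rule and the token-type table above can be captured in a single authorization function. The block below is an added example, not MazeVault's own code: it selects the identity for an operation by who initiated it (OBO for user-initiated work, Managed Identity only for system work), then requires both the MazeVault permission and the Azure role assignment on the Key Vault, so a Managed Identity's Key Vault roles never stand in for a user's missing Azure RBAC. The Azure role names Key Vault Secrets User and Key Vault Secrets Officer are the ones the table names; the roles assumed for the Managed Identity, the MazeVault permission names and the sample principals are constructed for the example.

```python
# Added example (not MazeVault's own code): the two-level cloud access decision
# from section 8. Azure roles required of the Managed Identity, MazeVault
# permission names and the sample principals are assumptions.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                           # "user" or "managed_identity"
    mazevault_permissions: frozenset    # level 1: MazeVault RBAC
    azure_roles: frozenset              # level 2: role assignments on the target Key Vault


@dataclass(frozen=True)
class Operation:
    initiator: str                      # "user" -> OBO token; "system" -> Managed Identity
    mazevault_permission: str | None    # None for system operations (no user to authorize)
    azure_role: str                     # Azure RBAC role the acting identity must hold


# Operations from the section 8 table (MI roles and permission names assumed).
OPERATIONS = {
    "scheduled_rotation": Operation("system", None, "Key Vault Secrets Officer"),
    "read_secret": Operation("user", "secret:read", "Key Vault Secrets User"),
    "edit_secret": Operation("user", "secret:write", "Key Vault Secrets Officer"),
    "agent_cert_discovery": Operation("system", None, "Key Vault Certificate User"),
    "import_secrets": Operation("user", "secret:write", "Key Vault Secrets Officer"),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    token_type: str       # "OBO" or "ManagedIdentity"
    acting_as: str        # whose identity reaches Azure
    reasons: tuple        # empty when allowed


def authorize(op_name: str, user: Principal | None, managed_identity: Principal) -> Decision:
    op = OPERATIONS[op_name]
    reasons = []
    if op.initiator == "user":
        # User-initiated work runs under the user's own identity (OBO). The
        # Managed Identity's Key Vault roles are never consulted on this path.
        if user is None:
            return Decision(False, "OBO", "", ("user operation without a user identity",))
        principal, token_type = user, "OBO"
        if op.mazevault_permission not in user.mazevault_permissions:
            reasons.append(f"MazeVault RBAC: {user.name} lacks {op.mazevault_permission}")
    else:
        principal, token_type = managed_identity, "ManagedIdentity"
    if op.azure_role not in principal.azure_roles:
        reasons.append(f"Azure RBAC: {principal.name} lacks {op.azure_role} on the Key Vault")
    return Decision(not reasons, token_type, principal.name, tuple(reasons))


# Constructed sample principals.
MI = Principal("mazevault-mi", "managed_identity", frozenset(),
               frozenset({"Key Vault Secrets Officer", "Key Vault Certificate User"}))
ALICE = Principal("alice", "user", frozenset({"secret:read", "secret:write"}),
                  frozenset({"Key Vault Secrets User"}))       # may read KV, not write
BOB = Principal("bob", "user", frozenset(),
                frozenset({"Key Vault Secrets Officer"}))      # Azure role, no MazeVault role

if __name__ == "__main__":
    for op, who in [("read_secret", ALICE), ("edit_secret", ALICE), ("read_secret", BOB)]:
        print(op, who.name, authorize(op, who, MI))
    print("scheduled_rotation", authorize("scheduled_rotation", None, MI))
```

Alice's edit is denied even though the Managed Identity holds Key Vault Secrets Officer, because the decision is evaluated against her own identity; Bob is denied at level 1 despite his Azure role. Only the scheduled rotation, a system operation, acts as the Managed Identity.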
9. Group Mapping¶
MazeVault supports mapping external identity provider groups to system roles:
- Entra ID (Azure AD) — Map Entra security groups to MazeVault roles
- LDAP / Active Directory — Map LDAP groups to MazeVault roles
- SPNEGO / Kerberos — Map Kerberos groups via LDAP fallback
Group mappings are managed in Access Control → Groups tab. Each mapping specifies:
- External group identifier
- Target MazeVault role
- Optional scope (organization, project, environment)
10. Custom Roles¶
Administrators can create custom roles with specific permission sets. Custom roles can combine any available permissions to match your organization's needs.
Available permission categories:
- Secrets: secret:read, secret:write, secret:delete, secret:archive, secret:rotate
- Certificates: certificate:read, certificate:write, certificate:revoke, certificate:approve, certificate:archive
- Projects: project:read, project:write, project:delete, project:archive
- Rotation: rotation:read, rotation:write, rotation:execute
- Audit, roles and billing: audit:read, role:read, role:write, billing:read
- KeyTabs: keytab:read, keytab:write, keytab:delete, keytab:admin
- Reports: report:read, report:write
- Sync and consistency: sync:read, consistency:read, consistency:write
- Integrations: integration:read, integration:write
- And many more...
Contact your MazeVault administrator for custom role creation.
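Group mappings (section 9) and custom roles (section 10) come together when a user's effective permissions are resolved. The block below is an added example, not MazeVault's own code: it validates a custom role against the domain:action catalogue listed above, stores mappings with the three fields section 9 names (external group, target role, optional scope), and computes the permissions a user holds in a given project and environment from the groups the identity provider reports. The group names, the scope encoding ("org", "project:<name>", "env:<name>"), the reduced contents of the Auditor and Finance roles used as mapping targets, and the sample user are assumptions.

```python
# Added example (not MazeVault's own code): group-to-role mapping resolution
# (section 9) and custom role validation (section 10). Group names, the scope
# encoding, the built-in role contents and the sample user are assumptions.
from __future__ import annotations
import re
from dataclasses import dataclass

# The domain:action catalogue from section 10.
PERMISSION_CATALOGUE = frozenset("""
secret:read secret:write secret:delete secret:archive secret:rotate
certificate:read certificate:write certificate:revoke certificate:approve certificate:archive
project:read project:write project:delete project:archive
rotation:read rotation:write rotation:execute
audit:read role:read role:write billing:read
keytab:read keytab:write keytab:delete keytab:admin
report:read report:write
sync:read consistency:read consistency:write
integration:read integration:write
""".split())

PERMISSION_FORMAT = re.compile(r"^[a-z]+:[a-z]+$")

# Roles usable as mapping targets. The built-in contents are a reduced,
# assumed transcription (Auditor: audit logs and user lists; Finance: billing).
ROLES: dict[str, frozenset[str]] = {
    "Auditor": frozenset({"audit:read", "role:read"}),
    "Finance": frozenset({"billing:read"}),
}


def define_custom_role(name: str, permissions: set[str]) -> frozenset[str]:
    """Register a custom role, rejecting malformed or unknown permission names."""
    malformed = sorted(p for p in permissions if not PERMISSION_FORMAT.match(p))
    unknown = sorted(p for p in permissions if p not in PERMISSION_CATALOGUE)
    if malformed or unknown:
        raise ValueError(f"bad permissions: malformed={malformed} unknown={unknown}")
    ROLES[name] = frozenset(permissions)
    return ROLES[name]


@dataclass(frozen=True)
class GroupMapping:
    external_group: str   # Entra group object id, LDAP group DN, ...
    role: str             # target MazeVault role (built-in or custom)
    scope: str = "org"    # "org" | "project:<name>" | "env:<name>" (assumed encoding)


def scope_applies(scope: str, project: str, environment: str) -> bool:
    kind, _, value = scope.partition(":")
    return (kind == "org"
            or (kind == "project" and value == project)
            or (kind == "env" and value == environment))


def effective_permissions(user_groups, mappings, project: str, environment: str) -> frozenset[str]:
    """Union of the permissions of every mapping whose group and scope apply."""
    perms: set[str] = set()
    for m in mappings:
        if m.external_group in user_groups and scope_applies(m.scope, project, environment):
            perms |= ROLES[m.role]
    return frozenset(perms)


# Constructed sample: one custom role and two Entra security groups mapped
# with different scopes.
define_custom_role("KeyTab Operator", {"keytab:read", "keytab:write", "report:read"})
MAPPINGS = [
    GroupMapping("sg-mazevault-auditors", "Auditor"),                     # organization-wide
    GroupMapping("sg-keytab-operators", "KeyTab Operator", "env:prod"),   # prod only
]
USER_GROUPS = {"sg-mazevault-auditors", "sg-keytab-operators"}

if __name__ == "__main__":
    print(sorted(effective_permissions(USER_GROUPS, MAPPINGS, "payments", "prod")))
    print(sorted(effective_permissions(USER_GROUPS, MAPPINGS, "payments", "dev")))
```

The same user holds keytab:write in prod but not in dev, because the custom role is mapped with an environment scope while the Auditor mapping is organization-wide. Validating custom roles against the catalogue at definition time keeps a typo in a permission name from silently granting nothing, or from being accepted as an unknown string that a later check might treat loosely.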
11. Permission Matrix — KeyTab Management¶
Since v1.0.38
| Action | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin | Auditor |
|---|---|---|---|---|---|---|---|
| View keytabs | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Import keytab | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Update keytab | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Delete keytab | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Manage cipher policy | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| View discovered keytabs | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Import discovered keytab | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| View dashboard | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
12. Permission Matrix — Reports¶
Since v1.0.38
| Action | Viewer | User | Cert Mgr | Secret Mgr | Project Admin | Admin | Auditor |
|---|---|---|---|---|---|---|---|
| View report settings | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Preview report | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Trigger report | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Update report settings | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ |