Vault uses two different security mechanisms. There is a system based on user permissions and a system based on access control lists (ACL). The permissions-based security is part of the base Vault functionality, but the ACL based security is an optional feature which may or may not be available depending on the version of Vault.
Both security systems operate differently. They are conceptually different, they have different API's, and they were designed to solve different problems. There are even cases where the two mechanisms contradict each other.
Each user has a set of roles, and each role has a set of permissions. These permissions determine what the user can do. Also, these permissions apply globally to everything in the Vault. For example, if a user has the “File Read” permission, then it can read any file in the Vault.
If a user has multiple roles, then its permission set is the union of those role permissions. So a user has the “File Read” permission as long as it is in at least 1 role that has that permission. The same thing applies to groups. Groups can have roles associated with them. These roles trickle down to the users. For example, a user can have no permissions of it's own, but if it's part of the Administrators group, that user has administrative permissions. Being part of a group will never take away permissions from a user; the user can only gain extra permissions when being part of a group. In other words, an inclusive model is used.
An ACL is a list of who can is allowed and denied access to a given object. Each ACL contains a list of Access Control Entries (ACE). Each ACE contains a single User or Group and the list of permissions that it has. Vault currently has 3 types of permissions: Read, Write and Delete. An ACE does not need to contain all 3 permissions. For example, it can just set Read to ALLOW (true) and not specify the Write or Delete permissions.
ACLs use an exclusive model. If a user has access but is in a group with restricted access, then the user will also have restricted access. This is directly opposite from the permissions-based system.Here is the algorithm for determining if an ACL allows user access:
|A user is given access if and only if their user or parent group has an ALLOW bit and no DENY bits.|
The ACL model adds restrictions above and beyond the User Permission model. However, the ACL model does not replace the other model. In order to read a file, the user still needs the File Read user permission in addition to an ALLOW read ACL permission.
Let’s put everything together in flowchart form:
Keep in mind this process gets run for each permission. So it’s possible for READ to evaluate to “Access Allowed” while WRITE evaluates to “Access Denied”.