Architecture Overview – Security Model

Password Vault is built on a multi-layer security architecture designed to protect data at rest, in transit, and during processing.

Encryption

AES-256 Data stored in the system is encrypted at rest using AES-256.

TLS Communication between system components is protected using TLS encryption.

On-demand decryption Secrets are decrypted only when required to perform an authorized operation.

Access Control

Access control is enforced through a two-layer model:

  • Role-Based Access Control (RBAC) – defines who can manage collections and secrets and what operations they can perform on them in the Admin Panel.

  • Access Policies – define the conditions and workflow rules for granting access to secrets, such as approvals and time limits, for users accessing secrets through User Access Gateway.


Key characteristics:

  • Permission inheritance across collection hierarchy

  • Policy override capability at lower levels

  • Just-in-Time access requests

Access decisions are evaluated in real time and logged.

Audit

Note

  • Operations on secrets (view, checkin / checkout) can be tracked in the Password Vault > Secret Access tab.

  • To preview all logs related to Password Vault, go to the Event Logs tab.

The system tracks:

  • Permission changes

  • Access requests and approvals

  • Checkout and checkin operations

  • Secret usage events

  • Rotation operations

Note

Each secret maintains immutable version history. To preview logs for a specific secret, edit the secret and open the Activity logs subtab.