Dashboard Guide

Access Control

EnvVault uses role-based access control at the organization level, with finer-grained scoping available through API keys. There are four built-in roles: Owner, Admin, Member, Viewer.

Roles

Owner

Full control. Can manage billing, transfer ownership, delete the organization, and perform every action available to lower roles.

Admin

Manages projects, secrets, team members (except other Owners), and API keys. Cannot manage billing or delete the organization.

Member

Reads and writes project variables, reads secrets they have access to. Can create personal API keys. Cannot delete projects or manage team membership.

Viewer

Read-only across the org. Cannot reveal secret values, write variables, or generate API keys.

Permission Matrix

Action | Owner | Admin | Member | Viewer
Read project variables
Write project variables
Reveal org secrets
Write org secrets
Create / delete projects
Invite / remove team members
Generate org-scoped API keys
Generate personal API keys
Manage billing / plan
Transfer ownership
Delete organization

API Key Scoping

API keys can be tightened beyond their owner's role:

  • Project scope — restrict the key to a subset of projects in the org.
  • IP allowlist — bind the key to one or more CIDR ranges (e.g. your CI runners).
  • Expiry — auto-revoke after N days; useful for short-lived deploy keys.

Manage all of this at /dashboard/api-keys.
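An added example of the rule the scoping options enforce (not EnvVault's own code): a key can only narrow the permissions of the role that owns it, never widen them, and every constraint has to pass. The action names, minimum roles (taken from the role descriptions above), CIDR range and timestamps are assumptions constructed for the example; actions not listed are denied by default.

```python
# Added example, not EnvVault's code: a key's scope only narrows its owner's role.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple
import ipaddress

# Roles ordered by privilege; each role can do everything a lower role can.
ROLE_RANK = {"Viewer": 0, "Member": 1, "Admin": 2, "Owner": 3}

# Minimum role per action, as stated in the role descriptions. Action names are
# constructed for this example; actions not listed here are denied (fail closed).
MIN_ROLE = {
    "read_project_variables": "Viewer",
    "write_project_variables": "Member",
    "generate_personal_api_key": "Member",
    "delete_project": "Admin",
    "invite_team_member": "Admin",
    "manage_billing": "Owner",
    "delete_organization": "Owner",
}

@dataclass(frozen=True)
class ApiKey:
    owner_role: str
    projects: Optional[FrozenSet[str]] = None   # None = every project in the org
    ip_allowlist: Tuple[str, ...] = ()          # CIDR ranges; empty = any source
    expires_at: Optional[datetime] = None       # None = never expires

def authorize(key: ApiKey, action: str, project: str,
              source_ip: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    if key.expires_at is not None and now >= key.expires_at:
        return False, "key expired"
    min_role = MIN_ROLE.get(action)
    if min_role is None:
        return False, "unknown action, denied by default"
    if ROLE_RANK[key.owner_role] < ROLE_RANK[min_role]:
        return False, f"role {key.owner_role} is below {min_role}"
    if key.projects is not None and project not in key.projects:
        return False, "project outside key scope"
    if key.ip_allowlist:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(c, strict=False) for c in key.ip_allowlist):
            return False, "source IP not in allowlist"
    return True, "ok"

# Constructed sample: a Member's deploy key locked to one project, the CI
# runners' range, and a 30-day lifetime.
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
CI_KEY = ApiKey("Member", frozenset({"api"}), ("203.0.113.0/24",),
                datetime(2024, 7, 1, tzinfo=timezone.utc))
```

Returning the reason alongside the decision is what makes a denied call useful in the Audit Logs: it records which constraint (role, project, IP or expiry) blocked the request.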

Best Practices

Principle of least privilege. Default new members to Member or Viewer, promote only when needed.

One Owner is risky. Have at least two Owners so a single absence doesn't lock the org out of billing changes.

Service-account keys, not personal ones, in CI. Personal keys leave the org with their owner; service keys are explicit and auditable.

Audit role changes. Every promotion / demotion lands in Audit Logs.