
Access Control (Vault)

Access Control in Zoho Vault is the system of roles and permissions that determines which users can view, edit, share, or manage each Secret and Chamber.

Technical Term

Access Control in Zoho Vault is enforced at three layers: the organisation role (what a user can do globally), the Chamber permission (what they can do within a folder), and the Secret permission (what they can do with one credential). A least-privilege approach requires configuring all three layers intentionally, because Vault applies no additional restriction by default once a Secret has been shared.

How Access Control Works in Zoho Vault

Zoho Vault assigns each user an organisation-level role such as User, Manager, or Administrator, which governs vault-wide capabilities including user management and policy configuration. Below that, Chamber membership grants view, edit, or manage permissions for all Secrets in that Chamber. Individual Secrets can also be shared directly with specific users at a chosen permission level. All three layers combine additively: the user’s effective permission on a given Secret is the highest permission granted by any applicable layer.

When to Use Access Control

Configure access controls during initial vault setup before populating Secrets, so you build a clean permission model from the start rather than retrofitting. Revisit access control whenever an employee changes roles, a project ends, or a third-party contractor completes an engagement. Use Chamber-level permissions for ongoing team access, and Secret-level sharing for one-off or temporary grants. Do not assign the Administrator role broadly; limit it to those responsible for vault governance.

Key Considerations for Access Control

Access Control does not enforce time-limited sharing by default on all plans; temporary access may need manual revocation. The Manager role can manage Secrets and Chambers within their scope but cannot configure org-level policies. In Enterprise plans, role-based access can be integrated with directory services for automated provisioning and de-provisioning. Audit logs track every access control change, which is essential for compliance with frameworks like ISO 27001 or SOC 2.

India Example: A Bengaluru SaaS firm assigns its IT admin the Administrator role, gives the DevOps team Manager access to the Infrastructure Chamber, and grants contractors view-only access to the specific Secrets they need during a three-month engagement. On contract end, the admin removes the contractor shares in one session.

Can Zoho Vault restrict access to Secrets based on the user’s location or device?

Zoho Vault itself does not provide IP-based or device-based conditional access natively at the Secret level. However, when Vault is used within a Zoho One organisation, Zoho Directory can enforce multi-factor authentication and session policies that restrict where users can authenticate. For stricter device-level controls, pair Vault with an MDM solution.

How does Zoho Vault handle access control when a user is deleted from the organisation?

When a user is removed from the Zoho Vault organisation, their access to all Secrets and Chambers is revoked immediately. Secrets owned by that user enter a state where an admin must transfer ownership. Shared access granted by that user to others remains intact until explicitly reviewed, so a post-departure access audit is recommended to avoid orphaned permissions.
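The additive three-layer model described under "How Access Control Works" and the offboarding situation described in the answer above can be modelled in a few lines, which makes the two audits a least-privilege reviewer actually wants (grants above a user's ceiling, and shares left behind by a departed user) easy to see. The following is an added illustration, not Zoho Vault's own code or API: the data shapes, the role-to-permission mapping in ROLE_LEVEL, the treatment of ownership as "manage", and the sample tenant mirroring the Bengaluru example are all constructed assumptions.

```python
"""Added illustration of a three-layer access model and two audits built on it.
Not Zoho Vault's code or API: the data shapes, the role-to-permission mapping
and the sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Permission levels in ascending order of privilege (assumed ordering).
LEVELS = ["none", "view", "edit", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed contribution of the organisation role to per-Secret permission.
# Adjust to match the policy actually configured in your tenant.
ROLE_LEVEL = {"User": "none", "Manager": "none", "Administrator": "manage"}


@dataclass
class Secret:
    name: str
    owner: str
    chamber: Optional[str] = None
    shares: Dict[str, str] = field(default_factory=dict)      # user -> direct level
    granted_by: Dict[str, str] = field(default_factory=dict)  # user -> who shared it


@dataclass
class Vault:
    roles: Dict[str, str]                 # user -> organisation role
    chambers: Dict[str, Dict[str, str]]   # chamber -> {member: level}
    secrets: List[Secret]


def effective_permission(vault: Vault, user: str, secret: Secret) -> str:
    """Highest level granted by any layer: org role, Chamber membership,
    direct share, or ownership (treated as 'manage', an assumption).
    A user no longer in the organisation has no access at all."""
    if user not in vault.roles:
        return "none"
    layers = [
        ROLE_LEVEL.get(vault.roles[user], "none"),
        vault.chambers.get(secret.chamber or "", {}).get(user, "none"),
        secret.shares.get(user, "none"),
        "manage" if secret.owner == user else "none",
    ]
    return max(layers, key=RANK.__getitem__)


def excess_grants(vault: Vault, ceiling: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Least-privilege check: (user, secret, effective) wherever the effective
    permission exceeds the ceiling set for that user (e.g. contractors: view)."""
    findings = []
    for user, cap in ceiling.items():
        for s in vault.secrets:
            eff = effective_permission(vault, user, s)
            if RANK[eff] > RANK[cap]:
                findings.append((user, s.name, eff))
    return findings


def offboard(vault: Vault, departed: str) -> Dict[str, list]:
    """Remove a user and report what removal does not clean up by itself:
    Secrets needing an ownership transfer, and shares the user granted to others."""
    transfer = [s.name for s in vault.secrets if s.owner == departed]
    orphaned = [(s.name, u, s.shares[u]) for s in vault.secrets
                for u, by in s.granted_by.items() if by == departed and u in s.shares]
    vault.roles.pop(departed, None)
    for members in vault.chambers.values():
        members.pop(departed, None)
    for s in vault.secrets:
        s.shares.pop(departed, None)
        s.granted_by.pop(departed, None)
    return {"transfer_ownership": transfer, "review_shares": orphaned}


def build_sample_vault() -> Vault:
    """Constructed sample tenant: an admin, a DevOps lead managing the
    Infrastructure Chamber, and a contractor with two direct shares."""
    return Vault(
        roles={"it-admin": "Administrator", "devops-lead": "Manager", "contractor": "User"},
        chambers={"Infrastructure": {"devops-lead": "manage"}},
        secrets=[
            Secret("prod-db", owner="devops-lead", chamber="Infrastructure",
                   shares={"contractor": "view"}, granted_by={"contractor": "devops-lead"}),
            Secret("ci-token", owner="devops-lead", chamber="Infrastructure",
                   shares={"contractor": "edit"}, granted_by={"contractor": "devops-lead"}),
        ],
    )


if __name__ == "__main__":
    v = build_sample_vault()
    print("excess grants:", excess_grants(v, {"contractor": "view"}))
    print("offboarding devops-lead:", offboard(v, "devops-lead"))
    print("contractor still sees prod-db as:", effective_permission(v, "contractor", v.secrets[0]))
```

Running it shows the two points the page makes: the contractor's "edit" share on ci-token is flagged against a "view" ceiling, and after the DevOps lead is removed their own access drops to "none" immediately while the shares they granted to the contractor are still in force and appear in the review list.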

Need help implementing this in Zoho?

Aaxonix is a certified Zoho implementation partner based in Pune. Architecture-first, no surprises.