Teams
Inviting team members, managing permissions, and sharing project access in SikkerKey.
Teams let vault owners share project access with other SikkerKey users. Team members have no access by default. The vault owner grants access per-project and controls machine permissions explicitly.
Inviting a Team Member
From the Teams page, enter the email address of a SikkerKey user in the Invite Member card and click Send Invite. The invitee receives an email notification. If they are logged into the dashboard, the invite also appears on their Teams page in real time.
You cannot invite yourself. You cannot invite someone who is already a team member. Duplicate pending invites to the same email are rejected.
Invite Lifecycle
| Status | Meaning |
|---|---|
| Pending | The invite has been sent. Waiting for the invitee to respond. Shown in the "Pending Invitations" card. |
| Accepted | The invitee accepted. They are now a team member. |
| Declined | The invitee declined. The invite is closed. |
Invites expire after 7 days. Expired invites cannot be accepted and must be re-sent.
You can cancel a pending invite at any time from the Pending Invitations card.
Accepting an Invite
When you receive an invite, it appears on your Teams page under Vault Invitations. Click Accept to join the vault or Decline to dismiss it.
After accepting, the vault owner's projects appear in your sidebar grouped under the owner's username. You will not see any secrets or machines until the owner adds you to a project.
Permissions
Permissions are granted per-project. A team member with access to one project has zero access to other projects in the same vault unless explicitly granted.
Secret Access
Adding a team member to a project gives them full secret management within that project: view metadata, create, delete, replace, version history, and notes.
Important: "view" means secret metadata (name, note, version, machine count). The dashboard never displays decrypted secret values. Reading the actual plaintext requires an authenticated machine with a per-secret grant.
Machine Permissions
Machine permissions are separate and must be explicitly granted per project:
| Permission | What it allows |
|---|---|
| machine_view | See machines in the project |
| machine_add | Add their own machines to the project. The member cannot add the vault owner's machines. |
| machine_remove | Remove machines from the project |
| machine_configure | Change which secrets a machine can access within the project |
A team member with no machine permissions can still fully manage secrets in their assigned projects.
Managing Permissions
Click Permissions on a team member row to open the permissions modal.
Adding Project Access
Use the dropdown at the top of the modal to select a project, then click Add. This adds the project to the member's access list, granting them full secret access in that project.
Granting and Revoking Machine Permissions
Click a project in the member's access list to expand the permission editor. Machine permissions are displayed in two columns:
- Available: permissions not yet granted. Click a permission to grant it.
- Granted: permissions currently active. Click a permission to revoke it.
Click Save permissions to apply changes. The team member is notified in real time if they are online.
Removing Access to a Project
Click the x button next to a project in the permissions modal to remove the member from that project entirely. This revokes all permissions and removes any machines the member had added to that project.
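The access rules in the Permissions and Managing Permissions sections, written out as a small default-deny model that can be used when reviewing who should hold which grant. This is an added example, not SikkerKey code or its API: the Vault class, its method names, and the member, project and machine names are all hypothetical.

```python
from dataclasses import dataclass, field

MACHINE_PERMS = {"machine_view", "machine_add", "machine_remove", "machine_configure"}

@dataclass
class Vault:  # hypothetical model of one vault's sharing state
    owner: str
    suspended: bool = False  # a suspended owner blocks all team member access
    access: dict = field(default_factory=dict)    # member -> project -> machine perms
    machines: dict = field(default_factory=dict)  # project -> machine -> added by

    def add_to_project(self, member, project):
        # Project access alone grants secret management and no machine permissions.
        self.access.setdefault(member, {}).setdefault(project, set())

    def grant(self, member, project, perm):
        if perm not in MACHINE_PERMS:
            raise ValueError(f"unknown permission: {perm}")
        if project not in self.access.get(member, {}):
            raise PermissionError("member is not on this project")
        self.access[member][project].add(perm)

    def can_manage_secrets(self, member, project):
        return not self.suspended and project in self.access.get(member, {})

    def can(self, member, project, perm):
        # Default deny: true only for an explicit grant on this exact project.
        return not self.suspended and perm in self.access.get(member, {}).get(project, ())

    def add_machine(self, member, project, machine, machine_owner):
        if not self.can(member, project, "machine_add"):
            raise PermissionError("machine_add not granted")
        if machine_owner != member:
            raise PermissionError("members may add only their own machines")
        self.machines.setdefault(project, {})[machine] = member

    def remove_from_project(self, member, project):
        # Revokes every permission and drops the machines this member added.
        self.access.get(member, {}).pop(project, None)
        proj = self.machines.get(project, {})
        for name in [m for m, who in proj.items() if who == member]:
            del proj[name]

if __name__ == "__main__":
    v = Vault("owner")  # constructed sample state
    v.add_to_project("alice", "api")
    print(v.can_manage_secrets("alice", "api"), v.can("alice", "api", "machine_view"))
    v.grant("alice", "api", "machine_add")
    v.add_machine("alice", "api", "alice-laptop", "alice")
    v.remove_from_project("alice", "api")
    print(v.machines["api"], v.can("alice", "api", "machine_add"))
```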
Team Members Table
The Teams page shows a table of all team members with:
- Username and email
- Joined date
- Projects: chips showing which projects the member has access to
- Permissions button: opens the permissions modal
- Remove button: removes the member from the vault
Search, sort, and filter are available for vaults with many team members.
Removing a Team Member
Click Remove on a team member. This permanently:
- Removes them from your vault
- Deletes all their project access and machine permissions
- Removes any machines they had added to your projects
The member loses access immediately. The shared projects disappear from their sidebar. This cannot be undone. You would need to re-invite them to restore access.
What Team Members See
After accepting an invite and being added to projects, the vault owner's projects appear in the team member's sidebar grouped under the owner's username.
Team members see secret metadata (names, notes, versions, field names, machine counts) in projects they've been added to. They never see decrypted secret values through the dashboard.
Machine pages are gated by the machine_view permission. Without it, the team member cannot see the project's machines tab.
If the vault owner's account is suspended, all team member access to that vault is blocked immediately. Team members are not informed of the suspension reason.
Audit Trail
All team-related operations are audit-logged:
| Action | Logged for |
|---|---|
| team_invite | Vault owner and invitee |
| team_invite_accepted | Vault owner |
| team_joined | Team member |
| team_invite_declined | Vault owner and team member |
| team_invite_cancelled | Vault owner |
| team_member_remove | Vault owner |
| team_permission_update | Vault owner |
Actions performed by team members on shared projects (creating secrets, adding machines, configuring access) are logged in both the vault owner's and the team member's audit logs.