Capabilities reference
Every capability available on an organization template, what it gates, and whether it is project-scoped.
The capability matrix is the cell-by-cell vocabulary of organization templates. Every capability on this page corresponds to a checkable cell in the template editor. A member's effective permissions are the cells checked on their assigned template (minus any owner-only cells), with project-scoped cells further restricted to the projects in the member's scope.
Three terms appear in every row:
- Gates. The pages and actions the checked cell unlocks for the member.
- Scope. Vault-wide capabilities apply across the whole organization vault; the member can act on every machine, every audit row, every alert configuration that exists in the vault. Project-scoped capabilities apply only to projects in the member's scope list (or every project, if the member has global project access).
- Owner-only. Some capabilities can only ever be held by the vault owner. They appear in the matrix as locked cells. Checking one on a template has no effect: the cell is filtered out before the template's grants are rendered for any member.
Capabilities are grouped by the dashboard category they appear under.
Machines
Vault-wide. Machines are the runtime identities that read secrets via the SDK or CLI. Managing them includes bootstrapping, approving pending registrations, disabling, revoking, and renaming. AI agents are the same surface (they share the Machines page).
| Capability | Gates | Owner-only |
|---|---|---|
| Machines: View | See the machines page and per-machine status. | No |
| Machines: Manage | Bootstrap, approve, disable, revoke, rename machines. Mint single-use and temp-machine bootstrap tokens. | No |
| AI agents: View | See AI agents listed on the machines page. | No |
| AI agents: Manage | Bootstrap, approve, disable, revoke, and scope AI agents. | No |
Enrollment tokens
Vault-wide. Enrollment tokens are the multi-use credentials used to onboard fleets of ephemeral machines (CI runners, cron jobs, transient containers) without minting per-machine bootstrap tokens up front.
| Capability | Gates | Owner-only |
|---|---|---|
| Enrollment tokens: View | See the enrollment tokens page. | No |
| Enrollment tokens: Manage | Create, revoke, and configure enrollment tokens. Generate CI bootstrap scripts for those tokens. | No |
Audit log
Vault-wide. Members with the base view see their own actions only. Members with the expanded view see every actor in the vault (owner, members, machines, AI agents).
| Capability | Gates | Owner-only |
|---|---|---|
| Audit log: View | See the audit log page. Only the member's own actions are visible. | No |
| Audit log: View others | Expand the view to every actor in the vault. | No |
Alerts
Vault-wide. Email and webhook alerts are split because they carry different trust: a webhook configuration holds the HMAC signing secret used to sign outbound deliveries, while an email subscription holds no secret.
| Capability | Gates | Owner-only |
|---|---|---|
| Alerts: View | See the alerts page (subscription preferences and configured webhooks). | No |
| Alerts: Manage email | Toggle which audit actions trigger email alerts for the vault. | No |
| Alerts: Manage webhook | Create, update, delete, and test outbound webhooks (HMAC-signed delivery). | No |
IP allowlist
Vault-wide. The IP allowlist gates machine authentication (SDK and CLI reads), not dashboard sign-in. A member with manage rights can add, remove, and enable/disable CIDR entries.
| Capability | Gates | Owner-only |
|---|---|---|
| IP allowlist: View | See the configured IP allowlist entries. | No |
| IP allowlist: Manage | Enable/disable the allowlist; add/remove CIDR entries. | No |
Integrations
Vault-wide. Integrations cover the GitHub App, GitLab OAuth, Bitbucket OAuth, and other third-party connections.
| Capability | Gates | Owner-only |
|---|---|---|
| Integrations: View | See connected integrations. | No |
| Integrations: Manage | Install, configure, and uninstall integrations. | No |
Trash
Vault-wide. The trash holds soft-deleted secrets pending hard-delete by the cleaner.
| Capability | Gates | Owner-only |
|---|---|---|
| Trash: View | See secrets currently in the trash. | No |
| Trash: Manage | Restore secrets from trash; permanently delete trashed secrets. | No |
Organization
Vault-wide. The roster surface: viewing members, sending invites, suspending, removing. Assigning templates is split out because it is the privilege-escalation surface; whoever can change a member's template or project scope decides what every other capability on this page resolves to for that member.
| Capability | Gates | Owner-only |
|---|---|---|
| Organization: View | See the organization member roster. | No |
| Organization: Manage | Invite, suspend, and remove organization members. | No |
| Organization: Assign templates | Change which template a member is assigned to, and change a member's project scope. | Yes |
Templates
Vault-wide. Editing templates rewrites the permission shape of every member who holds them, so the manage right is owner-only.
| Capability | Gates | Owner-only |
|---|---|---|
| Templates: View | See the organization templates page. | No |
| Templates: Manage | Create, edit, archive, and delete templates and their capability grants. | Yes |
Support
Vault-wide. The support page covers tickets opened on behalf of the organization.
| Capability | Gates | Owner-only |
|---|---|---|
| Support: View | See the support tickets page for the vault. | No |
| Support: Manage | Create, reply to, and close support tickets on the organization's behalf. | No |
Projects
The umbrella for project-scoped capabilities. Projects: View is vault-wide (it unlocks the Projects sidebar category for the member). Every other project capability is project-scoped — it only applies to projects in the member's scope list (or every project, if the member has global project access).
| Capability | Gates | Scope | Owner-only |
|---|---|---|---|
| Projects: View | See projects in the dashboard sidebar. | Vault-wide | No |
| Projects: Manage | Create, delete, and unfreeze projects. | Vault-wide | No |
| Secrets: Manage | Modify existing secrets in scoped projects (rotation schedules, canary toggles, sync configurations, value updates). | Project-scoped | No |
| Secrets: Create | Create new secrets in scoped projects. | Project-scoped | No |
| Secrets: Delete | Delete (soft-delete to trash) secrets in scoped projects. | Project-scoped | No |
| Policies: View | See access policies attached to secrets in scoped projects. | Project-scoped | No |
| Policies: Manage | Create, edit, delete access policies; bind and unbind secrets to policies. | Project-scoped | No |
| Project machines: View | See machines attached to scoped projects. | Project-scoped | No |
| Project machines: Manage | Attach and detach machines to/from scoped projects; configure per-secret machine grants. | Project-scoped | No |
Project scope
A project-scoped capability is only effective on projects in the member's scope. Two scope modes exist:
- Global: the member can act on every project in the vault. Project-scoped capabilities behave as if every project is in their scope.
- Specific: the member has an explicit list of projects. Project-scoped capabilities apply only to those projects; everything else is invisible and inaccessible.
A member with Projects: View but global=false and an empty scope list sees the Projects category in their sidebar but no actual projects under it. Adding projects to their scope is how the projects become visible.
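The resolution rules above (template cells, the owner-only filter from the top of the page, vault-wide versus project-scoped cells, and the Global and Specific scope modes) are compact enough to write down as a checker. The following is an added example, not SikkerKey's own code: capability names are the page's, but the Template and Member shapes, the functions, and the sample roster are assumptions constructed for illustration.

```python
# Added example, not SikkerKey's own code: a small resolver that applies
# the capability rules on this page (template cells, owner-only filtering,
# vault-wide vs project-scoped cells, global vs specific project scope).
# Capability names are the page's; the Template/Member shapes and the
# sample data below are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Cells that only the vault owner can ever hold; the template editor
# filters them out of every other member's grants.
OWNER_ONLY = frozenset({"Organization: Assign templates", "Templates: Manage"})

# Cells that are only effective on projects in the member's scope.
PROJECT_SCOPED = frozenset({
    "Secrets: Manage", "Secrets: Create", "Secrets: Delete",
    "Policies: View", "Policies: Manage",
    "Project machines: View", "Project machines: Manage",
})


@dataclass(frozen=True)
class Template:
    name: str
    cells: FrozenSet[str]          # capability cells checked in the editor


@dataclass(frozen=True)
class Member:
    email: str
    template: Optional[Template] = None
    is_owner: bool = False
    global_projects: bool = False                 # "Global" scope mode
    project_scope: FrozenSet[str] = frozenset()   # "Specific" scope list


def effective_cells(member: Member) -> FrozenSet[str]:
    """Cells that actually grant anything: the template's cells, minus
    owner-only cells unless the holder is the vault owner. No template
    means no cells at all."""
    if member.template is None:
        return frozenset()
    cells = member.template.cells
    return cells if member.is_owner else cells - OWNER_ONLY


def can(member: Member, capability: str, project: Optional[str] = None) -> bool:
    """Authorization check. Vault-wide cells apply everywhere; project-scoped
    cells need a target project that is inside the member's scope."""
    if capability not in effective_cells(member):
        return False
    if capability not in PROJECT_SCOPED:
        return True
    if project is None:
        return False                    # scoped cell with no project to scope to
    return member.global_projects or project in member.project_scope


def visible_projects(member: Member, all_projects: Iterable[str]) -> List[str]:
    """What the Projects sidebar category lists. Without Projects: View the
    category is hidden; with it, a non-global member with an empty scope
    list sees the category but no projects under it."""
    if not can(member, "Projects: View"):
        return []
    if member.global_projects:
        return sorted(all_projects)
    return sorted(p for p in all_projects if p in member.project_scope)


# Constructed sample data (assumption, not real vault contents).
DEVELOPER = Template("Developer", frozenset({
    "Projects: View", "Secrets: Manage", "Secrets: Create",
    "Machines: View", "Audit log: View",
    "Organization: Assign templates",   # checked, but owner-only: ignored
}))
ALL_PROJECTS = ("billing", "payments", "staging")

ALICE = Member("alice@example.com", DEVELOPER, project_scope=frozenset({"payments"}))
BOB = Member("bob@example.com", DEVELOPER, global_projects=True)
CAROL = Member("carol@example.com", DEVELOPER)          # specific mode, empty list
DAVE = Member("dave@example.com")                       # no template assigned

if __name__ == "__main__":
    for m in (ALICE, BOB, CAROL, DAVE):
        print(m.email, sorted(effective_cells(m)), visible_projects(m, ALL_PROJECTS))
    print(can(ALICE, "Secrets: Manage", "payments"), can(ALICE, "Secrets: Manage", "billing"))
```

The two checks worth noticing are the ones a naive "is the cell checked?" test gets wrong: the Developer template has Organization: Assign templates ticked, yet no non-owner holding it can assign templates, and a project-scoped cell evaluated without a target project (or against a project outside the member's list) is denied even though the cell is checked.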
What members without any template see
A member with no template assigned can:
- Sign in to SikkerKey with their own credentials.
- Pick your vault from the post-login picker.
- See the Overview and Settings pages of the vault.
- Read their own audit log entries (the list stays empty until they perform an action that emits an audit event, which with no capabilities is almost nothing).
Everything else is invisible until a template is assigned.