Folder Security Rights

Following are the four Folder Security access rights and their description. Note that Obliterate is only available through the Admin Web Client and therefore not a security right on a folder, but a permission granted to Repository Admins.

A repository's Folder Security must be enabled for the rights to be enforced within a repository. By default, Folder Security is disabled within a repository for increased performance of Vault operations.

When a security access right is applied to a folder, it recursively applies those rights to all subfolders. User access rights that are closest to the folder being checked take precedence over access rights assignments that are farther away. For example, if $/foo/bar/xyz is being checked for rights, a user access right assigned at $/foo/bar takes precedence over a user access right assigned at $/foo.



Commands allowed

No Rights

No access at all – cannot view files or subfolders.


Read (R)

Read-only access to folder and its files.

  • View
  • Get
  • Cloak

Check Out / Check In (C)

Access to modify the contents of files, but not to change the structure or properties of the folder.

  • Modify files
  • Check Out
  • Check In
  • Undo Check Out

Add / Rename / Delete (A)

Full access to the folder.

  • Modify the file list
  • Add
  • Delete/Undelete Label
  • Rename
  • Move
  • Branch
  • Share
  • Pin

Groups and Folder Security

Defining groups is an easy way to set access rights for multiple users. Groups can have individual folder rights but do not have default rights. A user can belong to multiple groups as well as have individual folder rights.

If only group access rights exist, the most permissive group takes precedence. For example, if Group A allows RC at root and Group B allows R at $/foo/bar, then group A’s access rights take precedence at $/foo/bar.

However, a single group’s access rights can be restricted by multiple rights assignments. For example, if Group A has RCA at root and R at $/foo/bar, and Group B has RC at $/foo/bar, it is Group B’s RC that takes precedence, because Group A’s R rights permission overrides its RCA at $/foo/bar. As the example shows, a group’s rights assignment closest to the folder in question take precedence over other rights assignments of that group further away.

User vs. Group Rights

User access rights always take precedence over group access rights regardless of where in the tree the group rights are applied. For example, a user access right at root takes precedence over a group access right on the folder itself.

Inherited group access rights take precedence over user default access rights. The only time default rights are used is when there are no rights assignments at all for a user or any groups they belong to from root down to the folder in question.