Users and permissions
Arkivra has two authorization layers. Platform roles and privileges apply to the instance. Vault roles apply to one vault. Keep the distinction explicit when granting access.
Platform roles
Section titled “Platform roles”- Administrator can use administration pages, manage users and invitations, approve sensitive requests, configure AI and office conversion, manage backups, inspect the global audit log, and directly operate across active vaults.
- Member has no administration access and receives only explicitly granted platform privileges plus access from vault membership.
Administrators implicitly have every platform privilege. Arkivra prevents demotion or disabling of the last active administrator.
Platform privileges
Section titled “Platform privileges”Regular members can receive:
- Use AI (
system.use_ai) — permits chat and AI-enhanced retrieval when AI is enabled and configured. - Create vaults without approval (
system.create_vaults) — permits immediate vault creation.
Without Create vaults, a member’s create action submits an approval request. Without Use AI, AI search and chat context are unavailable even if the instance-wide AI switch is on.
Vault roles
Section titled “Vault roles”- Owner manages vault identity, members, invitations, activity, documents, and ownership-sensitive actions.
- Editor reads and changes documents and folders.
- Viewer reads vault documents without changing them.
Every vault must keep at least one owner. Promoting another member to owner can require administrator approval. A vault role does not grant access to platform administration.
Invite a platform user
Section titled “Invite a platform user”- Open Administration → Users.
- Select Invite user.
- Enter the email address.
- Choose Member or Administrator.
- For a member, choose the two optional platform privileges.
- Send the invitation.
The invitation appears as pending until accepted. An administrator can resend or revoke it. Working SMTP is required for delivery outside the development log fallback.
The Users table also allows administrators to grant or revoke the administrator role, change platform privileges, and disable or reactivate an account. Disabling an account prevents its authorization state from being used; it does not transfer vault ownership automatically, so review owned vaults first.
Add a vault member
Section titled “Add a vault member”Open the vault’s management page and select Invite member. An owner or administrator can target an existing user by email or user ID, or initiate an email invitation for someone outside the instance. Choose owner, editor, or viewer.
Some changes are direct and some create an approval request:
vault.create— member requests a new vault;vault.delete— owner requests destructive vault deletion when approval is required;vault.owner_promote— owner promotion;vault.external_invite— invitation to someone outside the current instance.
Administrators review these under Approval requests. Approving applies the stored request payload; rejecting records the decision without applying it.
Remove access safely
Section titled “Remove access safely”Before disabling a user or removing a vault owner:
- Confirm another active platform administrator exists when changing an administrator.
- Confirm every affected vault retains at least one owner.
- Transfer operational responsibility for backups, AI configuration, and provider credentials where relevant.
- Review pending invitations and approval requests created by that user.
Removing vault membership stops normal member access but does not delete the user’s account or personal authentication settings.
Permission matrix
Section titled “Permission matrix”| Action | Viewer | Editor | Owner | Administrator |
|---|---|---|---|---|
| Read vault documents | Yes | Yes | Yes | Yes, across active vaults |
| Upload, rename, move, tag, or trash documents | No | Yes | Yes | Yes |
| Manage vault members and details | No | No | Yes | Yes |
| Create a vault immediately | With platform privilege | With platform privilege | With platform privilege | Yes |
| Use AI | With platform privilege | With platform privilege | With platform privilege | Yes |
| Manage instance settings and backups | No | No | No | Yes |
See Activity and audit for records created by permission and administrative actions.