I get a permission denied error

VaultPAM enforces access control at every layer: Safe membership, role permissions, session policies, and API token scopes. A "permission denied" error means the current user account does not hold the privilege required for the requested action. The correct resolution is always to request the appropriate access from an admin — there is no legitimate shortcut.

Symptoms

  • An error banner reads Permission denied, Access denied, or You do not have permission to perform this action.
  • Clicking a Launch Session, Check out, Approve, or Edit button returns an error.
  • An API call returns 403 Forbidden.
  • A feature or menu item is visible but clicking it produces an access error.

Causes

1. Missing role assignment

The most common cause. Your user account has not been assigned a role that includes the permission needed for the requested action.

Check: Open Profile → My Access to see your current role assignments. Confirm a role is listed for the Safe or resource you are trying to access.

Fix: Contact a Safe admin or VaultPAM admin and ask them to assign you a role that includes the required permission for the specific Safe. Role assignment is done via Safes → select the Safe → Members → Add member.

2. Role scoped to the wrong Safe

Roles in VaultPAM are scoped to individual Safes. Having an Operator role on Safe A does not grant any access to Safe B. If you are trying to access a resource that belongs to a different Safe than the one your role covers, you will receive a permission denied error.

Check: Confirm which Safe the target resource or session belongs to, then open Profile → My Access and verify your role assignment covers that specific Safe.

Fix: Ask an admin of the correct Safe to add you as a member with an appropriate role.

3. Session policy restriction

Some Safes apply session policies that restrict access based on time window, requester attributes, or approval requirements. A policy restriction is enforced at the moment of the session request, even if you hold a role that normally permits access.

Check: Open the Safe detail view and look for a Policy badge or Access policy section. Active restrictions such as "Requires approval" or "Outside allowed hours" will be described there.

Fix: If a policy requires approval, submit a session request and wait for an approver to act on it. If the policy is time-restricted, retry during the allowed window. If you believe the policy is misconfigured, ask a Safe admin to review it.

4. API token scope insufficient

If you are accessing VaultPAM via the API and receive a 403 Forbidden response, the API token in use may have been created with a restricted scope that does not include the required operation.

Check: Review the scope assigned to the API token. Tokens are created in Profile → API Tokens. Confirm the token's scope includes the permission the API call requires.

Fix: Create a new API token with the appropriate scope, or ask a VaultPAM admin to update the scope on the existing token. Do not reuse tokens across applications or grant broader scopes than the minimum needed.
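The four causes above are evaluated in order, and the first failing layer is the one reported. The following is an added, constructed model of that layered decision (not VaultPAM's own code; the `User`, `Safe`, `Policy` types, permission names and sample data are assumptions) that returns which cause applies so you know which "Check" to run:

```python
# Constructed model of a layered access check: role on the Safe, permission in the
# role, session policy (hours, approval), then API token scope. Not VaultPAM code.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)   # Safe name -> set of permissions


@dataclass
class Policy:
    requires_approval: bool = False
    allowed_hours: Optional[tuple] = None       # (start, end) as datetime.time


@dataclass
class Safe:
    name: str
    policy: Policy = field(default_factory=Policy)


def check_access(user, safe, permission, now, *, approved=False, token_scopes=None):
    """Return "granted" or the first denial reason, matching causes 1-4 above.

    token_scopes is None for an interactive session; for API calls pass the
    set of scopes carried by the token.
    """
    perms = user.roles.get(safe.name)
    if perms is None:                                        # causes 1 and 2
        return "denied: no role assignment on this Safe"
    if permission not in perms:                              # cause 1
        return f"denied: role on {safe.name} lacks '{permission}'"
    pol = safe.policy
    if pol.allowed_hours:                                    # cause 3
        start, end = pol.allowed_hours
        if not (start <= now.time() < end):
            return "denied: outside allowed hours"
    if pol.requires_approval and not approved:               # cause 3
        return "denied: requires approval"
    if token_scopes is not None and permission not in token_scopes:  # cause 4
        return "denied: API token scope insufficient (403)"
    return "granted"


def at_hour(hour):
    """Constructed clock for the samples below."""
    return datetime(2024, 1, 1, hour)


# Constructed sample data: alice holds a role on Safe A only; Safe A needs approval
# and only allows sessions between 08:00 and 18:00.
alice = User("alice", roles={"Safe A": {"session:launch", "account:checkout"}})
safe_a = Safe("Safe A", Policy(requires_approval=True, allowed_hours=(time(8), time(18))))
safe_b = Safe("Safe B")
```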

Resolution steps

  1. Note the exact error message and the action you were attempting.
  2. Open Profile → My Access and confirm you have a role assignment for the specific Safe that the resource belongs to. If no role is listed, contact an admin.
  3. Confirm the resource belongs to the Safe your role covers — a role on one Safe does not transfer to another.
  4. If the Safe shows an active session policy, check its requirements (approval, time window) and comply with them.
  5. If using the API, verify the token scope in Profile → API Tokens and create a replacement token with the correct scope if needed.
  6. After a role or policy change, retry the action — permission changes take effect immediately without a logout.

Escalation path

If after reviewing your roles and policies the error persists:

  1. Note the exact error message, the Safe name, the resource name, and the action attempted.
  2. Ask a VaultPAM admin to review your role assignments and confirm what permissions are attached to your current role.
  3. Open a support ticket with: affected username, Safe name, exact error message, and the admin's findings from the role review.