# Enterprise Vault - Administration

# Quick start guide

This quick start admin guide is divided into two parts.  
First, the **BUILD**, which explains the operations to carry out before starting to use Enterprise Vault.  
Second, the **RUN**, which lists the operations that can be performed during the product's life.

### BUILD

Enterprise Vault user creation and management uses WALLIX ONE IDaaS (also known as Trustelem), so the BUILD phase involves configuring both Enterprise Vault and WALLIX ONE IDaaS.

#### 1/ Subscription creation

When you subscribe to WALLIX ONE Enterprise Vault, you'll need to provide several pieces of information, among others the name of your company and the names of the future administrators.

Your company name will be used to create a WALLIX ONE IDaaS subscription.

<p class="callout info">For instance, MyCompany could have the subscription named "mycompany.trustelem.com".</p>

The list of admins provided will be automatically provisioned when the subscription is created.  
They will receive an email with:

- A link to initialize the account
- The subscription admin url (admin-your\_name.trustelem.com) for WALLIX ONE IDaaS
- The subscription user url (your\_name.trustelem.com) for WALLIX ONE IDaaS
- The link to the documentation

So, your first action as an administrator is to create your account using the link provided in the email, and then to go on the WALLIX ONE IDaaS administration page.

#### 2/ Setup WALLIX ONE IDaaS

When you log on to the admin page, the subscription is empty, except for the first administrators. So you'll need to configure it.  
There are 3 main things to do on WALLIX ONE IDaaS:

- Add Enterprise Vault applications
- Add users
- Give users access to Enterprise Vault

##### 2.1/ Add Enterprise Vault applications

There are two applications to add:

- One for administrators, which includes auditing, logs and security policies.  
    [Link to Enterprise Vault admin app documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/administration-application)
- The other for users, in which secrets are managed, as well as a few administrative tasks such as recovery.

Go to **Apps**, then **Add an application**, then select **WALLIX Enterprise Vault** and **WALLIX Enterprise Vault administration**.

[![2025-vault-2.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/2025-vault-2.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/2025-vault-2.png)

##### 2.2/ Add users

If you want to use directory or IDP users, you can do the following setup.

- [Link to Active Directory documentation](https://trustelem-doc.wallix.com/books/trustelem-administration/page/active-directory-users-trustelem-adconnect)
- [Link to Azure AD documentation](https://trustelem-doc.wallix.com/books/trustelem-administration/page/azure-ad-users)
- [Link to External IDP (Azure, Okta...) documentation](https://trustelem-doc.wallix.com/books/trustelem-administration/page/authentication-with-an-external-idp)

But if you want to use local users, don't create them right away: they would receive enrollment emails while the rest of the setup isn't ready yet. That said, you can already create user groups, as they will be used in the next steps.  
For instance, you can create a "Users" group and an "Admins" group.  
  
Go to **Groups**, then **Create**.

[![2025-vault-3.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/2025-vault-3.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/2025-vault-3.png)

##### 2.3/ Give users access to Enterprise Vault

You need to define who can access Enterprise Vault and how. To do this, you'll add permissions.  
Permissions can be 1-factor, usually login and password, or two-factor with an additional secret.

Full documentation is available here:

- [Link to access rules documentation](https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules)
- [Link to multi factors documentation](https://trustelem-doc.wallix.com/books/trustelem-administration/page/multi-factors-authentication)

Here's a summary of the main steps:

1. Create permissions for users and administrators, usually in 2-factor mode.  
    Go to **Access rules**, select **Create**, then choose your apps and your groups  
      
    [![2025-vault-4.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/2025-vault-4.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/2025-vault-4.png)  
    *Internal &amp; External zones depend on the user's public IP, which is compared to the ranges provided in Security &gt; General &gt; Internal network.*
2. Enable the desired multi-factors in **Security**, **Authentication factors**, **Login** column  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/LWwimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/LWwimage.png)
3. In the same page, create an **enrollment campaign** to automate the 2nd factor enrollment  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/M7bimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/M7bimage.png)
    
    *You'll probably want to use "enrollment during login", which allows the form to be displayed directly after authentication if the user doesn't yet have a 2nd factor.*

#### 3/ Setup Enterprise Vault admin application

The next step is to define Enterprise Vault administration policies.   
[Link to Enterprise Vault admin app documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/administration-application)  
  
Today there are 3 policies:

- **Log**: which information do you want to log?
- **Recovery**: do you allow master password reset? Do you allow data recovery?
- **Security**: do you allow existing users to be listed in the forms that offer it in the user application?

If you want to use the Recovery features, it is very important to enable them right now.  
Indeed, if a user hasn't logged in AFTER you've activated the option, it won't be possible to help him if he loses his master password.

1. Go to your **user dashboard** (your\_name.trustelem.com) with an account that has access to the admin app
2. Click the **Admin app**
3. Go to **Settings**
4. Enable the desired settings, then **Save** each category

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/tQNimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/tQNimage.png)

#### 4/ Add the Enterprise Vault specific recovery rights for user

<p class="callout info">This step is only necessary if you want to use recovery.</p>

There are 2 types of recovery:

- Account recovery, to manage master password reset requests  
    [Link for account recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-account)
- Data recovery, to access a user's personal secrets.  
    [Link for data recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-data)

Each requires specific rights, which are controlled by WALLIX ONE IDaaS.  
To carry out a data recovery action, a validation is required, with a quorum to be reached.  
Defining quorum members also requires a specific right.

1. Go to WALLIX ONE IDaaS admin dashboard, then click **Users**
2. Select a User, click **Edit** and **Add attribute**
3. For recovery account:  
    **name**: recovery\_account  
    **kind**: bool  
    **value**: true
4. For recovery data:  
    **name**: recovery\_data  
    **kind**: bool  
    **value**: true
5. For recovery data quorum:  
    **name**: recovery\_data\_workflow  
    **kind**: bool  
    **value**: true

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/uq9image.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/uq9image.png)  
*Of course, recovery\_data and recovery\_data\_workflow should never be assigned to the same person.*
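The three attributes above are plain booleans on the IDaaS user, so nothing stops an administrator from granting `recovery_data` and `recovery_data_workflow` to the same person, or from leaving a feature without any holder. The following added example (not WALLIX code) audits a user export for exactly those conditions. The export layout, in which each user carries a list of `{"name", "kind", "value"}` attributes, the helper names `granted_rights` and `audit_recovery_rights`, and the sample users are assumptions made for the example; the attribute names, the `bool` kind and the separation rule come from this page.

```python
"""Audit the Enterprise Vault recovery rights held by WALLIX ONE IDaaS users.

Added example, not WALLIX code. It assumes a user export in which each user
carries a list of custom attributes shaped like {"name", "kind", "value"}; that
layout and the sample users are assumptions. The three attribute names, the bool
kind and the rule that recovery_data and recovery_data_workflow must not sit on
the same person come from the page.
"""
from __future__ import annotations

RECOVERY_ATTRS = ("recovery_account", "recovery_data", "recovery_data_workflow")

# Constructed sample export (hypothetical users).
SAMPLE_USERS = [
    # account recovery explicitly disabled: nobody holds recovery_account
    {"email": "alice@example.com", "attributes": [
        {"name": "recovery_account", "kind": "bool", "value": False}]},
    # requester and quorum member at once: separation-of-duties violation
    {"email": "bob@example.com", "attributes": [
        {"name": "recovery_data", "kind": "bool", "value": True},
        {"name": "recovery_data_workflow", "kind": "bool", "value": True}]},
    # value typed as a string, so it would not be treated as kind=bool
    {"email": "carol@example.com", "attributes": [
        {"name": "recovery_data_workflow", "kind": "bool", "value": "true"}]},
    {"email": "dave@example.com", "attributes": []},
]


def granted_rights(user: dict) -> set[str]:
    """Recovery rights the user effectively holds: a bool attribute set to True."""
    return {
        attr["name"]
        for attr in user.get("attributes", [])
        if attr.get("name") in RECOVERY_ATTRS
        and attr.get("kind") == "bool"
        and attr.get("value") is True
    }


def audit_recovery_rights(users: list[dict]) -> dict[str, list[str]]:
    """Return findings keyed by rule: separation of duties, missing holder, malformed attribute."""
    findings = {"sod_violation": [], "missing_holder": [], "malformed_attribute": []}
    holders = {name: [] for name in RECOVERY_ATTRS}
    for user in users:
        rights = granted_rights(user)
        for name in rights:
            holders[name].append(user["email"])
        # recovery_data (requester) and recovery_data_workflow (approver) must never be on one person
        if {"recovery_data", "recovery_data_workflow"} <= rights:
            findings["sod_violation"].append(user["email"])
        for attr in user.get("attributes", []):
            if attr.get("name") in RECOVERY_ATTRS and (
                attr.get("kind") != "bool" or not isinstance(attr.get("value"), bool)
            ):
                findings["malformed_attribute"].append(f'{user["email"]}:{attr["name"]}')
    # Each recovery feature needs at least one holder, otherwise its workflow cannot start.
    for name, emails in holders.items():
        if not emails:
            findings["missing_holder"].append(name)
    return findings


if __name__ == "__main__":
    for rule, hits in audit_recovery_rights(SAMPLE_USERS).items():
        print(f"{rule}: {hits}")
```

Run it against a fresh export after every rights change; an empty `sod_violation` list and an empty `missing_holder` list are the conditions under which the recovery workflows described later on this page can actually complete.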

<p class="callout warning">The first user with data/account recovery rights will automatically have the encryption keys needed for these operations. However, this will not be the case for subsequent administrators.   
The first admin will have to share these keys via the recovery key sharing page on the user application.  
(Settings &gt; Recovery keys &gt; Activate access)</p>

#### Notes

- WALLIX ONE IDaaS administration page should always be secured using multi-factor authentication. To do so you need to enroll a 2<sup>nd</sup> factor for the admin accounts, then enable multi-factor using the option **Authentication level for Trustelem admin console** on **Security settings** &gt; **General**.
- More information about WALLIX ONE IDaaS is available here: [https://trustelem-doc.wallix.com/books/trustelem-administration](https://trustelem-doc.wallix.com/books/trustelem-administration)

<p class="callout success">Now you're all set, you can create local users if you need to, and communicate about the availability of this new application.</p>

### RUN

Once Enterprise Vault is up and running, here's a list of the most important things administrators can do.

#### WALLIX ONE IDaaS

- **Add / edit / delete users**  
    - Changing a user's email on WALLIX ONE IDaaS also changes the email on Enterprise Vault.
    - Deleting a user from WALLIX ONE IDaaS does not delete him from Enterprise Vault, but he will no longer be able to authenticate there.
    - Re-creating a user identical to the deleted one will not allow data recovery from Enterprise Vault either: the 2 users will have different IDs. If you need to restore a user, use the **Display recently deleted users** option in the User list.
- **Unblocking a user**  
    A user may have lost his first or second factor.  
    In both cases, you can unblock the user by clicking on his profile in the User list.
- **Add or remove Enterprise Vault rights to users**  
    As explained above, on WALLIX ONE IDaaS you define the Enterprise Vault user rights: recovery\_account, recovery\_data or recovery\_data\_workflow.
- **View logs**  
    On WALLIX ONE IDaaS, you can view all authentication-related information: when, who, what, how, from which IP, with which browser…

#### WALLIX Enterprise Vault admin app

[Link to Enterprise Vault admin app documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/administration-application)

- **Audit Enterprise Vault usage**   
    You can see how your users use the product via the Dashboard, Users and Shared Vault tabs.
- **Delete a user**  
    In the Users tab, you can delete a user with his or her personal vault.
- **Force a change of master password or user encryption key**  
    In the Users tab, you can force specific users to change their master password, with or without renewing their encryption keys.
- **Delete a shared vault**  
    In the Shared Vault tab, you can delete a shared vault with all its objects.
- **View logs**  
    In the Logs tab, you can audit all Enterprise Vault logged actions.  
    What is logged is defined in the log policy.
- **Change policies**  
    In the Settings tab, you can modify your policies, particularly for recovery and logs.

#### WALLIX Enterprise Vault user app

- **Validate a master password reset request**  
    If a user has lost his master password and wishes to reset it, you must validate the request.  
    [Link for account recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-account)
- **Request access to a user's personal vault**  
    If you wish to retrieve a secret that is no longer accessible due to the unavailability of its owner, you must make the request. Secrets will be accessible after approval by a quorum.  
    [Link for data recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-data)
- **Share recovery keys with a new admin**  
    When a new admin has the recovery rights on WALLIX ONE IDaaS (recovery\_data or recovery\_account) it is not sufficient to perform recovery tasks. Indeed, another admin with access to the recovery keys must share them with the new admin first (Enterprise Vault user app &gt; Settings &gt; Recovery keys &gt; Activate access).  
    [Link for data recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-data) or [Link for account recovery documentation](https://vault-doc.wallix.com/books/enterprise-vault-administration/page/recovery-account)

# Administration application

The Enterprise Vault admin application is dedicated to 5 uses:

- See Enterprise Vault usage
- Watch Enterprise Vault logs
- Define Enterprise Vault policies
- Manage Enterprise Vault existing users
- Manage Enterprise Vault existing shared vault

To do so, you'll find the following menus:

- **Dashboard**: a general overview of the existing vaults, with the clients used to access the secrets
- **Users**: information about the existing users (dates, vaults…)
- **Shared Vault**: information about the existing shared vaults
- **Logs**: information about what happens on Enterprise Vault
- **Settings**: the global settings for Enterprise Vault

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/O5Simage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/O5Simage.png)

### Dashboard

The dashboard tab displays a summary of the contents as well as the client interfaces used to access it.

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/dutimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/dutimage.png)

This page gives a quick overview of Enterprise Vault adoption in your company. Among other things, you can see:

- Number of users (Personal vaults &gt; Vaults)
- Number of personal secrets (Personal vaults &gt; Items)
- Number of shared vaults (Shared vaults &gt; Vaults)
- Number of shared secrets (Shared Vaults &gt; Items)
- Type of client used (User interface)

<p class="callout info">There is one clickable element: the icon at the end of each User interface line.  
It gives details of the software used per user.</p>

### Users

The Users tab displays a list of WALLIX Enterprise Vault users. Users with anomalies are displayed in red.

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/TUAimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/TUAimage.png)

This page shows, user by user:

- Creation, update and last access dates
- The number of personal secrets, as well as the number of personal folders and the number of existing sends
- The number of shared vaults where the user is owner or user

In addition, for each user it is possible to:

- Force a master password reset. In this case, the user must enter his old master password, then a new one.
- Force rotation of the user's main encryption key, in addition to the master password reset.
- Delete the user and his secrets.

<p class="callout info">A user deleted on Enterprise Vault still exists on WALLIX ONE IDaaS.</p>

<p class="callout info">Certain scenarios prevent the user from being deleted: for example, if the user is the only owner of the recovery key, or the only owner of a shared vault with members.</p>

A user displayed in red has been deleted on the WALLIX ONE IDaaS side, but still exists on Enterprise Vault.  
User deletion on Enterprise Vault cannot be automated from WALLIX ONE IDaaS.

### Shared Vault

The Shared Vault tab displays a list of vaults shared by WALLIX Enterprise Vault users.

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/BbKimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/BbKimage.png)

This page shows, vault by vault:

- The creation date
- The active, unauthorized and deleted owners of the vault
- The active, unauthorized and deleted users of the vault
- The number of items and collections

In addition, each vault can be deleted from this page.

<p class="callout info">All owner/other member fields (active/unauthorized/deleted) are clickable, giving details of the users concerned.</p>

### Logs

The Logs tab displays the logs of actions performed and items viewed.

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/YXaimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/YXaimage.png)

This page shows:

- The creation date
- The user who performed the action
- Action category (administration, item, collection, shared vault, domain, recovery)
- Event corresponding to the action (User registration, Item creation, Item access...)
- The name of the shared vault associated with the item, if the action is relevant
- Additional data, such as the strength of the password created, or the IDs of objects affected by the action

There are 3 types of filters for searching logs, which can be combined:

- A **text** field, allowing you to enter any information you wish to search for on the page
- A **records** field, for filtering by category or event
- A **date** field, allowing you to select the range over which you wish to examine the logs.

<p class="callout info">At present, it is not possible to extract logs (export or link with SIEM).</p>
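Because the three filters are combined, the way to read the Logs tab is as an AND of text, record and date criteria over the fields listed above. The following added example (not WALLIX code) reproduces that combination over hand-made entries, so that the filter semantics can be reasoned about offline; since the page states that no export exists, the `SAMPLE_LOGS` entries, the `filter_logs` helper, the event names beyond those quoted on the page, and the choice of inclusive calendar-day bounds for the date filter are all assumptions made for the example.

```python
"""Apply the Logs-tab filters (text, records, date range) to Enterprise Vault
log entries and combine them, as the tab does.

Added example, not WALLIX code. Logs cannot be exported at the time of the
page, so the entries below are constructed by hand; they only carry the fields
the Logs tab displays (date, user, category, event, shared vault, additional
data). Event names other than those quoted on the page are invented.
"""
from __future__ import annotations

from datetime import date, datetime

# Constructed sample log entries (hypothetical users, IDs and vault names).
SAMPLE_LOGS = [
    {"date": "2025-01-10T08:15:00", "user": "alice@example.com", "category": "administration",
     "event": "User registration", "shared_vault": "", "data": {"user_id": "u-101"}},
    {"date": "2025-01-12T09:30:00", "user": "bob@example.com", "category": "item",
     "event": "Item creation", "shared_vault": "Finance",
     "data": {"item_id": "i-55", "password_strength": "strong"}},
    {"date": "2025-01-12T17:45:00", "user": "bob@example.com", "category": "item",
     "event": "Item access", "shared_vault": "Finance", "data": {"item_id": "i-55"}},
    {"date": "2025-01-14T11:00:00", "user": "carol@example.com", "category": "recovery",
     "event": "Data recovery request", "shared_vault": "", "data": {"target_user_id": "u-101"}},
    {"date": "2025-01-15T11:05:00", "user": "dave@example.com", "category": "recovery",
     "event": "Data recovery approval", "shared_vault": "", "data": {"request_id": "r-9"}},
]


def _searchable_text(entry: dict) -> str:
    """Flatten every displayed value of an entry into one lower-case string,
    so the text filter behaves like 'search anything shown on the page'."""
    parts = [entry["date"], entry["user"], entry["category"], entry["event"], entry["shared_vault"]]
    parts += [f"{k}={v}" for k, v in entry["data"].items()]
    return " ".join(parts).lower()


def filter_logs(entries, *, text=None, category=None, event=None, start=None, end=None):
    """Return the entries matching every filter given (filters are ANDed).

    text     : substring searched case-insensitively over all displayed fields
    category : exact category, e.g. "recovery"
    event    : exact event name, e.g. "Item access"
    start/end: inclusive "YYYY-MM-DD" bounds applied to the entry's calendar day
    """
    lo = date.fromisoformat(start) if start else None
    hi = date.fromisoformat(end) if end else None
    needle = text.lower() if text else None
    out = []
    for e in entries:
        day = datetime.fromisoformat(e["date"]).date()
        if lo and day < lo:
            continue
        if hi and day > hi:
            continue
        if category and e["category"] != category:
            continue
        if event and e["event"] != event:
            continue
        if needle and needle not in _searchable_text(e):
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    # Typical triage question: every recovery-category event touching user u-101.
    for e in filter_logs(SAMPLE_LOGS, category="recovery", text="u-101"):
        print(e["date"], e["user"], e["event"])
```

Searching the additional-data column by object ID (here `u-101`) is how an item or user is followed across categories, since the shared vault column is only filled when the action concerns one.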

### Settings

The Settings tab allows the personalisation of WALLIX Enterprise Vault according to your choices and security policies.

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/tQNimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/tQNimage.png)

Today there are 3 policies:

- **Log**: which information do you want to log?
- **Recovery**: do you allow master password reset? Do you allow data recovery?
- **Security**: do you allow existing users to be listed in the forms that offer it in the user application?

#### Log

- **Log password access**: define whether password accesses are logged

<p class="callout warning">If password accesses are logged, offline access is no longer possible.</p>

- **Log user actions client side**: define whether actions done on the user's client (browser, plugin...) are logged
- **Log actions on user accounts**: define whether actions related to accounts (creation, deletion...) are logged
- **Log actions on ciphers**: define whether actions related to encryption keys (creation, rotation...) are logged
- **Log actions on collections**: define whether actions related to shared vault collections (creation, deletion...) are logged
- **Log actions on shared vaults**: define whether actions related to shared vaults (creation, changes, deletion...) are logged
- **Log recovery actions**: define whether recovery actions (requests, validation, quorum...) are logged

#### Recovery

- **Authorize account recovery**: define whether users can ask for a master password reset
- **Account recovery request timeout**: define the maximum validity period of a master password reset request
- **Authorize data recovery**: define whether an admin can ask for access to a user's personal vault
- **Data recovery request timeout**: define the maximum validity period of an admin's access to a user's personal vault

<p class="callout warning">When recovery is enabled, each item will be encrypted with an additional key dedicated to recovery.  
This encryption is added the first time the user decrypts his items with his own key.  
Consequently, even if the recovery is enabled, these operations can only be performed AFTER the user has made a new access.  
<span style="text-decoration: underline;">So if you want to use them, it's important to activate recovery features from the beginning!</span></p>

#### Security

- **Allow all users of a shared vault to be displayed**: when you add new shared vault members, you have to provide the valid email address of an existing vault user. If this option is enabled, you get the list of existing users to pick from instead.

# Recovery account

Account recovery allows users to request a reset of their master password if they have lost it.

There are 3 prerequisites:

- Account recovery must be enabled in the administration page
- At least one user must have account recovery rights.
- The user must have a valid email address

The workflow will be as follows:

1. User requests master password reset
2. Admin accepts reset
3. User sets new master password

### Enable account recovery

1. Go to the **Enterprise Vault admin app**
2. Go to **Settings**
3. Enable the line **Authorize account recovery**
4. Click **Save** button

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/HfLimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/HfLimage.png)

<p class="callout info">The length of time for which the request is valid can also be set here.  
The default setting is 2 hours.</p>

### Add account recovery rights to a user

1. Go to your **WALLIX ONE IDaaS admin page**
2. Go to **Users** and select an existing user
3. Click **Edit** then **Add an attribute**
4. Provide the following attribute:  
    **name**: recovery\_account  
    **kind**: bool  
    **value**: true

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/iM5image.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/iM5image.png)

  
When this user logs in to the Enterprise Vault user app, and if he is the first one with recovery rights (data or account), he will see the following message:

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/BxLimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/BxLimage.png)

In fact, specific encryption keys are required to carry out recovery operations.  
These are created when the first admin is authenticated.  
Consequently, for subsequent admins, an admin who has the keys must share them.

1. Go to your **Enterprise Vault user app** with an admin who has the recovery key
2. Go to **Settings**, then **Recovery keys**
3. Click **Activate access** for the new admins

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/5uEimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/5uEimage.png)

### Workflow

#### User requests master password reset

- The user clicks **Start a password reset procedure**  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/686image.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/686image.png)

<p class="callout info">If the button "Start a password reset procedure" is not displayed, the possible causes are:  
- The "recovery account" option is not enabled in the admin page  
- No admin has the "recovery account" right  
- The user has not logged in since the recovery account option was activated.</p>

- Then he defines a reset code, which will be used later to complete the procedure  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/IkCimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/IkCimage.png)
- Finally, he receives a confirmation email about his request

#### Admin accepts reset

- The admin is alerted by email
- He goes to his **Enterprise Vault user app**
- Then he clicks **Recovery**, then **Approbation requests**
- He can click **Approve** or **Dismiss**

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/Nedimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/Nedimage.png)

#### User sets new master password

- When the master password reset request is validated, the user receives an email with a reset link
- He clicks the link, and arrives on the reset page
- He provides the initial reset code
- He can define the new master password

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/ownimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/ownimage.png)

# Recovery data

Data recovery allows admins to access the personal items of selected users.

<p class="callout warning">The purpose is to recover a secret that is no longer accessible because its owner is unavailable.  
Consequently, in this mode it is only possible to copy a personal secret's identifier or password, or to export the personal vault.  
No other action is possible.</p>

There are 4 prerequisites:

- Data recovery must be enabled in the administration page
- At least one user must have data recovery rights.
- At least one user must have the rights to manage data recovery quorum.
- The quorum must be defined.

The workflow will be as follows:

1. An admin requests access to a specific user account
2. The quorum members are notified and accept the request
3. The admin is notified and reloads his user app: he now has access to the user's personal items

<p class="callout info">Shared Vaults are not accessible through data recovery.</p>

### Enable Data recovery

1. Go to the **Enterprise Vault admin app**
2. Go to **Settings**
3. Enable the line **Authorize data recovery**
4. Click **Save** button

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/3HSimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/3HSimage.png)

<p class="callout info">The length of time for which the request is valid when accepted can also be set here.  
The default setting is 12 hours.</p>

### Add data recovery rights to a user

1. Go to your **WALLIX ONE IDaaS admin page**
2. Go to **Users** and select an existing user
3. Click **Edit** then **Add an attribute**
4. Provide the following attribute:  
    **name**: recovery\_data  
    **kind**: bool  
    **value**: true

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/uNDimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/uNDimage.png)

When this user logs in to the Enterprise Vault user app, and if he is the first one with recovery rights (data or account), he will see the following message:

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/BxLimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/BxLimage.png)

In fact, specific encryption keys are required to carry out recovery operations.  
These are created when the first admin is authenticated.  
Consequently, for subsequent admins, an admin who has the keys must share them.

1. Go to your **Enterprise Vault user app** with an admin who has the recovery key
2. Go to **Settings**, then **Recovery keys**
3. Click **Activate access** for the new admins

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/5uEimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/5uEimage.png)

### Add quorum rights to a user

1. Go to your **WALLIX ONE IDaaS admin page**
2. Go to **Users** and select an existing user
3. Click **Edit** then **Add an attribute**
4. Provide the following attribute:  
    **name**: recovery\_data\_workflow  
    **kind**: bool  
    **value**: true

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/RF0image.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/RF0image.png)

### Define the quorum

1. Go to your **Enterprise Vault user app** with an admin who has the quorum rights
2. Go to **Settings**, then **Approvers groups**
3. Click **Add group**
4. Choose a name and a quorum number (the number of validations needed to accept a request), then click **Save**  
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/K5gimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/K5gimage.png)
5. Click **+** in the Users column, provide the approver's email address, then click **Validate**  
    Press "Enter" if you want to add multiple approvers  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/dxaimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/dxaimage.png)
6. Click the **Group name**, the **Quorum** or the **Users** field if you need to change something  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/bRCimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/bRCimage.png)
7. Click **Save**

### Workflow

#### The admin requests access to a specific user account

- The admin goes to his **Enterprise Vault user app**
- He clicks on **Recovery** then **Data recovery**
- He selects a user, then clicks **Send**
- The request appears in the history

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/HpKimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/HpKimage.png)

#### The quorum members are notified and accept the request

- A quorum user goes to his **Enterprise Vault user app**
- He clicks **Recovery** then **Approbation requests**
- He clicks **Approve** or **Dismiss**

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/xtpimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/xtpimage.png)

#### The admin has access to the user personal items

- The admin <span style="text-decoration: underline;">**logs out**</span> from his web client, then performs a new authentication
- He clicks his profile
- He selects the user account

[![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/7Hcimage.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/7Hcimage.png)

- He has access to the user's personal items  
      
    [![image.png](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/scaled-1680-/bK0image.png)](https://vault-doc.wallix.com/uploads/images/gallery/2025-01/bK0image.png)
    
      
    As mentioned in the introduction, it is only possible to retrieve secrets from the personal vault.   
    Any other action will display an error, which indicates that it is prohibited.

# Synchronizing Trustelem Groups with the Enterprise Vault CLI

### 🎯 Goal

Automatically define access rights to **shared vaults** and **collections** in Enterprise Vault based on membership in **Trustelem groups**, using a custom JSON attribute called `vaultSync`.

---

### 🧩 Overall Workflow

The script reads all Trustelem groups that include the `vaultSync` attribute.

1. For each Trustelem group with the attribute:
    - A **shared vault** is created or updated.
    - **Collections** can be created or removed according to the configuration.
    - **User permissions** are applied.
2. If a user also has a `vaultSync` attribute, it **overrides** the group configuration.

---

### 🧷 Trustelem Configuration

#### Step 1 – Add custom attributes

##### 🔹 `vaultSync` JSON attribute on a **Trustelem Group** (mandatory)

Example to adapt:

```json
[
  { 
    "sharedVault": "SharedVault1",
    "mode": "exact",
    "collections": ["Collec1", "Collec2"],
    "createCollections": true,
    "deleteCollections": false,
    "role": "User",
    "permission": "view" 
  },
  { 
    "sharedVault": "SharedVault2",
    "mode": "exact",
    "collections": ["Collection1", "Collection2"],
    "createCollections": true,
    "deleteCollections": false,
    "role": "User",
    "permission": "edit" 
  }
]
```
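A `vaultSync` attribute that is malformed is applied to a shared vault's access rights as a whole, so it is worth checking before the synchronization runs. The following is an added example validator in Python, not the WALLIX sync script: the field names, the allowed `mode`, `role` and `permission` values, the default of `"exact"` and the rule that `createCollections`/`deleteCollections` only work in exact mode are taken from the field table in this section, while the checks themselves, the shell-glob reading of `"pattern"` mode (the page does not define the pattern syntax), the `validate_vault_sync` and `matching_collections` helpers and the sample attribute are assumptions made for the example.

```python
"""Validate a vaultSync attribute before the synchronization script consumes it.

Added example, not the WALLIX sync script. Field names, allowed values and the
exact-mode-only constraint come from the field table; the checks, the glob
interpretation of "pattern" mode and the sample data are assumptions.
"""
from __future__ import annotations

import fnmatch
import json

ROLES = {"Owner", "Admin", "User"}
PERMISSIONS = {"view", "viewExceptPass", "edit", "editExceptPass", "manage"}
MODES = {"exact", "pattern"}


def validate_vault_sync(raw: str) -> tuple[list[dict], list[str]]:
    """Parse the JSON attribute and return (normalised entries, errors).

    Every returned entry has `mode` filled in with its default of "exact".
    Entries with errors are still returned so the caller can show them.
    """
    errors: list[str] = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON: {exc}"]
    if not isinstance(data, list):
        return [], ["vaultSync must be a JSON array of vault entries"]
    entries: list[dict] = []
    for i, entry in enumerate(data):
        where = f"entry {i}"
        if not isinstance(entry, dict):
            errors.append(f"{where}: must be an object")
            continue
        if not isinstance(entry.get("sharedVault"), str) or not entry["sharedVault"]:
            errors.append(f"{where}: sharedVault must be a non-empty string")
        mode = entry.get("mode", "exact")  # optional, defaults to "exact"
        if mode not in MODES:
            errors.append(f"{where}: mode must be one of {sorted(MODES)}")
        cols = entry.get("collections", [])
        if not isinstance(cols, list) or not all(isinstance(c, str) for c in cols):
            errors.append(f"{where}: collections must be a list of strings")
        for flag in ("createCollections", "deleteCollections"):
            value = entry.get(flag, False)
            if not isinstance(value, bool):
                errors.append(f"{where}: {flag} must be a boolean")
            elif value and mode != "exact":
                # auto-create/auto-remove need exact names, not patterns
                errors.append(f"{where}: {flag} can only be used with mode 'exact'")
        if entry.get("role") not in ROLES:
            errors.append(f"{where}: role must be one of {sorted(ROLES)}")
        if entry.get("permission") not in PERMISSIONS:
            errors.append(f"{where}: permission must be one of {sorted(PERMISSIONS)}")
        entries.append({**entry, "mode": mode})
    return entries, errors


def matching_collections(entry: dict, existing: list[str]) -> list[str]:
    """Collections of the vault that this entry applies to.

    "exact" keeps the names listed verbatim; "pattern" is read here as
    shell-style globbing (an assumption: the page does not define the syntax).
    """
    if entry["mode"] == "exact":
        return [c for c in existing if c in entry["collections"]]
    return [c for c in existing if any(fnmatch.fnmatchcase(c, p) for p in entry["collections"])]


# Constructed sample: one valid exact entry, one pattern entry that wrongly
# enables createCollections, one with an unknown permission.
SAMPLE_ATTRIBUTE = json.dumps([
    {"sharedVault": "Finance", "collections": ["Invoices", "Payroll"],
     "createCollections": True, "deleteCollections": False, "role": "User", "permission": "view"},
    {"sharedVault": "IT", "mode": "pattern", "collections": ["Prod-*"],
     "createCollections": True, "role": "Admin", "permission": "edit"},
    {"sharedVault": "HR", "collections": ["Contracts"], "role": "User", "permission": "read"},
])


if __name__ == "__main__":
    entries, errors = validate_vault_sync(SAMPLE_ATTRIBUTE)
    for err in errors:
        print("ERROR", err)
    print(matching_collections(entries[1], ["Prod-db", "Prod-web", "Dev-db"]))
```

Run the validator on the attribute of every group (and of every user, since a user attribute overrides the group one) before the synchronization: a refused `permission` or a pattern entry with `createCollections` set is exactly the kind of mistake that otherwise surfaces as unexpected vault access.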

| Field | Type | Description |
|---|---|---|
| `sharedVault` | `string` | Name of the shared vault to sync |
| `mode` | `string` | `"exact"` or `"pattern"`. Not mandatory, defaults to `"exact"`. With `"exact"`, `collections` lists the exact names of the synchronized collections; with `"pattern"`, `collections` lists patterns for collection names. |
| `collections` | `string[]` | List of collection names or patterns |
| `createCollections` | `boolean` | Auto-create missing collections (can only be used with exact mode) |
| `deleteCollections` | `boolean` | Auto-remove collections not listed (can only be used with exact mode) |
| `role` | `string` | User role in the vault: `"Owner"`, `"Admin"`, or `"User"` |
| `permission` | `string` | Permission in the collection: `"view"`, `"viewExceptPass"`, `"edit"`, `"editExceptPass"`, `"manage"` |

`createCollections` and `deleteCollections` are automatically treated as `false` when `mode` is `"pattern"`.

You can synchronize a group in one or more shared vaults.

You can synchronize one or more Trustelem groups in the same Shared Vault. This way, you can assign different roles and rights to different groups of users.

##### 🔹 `vaultSync` JSON attribute on a **Trustelem User** (optional)

Overrides group settings when applied.  
Example to adapt (the value needs to be an array):

```json
[ 
  { 
    "sharedVault": "SharedVault1",
    "mode": "pattern",
    "collections": ["collection1", "collection1/**"],
    "role": "Admin",
    "permission": "edit" 
  }
]
```

<p class="callout info">**How to use patterns?**</p>

Patterns use **glob matching** syntax, treating collection names as filesystem paths. This lets you use wildcards and more complex expressions.

**Glob matching** - Using wildcards (`*` to match at one directory level and `?` to replace one character) and globstars (`**`) to include nested directories.

You can also use POSIX character classes (`[:alpha:]`, `[:digit:]`), regex classes (`[1-5]`), regex alternation (`(abc|xyz)`) and brace expansion. For exhaustive documentation, refer to the [micromatch](https://www.npmjs.com/package/micromatch "micromatch") library.

**Examples:**

With the following collection tree:

```
collection1/
      collection11
      collection12/
          collection121
          collection122
collection2/
      collection21
```

| Pattern | Matching results |
|---|---|
| `collection1/**` | `collection1`, `collection11`, `collection12`, `collection121`, `collection122`: collection1 and all children of collection1. With the globstar `**`, the parent is included. |
| `*` | `collection1`, `collection2`: all first-level collections. |
| `collection?/*` | `collection11`, `collection12`, `collection21`: all second-level collections whose parent is named 'collection' followed by one more character. With the wildcard `*`, the parent is not included. |
| `*/collection[0-9]{1,2}` | All second-level collections named 'collection' followed by one or two digits. |
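To dry-run a `"pattern"` mode entry against your own collection tree, here is an added example (not micromatch and not WALLIX's code): a minimal glob-to-regex matcher that reproduces the semantics of the table above. The sample tree is the one from this page, written as `parent/child` paths.

```javascript
// Added example (not micromatch and not WALLIX's code): a minimal glob-to-regex
// matcher that reproduces the semantics of the pattern table on this page.
// Constructed sample tree from this page, written as "parent/child" paths.
const COLLECTIONS = [
  "collection1",
  "collection1/collection11",
  "collection1/collection12",
  "collection1/collection12/collection121",
  "collection1/collection12/collection122",
  "collection2",
  "collection2/collection21",
];

// Supported: "*" (one level), "?" (one character), "**" (nested levels; a trailing
// "/**" also matches the parent), and regex classes [0-9], groups (a|b) and
// quantifiers {1,2}, which pass through unchanged. POSIX classes such as
// [:alpha:] are NOT handled here; use micromatch itself for those.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; ) {
    if (glob.startsWith("/**", i) && i + 3 === glob.length) { re += "(?:/.*)?"; i += 3; }
    else if (glob.startsWith("**", i)) { re += ".*"; i += 2; }
    else if (glob[i] === "*") { re += "[^/]*"; i += 1; }
    else if (glob[i] === "?") { re += "[^/]"; i += 1; }
    else if ("[](){}|".includes(glob[i])) { re += glob[i]; i += 1; } // regex syntax
    else { re += glob[i].replace(/[.+^$\\]/, "\\$&"); i += 1; }      // literal char
  }
  return new RegExp("^" + re + "$");
}

// Returns the short names of the collections a pattern selects, as in the table.
function matchCollections(pattern, paths = COLLECTIONS) {
  const re = globToRegExp(pattern);
  return paths.filter((p) => re.test(p)).map((p) => p.split("/").pop());
}

// Dry-run of the four patterns from the table
for (const pattern of ["collection1/**", "*", "collection?/*", "*/collection[0-9]{1,2}"]) {
  console.log(pattern, "->", matchCollections(pattern).join(", "));
}
```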

#### Step 2 – Generate a Trustelem API Key

1. In the Trustelem admin console, go to **Rest API > New API key**. ⚠️ If you can't see the **Rest API** tab, open a support ticket to request the feature.
2. Click the **edit (pencil)** icon.
3. Check:
    - `users_read`
    - `groups_read`
4. Save.
5. Note the following values:
    - **KEY ID**
    - **Bearer Token**

---

### 🛠 CLI Script Configuration

##### 1/ Download Enterprise Vault CLI.

##### 2/ Create the `synchro` script

Example with the Linux CLI:

```shell
#!/bin/bash
# --- Configuration ---
vault_id="to_replace"
vault_secret="to_replace"
vault_password="to_replace"
vault_url="to_replace"
trustelem_key_id="to_replace"
trustelem_bearer="to_replace"
trustelem_url="to_replace"

# --- Function: Connect and unlock the Vault CLI ---
connect_to_vault() {
    # Start from a clean session and point the CLI at the vault instance
    ./wv logout > /dev/null 2>&1
    ./wv config server "$vault_url" > /dev/null 2>&1
    # The CLI reads the API credentials from these environment variables
    export WV_CLIENTID="$vault_id"
    export WV_CLIENTSECRET="$vault_secret"
    export WV_TRUSTELEMKEYID="$trustelem_key_id"
    export WV_TRUSTELEMBEARER="$trustelem_bearer"
    export WV_TRUSTELEMURL="$trustelem_url"
    ./wv login --apikey > /dev/null 2>&1
    # Unlock with the master password; --raw outputs the session value for WV_SESSION
    WV_SESSION="$(./wv unlock "$vault_password" --raw)"
    export WV_SESSION
}

# --- Main Execution ---
connect_to_vault
./wv syncgroups
```

PowerShell example with the Windows CLI:

```powershell
# --- Configuration ---
$vault_id = "to_replace"
$vault_secret = "to_replace"
$vault_password = "to_replace"
$vault_url = "to_replace"
$trustelem_key_id = "to_replace"
$trustelem_bearer = "to_replace"
$trustelem_url = "to_replace"

# --- Function: Connect and unlock the Vault CLI ---
function Connect-ToVault {
    # Start from a clean session and point the CLI at the vault instance
    ./wv.exe logout | Out-Null
    ./wv.exe config server $vault_url | Out-Null
    # The CLI reads the API credentials from these environment variables
    $env:WV_CLIENTID = $vault_id
    $env:WV_CLIENTSECRET = $vault_secret
    $env:WV_TRUSTELEMKEYID = $trustelem_key_id
    $env:WV_TRUSTELEMBEARER = $trustelem_bearer
    $env:WV_TRUSTELEMURL = $trustelem_url
    ./wv.exe login --apikey | Out-Null
    # Unlock with the master password; --raw outputs the session value for WV_SESSION
    $session = ./wv.exe unlock $vault_password --raw
    $env:WV_SESSION = $session.Trim()
}

# --- Main Execution ---
Connect-ToVault
./wv.exe syncgroups
```

Values to replace:

| Variable | Description |
|---|---|
| `vault_id` | API service account ID (web client > Account parameters > Security > API Keys) |
| `vault_secret` | API service account secret (web client > Account parameters > Security > API Keys) |
| `vault_password` | Master password for the service account |
| `vault_url` | Vault instance URL (e.g., `https://vault-yourdomain.trustelem.com`) |
| `trustelem_key_id` | KEY ID from Step 2 |
| `trustelem_bearer` | Bearer Token from Step 2 |
| `trustelem_url` | Trustelem admin URL (e.g., `https://admin-yourdomain.trustelem.com`) |

##### 3/ Start the script.

---

### ⚙️ Detailed Synchronization Behavior

#### 1. Shared Vault Management

- **If the shared vault doesn't exist**:
    - It is **automatically created** and the service account becomes the `Owner`.
- **If it already exists**:
    - The script checks if the service account is the `Owner`.
    - If not, an **error is returned**.

⚠️ **Important**: if the service account is not a shared vault member, it has no way to know if the shared vault already exists or not. In this case, the script will assume the shared vault doesn't exist and a new shared vault with the same name will be created.

#### 2. Collection Management

- **With `createCollections=true`**:
    - Collections missing in the vault but listed in the JSON will be created.
    - The service account is given `manage` rights on these.
- **With `deleteCollections=true`**:
    - Collections present in the vault but not in the list will be deleted.
    - The service account must have `manage` rights to delete them.

⚠️ **Important**: do not set both `createCollections=true` and `deleteCollections=true` at the same time.

🔸 **Note on User Attributes**: User-level `vaultSync` attributes **cannot** create or delete collections—only assign permissions.
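The field table in Step 1 and the two notes above add up to a small set of rules a `vaultSync` value must satisfy (array of entries, valid `mode`, `role` and `permission` values, `createCollections`/`deleteCollections` not both true, and no effect of those flags in pattern mode or on a user attribute). Here is an added example (not WALLIX's code) that checks a value against those rules before you set it as a Trustelem attribute; the `level` parameter ("group" or "user") is an assumption of this example.

```javascript
// Added example (not WALLIX's code): checks a vaultSync value against the rules
// documented on this page before it is set as a Trustelem attribute.
const ROLES = new Set(["Owner", "Admin", "User"]);
const PERMISSIONS = new Set(["view", "viewExceptPass", "edit", "editExceptPass", "manage"]);
const MODES = new Set(["exact", "pattern"]);

// value: JSON string or already-parsed value; level: "group" or "user" (hypothetical
// parameter). Returns { errors, warnings }; an empty errors array means usable.
function validateVaultSync(value, level = "group") {
  const errors = [];
  const warnings = [];
  let entries = value;
  if (typeof value === "string") {
    try { entries = JSON.parse(value); } catch (e) { return { errors: [`invalid JSON: ${e.message}`], warnings }; }
  }
  if (!Array.isArray(entries)) {
    return { errors: ["the value must be a JSON array of entries"], warnings };
  }
  entries.forEach((entry, i) => {
    const at = `entry ${i}`;
    if (typeof entry !== "object" || entry === null) { errors.push(`${at}: not an object`); return; }
    if (typeof entry.sharedVault !== "string" || entry.sharedVault === "") {
      errors.push(`${at}: sharedVault must be a non-empty string`);
    }
    const mode = entry.mode === undefined ? "exact" : entry.mode; // optional, defaults to "exact"
    if (!MODES.has(mode)) errors.push(`${at}: mode must be "exact" or "pattern"`);
    if (!Array.isArray(entry.collections) || !entry.collections.every((c) => typeof c === "string" && c !== "")) {
      errors.push(`${at}: collections must be an array of non-empty strings`);
    }
    if (!ROLES.has(entry.role)) errors.push(`${at}: role must be one of ${[...ROLES].join(", ")}`);
    if (!PERMISSIONS.has(entry.permission)) errors.push(`${at}: permission must be one of ${[...PERMISSIONS].join(", ")}`);
    for (const flag of ["createCollections", "deleteCollections"]) {
      if (flag in entry && typeof entry[flag] !== "boolean") errors.push(`${at}: ${flag} must be a boolean`);
    }
    const create = entry.createCollections === true;
    const del = entry.deleteCollections === true;
    if (create && del) errors.push(`${at}: do not set createCollections and deleteCollections both to true`);
    if ((create || del) && mode === "pattern") warnings.push(`${at}: createCollections/deleteCollections are treated as false in pattern mode`);
    if ((create || del) && level === "user") warnings.push(`${at}: a user-level vaultSync cannot create or delete collections; these flags have no effect`);
  });
  return { errors, warnings };
}
```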

#### 3. User Membership & Permissions

- **If a user is not in Vault**:
    - An **error is returned**.
- **Adding users to collections**:
    - If the user is not already in a listed collection, they are added with the `role` and `permission` defined.
    - If the user has their own `vaultSync` config, it **overrides** the group config.
    - The service account must have `"manage"` rights.
- **Updating permissions**:
    - If the user has different permissions in a collection, they are updated accordingly.
    - Requires `"manage"` permission.
- **Removing from collections**:
    - If a user is in a collection not listed, they are removed.
    - Requires `"manage"` permission.

---

### 🧾 Special Cases

| Scenario | Behavior |
|---|---|
| 🔁 Trustelem group renamed in AD | Synchronization continues (attribute remains present) |
| 🗑 Trustelem group deleted | Synchronization stops, but the vault remains unchanged |
| ♻️ Group deleted and recreated | Vault is no longer linked; re-adding the attribute resumes sync |

---

### ✅ Permissions Summary

| Action | Required Right (Service Account) |
|---|---|
| Create shared vault | None (becomes `Owner`) |
| Modify existing vault | Must be `Owner` |
| Create/delete collection | `manage` |
| Add/remove users from collections | `manage` |
| Update user permissions | `manage` |