Access control model
Enclave uses a layered model. A user must satisfy all of the following to access a file:- Authentication — valid session token
- Org Unit membership — member of the Org Unit that owns the room
- Room membership — explicitly added to the room with a role
- Clearance level — effective clearance ≥ file classification
Organisation roles
| Role | Description |
|---|---|
| Owner | Full control of the organisation, all rooms, all users |
| Domain Admin | Manages all Org Units, users, and rooms within the domain |
| Department Admin | Manages their assigned Org Units only |
| Security Officer | Read-only access to audit logs; cannot access room files |
| Member | Regular user — access determined by room and Org Unit membership |
| Auditor | Read-only access to compliance reports and audit logs |
Org Unit membership
Org Units gate which rooms a user can be a member of. A user without Org Unit membership cannot be added to any room that Org Unit owns. Adding a user to an Org Unit does not automatically grant them room access. Room membership is a separate, explicit grant.Room roles
Within a room, members have one of three roles:| Role | Download | Upload | Rename / Delete files | Manage members |
|---|---|---|---|---|
| Owner | ✓ | ✓ | ✓ | ✓ |
| Contributor | ✓ | ✓ | — | — |
| Viewer | ✓ | — | — | — |
Clearance levels
Files carry a classification (C1–C4). Users carry a clearance level. Access is granted only whenuser clearance ≥ file classification.
| Classification | Label | Minimum clearance |
|---|---|---|
| C1 | Public sensitivity | Any authenticated user |
| C2 | Internal | C2 (default for Members) |
| C3 | Confidential | C3 (Department Admins by default) |
| C4 | Restricted | C4 (Owners, Domain Admins, Security Officers) |
Access reviews
Org Unit memberships can be periodically reviewed through an Access Review campaign:- An admin starts a review — Enclave snapshots all current memberships
- Each membership is marked as pending
- Reviewers approve (keep) or revoke each membership
- Revoked memberships are removed immediately
- The review is closed — remaining pending entries are auto-approved