Access control at the credential level, not the project level.
In Aegis, being added to a team or project does not grant access to any credentials. Every access grant is explicit, recorded, and can be time-bounded.
Per-credential grants, not per-project membership.
Most credential tools grant access at the vault or project level. If you have access to the project, you have access to all its credentials. This simplifies the access model but widens the exposure surface: production database credentials become visible to anyone working on any ticket in the project.
Aegis grants access per credential. A developer can have read access to staging API keys but no access to production database credentials - even within the same project. The grant is explicit, separate, and logged.
Five of the nine roles, and what each controls.
The full 9-role model includes additional roles for Contractor, Auditor, Billing Manager, and Support access.
Access that expires automatically.
JIT grants are time-bounded. When the duration expires, the access is removed automatically - no manual revocation required.
The grant event, any reveal events during the window, and the expiry event are all logged. This gives auditors a complete picture of the temporary access period.
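A minimal model of the behaviour described above, added here as an illustration; it is not Aegis code and does not reflect the Aegis API. The class and method names, the user, project and credential names, and the logging of denied reveals are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class GrantStore:
    """Hypothetical model: access is keyed by (user, credential), never by project."""
    members: dict = field(default_factory=dict)  # project -> set of users
    grants: dict = field(default_factory=dict)   # (user, credential) -> expiry or None
    audit: list = field(default_factory=list)    # (time, event, user, credential)

    def add_member(self, project, user):
        # Membership is recorded but confers no credential access.
        self.members.setdefault(project, set()).add(user)

    def grant(self, user, credential, now, ttl=None):
        # ttl=None is a standing grant; a number makes it time-bounded (JIT).
        self.grants[(user, credential)] = None if ttl is None else now + ttl
        self.audit.append((now, "grant", user, credential))

    def expire(self, now):
        # Drop every grant whose window has closed; log expiry at its deadline.
        for key, expiry in list(self.grants.items()):
            if expiry is not None and now >= expiry:
                del self.grants[key]
                self.audit.append((expiry, "expiry", *key))

    def reveal(self, user, credential, now):
        # Expiry is enforced on every read, so no manual revocation is needed.
        self.expire(now)
        allowed = (user, credential) in self.grants
        # Logging denials is an addition of this sketch, not stated on the page.
        self.audit.append((now, "reveal" if allowed else "denied", user, credential))
        return allowed

def demo():
    # Constructed scenario; times are seconds from an arbitrary start.
    s = GrantStore()
    s.add_member("payments", "dev1")
    s.grant("dev1", "staging-api-key", now=0)
    results = [
        s.reveal("dev1", "staging-api-key", now=10),   # explicit standing grant
        s.reveal("dev1", "prod-db-password", now=10),  # project member, no grant
    ]
    s.grant("dev1", "prod-db-password", now=20, ttl=3600)
    results.append(s.reveal("dev1", "prod-db-password", now=100))   # inside window
    results.append(s.reveal("dev1", "prod-db-password", now=3700))  # after expiry
    return results, [e[1] for e in s.audit if e[3] == "prod-db-password"]

if __name__ == "__main__":
    print(demo())
```

The second list returned by `demo()` is the audit trail for the production credential, which is the record an auditor would review for the temporary access period.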
Available durations