TrustVault permissions are broadly broken into 3 main areas (There are additional permissions such a Account Administrator which gives you access to change account details but this is handled through our support rather than through our Apps):
API Key Users
Wallet Policy Users
Address Book approvers
All users (except those who are solely address book approvers) must be in the first category. i.e. each user MUST be added to the organisation. Once a user has set their PIN (via the TrustVault iOS App), this will give the following permissions
Access to TrustVault iOS App.
Access to TrustVault Web.
Ability to view all the wallets and sub-wallets for your organisation.
Ability to view all portfolio balances.
Ability to view all transactions for all sub-wallets in TrustVault Web and TrustVault iOS App.
Ability to initiate unsigned transactions from either TrustVault Web or TrustVault iOS App.
Ability to cancel any request that appears in the TrustVault iOS App "inbox".
Ability to connect any sub-wallet to MetaMask and view data there or initiate an unsigned transaction.
Ability to create a sub-wallet (from TrustVaultWeb).
Ability to delete a sub-wallet (from iOS App).
Ability to rename a sub-wallet (from iOS App).
Ability to add users to address book (Approval May be required).
API Keys are a subset of an organisation user. They operate as the organisation (no individual user assigned) and have the same features as above except they can access the API to perform most of the functions.
Wallet Policy Users
Users who are in the organisation can then be added to a wallet policy. This gives the additional permissions:
Ability to sign requests (requests can include transactions, wallet creations or policy changes)
NB: The policy must still be satisfied by all signers before a transaction is completed.
Address Book Approvers
Users who are solely an address book approver do not need to be in an organisation.
It is possible to be an Organisation User AND an Address Book Approver.