Vault is the authorisation system. It is a store of parent/child associations. To determine the authorisation of an entity, you look up the relevant parent object. The authorisation is defined by all the associated child objects.

For example, if you wish to find out the list of advisors belonging to a broker (and that a broker can view), you would query vault for all the child objects of that specific broker parent object.