Jump to content

Managing security groups that contain yourself


Recommended Posts

Hi guys,


I'm playing around in our DEV sandbox, with PasswordState. Stumbled upon something that I wanted to discuss briefly.



  1. Install PasswordState.
  2. Setup my own AD account as the first admin account.
  3. Create a group in AD, "pstate-admins".
  4. Add multiple AD users to AD group "pstate-admins", including myself.
  5. Import the AD group "pstate-admins" as an AD security group into PasswordState.
  6. Go to security Administrators and try to add the security group "pstate-admins" with privileges.


The group in question stays greyed out and cannot be adjusted. Is this a bug, or is it a design feature to prevent me from expanding my current set of access permissions? I could understand it being the latter, now that I think of it. But on the other hand, the account I'm currently working with is the primary / first full admin user. You'd expect that one to not be limited :) Then again, proper security considerations would suggest that even the primary admin is limited by access permissions.


Workaround would be to remove myself from the AD group, then add permissions, then re-add myself to the group. Yup.


However, now I get stuck when working with password lists! I've set up a few lists and I want to ensure that the "pstate-admins" can administer the lists in question. I cannot add list admin rights to "pstate-admins", because I'm a member of that group. Despite my account already having full access to the lists, because I'm the one who created the list. This is a bit messy :/


Suggestions? I could remove my account from the AD-group again, but in the long run I want the first admin account (mine) to be removed in full, so my rights work through the AD-group.

Link to comment
Share on other sites

Hello Buckit,


I think I understand what your issue is, but please let me know if I've got it wrong.

Are you trying to apply/change permissions to Password Lists from within the Administration area? If so, then there is a System Setting here preventing you from doing this. By default we prevent this, so that any Security Admin cannot just grant themselves access to any Password Lists they like.

If you go to the screen Administration -> Passwordstate Administration -> System Settings -> Password List Options tab, you will see the setting below which you can change:


"When administering Password List permissions from within the 'Administration' area, prevent Security Administrators from granting themselves permissions to passwords - either via their own account, or security groups which they are a member of:"


Can you let me know if this was the issue?


Click Studios

Link to comment
Share on other sites

Yep, that's exactly the issue I was trying to explain. And what I expected is what you explained: it's an additional layer of security. Glad to know things work as designed. Now I just have to make sure that particular checkbox cannot be unchecked ;)


Thanks for further explaining!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...