
Question of understanding - Creating Nested Password Lists automatically changes permissions on Root Folders


Mordecai


Hi, 

I hope I can explain it in an understandable way, because I don't really understand myself why this feature works the way it does. It is a little bit complicated to understand.
I have a root folder for some purpose where all sub folders inherit permissions from their nested Password Lists, but I do not want the folder tree structure to be changed by anyone (adding new folders, renaming folders, deleting folders etc.).

To illustrate my problem, let's call the root folder "Company". This root folder has two sub folders called "Finance" and "IT".
If an employee now creates a private or shared password list in the sub folder "IT" or "Finance", this employee automatically receives admin rights to this password list. This is still okay for me.
But at the same time this employee also gets admin permissions to the root folder "Company" through inheritance. Although this employee had no rights to the root folder before, he can now edit this folder, change the permission model etc. (and can also lock out all other employees).
If I change the folder permission model to "Manage permissions manually for this folder", I can rule out this problem, but then I cannot grant different permissions to different employees/groups on the sub folders and password lists.

In case of shared password lists you can still assign the permissions yourself. But as soon as an employee creates a private password list for himself, he automatically gets administrative access to the folders above and can change settings that he was not allowed to change before. How can I prevent this?
I do not want "IT" employees to have access to lists or sub folders of the "Finance" department, and I do not want "Finance" or "IT" employees to be allowed to change anything in the folder structure. In this case, am I really not allowed to use sub folders under root level maintenance? So I should create "Finance" and "IT" directly in the root level?


I have already changed the settings so that on root level nobody except a certain group of people may create password lists and folders, but this option only applies to the root level.
In general I don't want to forbid the creation of password lists and folders via the settings (Set Permissions).


Therefore my question: how is it possible to define a folder structure in which people can create password lists and folders according to predefined permissions BUT cannot get any rights on a higher level which they did not have before?

If you have any questions or if you want me to explain something more detailed, please let me know.

Thanks in advance,
René


Hey Rene,

Thanks for your post. We think this might be prevented by using our propagating permissions model. Here is a video which shows a bit more about this: https://www.youtube.com/watch?v=QBJE_xD185U

Here's an email that we send to customers occasionally, which may help. We're happy to work with you on this to make sure you can get something working for your business:


Setting up the structure of the navigation tree is difficult to advise for, as every business is different, but below I've given an example of how you could build yours assuming you have different departments, like “IT Department” or “HR Department”.  The top level Folder is set to Manual Permissions (blue padlock), and you would give everyone in the IT Department view access to it.  Then each folder nested beneath it is for each team in the department, and these permissions are set to propagate down (green arrow on the folder) and only that team should have access to it.  This just means the Linux team will only see "IT Department -> Linux Team", and the Service Desk will only see "IT Department -> Service Desk" etc.  You could use this example below and possibly duplicate it for each department in your business, HR, Finance, Marketing etc.


[Image: clip_image002.jpg (example navigation tree for the IT Department)]


Permissions:
Always use Security Groups if possible. In the above example for the IT Department structure, you could get away with having 4 Security Groups:

· IT Department – Add all users from the department to this group and give this group View access to the top level IT Department folder
· Linux Team – Apply this group to only the Linux Folder
· Service Desk – Apply this group to only the Service Desk Folder
· Windows Team – Apply this group to only the Windows Folder

Possibly you could have 2 Security Groups per Team, which gives different permissions:
· Linux Team Read Only
· Linux Team Modify
· Service Desk Read Only
· Service Desk Modify
· Windows Team Read Only
· Windows Team Modify

Setting up permissions like this means all you have to do is add a new user to the relevant AD Security Group. This will sync to Passwordstate automatically and give users appropriate permissions easily.


Also, adding a Private Password List or a Shared Password List inside a folder that is propagating permissions down from the top level will not change the permissions.

Another tip to help: consider setting this System Setting option under Administration -> System Settings -> Password List Options to allow users with Modify rights the ability to Add Password Lists:

[Image: 2020-01-14_15-28-06.png (System Settings screenshot)]

You could also consider locking down the ability to create folders completely, so as to keep your folder structure standard. This can be done under Administration -> Feature Access -> Menu Access.


I hope that's enough to get you started, but please let me know if you have any questions at all about any of this.

 

Regards,

Support


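As an added illustration that is not Passwordstate code and not from either poster, the following Python toy model encodes only the two folder behaviours the thread describes (folder permissions collected upward from nested lists, versus permissions propagated downward from a folder) and shows why the first lets a private list's creator end up with Admin on the root while the second does not. The folder names, the user "alice" and the `scenario` helper are constructed for the example.

```python
# Toy model (not Passwordstate code) of the two folder behaviours the thread
# describes. "inherit_from_lists": a folder's permissions are the union of
# everything nested beneath it. "propagate_down": the folder pushes its own
# permissions onto everything beneath it. "manual": fixed, nothing inherited.
LEVELS = {"View": 1, "Modify": 2, "Admin": 3}

def grant(acl, user, level):
    """Raise a user's entry in acl to `level` if it is higher than before."""
    if LEVELS[level] > LEVELS.get(acl.get(user), 0):
        acl[user] = level

class Node:
    """A folder (mode set) or a password list (mode None)."""
    def __init__(self, name, mode=None, acl=None):
        self.name, self.mode, self.acl = name, mode, dict(acl or {})
        self.children, self.parent = [], None

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

def effective(node):
    """Effective permissions on `node` under the model above."""
    acl = dict(node.acl)
    if node.mode == "inherit_from_lists":
        # Bubble up: anything granted on a nested item is granted here too,
        # which is the escalation path the original poster ran into.
        for child in node.children:
            for user, level in effective(child).items():
                grant(acl, user, level)
        return acl
    # Otherwise only ancestors that propagate down can add to this ACL.
    ancestor = node.parent
    while ancestor is not None:
        if ancestor.mode == "propagate_down":
            for user, level in ancestor.acl.items():
                grant(acl, user, level)
        ancestor = ancestor.parent
    return acl

def scenario(root_mode, sub_mode, user="alice"):
    """`user`'s rights on the root before/after creating a private list under IT."""
    company = Node("Company", root_mode, acl={"company-admins": "Admin"})
    it = company.add(Node("IT", sub_mode, acl={"it-team": "Modify"}))
    company.add(Node("Finance", sub_mode, acl={"fin-team": "Modify"}))
    before = effective(company).get(user)
    it.add(Node(f"{user}-private", acl={user: "Admin"}))  # creator gets Admin
    return before, effective(company).get(user)
```

`scenario("inherit_from_lists", "inherit_from_lists")` reproduces the escalation from the question, while `scenario("manual", "propagate_down")` reproduces the layout support recommends, where the new list leaves the root untouched.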
