How does rights management in Password Depot Enterprise Server work?

Server Policies

Before you start assigning rights to users and groups, check the default (or global) server policies first.

The server policies can be accessed through the Server Manager. To do so, please go to Manage -> Server Policies.

Three different states are available in the server policies:

  • Not defined
  • Enabled
  • Disabled

Please note the following:

  • If you set a right to "Enabled" in the server policies, it is available to all users. However, it can still be deactivated for individual users and groups in the database's permissions tab.
  • If you set a right to "Disabled" in the server policies, it is not available to any user and can no longer be activated for individual users and groups in the database's permissions tab.
  • If you leave a right as "Not defined" in the server policies, you can define it for individual users and groups separately in the database's permissions tab.

 

mceclip1.png

 

We recommend setting the rights status in the server policies to Not defined. Individual rights management for users and groups can then be carried out in the database's permissions tab.

Examples for using the server policies:

If you want to disable the printing of passwords on the server for all users and groups in general, make sure to disable the right Print entries by setting this option to Disabled.

If you want to enable using the browser add-ons without any restrictions throughout the entire company, make sure to enable the option Auto-fill web forms using browser add-ons as well as Accept new entries from browser add-ons.

 

Individual rights management

Once you have checked the settings in the server policies and changed them as desired, you can assign individual access rights to users and groups within the selected database.

To do so, right-click on a database in the Databases area and select Permissions. In the main view of the Server Manager, you can now see all users/groups who can currently access this database.

You can add new users or groups to the database by double-clicking on it and selecting the option + New at the right. Next, select a single user or group by double-clicking on it. A new dialog window called Permissions will open. Two tabs are available here for individual rights management: the General tab and the Entries and folders tab.

 

If the Access to database permission is "Enabled", the user can see the database in the list of existing server databases. If the option Read entries is enabled, the user can see all entries and folders which are stored in the root directory of the database. If the option Read entries is enabled, the Access to database permission will be activated automatically because it is not possible to allow reading of entries without accessing a database.

If you enable the Access to database option but disable the Read/Modify/Add/Delete entries permissions, the user can see the database and receive it from the server. However, they cannot see any entries within the database. In this case, you can assign access rights to a user or group for individual entries and/or folders within the database (see screenshots below).

 

General tab

mceclip2.png

 

The access rights in detail

  • Access to database: Users can see the database in the list of available databases and receive it from the server.
  • Read entries: Users can read entries within the database.
  • Modify entries: Users may edit existing entries or folders. The permission of modifying entries only works if the option Read entries is also enabled because it is required to see an entry or folder in plain text if you want to modify it.
  • Add entries: Users may add new entries and folders.
  • Delete entries: Users may delete existing entries or folders.
  • Use the function "Auto-Complete": Users may use the feature of the same name to automatically fill in data on web forms.
  • Auto-fill web forms using browser add-ons: Users may have web forms filled in automatically by the add-on.
  • Accept new entries from browser add-ons: Users may create new entries using the add-on. Those new entries will be saved to the database subsequently.
  • Print entries: Users may print entries in readable form (on paper and/or as PDF).
  • Export entries: Users may export entries to XML or other formats. Please note that exported entries are not encrypted!
  • Save local copy: Users may store local or backup copies of server databases on their local system. Please note that the user or group can only save those entries/folders locally which they can also see during an active server connection.
  • Synchronize database: Users can synchronize two databases. This may be helpful if there are two different databases with different content. By synchronizing them you can update their content.
  • Grant access to other users: Users may share entries within the client with other users. In this case, the server admin does not have to change rights management in the Server Manager. Users can share entries with other users either temporarily or without any time limitation.
  • Seal entries: Users may also seal entries if they are shared with other users on the server. In this case, the seal status has to be changed accordingly in order to access the sealed entry. Learn more about this feature here.
  • Grant admin rights: Users can log in to the Enterprise Server using the control panel (Server Manager) and enable other users to access the database. If a user is a "Database Administrator" (Users -> Roles), the option "Grant admin rights" must also be enabled so that the user can change the rights management of this database.

 

Entries and folders

In the Entries and folders tab, you can assign access rights to users or groups for individual folders, sub folders or entries.

 

mceclip3.png

 

Example

The Support group should access the company's database. However, the members should only see the IT folder within the database and have full access to this IT folder.

First, make sure to enable the option Access to database for the Support group. Next, please define all other permissions as follows. It is mainly important to uncheck the boxes Read/Modify/Add/Delete entries (all other permissions can also be defined differently from what is shown in the screenshot below):

 

mceclip4.png

 

Since the Support group cannot read/modify/add/delete entries in general, you just need to enable those rights for the IT folder in the Entries and folders tab. Permissions for all other folders within the database have already been set in the General tab, so you don't have to enable or disable access to other folders or entries visible in the Entries and folders tab:

 

mceclip5.png

 

If access to a single entry within the IT folder should be disabled for the Support group, you can do that in the Entries and folders tab, too, as shown in the screenshot below:

 

mceclip6.png

 

Now, the Support group can only see the IT folder within the database "AceBIT GmbH". However, they can only see and access the entry "Mantis" because access to the entry "Stack Overflow" has been denied within the IT folder.

Tip: The different colours show you which permissions are enabled or disabled. Green always indicates "Allowed/Enabled" permissions and red always indicates "Denied/Disabled" permissions. Thus, you can detect very easily which permissions are currently allowed or denied.
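
The precedence described in this article can be checked on paper before changing anything in the Server Manager. The following Python model is an added example, not Password Depot code: it assumes that the most specific explicit setting wins (entry, then folder, then General tab), that a right set nowhere is denied, and that each setting has the same three states as the server policies. The "Finance" folder and the Print override are constructed sample data.

```python
from enum import Enum

class State(Enum):
    NOT_DEFINED = "Not defined"
    ENABLED = "Enabled"
    DISABLED = "Disabled"

def is_allowed(right, path, server_policy, general, overrides):
    """Effective state of `right` on `path`, a tuple such as ("IT", "Mantis")."""
    policy = server_policy.get(right, State.NOT_DEFINED)
    # "Disabled" in the server policies cannot be re-activated per user or group.
    if policy is State.DISABLED:
        return False
    # Without "Access to database" the database is not even listed.
    if general.get("Access to database") is not State.ENABLED:
        return False
    # Assumption: the most specific explicit setting wins (entry, then folders).
    for depth in range(len(path), 0, -1):
        state = overrides.get(path[:depth], {}).get(right, State.NOT_DEFINED)
        if state is not State.NOT_DEFINED:
            return state is State.ENABLED
    # Fall back to the General tab, then to the server policy.
    state = general.get(right, State.NOT_DEFINED)
    if state is not State.NOT_DEFINED:
        return state is State.ENABLED
    return policy is State.ENABLED  # assumption: nothing set anywhere means denied

# Constructed data mirroring the Support group example from this article.
SERVER_POLICY = {"Print entries": State.DISABLED}
RWAD = ("Read entries", "Modify entries", "Add entries", "Delete entries")
SUPPORT_GENERAL = {"Access to database": State.ENABLED,
                   **{r: State.DISABLED for r in RWAD}}
SUPPORT_OVERRIDES = {
    # The Print override is ignored because the server policy disables printing.
    ("IT",): {**{r: State.ENABLED for r in RWAD}, "Print entries": State.ENABLED},
    ("IT", "Stack Overflow"): {r: State.DISABLED for r in RWAD},
}

def support_can(right, *path):
    return is_allowed(right, path, SERVER_POLICY, SUPPORT_GENERAL, SUPPORT_OVERRIDES)

if __name__ == "__main__":
    for right, path in [("Read entries", ("IT", "Mantis")),
                        ("Read entries", ("IT", "Stack Overflow")),
                        ("Read entries", ("Finance", "Bank")),
                        ("Print entries", ("IT", "Mantis"))]:
        print(f"{right:14} {'/'.join(path):18} ->", support_can(right, *path))
```

Running the same function over every group and folder of a planned layout shows where a server-wide "Disabled" or a general deny would block a right that an entry-level setting was meant to grant.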
