Databases - Permissions

In the Permissions tab you can manage rights and assign detailed access rights to users and groups.

In the main window you can see all users/groups authorized to access the corresponding database. Below you can see the effective rights of single users and groups. If you want to see the effective rights in detail, select the desired user or group from the list.

If you want to remove database access for single users or groups, select the corresponding account and click Delete on the right. Users and groups that have been removed from a database can no longer access it; however, they are still available on the server. Click Select All to select all users/groups with access to the corresponding database. You can then perform further actions, which will be applied to all highlighted user/group objects.

New

Select New to add new users/groups to the selected database. Choose a user/group from the list on the left. Finally, click OK to finish.

In the main view, double-click the user or group you just added to the database in order to perform detailed rights management. Alternatively, you can select the user/group from the list and click Properties on the right. A new dialog window opens where you can set the permissions at database level as well as for single folders and entries. Three tabs are available here:

  • General
  • Entries and folders
  • Sealed access

The permissions set in the General tab are applied to the entire database. Further permissions for single entries and folders can be set in the tab of the same name. The sealed access tab is used for changing the status of sealed entries. Detailed rights management as well as the process of sealing entries is explained more precisely below.

Properties

General

The permissions set in the General tab are applied to the entire database. You can see the selected user or group in the upper left corner. Below the user name, administrators can either limit the access of users and groups to a database or grant access without time limitation. If you want to enable limited access only, enter a start date in the Valid from box and an end date in the Valid to box. If you want to allow unlimited access for the corresponding user/group, you can uncheck the boxes Valid from/to and define a start date only (by default, the date is set to the day you grant a user or group access to a database and set the permissions).

Permissions

Here, you can define the access rights at database level, that is, those permissions are applied to the entire database. The following permissions are available:

  • Access to database
  • Read entries
  • Modify entries
  • Add entries
  • Delete entries
  • Use the function "Auto-Complete"
  • Auto-fill web forms using browser add-ons
  • Accept new entries from browser add-ons
  • Print entries
  • Export entries
  • Save local copy
  • Synchronize database
  • Grant access to other users
  • Seal entries
  • Set second password
  • Grant admin rights

HINT: If you click View effective rights, you can see a user's or group's effective rights in more detail in a separate window.

NOTE: Permissions enabled in the General tab are global rights and are applied to the entire database. If you enable users/groups to Read/Modify/Add/Delete entries at database level, they can see and edit all entries within the corresponding database by default. If you want users/groups to access only specific folders and/or entries within the database, you should not enable the rights Read/Modify/Add/Delete at database level; remove the Allow tick accordingly. Attention: Only remove the tick but do not disable those rights! In the Permissions for Users chapter you can learn more about correct rights management and how to ensure that unauthorized users do not see entries they are not allowed to see.

Entries and Folders

In the Entries and folders tab you can assign users and groups access rights on single folders and/or entries within a database. This way, administrators can define the user and group access rights in a way that each user/group can only see those objects they should actually be allowed to access.

The Entries and folders tab includes the following permissions:

  • Access to entries
  • Read entries
  • Modify entries
  • Add entries
  • Delete entries
  • Grant access to other users
  • Seal entries
  • Set second password

Select single entries or folders on the left and assign rights in the permissions area afterwards.

HINT: If you click View effective rights, you can see a user's or group's effective rights for single entries and folders in more detail in a separate window.

NOTE: Both the General and Entries and Folders tabs include special formatting to make rights management easier. By default, all permissions are depicted in green and bold letters. This means that these permissions are enabled for users. Denied permissions, on the other hand, are depicted in red and bold letters. This way, the administrator can recognize from the start which permissions have been enabled or denied for single users and groups.

Grant access to other users

This permission can be enabled either for the entire database or for single entries and folders within a database only. If the server administrator enables the permission to grant access to entries and folders to other users, a user can share data with other Enterprise Server users in the client. In this case, the administrator does not need to change the access rights in the Server Manager. This is useful, for example, if a user wants to share data with another Enterprise Server user temporarily.

Users can grant access to other users in the client only. The exact procedure is described in our Windows client manual.

Seal Entries

If a user has been granted access to an entry, the entry to be shared may be sealed. In this case, accessing the entry will only be possible if the access has been approved or the seal removed by an authorized person in the Server Manager.

NOTE: Only users with admin rights in the Server Manager can change an entry's seal state.

Sealed access to an entry is also set in the client. This feature is available when granting access to an entry to another user. The issuer who would like to share an entry can decide whether it should additionally be sealed or not.

The process of sealing entries is also described in detail in our Windows client manual.

Sealed access

If user A has granted user B access to an entry in the database and has sealed the entry, a user with admin rights on the Enterprise Server must first allow access to the selected entry before user B can access it. The user who grants access determines which user on the server is required to grant access.

To do this, the corresponding user logs on to the Enterprise Server with his access data. In the area Databases → Permissions you can now see that user B has been granted access to an entry in the selected database. This shows the defined period of access, who created the access and whether the entry has been sealed. The permissions can be opened with a double click. The permission is granted in the Sealed Access tab.

Here you can see the state of the entry, which may be set to Sealed, for example, provided the entry has been sealed. The corresponding state can be changed by clicking the Change Seal Status button. You can choose from the following states:

  • Sealed: An entry is still sealed and no attempt has been made to access the corresponding entry.
  • Unsealed: The seal has been removed.
  • Waiting for approval: The user who has been granted access is specifically asking for access permission. In this case, the user would like to open the corresponding entry and asks for permission to do so.
  • Approval granted: An authorized person has granted permission for accessing an entry accordingly.
  • Broken: A seal has been broken and thus, an entry has been accessed.

After changing the seal state, the new state is displayed in the database permissions. If permission has been granted, the user who was granted access can now open the entry and break the seal. 

Authorized persons can change an entry's seal state at any time. Server administrators can also add other authorized persons to change the seal state. This is done in the Sealed Access tab by clicking the Add button.

EXAMPLE: The user Test1 grants access to an entry to user Test2 for 2 weeks in total and seals this entry. If the approval is granted, user Test2 can break the seal and access the entry. If necessary, a server administrator can change the seal state again; for example, the admin can reseal the record so that user Test2 must ask for approval again if they want to access the record, etc.
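
The seal workflow and the Test1/Test2 scenario above can be modelled as a small state machine. This is an added illustration, not Password Depot code: the class and method names, the audit list, and the rule that a Broken or Unsealed entry stays readable inside the validity window until it is resealed are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Seal(Enum):
    SEALED = "Sealed"
    UNSEALED = "Unsealed"
    WAITING = "Waiting for approval"
    APPROVED = "Approval granted"
    BROKEN = "Broken"


@dataclass
class SealedGrant:
    """Hypothetical model of one sealed grant (issuer -> grantee)."""
    grantee: str
    valid_from: datetime
    valid_to: datetime
    approvers: set                      # persons authorized to change the seal
    state: Seal = Seal.SEALED
    audit: list = field(default_factory=list)   # (actor, new_state) history

    def _set(self, actor, state):
        self.state = state
        self.audit.append((actor, state.value))

    def request_access(self, user):
        # The grantee asks for permission; only meaningful while still sealed.
        if user == self.grantee and self.state is Seal.SEALED:
            self._set(user, Seal.WAITING)

    def change_seal(self, actor, state):
        # Only authorized persons may change the seal state, at any time.
        if actor not in self.approvers:
            raise PermissionError(f"{actor} may not change the seal state")
        self._set(actor, state)

    def open_entry(self, user, now):
        # Access needs the validity window AND an approved or removed seal.
        if user != self.grantee or not (self.valid_from <= now <= self.valid_to):
            return False
        if self.state is Seal.APPROVED:
            self._set(user, Seal.BROKEN)     # first open breaks the seal
        return self.state in (Seal.BROKEN, Seal.UNSEALED)
```

Reviewing the `audit` list after a grant expires shows who approved access and whether the seal was actually broken, which is the question a sealed entry is meant to answer.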

HINT: For more information about this feature feel free to visit our knowledge base: How to grant access to other users and seal entries in Password Depot.