User Permissions

In general, you can use Password Depot Enterprise Server to create one single database and let your entire company, including all employees, access it. Administrators can perform detailed rights management in the Server Manager and thus ensure that server users only see those objects within a database they are allowed to access. If the server administrator carries out rights management properly, users and groups do not know about the entire database content; they can only access and work with those entries and folders displayed in their client.

NOTE: The user permissions described in this chapter can be applied to groups accordingly. 

Please note that you do not have to work with one single server database only. The idea behind this, however, is that you can work with one single server database and still meet all requirements, even with a large number of users. If you prefer working with multiple databases, this is also possible. Besides, you can also create private databases for individual server users and groups, which can be used, for example, to store private data that should not be part of the shared database but should still be stored on the server. If you would like to learn more about private databases, please click here.

How is rights management realised in Password Depot Enterprise Server?

In general, we recommend assigning user permissions in the Databases → Permissions area. Here you can assign users and groups individual rights

  1. at database level
  2. for single folders and entries

Apart from that, you can also find global policies by going to Manage → Server policies. These are applied to the entire server: you can define specific permissions which will then be valid for all users/groups available on the server. Therefore, the server policies are global policies.

What to consider when working with the server policies?

The permissions that can be found in the server policies are the same permissions you can find in the Databases → Permissions area at database level. In general, the permissions of the server policies can have three different settings:

  1. Enabled
  2. Not defined
  3. Disabled

When installing the Enterprise Server, the server policies are either enabled or not defined by default. As best practice, we recommend not changing the default settings here and carrying out rights management mainly in the Databases → Permissions area. You can also change a permission's state in the server policies and set it to disabled, for example, but if so, please take the following into consideration:

If a permission has been disabled in the server policies, you cannot enable it at database level or for single folders and entries later when performing rights management in detail! Disabled permissions in the server policies are valid for ALL users and groups (the super administrator included) as well as ALL server databases. Therefore, the disabled state is very restrictive and you should only use it if really required. Otherwise you may disable permissions at the global level which you would like to enable for specific users and groups at database level afterwards, which will then no longer be possible.

HINT: Learn more about the Enterprise Server's server policies in the Permissions chapter or have a look at the following knowledge base article: How does rights management in Password Depot Enterprise Server work?

CONCLUSION: You should only disable global permissions in the Manage → Server policies area if required.

EXAMPLE: You can disable the export of entries in the Server policies area. In this case, exporting entries is disabled for all server users and databases, so exporting entries in order to import them into a new database is not possible at all. The export is deactivated on the entire server and cannot be performed by any server user.

Defining rights in a database's permissions dialog window

If you open a database's permissions dialog window, you can start assigning single users and groups individual permissions. Individual rights management is done in the General tab and the Entries and folders tab.

If you would like to enable multiple users/groups to access the same database but see different database content at the same time you should

  1. go to the General tab and remove the tick for Reading/Modifying/Adding and Deleting entries and
  2. go to the Entries and folders tab afterwards and specifically select those objects you would like a user or group to access within the database.

WARNING: You should not use the deny flag in the General tab for the above permissions (Read/Modify/Add/Delete entries) at all. If you do, you will enable a user or group to access the corresponding database in the first place, but since the deny flag is the most restrictive setting, the affected users and groups will not see the database content at all and thus will not be able to work with it or use it.

You should enable the Access to database permission if you want a user or group to access a database and work with its content. You can disable the other permissions available at database level (in the General tab). In this case, the selected user or group cannot perform the corresponding action within the selected database (permissions in the General tab refer to the entire database). 

What is the point of removing the ticks for Reading/Modifying/Adding and Deleting entries?

If you remove the ticks for Reading/Modifying/Adding and Deleting entries in the General tab and enable the Access to database permission, users and groups will be able to receive a database and access it in general. At the same time, however, those users and groups cannot see any entries and folders within the database (or the database's root directory) in the first place because the ticks for Reading/Modifying/Adding and Deleting entries have been removed. These rights, however, are mandatory if users should work with entries and folders.

If you go to the Entries and folders tab afterwards, you can see that the entire database content is displayed in red colour which means that accessing entries and folders within the database is not allowed. In order to enable users and groups to see and access the database content, in this tab you have to select the single folders and/or entries and define the permissions for accessing those objects accordingly. This way, you can assign users and groups specific rights and determine in detail which objects (entries and folders) should be accessed by which user or group. The colours will help you: Permissions displayed in red are denied, thus a user or group cannot access such objects. Permissions displayed in green, however, are enabled and users/groups can access such objects.

If you follow rights management as described above, you can organize your server databases and create a database tree which includes both shared and private folders/entries ensuring at the same time that users and groups will only be able to access those objects they are allowed to. 

NOTE: The permissions Read/Modify/Add/Delete entries depend on each other. Thus, you should either enable or deny them all together, if possible. For example, if you enable the Add entries permission but disable the Modify entries permission at the same time, it will not work, since adding a new entry also requires changing the database content in general. Therefore, there is no point in separating these four permissions from one another; always consider them as dependent on one another.
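A small model of the precedence rules described in this chapter, added here as an illustration and not code from Password Depot: it resolves one right for one object from the server policy state down through the General tab to the Entries and folders tab, and it flags Read/Modify/Add/Delete ticks that differ from one another. The right names, the Tick states and the sample database are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):        # the three states of an entry under Manage -> Server policies
    ENABLED = 1
    NOT_DEFINED = 2
    DISABLED = 3

class Tick(Enum):          # the state of one check box in a database's General tab (assumed names)
    SET = 1                # tick set: the right applies to the whole database
    REMOVED = 2            # tick removed: fall through to the Entries and folders tab
    DENY = 3               # deny flag: most restrictive, the database content is hidden entirely

ENTRY_RIGHTS = ("read", "modify", "add", "delete")

@dataclass
class DatabasePermissions:
    access: bool           # "Access to database"
    general: dict          # General tab: right -> Tick
    objects: dict = field(default_factory=dict)  # Entries and folders tab: object path -> rights shown in green

def effective(right, policies, db, obj):
    # Resolve one right for one object, highest level first: server policy, database, object.
    # 1. A policy disabled in the server policies cannot be re-enabled at any lower level.
    if policies.get(right, Policy.NOT_DEFINED) is Policy.DISABLED:
        return False
    # 2. Without "Access to database" the user never receives the database at all.
    if not db.access:
        return False
    # 3. General tab: the deny flag hides all content; a set tick grants the right database-wide.
    tick = db.general.get(right, Tick.REMOVED)
    if tick is Tick.DENY:
        return False
    if tick is Tick.SET:
        return True
    # 4. Tick removed: only objects selected in the Entries and folders tab (green) are allowed.
    return right in db.objects.get(obj, set())

def inconsistent_entry_rights(general):
    # Read/Modify/Add/Delete depend on each other; report any set differently from "read".
    base = general.get("read", Tick.REMOVED)
    return [r for r in ENTRY_RIGHTS if general.get(r, Tick.REMOVED) is not base]

# Constructed sample (not real server data): export disabled globally, the four entry ticks
# removed in the General tab, and only "Shared/Mail" released in the Entries and folders tab.
SAMPLE_POLICIES = {"export": Policy.DISABLED}
SAMPLE_DB = DatabasePermissions(access=True,
    general={**{r: Tick.REMOVED for r in ENTRY_RIGHTS}, "export": Tick.SET},
    objects={"Shared/Mail": set(ENTRY_RIGHTS), "Private/Alice": set()})
```

With the sample settings, "Shared/Mail" is visible while "Private/Alice" stays red, and export stays blocked even though its tick is set at database level.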

For more information about rights management in Password Depot Enterprise Server, please visit our knowledge base:

How to ensure users can only see those objects they are allowed to?