#638 Users and group rights access

KeePass
open
nobody
5
2012-12-14
2006-02-01
Anonymous
No

Congratulations on your software!

It would be nice to have the choice of creating
several users/passwords in one database and giving
access to certain groups. Let's say I would like to give
access to certain information to specific users...

That would be a very nice feature that everyone would
like to have.

Have a good day!

Andre F

Discussion

  • Logged In: NO

    I second this. We need a central password store at my
    company, but some passwords should only be accessible to
    finance, and some to administration, and some (like
    create/modify) should only be the database admin.

    Ideally:
    *User logs in (welcome screen can show list of users or
    groups, user chooses login and enters appropriate master
    password for that logon).
    *Each logon can be assigned to an 'access group' or multiple
    access groups (such as accounting, sales)
    *When choosing 'create password group' or 'modify password
    group', the dialog would show all the 'access groups', and
    allow you to set the rights to that password group for each
    'access group' (no access, read only, read+modify, create
    new entries, delete entries)

    *Database administrator 'access group' level - can
    create/remove users and assign them to groups.

    Database administrator needs to be thought out, since some
    password groups (such as HR for example) and their contents
    might need to be protected from access by administrator.
    Non-removable audit trail should show all account creations,
    user password changes, and rights changes to protect against
    administrator creating dummy accounts with escalated rights,
    or promoting rights of an existing employee temporarily. We
    can't keep an admin from seeing the passwords, but can audit
    what an admin has been doing.

     
  • loremari
    2006-02-02

    Logged In: YES
    user_id=1348445

    KeePass is an application that enforces security at data
    level, i.e. the password you enter at login is used as a
    key to encrypt/decrypt the DB. You cannot read data
    without the correct password. This also means that the
    same piece of information (an entry) can't be read using
    different login passwords for different users: everyone
    must have the same password and thus can read the whole DB.

    What you are asking is security at application level,
    which is a completely different (and less secure)
    approach. It implies that the application "knows" the
    encryption password and can read the entry, but allows
    viewing to different users according to ACLs. So user
    login is "into the application" but not "into the
    database".

     
  • Paul
    2006-02-03

    Logged In: YES
    user_id=1174665

    This would make KeePass multi user, something Dominik has
    said he will not do - see FAQ.
    Break your database into groups and export each group for
    specific users. Slightly more administration, much better
    for KeePass.

    cheers, Paul
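
Added example (not part of the thread, and not KeePass's code or file format): a demonstration of the data-level enforcement loremari describes, combined with Paul's per-group export, where each group's file is sealed under a key derived from that group's own password. The function names and sample entries are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, json, os

# Constructed sample entries; group names follow the thread, values are made up.
ENTRIES = [
    {"group": "finance", "title": "bank portal", "password": "example-fin-1"},
    {"group": "administration", "title": "door code", "password": "example-adm-1"},
]

def _keys(password: str, salt: bytes):
    # Password -> master key -> separate encryption and MAC keys.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
    stream = b""
    for i in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password: str, plaintext: bytes) -> bytes:
    # Fresh salt and nonce per file; the tag covers everything stored.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def unseal(password: str, blob: bytes) -> bytes:
    # No ACL check anywhere: without the right password the key is simply wrong.
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified file")
    return _xor_stream(enc_key, nonce, ct)

def export_per_group(entries, group_passwords):
    # One sealed file per group, each under that group's own password.
    return {g: seal(pw, json.dumps([e for e in entries if e["group"] == g]).encode())
            for g, pw in group_passwords.items()}

def can_read(password: str, blob: bytes) -> bool:
    try:
        unseal(password, blob)
        return True
    except ValueError:
        return False
```

Each exported file is readable only with its own group's password, and nothing in the code has to decide who is allowed to see what.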

     
  • Logged In: NO

    That's exactly what I am looking for!!

     
  • Francois C.
    2006-06-02

    Logged In: YES
    user_id=1165235

    Many thanks for your software!

    It would also be nice to determine whether a group can see
    expired passwords or not.

    The idea is to minimize the consequences of the theft of a
    database.

    Best regards,
    Francois C

     
  • Paul
    2006-06-02

    Logged In: YES
    user_id=1174665

    Expired passwords can be shown at startup. Tools | Options |
    Advanced.

    cheers, Paul