hello,
I created a KeePass database and want to put it on a network drive (which is supported), giving multiple users access to it.
a) Is it possible to create different user accounts within the database file? (so that different users have different access to passwords/entries)
b) If users get access to a database file they can easily copy a password to the clipboard and see it in plain text, but I don't want that; they should just be able to open the entries in browsers/Windows programs without catching the password or modifying/deleting anything. (Is that maybe possible with a plugin? I haven't found anything, though.)
greetings
a. See http://keepass.info/help/base/multiuser.html#shareddb for details; the short answer is no, KeePass has no access controls within a database. You can create multiple databases to simulate this, though.
b. Yes, KeePass has fine-grained support for this; see http://keepass.info/help/v2/policy.html
ok, thanks for giving me feedback.
Regarding b:
Is there not a way that KeePass gets installed on all clients and just the databases are stored on the network drive?
ok, I tried this tricky thing with the application policy...
When I right-click on an entry and choose "copy username" or "copy password", it doesn't work, as intended.
I can duplicate or delete an entry, but since the KeePass folder is write-protected and the changes would have to be saved, this has no negative consequences. (Still, it's a little bit bothersome that this can't be forbidden in the policy tab and users can play around with it.)
But what's really frightening is that I'm still able to edit an entry (either by just pressing Enter on the entry, or by right-clicking the entry and choosing "edit/view entry") and clicking "show/hide password using asterisks". Then I see the password in plain text and can even copy it into any other program I want.
In the policy tab I don't see anything to uncheck regarding this option, or did I do something wrong?? :/
I just want the following: a group of users share one KeePass database and they should only be able to perform auto-type with the applied entries (which I checked on the policy tab, and it works), nothing else.
please help me :)
Regarding database saving: you can forbid that in policy too, you know, to prevent saving databases anywhere.
Regarding entry editing: I'm afraid you're right; that's a hole in the current policies, I think. dreichl, what do you think of adding a policy option to forbid opening entry edit screens?
ah ok, so he's the coder and he is also reading here.
Maybe we have overlooked this feature and it can be enabled in another way, or is there at the moment no possibility to prevent that?
dreichl, please enlighten us ;)
So you don't want users to see the stored passwords. For this, we'd have to disable the clipboard functionality. The {PASSWORD} and data referencing placeholders would need to be disabled (otherwise users can read the password by indirection, like changing the URL field to http://testurl.com/{PASSWORD} and opening it - they'd see the password in the address bar of the browser). Of course, explicit auto-type has to be disabled (otherwise users could execute auto-type into a text editor window). Also, global auto-type based on window titles has to be disabled (otherwise users could, for example, create a text file with a name that includes the window title of an entry and execute auto-type into the editor). Printing and exporting, disabled obviously. And, not to forget, passwords must never be displayed as plain text in any KeePass window. So, now users probably can't see any passwords anymore. Unfortunately, now KeePass is also completely useless, because you can't transfer the passwords anywhere anymore.
There is a multitude of ways of getting access to passwords when they're entered somewhere locally on your computer. For example, let's assume a password has been entered into a browser window and is hidden by asterisks. For most browsers, there are easy ways to retrieve this password (for IE there's a whole bunch of utilities, for Firefox you'd maybe use the 'Show My Password' extension, etc.). For non-browser windows there are many tools to unhide asterisks, too.
Also, even if there were a policy to disable viewing/editing passwords, nothing stops users from copying the KDBX file and opening it in their KeePass at home, which doesn't follow any policies.
In short: either trust your users and share the password for a service, or don't trust them and create different service accounts with limited rights.
Best regards
Dominik
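For readers who land on this thread wanting the "auto-type only" setup the original poster describes, here is what the application-policy approach looks like when deployed centrally rather than clicked through in the Options dialog. This is an added example, not a file from the thread or from the KeePass project: it assumes the enforced-configuration mechanism of KeePass 2.x (a KeePass.config.enforced.xml next to KeePass.exe whose values override the user's settings) and assumes that the policy element names match the policy names shown in Tools > Options > Policy; UnhidePasswords in particular is a policy that only exists in KeePass versions newer than the one discussed above, so it should be checked against the installed version. As Dominik's reply explains, even a fully locked-down policy file does not address the {PASSWORD} indirection through the URL field or a user simply copying the KDBX file to a machine without the enforced configuration, so this only reduces accidental exposure for users you already trust.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- KeePass.config.enforced.xml (assumed layout; place next to KeePass.exe in a
     directory users cannot write to). Each policy set to "false" greys out the
     corresponding menu items and keyboard shortcuts for every user of this
     installation. Element names are assumed to match the policy names in
     Tools > Options > Policy of KeePass 2.x. -->
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Security>
    <Policy>
      <!-- The one operation users should keep: auto-type from a selected entry. -->
      <AutoType>true</AutoType>
      <!-- Global auto-type matched on window titles: off, so a renamed editor
           window cannot attract the credentials. -->
      <AutoTypeWithoutContext>false</AutoTypeWithoutContext>

      <!-- No "copy user name" / "copy password" and no dragging fields out. -->
      <CopyToClipboard>false</CopyToClipboard>
      <CopyWholeEntries>false</CopyWholeEntries>
      <DragDrop>false</DragDrop>

      <!-- The hole discussed in the thread: the "***" toggle in the entry
           dialog. Only honoured by KeePass versions that have this policy. -->
      <UnhidePasswords>false</UnhidePasswords>

      <!-- No way to get the database contents out as a file or on paper. -->
      <Export>false</Export>
      <Print>false</Print>

      <!-- No saving: duplicating or deleting entries stays in memory only
           (the thread's write-protected share gives the same effect). -->
      <SaveFile>false</SaveFile>
      <NewFile>false</NewFile>

      <!-- Plugins could bypass any of the above. -->
      <Plugins>false</Plugins>
    </Policy>
  </Security>
</Configuration>
```

After deploying the file, verify it on a client by opening Tools > Options > Policy and confirming the checkboxes are greyed out rather than merely unchecked; a policy that users can re-enable themselves is not enforced. Remember that the client installation itself must be read-only for users, otherwise the enforced file can be deleted or replaced.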