You can control which options are enabled/disabled for Users and Roles in the KeePass for Pleasant Password Server application, by creating Enforced Configuration files.

This functionality was designed to be very flexible and powerful: it provides the ability to edit and import a full KeePass config file, and then apply it to various users/roles.

Navigate to:

  • Advanced -> Client Configuration

Enforced Configuration files allow you to selectively enable/disable features such as:

  • Password Export
  • Printing
  • Displaying the Password on the screen
  • The length of time it takes for the Clipboard to be locked and unlocked

An Enforced Configuration file:

  • Can apply to either an individual User or to an entire group of people in a Role.
  • When applied to a particular User: always takes precedence over any other Rules applied.
  • When applied to a Role: you can decide which Rule is applied first.

Only one Enforced Configuration file will be applied at a time.

Process Overview

  1. Save your desired settings in KeePass for Pleasant:
    • e.g. navigate to Tools -> Options -> Policy
  2. In KeePass select File > Export Configuration.
  3. In the Web Client import this file on the Advanced -> Client Configuration page.
  4. Rename the file by clicking Edit.
  5. Apply this file to Roles or Users.

Detailed Steps to Create an Enforced Configuration File

  1. Open up KeePass for Pleasant Password Server
  2. Open up the Options window by clicking on Tools > Options in the menu bar
  3. Make configuration changes
  4. Click OK
  5. Select the Export Configuration option, which can be found in the menu bar under File > Export Configuration
  6. Log into the admin interface of Pleasant Password Server
    • You can do this by typing your server's address into your web browser, for example:
    • Don't forget to include the port number and https
  7. Sign in with your admin credentials. If you're signed in already, ignore this step
  8. Click on Advanced > Client Configuration
  9. Upload the client configuration you just created by clicking on the Upload... button
    • Below the upload button, a table displaying all the enforced configuration files you have uploaded will be displayed.
    • You can rename your configuration file here.
  10. Click Add new record in the table in the User Rules section or the Role Rules section
  11. If you're creating a rule that applies to Users:
    1. Click Add new record at the top of the table in the User Rules section.
    2. Click on the drop down that says Select a user... and select a user
    3. Click on the drop down that says none and then select the config file you uploaded
  12. If you're creating a rule that applies to Roles:
    1. Click Add new record at the top of the table in the Role Rules section.
    2. Click on the drop down in the second column and select a Role to apply your config file to.
      • If you select Everyone, your config file will apply to everyone, regardless of their role.
    3. Click on the drop down in the 4th column and select the config file you've uploaded.
    4. You may put in a value for Sort Order in the third column
    5. Sort order is for when two different config files may apply to a given user in a given role.
    6. The Config file with the lowest Sort Order will be selected.
  13. When you're done configuring your rule, make sure to click the save button
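
The precedence described above (a User rule always wins, otherwise the Role rule with the lowest Sort Order) can be modelled to find users that a restrictive Everyone rule does not actually reach. This is an added example, not Pleasant Password Server code: the rule tables, user names and file names are constructed, and treating equal Sort Orders as ambiguous is an assumption, since the page does not say how ties resolve.

```python
# Constructed rule tables mirroring the User Rules and Role Rules sections.
USER_RULES = {"alice": "helpdesk.config.xml"}
ROLE_RULES = [  # (role, sort_order, config_file)
    ("Everyone", 10, "no-export-print.config.xml"),
    ("Admins", 5, "unrestricted.config.xml"),
]


def effective_config(user, roles, user_rules=USER_RULES, role_rules=ROLE_RULES):
    """Return (config_file, reason) for the single file applied to `user`."""
    # A rule bound to the user takes precedence over every role rule.
    if user in user_rules:
        return user_rules[user], "user rule"
    # "Everyone" matches regardless of the user's roles.
    matching = [r for r in role_rules if r[0] == "Everyone" or r[0] in roles]
    if not matching:
        return None, "no rule"
    lowest = min(order for _, order, _ in matching)
    winners = [r for r in matching if r[1] == lowest]
    # Assumption: the page does not define tie-breaking, so report it.
    if len({cfg for _, _, cfg in winners}) > 1:
        return None, "ambiguous: equal Sort Order"
    role, order, cfg = winners[0]
    return cfg, f"role rule {role} (Sort Order {order})"


def not_covered(users, baseline):
    """List users whose effective file is not the restrictive baseline."""
    return sorted(u for u, roles in users.items()
                  if effective_config(u, roles)[0] != baseline)


if __name__ == "__main__":
    users = {"alice": ["Users"], "bob": ["Users"], "carol": ["Admins", "Users"]}
    for name, roles in users.items():
        print(name, effective_config(name, roles))
    print("outside baseline:", not_covered(users, "no-export-print.config.xml"))
```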

Example: Disabling exporting and printing passwords

If you want to prevent your entire password database from being very easily leaked, you probably want to disable the print and export features of KeePass for Pleasant Password Server.

To do so, follow these steps:

  1. Open up KeePass for Pleasant Password Server
    • This is the desktop client
  2. Open up the options window.
    • This can be found by navigating and clicking on Tools > Options in the menu bar.
  3. Select the Policy tab if it is not already selected
  4. Locate the Export feature. Click on the box to make it unchecked
  5. Locate the Print feature. Click on the box to make it unchecked
  6. Click OK
  7. Select Export Configuration... from the File menu
  8. Give the file a name.
    • The default name is Export.config.xml
  9. Connect to your password server using a web browser
  10. Click on the Client Config Tab
  11. Click on Advanced > Client Configuration
  12. Upload the client configuration you just created by clicking on the Upload... button
    • Below the upload button, a table displaying all the enforced configuration files you have uploaded will be displayed.
    • You can rename your configuration file here.
  13. Click on the Add new record button in the Role Rules Section
  14. Select the Everyone or the Users role in the drop down list in the second column
  15. Using the drop down list in the last column, select the Config file you just uploaded.
  16. Click the Save button.
  17. You've successfully created a config rule that will prevent users from printing or exporting all of the passwords they have access to.
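
Before uploading, the exported file can be checked to confirm that it really carries the two disabled policies. This is an added example, not part of the product: it assumes the export follows the stock KeePass 2.x layout, with policy flags stored as true/false elements under Configuration/Security/Policy, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration (not from a real server).
# Print was left enabled on purpose so the audit has something to report.
SAMPLE_CONFIG = """<Configuration>
  <Security>
    <Policy>
      <Export>false</Export>
      <Print>true</Print>
    </Policy>
  </Security>
</Configuration>"""

# Flags this page's example disables (element names assumed from KeePass 2.x).
REQUIRED_DISABLED = ("Export", "Print")


def audit_policy(xml_text, required_disabled=REQUIRED_DISABLED):
    """Return {flag: 'disabled' | 'enabled' | 'missing'} for each flag."""
    root = ET.fromstring(xml_text)
    policy = root.find("./Security/Policy")
    result = {}
    for flag in required_disabled:
        node = policy.find(flag) if policy is not None else None
        if node is None or node.text is None:
            # An absent flag is not enforced by this file, so report it.
            result[flag] = "missing"
        elif node.text.strip().lower() == "false":
            result[flag] = "disabled"
        else:
            result[flag] = "enabled"
    return result


def violations(xml_text):
    """Flags that the file does not explicitly disable."""
    return sorted(f for f, s in audit_policy(xml_text).items() if s != "disabled")


if __name__ == "__main__":
    for flag, status in audit_policy(SAMPLE_CONFIG).items():
        print(f"{flag}: {status}")
    print("do not upload yet:" if violations(SAMPLE_CONFIG) else "ok:",
          violations(SAMPLE_CONFIG))
```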