E. Access Levels

Access Levels define how Users and Roles are permitted to interact with Folders and Entries.

Each Access Level combines a set of allowed access permissions which get assigned as a whole unit. Each access permission has two associated parts: A ("Action") permits the action itself, while G ("Grant") permits the holder to assign the corresponding A permission to other users.

Access is inherited: "Full" access on a folder means "Full" access to all of its contents (Entries, Subfolders, sub-Subfolders...) unless that inheritance is explicitly Blocked.

Assigning Access Levels

Access Levels must be assigned to become effective. Access is assigned from a folder or credential to a user or role.

Modifying Access Levels

Access Levels can be viewed or modified from the Web Admin client here:

  • Navigation menu -> Access Levels

Community editions do not allow the default Access Levels to be modified.

Default Access Levels

[Figure: default Access Level settings included in all editions]

[Figure: Read-only Access Level settings included in Enterprise or higher editions]

Community Edition includes three built-in access levels:

  • Full, Full + Grant, and Full + Grant + Block

Enterprise Edition or higher includes an additional access level:

  • Read-only

Enterprise Edition or higher also allows creating or modifying Access Levels (via the "Access Levels" tab).

List of Access Actions

Action: Notes

  • Add Entries
  • Add Subfolders
  • Delete Entries: Applies to folders only (no effect if directly applied to an entry).
  • Delete Subfolders
  • Modify Entries: Allows modifying all fields (web client only: modifying the password also requires View Entry Password), and adding and removing attachments.
  • Modify Subfolder Names [1]
  • Move Entries: Applies to folders only (no effect if directly applied to an entry). Must be enabled on source and destination.
  • Move Subfolders: Must be enabled on source and destination.
  • View Entry Names: Required to make an entry visible at all (web client only: visibility outside of search also requires View Folders on the containing folder).
  • View Folders: Allows a user to know that a folder exists and see its name.
  • View Entry Contents: Everything except the password and title. Web client only: users without View Entry Password must also lack Modify Entries (or receive an error).
  • View Entry Password: Web client only: required to allow editing a password.
  • View Entry History
  • View Security (v7.5.3+): Controls Security window visibility for users without Grant access on the target entry/folder (those with Grant access can always see the Security window).
  • View Entry Offline (v7+): Controls visibility in the KeePass Client's Offline Mode.
  • Use Via SSO (v7.3.1+) / Use Via Proxy (v7.2.6-): Displays the SSO Server tab and allows usage of SSO (Proxy/SSO Server details).
  • Modify SSO Settings (v7.3.1+) / Modify Proxy Settings (v7.2.6-): Proxy/SSO settings are inherited just like access.
  • View Recorded Sessions: Allows viewing of Recorded SSO Sessions for permitted entries.
  • Modify Notification Settings (v7+): Allows attaching/detaching existing Notification Triggers. Attached triggers are inherited just like access.
  • Modify Comment Settings (v7+): Allows attaching/detaching existing Comment Triggers. Attached triggers are inherited just like access.
  • Modify PasswordAutoChange Settings (v7.0.16+): Allows creating, editing, and choosing among Credential Hosts. Credential Hosts are inherited like access, with one difference: they can be deleted at any level in the inheritance tree.
  • Set Block Inheritance: Block or Unblock Inheritance.
  • Permit Granting: Grant only. Changes all other G permissions so they permit themselves and the corresponding A's to be assigned (rather than only the latter).

[1] The ability to rename the Root folder is controlled by the Global Settings role permission:

  • Users and Roles -> Manage Roles -> Actions dropdown -> Set Permissions

Move Actions

Move Entries and Move Subfolders behave slightly differently than other access types. In addition to the requirements listed above, the mover needs:

  • G permissions on both source and destination for each action and for any users and roles that will be gaining access.

Interaction with Block Inheritance

Be sure to double-check your settings prior to setting Block Inheritance, especially when using any of the following Access types:

  • Modify Entries, Modify Proxy Settings, View Entry Contents, View Entry Password, View Entry History, Use Via SSO, Set Block Inheritance

If you block inheritance on an entry or folder without attaching the relevant access types to it, you will lose the ability to perform these actions.

Explanation: The listed access types apply to the entry or folder they are set on. Typically, they are inherited, allowing you to use them without explicitly setting them on a particular entry or folder.
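
The lockout described above can be checked before Block Inheritance is set. The following is an added example, not code from the product: it assumes a simplified model in which effective access is the union of actions assigned on an item and on its ancestors up to the first block, and the Node class, function names and sample tree are all hypothetical.

```python
from dataclasses import dataclass, field

# Access types the page warns about before setting Block Inheritance.
AT_RISK = {"Modify Entries", "Modify Proxy Settings", "View Entry Contents",
           "View Entry Password", "View Entry History", "Use Via SSO",
           "Set Block Inheritance"}

@dataclass
class Node:
    """A folder or entry (hypothetical structure for this example)."""
    name: str
    parent: "Node | None" = None
    blocked: bool = False                       # Block Inheritance set on this item
    grants: dict = field(default_factory=dict)  # user or role -> set of actions

def effective(node, who):
    """Actions assigned on node plus those inherited, stopping at a block."""
    actions = set()
    while node is not None:
        actions |= node.grants.get(who, set())
        if node.blocked:        # nothing above a blocked item is inherited
            break
        node = node.parent
    return actions

def lost_if_blocked(node, who):
    """At-risk actions `who` holds only through inheritance at this item."""
    inherited_only = effective(node, who) - node.grants.get(who, set())
    return sorted(inherited_only & AT_RISK)

def sample_tree():
    """Constructed sample: Root / Finance / 'bank login' entry."""
    root = Node("Root", grants={"alice": {
        "View Folders", "View Entry Names", "View Entry Password",
        "Modify Entries", "Set Block Inheritance"}})
    finance = Node("Finance", parent=root)
    return Node("bank login", parent=finance,
                grants={"alice": {"View Entry Names"}})

if __name__ == "__main__":
    entry = sample_tree()
    print("alice would lose:", lost_if_blocked(entry, "alice"))
    entry.blocked = True
    print("after block:", sorted(effective(entry, "alice")))
```

A non-empty result means those access types should be attached to the item first; in this sample that includes Set Block Inheritance itself, so the user could not undo the block.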

