Blocking Access Inheritance

If you've blocked inheritance and are unable to restore it, see here.

Warning: Blocking access inheritance will:

  • Block all inherited permissions, including those of Administrators
    • Unless access is explicitly granted on that folder, Administrators will no longer have access to it once inheritance has been blocked
  • Affect Notification Rules:
    • The Block Inheritance feature also blocks inheritance of Notification rules. This prevents administrators from receiving notifications about credentials they would not otherwise know exist.
Password Server uses a tree structure to organise credentials and folders, much like the nested folders used to store files on any modern operating system. If a user has some set of access rights (permissions) on a folder, all the subfolders and credentials inside it (children) receive the same permissions. This is called access inheritance. When Password Server is deciding whether a user is allowed to perform some action on a folder or credential (such as renaming, deleting, or viewing a password), it considers the permissions the user has specifically on that object, as well as the permissions inherited from the folder(s) containing it. If a user has Full access to the Marketing folder, she also has Full access to all the folders and entries inside it.

Typically, ordinary users have limited access to a few passwords in their areas of concern, managers have more access rights over a wider area, and IT administrators usually have total access over the entire tree. In most cases this is a good arrangement, but sometimes it is preferable to prevent administrators from being able to access everything. This can be done with Inheritance Blocking, which prevents a folder from inheriting from its ancestors (but does not prevent its descendants from inheriting from it). If someone blocks access inheritance on the folder HR, then an administrator who has even Full+Grant permission on a containing folder won't be able to use that permission to look inside HR. Users who have some access directly on HR or on the folders inside it will still have that access, and normal inheritance rules still apply to folders and entries inside HR. For example, someone with Read Only access to HR will also be able to read passwords in the Payroll and Vacation subfolders.

[Image: block_inheritance-admin.png]

The administrator can see many folders because they have Full+Grant access on the root, but they can't look inside the Human Resources or Private Folders because inheritance is blocked on those folders.

[Image: block_inheritance-alice.png]

Alice, a regular user, can look inside Human Resources and her own private folder because she has access directly to those folders -- it's not inherited from a containing folder.


A user can block permission inheritance on areas of the tree where they have the Set Block Inheritance permission. This ability is included as part of the Full+Grant+Block default access level, and you can also include it in any custom access levels you create. To block inheritance, open the Security dialog on a folder or entry, click Block Access Inheritance, and read the warning before confirming that you really want to block inheritance.

Since blocking permission inheritance affects every user, including the user doing the blocking, it's a pretty powerful operation. If you block inheritance on a folder and you don't have any non-inherited access on that folder, you'll lose your own access to it and you won't even be able to remove the inheritance block, since you no longer have that permission.

If you think you might want to restore regular inheritance in the future, you should grant yourself (or someone else) the Set Block Inheritance permission on the exact item you're blocking inheritance for before you block inheritance.
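The following is an added example, not Password Server's own code: a small model of the permission resolution described above (direct rights plus rights inherited from ancestors, with the walk stopping at a folder that blocks inheritance), together with the pre-check the previous paragraph recommends. The folder names, user names and right names such as "SetBlockInheritance" are assumptions chosen to mirror the text.

```python
# Added example (not Password Server's own code): a model of access
# inheritance with per-folder blocking, as described on this page.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    block_inheritance: bool = False
    # Direct (non-inherited) permissions on this item: user -> set of rights.
    acl: dict = field(default_factory=dict)


def effective_rights(user: str, node: Node) -> set:
    """Walk from the item up toward the root, collecting direct rights.

    Inheritance stops at the first item (this one or an ancestor) that
    blocks it; rights granted directly on that blocked item still count,
    and items below it still inherit from it normally.
    """
    rights = set()
    cur = node
    while cur is not None:
        rights |= cur.acl.get(user, set())
        if cur.block_inheritance:
            break  # nothing above this folder is inherited
        cur = cur.parent
    return rights


def can_safely_block(user: str, node: Node) -> bool:
    """Pre-check from the warning: once inheritance is blocked, only rights
    granted directly on this exact item survive, so the user can undo the
    block later only if SetBlockInheritance is granted on the item itself."""
    return "SetBlockInheritance" in node.acl.get(user, set())


def build_tree():
    # Constructed sample tree mirroring the page's screenshots.
    root = Node("root")
    root.acl["admin"] = {"Full", "Grant", "SetBlockInheritance"}
    hr = Node("Human Resources", parent=root, block_inheritance=True)
    hr.acl["alice"] = {"Read"}  # direct grant, not inherited
    payroll = Node("Payroll", parent=hr)  # inherits from HR as usual
    marketing = Node("Marketing", parent=root)
    return root, hr, payroll, marketing
```

Running `effective_rights("admin", hr)` on this tree returns an empty set even though admin has Full+Grant on the root, while `effective_rights("alice", payroll)` returns Alice's Read right inherited from HR; `can_safely_block("admin", hr)` is False, which is exactly the lock-out situation the warning describes.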

If you've already blocked inheritance and are unable to restore it, see here.
