Requesting View Password Access Example

This page steps through a simple example of requesting access to a password.

Note:

  • Admins can set up a simple implementation of the "4-eyes principle" / "two-man rule"
  • By allowing colleagues to approve each other's requests, they can work together
    • For example:
      • Alone, a Requestor still cannot access items (through User Access)
      • Alone, an Approver also cannot access items (through User Access)
      • Furthermore, Approvers still cannot approve their own requests
    • But together:
      • Users can be set up as an Approver
      • Requestors can request access from an Approver
      • The Approver can approve access

Assign an approver:
  • Actions > User Access > Access Approvals tab

Set Role Permission

Provide a Role permission to the user/role:

  • Roles > Actions > Set Permissions

Modify Access Levels

Option A - Modify existing Access Levels
  • Set Request Access = true for your existing Access Levels (Action and/or Grant):
    • Consider giving the action to Full and Read-only, and both Action & Grant abilities to the other Access Levels.

Option B - Create a new Access Level
  • Set Request Access = true for Full + Grant + Block (so administrative users can assign this new access level below).
  • Create a new Access Level with the following settings:
    • View Entry Names, View Folders, Request Access

Give Request Ability to Requestor

In the Home screen, navigate to the folder(s)/entries you wish your users to be able to request, and assign them the Request Access permission on those items.

  • Open User Access
  • Select a user/role
  • Select the Access Level which has Request Access ability
  • Click Add

Viewing / Requesting Access

Your users can then view the folder / entry structure, and request access to it:

Requesting:

Cancel / View Pending Requests:

Although users can open the entry, they will not be able to view the password or entry contents in the Web client. (Note: in the KeePass client, some entry content such as the Notes, Title, and Username will still be visible in the Entry list or Preview pane. This will also be restricted in an upcoming release, to align with the Web client.)

Viewing Entry Contents

Add the additional action:

  • View Entry Names, View Folders, Request Access, View Entry Contents

Users would then be able to open the entry and see its contents, but not the password itself:

Approving Access

Approvers can view the requests:

Upon clicking Approve (or Deny), include a comment and expiry date/time:
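
The rules from the Note at the top of this page and the approval step above can be checked against a small model. This is an added example, not the product's code or API: the class, method and entry names are hypothetical, and it assumes approvers are assigned per entry and that access ends at the expiry time set by the approver.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class AccessRequest:
    requestor: str
    entry: str
    status: str = "pending"            # pending -> approved | denied
    approver: Optional[str] = None
    comment: str = ""
    expires: Optional[datetime] = None

class ApprovalModel:
    """Toy model of the request/approve rules; all names are hypothetical."""
    def __init__(self, request_access, approvers):
        self.request_access = request_access  # entry -> users holding Request Access
        self.approvers = approvers            # entry -> users assigned as approvers
        self.requests = []

    def request(self, user, entry):
        if user not in self.request_access.get(entry, set()):
            raise PermissionError("user lacks Request Access on this entry")
        req = AccessRequest(user, entry)
        self.requests.append(req)
        return req

    def decide(self, approver, req, approve, comment, expires):
        if approver not in self.approvers.get(req.entry, set()):
            raise PermissionError("not an approver for this entry")
        if approver == req.requestor:
            raise PermissionError("approvers cannot approve their own requests")
        if req.status != "pending":
            raise ValueError("request already decided")
        req.status = "approved" if approve else "denied"
        req.approver, req.comment, req.expires = approver, comment, expires
        return req

    def can_view_password(self, user, entry, now):
        # Assumption: access comes only from an approved, unexpired request.
        return any(r.requestor == user and r.entry == entry
                   and r.status == "approved"
                   and r.expires is not None and now < r.expires
                   for r in self.requests)

# Constructed sample data: two colleagues who can approve each other.
ENTRY = "Servers/db01"
MODEL = ApprovalModel({ENTRY: {"alice", "bob"}}, {ENTRY: {"alice", "bob"}})
```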
