Requesting View Password Access Example

This steps through a simple example of requesting access for a password.

The same workflow can be used for a Dual Control approval process...

Dual Control Explained

Admins can set up an implementation of dual control, also called the 4-eyes principle / two-man rule / peer approval.

By having colleagues approve each other's requests, they work together to accomplish the action.

  • For example:
    • Alone, a Requester or Approver still cannot access items (through the directly assigned User Access)
    • Furthermore, Approvers still cannot approve their own requests
  • But together:
    • Users can be set up as Requesters and/or Approvers
    • Requesters can request access that another Approver can approve

Assign an approver:
  • Navigate to Home screen > Select a folder > Click the Actions button > User Access > Access Approvals tab


Set Role Permission

Provide a Role permission to the user/role:

  • Roles > Actions > Set Permissions

Modify Access Levels
Option A - Modify existing Access Levels
  • Set Request Access = true for your existing Access Levels (Action and/or Grant):
    • Consider giving the action to Full and Read-only, and both Action & Grant abilities to the other Access Levels.

Option B - Create a new Access Level
  • Set Request Access = true for Full + Grant + Block (so administrative users can assign this new access level below).
  • Create a new Access Level with the following settings:
    • View Entry Names, View Folders, Request Access

Give Request Ability to Requester

In the Home screen, navigate to the folder(s)/entries you wish your users to be able to request, and assign them the Request Access permission on those items.

  • Open User Access
  • Select a user/role
  • Select the Access Level which has Request Access ability
  • Click Add

Set Time Limit Options

The Request/Approve workflow settings can be modified under Settings > Access Approval. They allow an admin to determine who can approve permanent access and to set the default time limits.

  • By default, it allows approvers to Grant access for 30 days and only allows Approvers with "Grant" permissions the option to provide permanent access.


Options

1. Approvers who can Grant Permanent access can be set:


  • Never - No approvers can grant permanent access
  • (Default) Approvers with Grant Permissions - Approvers that have also been granted the 'Grant' action in User Access
  • All Approvers - All approvers can grant permanent access

2. Set the default expiry:

  • Options are either: Permanent, or limited, up to a number of days or hours

3. Set the Maximum expiration time:

  • If a time limit is set, this is the maximum value it can be set to
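
The rules described above (no self-approval, who may grant permanent access, and the maximum expiration time) can be expressed as an audit check over approval records. This is an added example, not the product's own code; the record fields, setting names and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional

# The three choices for "Approvers who can Grant Permanent access".
NEVER, WITH_GRANT, ALL_APPROVERS = "never", "with_grant", "all"

@dataclass
class Settings:  # hypothetical model of Settings > Access Approval
    permanent_by: str = WITH_GRANT            # the documented default
    max_expiry: Optional[timedelta] = None    # None = no maximum set

@dataclass
class Approval:  # hypothetical record of one approved request
    requester: str
    approver: str
    approver_has_grant: bool
    expiry: Optional[timedelta]               # None = permanent access

def audit(a: Approval, s: Settings) -> List[str]:
    """Return the rules an approval breaks; an empty list means compliant."""
    problems = []
    if a.approver == a.requester:
        problems.append("self-approval")
    if a.expiry is None:
        allowed = s.permanent_by == ALL_APPROVERS or (
            s.permanent_by == WITH_GRANT and a.approver_has_grant)
        if not allowed:
            problems.append("permanent access not permitted")
    elif s.max_expiry is not None and a.expiry > s.max_expiry:
        problems.append("expiry exceeds maximum")
    return problems

# Constructed sample records (not real data).
SAMPLE = [
    Approval("alice", "bob", False, timedelta(days=30)),   # compliant
    Approval("alice", "alice", True, timedelta(days=1)),   # self-approval
    Approval("carol", "bob", False, None),                 # permanent, no Grant
    Approval("carol", "dave", True, timedelta(days=90)),   # over the maximum
]

if __name__ == "__main__":
    policy = Settings(permanent_by=WITH_GRANT, max_expiry=timedelta(days=60))
    for rec in SAMPLE:
        print(rec.requester, rec.approver, audit(rec, policy) or "ok")
```
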

Viewing / Requesting Access

Your users can then view the folder / entry structure, and request access to it:

Requesting:

Cancel / View Pending Requests:

Although users can open the entry, they will not be able to view the password or entry contents in the Web client. (Note: In the KeePass client, some entry content such as the Notes, Title, and Username will still be visible in the Entry list or Preview pane. This will also be restricted in an upcoming release, to align with the Web client.)

Viewing Entry Contents

Add the additional action:

  • View Entry Names, View Folders, Request Access, View Entry Contents

 

Users would then be able to open the entry, see the contents of the entry, but not the password itself:

 

Approving Access

Approvers can view the requests:

Upon clicking Approve (or Deny) include a comment and expiry date/time:
