Blocking Access Inheritance

Administrators can configure Password Server to block all access to a folder, only providing access to selected users or roles. This is possible using the Block Inheritance functionality.

User access is inherited by subfolders and entries (similar to Windows file permissions). It is possible to block inherited access and keep only the access applied directly to a folder.

 

Note: If you have blocked inheritance and are unable to restore it, see "Restore Access Inheritance" (in Common Issues).

 

Warning: When blocking access inheritance, be sure to allow at least one user access. This operation will:

  • Block all inherited permissions, including those of administrators
    • Unless you explicitly grant access, administrators will no longer have access to a folder when Block Inheritance has been used
  • Affect Notification rules:
    • The Block Inheritance feature will also block inheritance of Notification rules. This prevents administrators from receiving notifications from credentials that they would not know exist.

  

Password Server uses a tree structure to organize credentials and folders, much like the nested folders used to store files on any modern operating system. If a user has some set of access rights (permissions) on a folder, all the subfolders and credentials inside it (children) receive the same permissions. This is called access inheritance.

When Password Server is deciding whether a user is allowed to perform some action on a folder or credential (such as renaming, deleting, or viewing a password), it considers the permissions the user has specifically on that object, as well as the permissions inherited from the folder(s) containing it.


Typically, ordinary users have limited access to a few passwords in their areas of concern, while managers have more access rights to a wider area, and IT administrators usually have total access over the entire tree.

In most cases, this is a good arrangement, but sometimes it's preferable to prevent administrators from being able to access everything. This can be done with Inheritance Blocking, which prevents a folder from inheriting from its ancestors (but does not prevent descendants from inheriting from it).
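The resolution rule described above, as an added Python model (not Password Server's code or API): rights are assumed to be the union of direct grants from the object up to the nearest folder that blocks inheritance. The `Node` class, principal names and rights are constructed for illustration, and roles are not modelled.

```python
# Added illustrative model; not Password Server's implementation or API.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: Node | None = None
    block_inheritance: bool = False
    grants: dict[str, set[str]] = field(default_factory=dict)  # direct grants only


def effective_rights(node: Node, principal: str) -> set[str]:
    """Direct rights plus rights inherited from ancestors, stopping at the
    nearest node (including the node itself) that blocks inheritance."""
    rights: set[str] = set()
    current: Node | None = node
    while current is not None:
        rights |= current.grants.get(principal, set())
        if current.block_inheritance:
            break  # nothing above a blocking folder is inherited
        current = current.parent
    return rights


def orphaned_blocks(nodes) -> list[str]:
    """Blocking folders with no direct grants: no principal can reach them."""
    return [n.name for n in nodes
            if n.block_inheritance and not any(n.grants.values())]


def build_sample_tree() -> dict[str, Node]:
    """Constructed sample tree (names and rights are made up)."""
    root = Node("Root", grants={"admin": {"view", "edit", "delete"}})
    it = Node("IT", parent=root)
    hr = Node("HR", parent=root, block_inheritance=True,
              grants={"hr_manager": {"view", "edit"}})
    payroll = Node("HR/Payroll", parent=hr)  # inherits from HR, not from Root
    finance = Node("Finance", parent=root, block_inheritance=True)  # no grants
    return {n.name: n for n in (root, it, hr, payroll, finance)}


if __name__ == "__main__":
    tree = build_sample_tree()
    for name in ("IT", "HR", "HR/Payroll"):
        for who in ("admin", "hr_manager"):
            print(f"{name:12} {who:11} {sorted(effective_rights(tree[name], who))}")
    print("blocked with no direct access:", orphaned_blocks(tree.values()))
```

In this model the administrator keeps full rights on IT but has none on HR or HR/Payroll, and Finance is reported as a blocked folder that nobody can reach, which is the state the warning above tells you to avoid.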


A user can block permission inheritance on areas of the tree where they have Set Block Inheritance permission. This ability is included as part of the Full+Grant+Block default access level. You can also include it in your own custom access levels, if you create them.


Since blocking permission inheritance affects every user, including the user doing the blocking, it's a pretty powerful operation.

 

If you have already blocked inheritance and are unable to restore it, see "Restore Access Inheritance" (in Common Issues).