
Requesting View Password Access Example

This steps through a simple example of requesting access for a password.

The same workflow can be used for a Dual Control approval process...

Dual Control Explained

Admins can set up an implementation of dual control, also called the 4-eyes principle / two-man rule / peer approval.

By having colleagues approve each other's requests, they work together to accomplish the action.

  • For example:
    • Alone, a Requester or Approver still cannot access items (through the directly assigned User Access)
    • Furthermore, Approvers still cannot approve their own requests
  • But together:
    • Users can be set up as Requesters and/or Approvers
    • Requesters can request access that another Approver can approve

Create approver Role:

  • Navigate to Users and Roles, click "Add New Role", and give it a meaningful name such as "Approver"
  • On your newly created "Approver" role click the "Actions" button and choose Set Permissions
  • Click the Access Approvals item and hit "Set permission" 

 

Assign an approver:

  • Navigate to Home screen > Select a folder > Click Actions button > User Access > Access Approvals tab

 

Modify Access Levels

Option A - Modify existing Access Levels

  • Set Request Access = true for your existing Access Levels (Action and/or Grant):
    • Consider giving the action to Full and Read-only, and both Action & Grant abilities to the other Access Levels.

 

Option B - Create a new Access Level

  • Set Request Access = true for Full + Grant + Block (so administrative users can assign this new access level below).
  • Create a new Access Level with the following settings:
    • View Entry Names, View Folders, Request Access

 

Give Request Ability to Requester

In the Home screen, navigate to the folder(s)/entries you wish your users to be able to request, and assign them the Request Access permission on those items.

  • Open User Access
  • Select a user/role
  • Select the Access Level which has Request Access ability
  • Click Add

Set Time Limit Option

The Request Approve workflow settings can be modified under Settings > Access Approval. They allow an admin to determine who can approve permanent access and to set the default time limits.

  • By default, it allows approvers to Grant access for 30 days and only allows Approvers with "Grant" permissions the option to provide permanent access.

 

Options

1. Approvers who can Grant Permanent access can be set:

  • Never - No approvers can grant permanent access
  • (Default) Approvers with Grant Permissions - Approvers that have also been granted the 'Grant' action in User Access
  • All Approvers - All approvers can grant permanent access

2. Set the default expiry:

  • Options are either: Permanent, or limited, up to a number of days or hours

3. Set the Maximum expiration time:

  • If a time limit is set, what is the maximum time limit it can be set to
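
The rules from these options and from "Dual Control Explained", modeled as a small Python check. This is an added illustration, not the product's code or API: the class and function names are hypothetical, and rejecting (rather than shortening) an expiry above the maximum is an assumption.

```python
from dataclasses import dataclass
from datetime import timedelta
from enum import Enum
from typing import Optional

class PermanentPolicy(Enum):
    NEVER = "Never"
    GRANT_ONLY = "Approvers with Grant Permissions"  # the documented default
    ALL = "All Approvers"

@dataclass
class Settings:
    permanent_policy: PermanentPolicy = PermanentPolicy.GRANT_ONLY
    default_expiry: Optional[timedelta] = timedelta(days=30)  # None = permanent
    max_expiry: Optional[timedelta] = None                    # None = no maximum set

@dataclass
class Approver:
    name: str
    is_approver: bool = True  # assigned on the Access Approvals tab
    has_grant: bool = False   # also holds the 'Grant' action in User Access

USE_DEFAULT = object()  # sentinel: approver did not pick an expiry

def decide(settings, requester, approver, expiry=USE_DEFAULT):
    """Return (approved, expiry_or_reason); an expiry of None means permanent."""
    if not approver.is_approver:
        return False, "not an approver for this item"
    if approver.name == requester:
        # Dual control: approvers cannot approve their own requests.
        return False, "approvers cannot approve their own requests"
    if expiry is USE_DEFAULT:
        expiry = settings.default_expiry
    if expiry is None:  # permanent access requested
        policy = settings.permanent_policy
        if policy is PermanentPolicy.NEVER:
            return False, "no approver may grant permanent access"
        if policy is PermanentPolicy.GRANT_ONLY and not approver.has_grant:
            return False, "permanent access requires the Grant action"
        return True, None
    if settings.max_expiry is not None and expiry > settings.max_expiry:
        # Assumption: an over-limit expiry is refused, not silently shortened.
        return False, "expiry exceeds the configured maximum"
    return True, expiry
```
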

Viewing / Requesting Access

Your users can then view the folder / entry structure and request access to it.

 

Requesting

 

Cancel / View Pending Requests

 

Although users can open the entry, they will not be able to view the password or entry contents in the Web client. (Note: In the KeePass client, however, some entry content will still be visible in the Entry list or Preview pane, such as the Notes, Title, and Username. This will also be restricted in an upcoming release, to align with the Web client.)

 

Viewing Entry Contents

Add the additional action:

  • View Entry Names, View Folders, Request Access, View Entry Contents

 

 

Users would then be able to open the entry and see its contents, but not the password itself.

 

 

Approving Access

Approvers can view the requests

 

Upon clicking Approve (or Deny), include a comment and an expiry date/time.