Requesting View Password Access Example
This steps through a simple example of requesting access for a password.
The same workflow can be used for a Dual Control approval process.
Admins can set up an implementation of dual control, also called the 4-eyes principle, two-man rule, or peer approval.
By having colleagues approve each other's requests, they work together to accomplish the action.
- For example:
  - Alone, a Requester or Approver still cannot access items (through the directly assigned User Access)
  - Furthermore, Approvers still cannot approve their own requests
- But together:
  - Users can be set up as Requesters and/or Approvers
  - Requesters can request access that another Approver can approve
Create approver Role:
- Navigate to Users and Roles, click "Add New Role", and give it a meaningful name like "Approver"
- On your newly created "Approver" role, click the "Actions" button and choose Set Permissions
- Click the Access Approvals item and hit "Set permission"
Assign an approver:
- Navigate to Home screen > Select a folder > Click Actions button > User Access > Access Approvals tab
Modify Access Levels
Option A - Modify existing Access Levels
- Set Request Access = true for your existing Access Levels (Action and/or Grant):
  - Consider giving the action to Full and Read-only, and both Action & Grant abilities to the other Access Levels.
Option B - Create a new Access Level
- Set Request Access = true for Full + Grant + Block (so administrative users can assign this new access level below).
- Create a new Access Level with the following settings:
  - View Entry Names, View Folders, Request Access
Give Request Ability to Requester
In the Home screen, navigate to the folder(s)/entries you wish your users to be able to request, and assign them the Request Access permission on those items.
- Open User Access
- Select a user/role
- Select the Access Level which has Request Access ability
- Click Add
The Request Approve workflow settings can be modified from the settings menu in Settings > Access Approval. They allow an admin to determine who can approve permanent access and to set the default time limits.
By default, approvers can grant access for 30 days, and only Approvers with "Grant" permissions have the option to provide permanent access.
1. Approvers who can Grant Permanent access can be set:
- Never - No approvers can grant permanent access
- (Default) Approvers with Grant Permissions - Approvers that have also been granted the 'Grant' action in User Access
- All Approvers - All approvers can grant permanent access
2. Set the default expiry:
Options are either Permanent, or limited to a number of days or hours
3. Set the Maximum expiration time:
If a time limit is set, this is the maximum time limit it can be set to
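The Python model below is an added illustration, not the product's own code: it shows how the three settings above combine with the rule that Approvers cannot approve their own requests. The class and function names are hypothetical, the 30-day maximum is a constructed sample value, and refusing (rather than shortening) an over-limit expiry is an assumption.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Values of the "Approvers who can Grant Permanent access" setting listed above.
NEVER, GRANT_ONLY, ALL_APPROVERS = "never", "grant_only", "all_approvers"
PERMANENT = "permanent"

@dataclass
class ApprovalSettings:
    permanent_policy: str = GRANT_ONLY                        # default per the page
    default_expiry: Optional[timedelta] = timedelta(days=30)  # default per the page; None = permanent
    max_expiry: Optional[timedelta] = timedelta(days=30)      # constructed sample value

@dataclass
class Approver:
    name: str
    is_approver: bool = True  # assigned on the Access Approvals tab
    has_grant: bool = False   # also holds the 'Grant' action in User Access

def decide(settings, requester, approver, expiry="default"):
    """Return (approved, expiry_or_reason); expiry is "default", PERMANENT or a timedelta."""
    if not approver.is_approver:
        return False, "not an approver for this item"
    if approver.name == requester:
        return False, "approvers cannot approve their own requests"
    if expiry == "default":
        expiry = PERMANENT if settings.default_expiry is None else settings.default_expiry
    if expiry == PERMANENT:
        allowed = settings.permanent_policy == ALL_APPROVERS or (
            settings.permanent_policy == GRANT_ONLY and approver.has_grant)
        if not allowed:
            return False, "approver may not grant permanent access"
        return True, PERMANENT
    if expiry <= timedelta(0):
        return False, "expiry must be positive"
    if settings.max_expiry is not None and expiry > settings.max_expiry:
        # Assumption: an over-limit expiry is refused, not silently shortened.
        return False, "expiry exceeds configured maximum"
    return True, expiry
```

Running the same requests against each value of `permanent_policy` is a quick way to confirm that a planned configuration still requires a second person for every grant.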
Viewing / Requesting Access
Your users can then view the folder / entry structure and request access to it
Cancel / View Pending Requests
Although the users can open the entry, they will not be able to view the password or entry contents in the Web client. (Note: However, in the KeePass client some entry content information will still be visible in the Entry list or Preview pane, such as the Notes, Title, and Username. This will also be restricted in an upcoming release, to align with the Web client.)
Viewing Entry Contents
Add the additional action:
- View Entry Names, View Folders, Request Access, View Entry Contents
Users would then be able to open the entry and see its contents, but not the password itself
Approvers can view the requests
Upon clicking Approve (or Deny), include a comment and expiry date/time