Permission Model Examples

We receive quite a few support calls from customers wanting to understand the differences between our permission models.  To that end, this week’s blog provides examples of the Standard, Advanced, and Advanced with Disabled Inheritance permission models.  Please note that all user account names have been redacted in the images used.

Standard Permission Model

The Standard Permission Model is probably the easiest to understand for those new to Passwordstate.  You apply the required permissions to a Password List, and the direct folder hierarchy (the folder path required to access that Password List) inherits those permissions.  Think of it as a bottom-up application of permissions.

In our example, the Standard Folder Permission Model is the default setting in Passwordstate.  You can confirm the permission model in two ways.  First, the folder icon has no indicators next to it – all you can see is the folder.  This is the quick visual indicator that the folder is using the Standard Permission Model.  Second, click on the folder in the navigation pane and the Folder Properties on the right hand side of the screen will show the Permission Model in use.

We’ve assigned the permissions on the Password List SharePoint Accounts, having added 2 Users and a Security Group with Admin permission.  This is done by selecting the Password List, right clicking on it, selecting View Permissions, clicking on Grant New Permissions, selecting the intended recipients or groups, adding them to the Administrator Permissions box and clicking Save.

Now if we look at the Folder Permissions on the Business Systems folder you can see the 2 Users and Security Group with Admin permission have had those permissions applied at that folder level.  This shows that the folder has inherited those permissions from the nested Password List, in this case the SharePoint Accounts Password List.  You’ll also note there are additional Modify permissions on the folder.  These have been inherited from a different Password List in the Business Systems Folder.

Advanced Permission Model

Next, we have the Advanced Permission Model.  You apply the required permissions to a top level folder, and all objects beneath that folder, including nested folders and Password Lists, have the same permissions propagated down to them.  Think of this as a top-down application of permissions.

Again, using our example, you can confirm the permission model in two ways.  First, the folder icon has a downward pointing blue arrow next to it.  This is the quick visual indicator that the folder is using the Advanced Permission Model.  Second, click on the folder in the navigation pane and the Folder Properties on the right hand side of the screen will show that the Permission Model in use is the Advanced Model.

To confirm this, we’ll check the permissions on the Password List Web Sites.  This Password List is located in a nested folder called Halox.  This means the Advanced Permission Model will have propagated the permissions down to both the nested folder Halox and the Password List Web Sites.

The folder Customers has just 2 Users with permissions set to Admin.  To view this, we’ve selected the Password List Web Sites, right clicked on it and selected View Permissions.  You’ll note that the Grant New Permissions option is greyed out.  This is correct as the permissions on the Password List have been propagated down to it from the top level folder Customers.

Next, we’ll confirm the permissions on the Password List Web Sites (image above) match the permissions set on the Customers and Halox folders.  To do this we’ve selected the folder Customers, right clicked on it and selected View Permissions.  Again note that at the Customers folder level the Grant New Permissions option is available, as this is the top level folder.  However, when you select the Halox folder the Grant New Permissions option isn’t available.  This is because the permissions on Halox are propagated down from the Customers folder.

Advanced Permission with Disabled Inheritance

The last Permission Model we’ll discuss in this blog is a variation of the Advanced Permission Model.  This model blocks inheritance of permissions from any folder above, sets the permissions for a specific folder and propagates these permissions to any nested folders and Password Lists.  We typically refer to this model as the Advanced Permission with Disabled Inheritance and it effectively replaces the old Manual Permissions model used in Passwordstate Version 8.

To confirm the permission model for Advanced Permission with Disabled Inheritance you can look for the quick visual indicator next to the folder icon.  This indicator is a downward pointing blue arrow followed by a red cross.  If you click on the folder in the navigation pane, the Folder Properties on the right hand side of the screen will show that the Permission Model in use is the Advanced Model, with extra detail stating that inheritance of permissions from any parent level folders is disabled.

For this example, we’re going to build on the Advanced Permissions Model shown earlier in this blog.  In that example permissions were set at the Customers folder and propagated down to all nested folders and Password Lists.  Now, at the Allsand folder, we want to disable inheritance of permissions from Customers and instead set new permissions for the Allsand folder.  These will then be propagated down to all nested objects under Allsand, including the Workstation Accounts Password List.

To disable inheritance of any permissions from upper-level folders we right click on the Allsand folder, select Edit Properties, set the Disable Inheritance option to Yes and then click on Save.

We have then set two different User Accounts to have Admin permission on Allsand and these are propagated down to all nested objects, in this case the Workstation Accounts Password List.

Now we’ll confirm the permissions on the Password List Workstation Accounts (image below) match the permissions set on the Allsand folder.  To do this we’ve selected Workstation Accounts, right clicked on it and selected View Permissions.
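The three models walked through above can be summarised as one effective-permission calculation.  The following is an added illustrative model in Python, not Passwordstate code or its API; the Node class, the function names, the "Other List" Password List and the user1 to user5 and group1 principals are assumptions standing in for the redacted account names.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Node:
    name: str
    kind: str                         # "folder" or "list" (Password List)
    parent: object = None
    advanced: bool = False            # folder uses the Advanced model
    disable_inheritance: bool = False
    grants: set = field(default_factory=set)    # (principal, role) set directly here
    children: list = field(default_factory=list)

def source_folder(node):
    """Folder whose grants govern `node` under the Advanced model, or None (Standard)."""
    cur = node if node.kind == "folder" else node.parent
    while cur is not None:
        if cur.advanced and (cur.disable_inheritance or cur.parent is None):
            return cur
        cur = cur.parent
    return None

def nested_lists(node):
    own = [node] if node.kind == "list" else []
    return own + [pl for child in node.children for pl in nested_lists(child)]

def effective(node):
    src = source_folder(node)
    if src is not None:                       # Advanced: top-down from the source folder
        return set(src.grants)
    if node.kind == "list":                   # Standard: set on the Password List itself
        return set(node.grants)
    return set().union(*(pl.grants for pl in nested_lists(node)))  # Standard: bottom-up

def build_example():  # constructed tree with the blog's folder names; principals are placeholders
    nodes = {}
    def mk(name, kind, parent=None, **kw):
        nodes[name] = n = Node(name, kind, parent, **kw)
        if parent is not None: parent.children.append(n)
        return n
    admins = {("user1", "Admin"), ("user2", "Admin")}
    biz = mk("Business Systems", "folder")
    mk("SharePoint Accounts", "list", biz, grants=admins | {("group1", "Admin")})
    mk("Other List", "list", biz, grants={("user3", "Modify")})   # hypothetical name
    cust = mk("Customers", "folder", advanced=True, grants=set(admins))
    mk("Web Sites", "list", mk("Halox", "folder", cust, advanced=True))
    alls = mk("Allsand", "folder", cust, advanced=True, disable_inheritance=True,
              grants={("user4", "Admin"), ("user5", "Admin")})
    mk("Workstation Accounts", "list", alls)
    return nodes
```

In this model, source_folder returns the one place where permissions are actually set; for any other object in an Advanced tree (Halox, Web Sites, Workstation Accounts) the permissions are read-only copies, which corresponds to the greyed out Grant New Permissions option described above.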

Take Care When Changing Permission Models

The ability to convert between permission models is protected under Administration->Feature Access->folder options->Convert Folder Permission Models.  You can restrict this Administration functionality to specific Security Administrators, and only these individuals can specify which Users and Security Groups can convert folders between different permission models.

When converting Folder Permission Models take the time to read through the information presented.  Implications with the move to the new permission model will be presented to you and it is important that you understand what those implications mean, i.e., overwriting existing Standard Permissions (bottom-up approach) with Advanced Permissions (top-down approach).

If you’d like to share your feedback please send it through to support@clickstudios.com.au.