What’s the difference between a Security Administrator and Administrator of a Password List?

Passwordstate uses the concepts of Security Administrators and Password List Administrators.  Each role is specific about what it allows a user to do within Passwordstate, and in particular about how it relates to accessing Password Records.  Customers new to Passwordstate sometimes use the two terms interchangeably, but they are distinct roles.

While it is quite possible, even probable, that a Security Administrator will be a Password List Administrator of some Password Lists, most Password List Administrators will not be assigned Security Administrator roles.  What are the differences and what do they allow?

What is a Security Administrator?

A Security Administrator is a User Account within Passwordstate that has been granted access to one, many or all of the roles or features shown under the Administration Tab.  Security Administrators in large organizations typically have access to one or a few roles but not all.  This allows better segregation of administrative duties and ensures elevated privileges are split across several people.  Conversely, Security Administrators in smaller organizations typically have access to all roles, as there are fewer staff to apportion them to.

Security Administrators cannot modify their own assigned roles.  This is a built-in control intended to prevent a Security Administrator assigning additional elevated privilege roles to their own account.  Any change to their roles, including adding or removing access to features, has to be made by another Security Administrator.  For this reason, Click Studios recommends that a minimum of two Security Administrators be assigned within Passwordstate, so that no role change ever depends on a single account.

Security Administrators cannot manage permissions or settings on Private Password Lists owned by other accounts.  Using the Password Lists feature they can only see that a Password List exists and who owns it.

They cannot grant themselves access to, or modify their own permissions on, Shared Password Lists they don’t already have access to.  When such a Security Administrator clicks on a Shared Password List they have not been granted access to, all passwords are hidden and some features are disabled.  Note: under System Settings you can elect to grant Security Administrators Admin Rights to new Shared Password Lists as they are created.

What is a Password List Administrator?

A Password List Administrator is the owner of a Password List.  By default, they have administrative rights to their Password List and are initially the only account with permission to grant additional users rights to a Shared Password List (Private Password Lists cannot have access granted to other users).

Can you have Multiple Password List Administrators?

For Private Password Lists the answer is no.  There can only be one Password List Administrator for a Private Password List.  Having said that, you can add multiple Password List Administrators to a Shared Password List; however, there is only ever one owner, the account that originally created the Shared Password List.

Shouldn’t Security Administrators Access Everything?

In short no!  Passwordstate in its default configuration does not allow Security Administrators access to everything.  The founding principle for Passwordstate is to grant access to password records using RBAC (Role Based Access Control).  All users should only be provided with access to the Password Records they need to be able to perform their duties.  This means Security Administrators cannot by default grant themselves access to, or modify their own permissions on Shared Password Lists.

The analogy I like to use here is based on Segregation of Duties (SOD).  This is a basic building block of sustainable risk management and internal control for a business.  In this analogy, a person raising a Purchase Order for goods should not also be the person receiving the goods and then paying the invoice for those goods.  If the same person raises the order, receipts the goods and then pays the invoice, the end-to-end transaction is open to a lack of appropriate authorization, potential errors and, at worst, fraud.

Likewise, Security Administrators responsible for the effective running of your Passwordstate instance should not also need access to password records that open up all Employee Records in your Human Resources System, or the credentials for the organization’s primary banking account.  In 99.9% of organizations a Security Administrator’s role won’t include Passwordstate management, reviewing HR records directly from the database and shuffling funds in and out of the business bank account.  

Relevant Configuration Options

Security Administrators can, if granted access to the System Settings role/feature, configure the following under Administration->System Settings->Password List Options:

  • When administering Password List permissions from within the ‘Administration’ area, prevent Security Administrators from granting themselves permissions to passwords – either via their own account, or security groups which they are a member of (Yes/No)
  • When searching for users in order to grant them access to Password Lists, only show users who are in the same Security Groups as the person granting the access (Yes/No)
  • When a new Shared Password List is created, apply the following permission to the user who created the list (List Administrator/Modify/View)
  • When new Shared Password Lists are created, grant Security Administrators with the selected role below admin rights to the Password List (Do Not Provide Admin Access/All Security Administrators/Password Lists)
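As an added example (illustrative Python written for this page, not Passwordstate’s own code and not from Click Studios), the model below encodes the rules described above: Security Administrators cannot change their own roles, option 1 blocks a Security Administrator granting permissions to their own account or to a Security Group they belong to, option 2 narrows the user search to shared Security Groups, and options 3 and 4 decide the initial permissions on a new Shared Password List.  The field names, function names, role names such as "User Accounts", and the constructed users and groups are all assumptions made for the demonstration.

```python
# Added example, not Passwordstate code: a small model of the Security Administrator
# and Password List permission rules described on this page. Names are assumptions.
from dataclasses import dataclass, field

LEVELS = {"List Administrator": "Admin", "Modify": "Modify", "View": "View"}


@dataclass
class Settings:
    # Administration -> System Settings -> Password List Options (modelled, names assumed)
    prevent_self_grant: bool = True                         # option 1: Yes
    restrict_search_to_shared_groups: bool = True           # option 2: Yes
    creator_permission: str = "List Administrator"          # option 3
    new_list_admin_for: str = "Do Not Provide Admin Access" # option 4


@dataclass
class User:
    name: str
    security_groups: set = field(default_factory=set)
    admin_roles: set = field(default_factory=set)           # roles under the Administration tab

    @property
    def is_security_admin(self) -> bool:
        return bool(self.admin_roles)


@dataclass
class PasswordList:
    name: str
    owner: str
    private: bool = False
    permissions: dict = field(default_factory=dict)         # principal -> Admin / Modify / View


def assign_admin_roles(actor: User, target: User, roles: set) -> None:
    """A Security Administrator cannot change their own roles; a second one has to."""
    if not actor.is_security_admin:
        raise PermissionError(f"{actor.name} is not a Security Administrator")
    if actor is target:
        raise PermissionError("Security Administrators cannot modify their own roles")
    target.admin_roles = set(roles)


def create_shared_list(name: str, creator: User, users: list, settings: Settings) -> PasswordList:
    """Options 3 and 4: initial permissions on a new Shared Password List.
    Assumption: option 4 is applied after the creator's own permission."""
    pl = PasswordList(name=name, owner=creator.name)
    pl.permissions[creator.name] = LEVELS[settings.creator_permission]
    for u in users:
        if settings.new_list_admin_for == "All Security Administrators" and u.is_security_admin:
            pl.permissions[u.name] = "Admin"
        elif settings.new_list_admin_for == "Password Lists" and "Password Lists" in u.admin_roles:
            pl.permissions[u.name] = "Admin"
    return pl


def searchable_users(actor: User, users: list, settings: Settings) -> list:
    """Option 2: only show users who share a Security Group with the grantor."""
    if not settings.restrict_search_to_shared_groups:
        return [u.name for u in users]
    return [u.name for u in users if u.security_groups & actor.security_groups]


def grant(actor: User, pl: PasswordList, principal: str, level: str, settings: Settings,
          from_admin_area: bool = False, principal_is_group: bool = False) -> None:
    """Grant `level` on `pl` to a user or Security Group, enforcing the page's rules."""
    if pl.private:
        raise PermissionError("Private Password Lists cannot be shared with other users")
    if from_admin_area:
        # Administration area: Security Administrators only, and option 1 stops them
        # granting to their own account or to a Security Group they are a member of.
        if not actor.is_security_admin:
            raise PermissionError(f"{actor.name} is not a Security Administrator")
        self_grant = principal in actor.security_groups if principal_is_group else principal == actor.name
        if settings.prevent_self_grant and self_grant:
            raise PermissionError("Security Administrators cannot grant themselves permissions")
    elif pl.permissions.get(actor.name) != "Admin":
        # Normal path: only a Password List Administrator of this list can grant access.
        raise PermissionError(f"{actor.name} is not a Password List Administrator of {pl.name}")
    pl.permissions[principal] = level


def _blocked(fn) -> bool:
    """True if the action raised PermissionError."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario (made-up users and groups); returns outcomes for checking."""
    s = Settings()
    alice = User("alice", {"Finance"})                                 # creates the list
    dave = User("dave", {"Finance"})
    bob = User("bob", {"IT"}, {"System Settings", "Password Lists"})   # Security Administrator
    carol = User("carol", {"IT"}, {"User Accounts"})                   # second Security Administrator
    users = [alice, dave, bob, carol]
    pl = create_shared_list("Banking", alice, users, s)
    out = {"creator_level": pl.permissions["alice"], "sa_level": pl.permissions.get("bob")}
    out["self_grant"] = _blocked(lambda: grant(bob, pl, "bob", "View", s, from_admin_area=True))
    out["own_group_grant"] = _blocked(lambda: grant(bob, pl, "IT", "View", s, True, True))
    grant(bob, pl, "carol", "View", s, from_admin_area=True)           # granting to someone else is fine
    out["other_grant"] = pl.permissions["carol"]
    out["self_role_change"] = _blocked(lambda: assign_admin_roles(bob, bob, {"User Accounts"}))
    assign_admin_roles(carol, bob, {"System Settings"})                # a second Security Administrator can
    out["bob_roles"] = sorted(bob.admin_roles)
    out["alice_search"] = searchable_users(alice, users, s)
    return out
```

With the default (recommended) settings the Security Administrator is kept out of the list they did not create, cannot route permissions to themselves through a group, and cannot widen their own roles; flipping `prevent_self_grant` to False, or setting option 4 to "All Security Administrators", is exactly the relaxation the SOD discussion above argues against, so treat either as a deliberate, documented decision rather than a default.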

We hope this explains the differences between Security Administrators and Password List Administrators and what they can do.  If you’d like to share your feedback please send it through to support@clickstudios.com.au.