Thanks for your post and we think this might be able to be prevented by using our propagating permissions model. Here is a video which shows a bit more about this: https://www.youtube.com/watch?v=QBJE_xD185U
Here's an email that we send to customers occasionally, which may help, happy to work with you on this to make sure you can get something working for your business:
Setting up the structure of the navigation tree is difficult to advise for, as every business is different, but below I've given an example of how you could build yours assuming you have different departments, like “IT Department” or “HR Department”. The top level Folder is set to Manual Permissions (blue padlock), and you would give everyone in the IT Department view access to it. Then each folder nested beneath it is for each team in the department, and these permissions are set to propagate down (green arrow on the folder) and only that team should have access to it. This just means the Linux team will only see "IT Department -> Linux Team", and the Service Desk will only see "IT Department -> Service Desk" etc. You could use this example below and possibly duplicate it for each department in your business, HR, Finance, Marketing etc.
Always use Security Groups if possible. In the above example for the IT Department structure, you could get away with having 4 Security Groups:
· IT Department – Add all users to this from the department and give this group View access to the top level IT Department folder
· Linux Team – Apply this group to only the Linux Folder
· Service Desk – Apply this group to only the Service Desk Folder
· Windows Team – Apply this group to only the Windows Folder
Possibly you could have 2 Security Groups per Team, which gives different permissions:
· Linux Team Read Only
· Linux Team Modify
· Service Desk Read Only
· Service Desk Modify
· Windows Team Read Only
· Windows Team Modify
Setting up permissions like this means all you have to do is add a new user to the relevant AD Security Group. This will sync to Passwordstate automatically and give users appropriate permissions easily.
Also, Adding a Private Password List, or a Shared Password List inside a folder that is propagating permissions down from the top level will not change the permissions.
Another tip to help, consider setting this System Setting option under Administration -> System Settings -> Password List Options to allow user with Modify rights the ability to Add Password Lists:
You could also consider locking down the ability to create folders completely, so to keep your folder structure standard. This can be done under Administration -> Feature Access-> Menu Access.
I hope that's enough to get you started, but please let me know if you have any questions at all about any of this?