Managing security groups that contain yourself


Buckit

Hi guys,

I'm playing around in our DEV sandbox, with PasswordState. Stumbled upon something that I wanted to discuss briefly.

Reproduction:

  1. Install PasswordState.
  2. Set up my own AD account as the first admin account.
  3. Create a group in AD, "pstate-admins".
  4. Add multiple AD users to AD group "pstate-admins", including myself.
  5. Import the AD group "pstate-admins" as an AD security group into PasswordState.
  6. Go to security Administrators and try to add the security group "pstate-admins" with privileges.

The group in question stays greyed out and cannot be adjusted. Is this a bug, or is it a design feature to prevent me from expanding my current set of access permissions? I could understand it being the latter, now that I think of it. But on the other hand, the account I'm currently working with is the primary / first full admin user. You'd expect that one to not be limited :) Then again, proper security considerations would suggest that even the primary admin is limited by access permissions.

Workaround would be to remove myself from the AD group, then add permissions, then re-add myself to the group. Yup.

However, now I get stuck when working with password lists! I've set up a few lists and I want to ensure that the "pstate-admins" can administer the lists in question. I cannot add list admin rights to "pstate-admins", because I'm a member of that group. Despite my account already having full access to the lists, because I'm the one who created the list. This is a bit messy :/

Suggestions? I could remove my account from the AD-group again, but in the long run I want the first admin account (mine) to be removed in full, so my rights work through the AD-group.

Hello Buckit,

I think I understand what your issue is, but please let me know if I've got it wrong.

Are you trying to apply/change permissions to Password Lists from within the Administration area? If so, then there is a System Setting here preventing you from doing this. By default we prevent this, so that any Security Admin cannot just grant themselves access to any Password Lists they like.

If you go to the screen Administration -> Passwordstate Administration -> System Settings -> Password List Options tab, you will see the setting below which you can change:

"When administering Password List permissions from within the 'Administration' area, prevent Security Administrators from granting themselves permissions to passwords - either via their own account, or security groups which they are a member of:"

Can you let me know if this was the issue?

Regards

Click Studios
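
The rule described in this reply (no granting to your own account or to a security group you belong to), sketched as an added Python example that is not Click Studios' code and not part of the thread. It assumes nested AD groups count as membership, which the thread does not confirm; the membership map and grant records are constructed, and all names other than "pstate-admins" are hypothetical.

```python
from collections import deque

# Constructed sample data: principal -> groups it is a direct member of.
# "pstate-admins" is the group from the thread; the rest are hypothetical.
MEMBER_OF = {
    "buckit": {"pstate-admins"},
    "alice": {"helpdesk"},
    "pstate-admins": {"it-ops"},   # nested group (assumption: nesting counts)
    "it-ops": {"pstate-admins"},   # deliberate cycle, must not loop forever
}

def effective_principals(user, member_of):
    """Return the user plus every group reached by direct or nested membership."""
    seen, queue = {user}, deque([user])
    while queue:
        for group in member_of.get(queue.popleft(), ()):
            if group not in seen:   # the seen-set also breaks membership cycles
                seen.add(group)
                queue.append(group)
    return seen

def is_self_grant(admin, grantee, member_of):
    """True when the grantee is the admin's own account or a group containing the admin."""
    return grantee in effective_principals(admin, member_of)

def find_self_grants(events, member_of):
    """Filter (admin, grantee, password_list) grant records down to self-grants."""
    return [e for e in events if is_self_grant(e[0], e[1], member_of)]

# Constructed grant records, not real Passwordstate audit output.
EVENTS = [
    ("buckit", "pstate-admins", "Prod Servers"),  # group the admin belongs to
    ("buckit", "helpdesk", "Prod Servers"),       # unrelated group
    ("buckit", "it-ops", "Network Gear"),         # reached only through nesting
    ("alice", "alice", "HR Systems"),             # admin's own account
]

if __name__ == "__main__":
    for admin, grantee, plist in find_self_grants(EVENTS, MEMBER_OF):
        print(f"self-grant: {admin} -> {grantee} on {plist}")
```

The same filter can serve as a review check over exported permission changes if the system setting is ever switched off.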

Yep, that's exactly the issue I was trying to explain. And what I expected is what you explained: it's an additional layer of security. Glad to know things work as designed. Now I just have to make sure that particular checkbox cannot be unchecked ;)

Thanks for further explaining!

Archived

This topic is now archived and is closed to further replies.
