Permissions

sysPass permissions are set in the user profiles. By default, only account searching is allowed.

There are 29 permission types:

  • Accounts
    • Create - allows adding new accounts
    • View - allows viewing account details [1]
    • View Password - allows viewing account passwords [1]
    • Edit - allows modifying accounts and their files [1]
    • Edit Password - allows modifying account passwords [1]
    • Delete - allows deleting accounts [1]
    • Files - allows viewing account files
    • Share Link - allows creating public links
    • Private - allows creating private accounts
    • Private for Group - allows creating private accounts only for the main group
    • Permissions - allows viewing and modifying account permissions [1]
    • Global Search - allows searching all accounts except private ones [2]
  • Management
    • Users - allows full access to users management [3]
    • Groups - allows full access to groups management
    • Profiles - allows full access to profiles management
    • Categories - allows full access to categories management
    • Customers - allows full access to customers management
    • Custom Fields - allows full access to custom fields management
    • API Authorizations - allows full access to API authorizations management
    • Public Links - allows full access to public links management
    • Accounts - allows full access to accounts management
    • Files - allows full access to files management
    • Tags - allows full access to tags management
  • Configuration
    • General - allows full access to the site, accounts, wiki, LDAP and email configuration
    • Encryption - allows full access to the master key configuration
    • Backup - allows full access to perform backups [4]
    • Import - allows full access to import XML and CSV files
  • Others
    • Event Log - allows full access to the event log

ACL

Users and Groups

  • User profiles set which actions the user can perform
  • A user can only display or modify accounts if:
    • The user is the account’s owner
    • The user is a member of the account’s primary group
    • The user is a member of the account’s secondary groups
    • The user’s main group is listed as a secondary group of the account
    • The user is included through a group and the “Secondary Groups Access” option is enabled
  • An account can only be modified by its users or secondary groups if the modification permission on the account’s accesses is enabled
  • Private accounts can only be accessed by the owner
  • Private accounts for groups can only be accessed by the users of the main group
  • Application Admin: allows full access to all the application modules
  • Accounts Admin: allows full access to all the accounts except private ones
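
The rules above can be read as one decision function. The sketch below is an added example, not sysPass code: every class, field and function name is hypothetical, profile permissions are not modelled, and it assumes that "included through a group" means one of the user's groups other than the main group appears among the account's secondary groups.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    main_group: int
    extra_groups: frozenset = frozenset()   # assumed: memberships beyond the main group
    app_admin: bool = False
    accounts_admin: bool = False

@dataclass(frozen=True)
class Account:
    owner: int
    main_group: int
    secondary_groups: frozenset = frozenset()
    secondary_can_edit: bool = False        # modification permission on the account accesses
    private: bool = False
    private_for_group: bool = False

def access(user, acct, secondary_groups_access=False):
    """Return 'edit', 'view' or None for one user/account pair."""
    # The private rules are stated as absolute, so they run before the admin roles.
    if acct.private:
        return "edit" if user.id == acct.owner else None
    if acct.private_for_group and user.main_group != acct.main_group:
        return None
    if user.app_admin or user.accounts_admin:
        return "edit"
    if user.id == acct.owner or user.main_group == acct.main_group:
        return "edit"
    # Secondary-group grounds: direct (main group) or through another membership,
    # the latter only when the "Secondary Groups Access" option is enabled.
    direct = user.main_group in acct.secondary_groups
    through = secondary_groups_access and bool(user.extra_groups & acct.secondary_groups)
    if direct or through:
        return "edit" if acct.secondary_can_edit else "view"
    return None

if __name__ == "__main__":
    # Constructed sample data: group ids 10 (ops), 20 (dev), 30 (audit).
    acct = Account(owner=1, main_group=10, secondary_groups=frozenset({20}))
    users = {
        "owner": User(1, 10),
        "dev": User(2, 20),
        "auditor": User(3, 30, extra_groups=frozenset({20})),
        "outsider": User(4, 30),
    }
    for option in (False, True):
        row = {name: access(u, acct, option) for name, u in users.items()}
        print(f"Secondary Groups Access={option}: {row}")
```

Running it over a full user and account export gives a quick view of who gains access when “Secondary Groups Access” is switched on.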

API

The API access permissions are complementary to the accounts access permissions, so users and groups ACLs will be applied when an account is either listed or accessed.

Notes

[1] Only the accounts that the user and their group have been granted
[2] When access to the account is not granted, the user will only be able to perform a “Request for Account Modification”
[3] The “Application Admin” users cannot be modified by other users
[4] Only the “Application Admin” users can download the backup or XML files