Blocking Access Inheritance
Administrators can configure Password Server to block all access to a folder, only providing access to selected users or roles. This is possible using the Block Inheritance functionality.
User access is inherited by subfolders and entries (similar to Windows file permissions). It is possible to block that inherited access, keeping only the access applied directly to a folder.
- Convert the inherited access on a folder to direct access:
  - Keep the default option checked: "Make current access non-inherited..."
  - Then remove or add the desired access directly on the folder.
Note: If you have blocked inheritance and are unable to restore it, see "Restore Access Inheritance" (in Common Issues).
Warning: When blocking access inheritance, be sure to leave at least one user with access. This operation will:
- Block all inherited permissions, including those of administrators:
  - Unless you explicitly grant them access, administrators will no longer have access to a folder once block inheritance has been used.
- Affect notification rules:
  - The Block Inheritance feature also blocks inheritance of notification rules. This prevents administrators from receiving notifications about credentials they would not know exist.
Password Server uses a tree structure to organize credentials and folders, much like the nested folders used to store files on any modern operating system. If a user has some set of access rights (permissions) on a folder, all the subfolders and credentials inside it (children) receive the same permissions. This is called access inheritance.
When Password Server is deciding whether a user is allowed to perform some action on a folder or credential (such as renaming, deleting, or viewing a password), it considers the permissions the user has specifically on that object, as well as the permissions inherited from the folder(s) containing it.
- For example, if a user has Full access to the Marketing folder, she also has Full access to all the folders and entries inside it.
Typically, ordinary users have limited access to a few passwords in their own areas of concern, while managers have more access rights over a wider area, and IT administrators usually have total access over the entire tree.
In most cases, this is a good arrangement, but sometimes it's preferable to prevent administrators from being able to access everything. This can be done with Inheritance Blocking, which prevents a folder from inheriting from its ancestors (but does not prevent descendants from inheriting from it).
- If someone blocks access inheritance on the folder HR, then an administrator who has even Full+Grant permission on a containing folder won't be able to use that permission to look inside that folder.
- Users who have some access directly to HR or the folders inside it will still have access, and normal inheritance rules still apply to folders and entries inside HR.
- For example, someone with Read Only access to an HR folder will also be able to read passwords in the Payroll and Vacation subfolders underneath it.
- The administrator can see many folders because they have Full+Grant access on the root, but they can't look inside the Human Resources or Private Folders because inheritance is blocked on those folders.
- Alice, a regular user, can look inside Human Resources and her own private folder because she has access directly to those folders -- it's not inherited from a containing folder.
A user can block permission inheritance on areas of the tree where they have Set Block Inheritance permission. This ability is included as part of the Full+Grant+Block default access level. You can also include it in your own custom access levels, if you create them.
- To do this, open the Security dialog on a folder or entry, click Block Access Inheritance, and read the warning before confirming that you want to block inheritance.
Since blocking permission inheritance affects every user, including the user doing the blocking, it's a pretty powerful operation.
- If you block inheritance on a folder and you don't have any non-inherited access on that folder, you'll lose your own access to it and you won't even be able to remove the inheritance block, since you no longer have that permission.
- If you think you might want to restore regular inheritance in the future, you should grant yourself (or someone else) the Set Block Inheritance permission on the exact item you're blocking inheritance for before you block inheritance.
If you have already blocked inheritance and are unable to restore it, see "Restore Access Inheritance" (in Common Issues).
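The resolution rules above (direct grants plus inherited grants, cut off at a folder where inheritance is blocked) and the self-lockout pitfall can be modelled in a few lines. This is an added illustration, not Password Server's own code; the permission names, the `Administrators` role, and the tree (Root, HR, Payroll) are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed permission set for the Full+Grant+Block access level (constructed names).
FULL_GRANT_BLOCK = {"Read", "Write", "Grant", "SetBlockInheritance"}

@dataclass
class Folder:
    """One node of the credential tree (constructed model, not product code)."""
    name: str
    parent: "Folder | None" = None
    block_inheritance: bool = False
    # principal (user or role name) -> permissions granted directly on this folder
    direct: dict = field(default_factory=dict)

def effective_permissions(folder, *principals):
    """Union of direct grants for the principals on this folder and its ancestors,
    walking upward until a folder with inheritance blocked is reached: that
    folder's own direct grants still count, its ancestors' grants do not."""
    perms = set()
    node = folder
    while node is not None:
        for p in principals:
            perms |= node.direct.get(p, set())
        if node.block_inheritance:
            break
        node = node.parent
    return perms

def block_access_inheritance(folder, *principals):
    """Block inheritance on `folder` only if the actor holds Set Block Inheritance
    there. Returns True if the actor can still undo the block afterwards."""
    if "SetBlockInheritance" not in effective_permissions(folder, *principals):
        raise PermissionError(f"{principals[0]} may not block inheritance on {folder.name}")
    folder.block_inheritance = True
    return "SetBlockInheritance" in effective_permissions(folder, *principals)

def scenario(grant_self_first):
    """Admin (via the Administrators role) blocks inheritance on HR; Alice has Read directly on HR."""
    root = Folder("Root", direct={"Administrators": set(FULL_GRANT_BLOCK)})
    hr = Folder("HR", parent=root, direct={"alice": {"Read"}})
    payroll = Folder("Payroll", parent=hr)
    if grant_self_first:  # the precaution the page recommends: a direct grant on the exact item
        hr.direct["admin"] = {"SetBlockInheritance"}
    can_undo = block_access_inheritance(hr, "admin", "Administrators")
    return {
        "admin_can_undo": can_undo,
        "admin_on_payroll": effective_permissions(payroll, "admin", "Administrators"),
        "alice_on_payroll": effective_permissions(payroll, "alice"),
    }

if __name__ == "__main__":
    print(scenario(grant_self_first=False))  # admin locked out of the HR subtree
    print(scenario(grant_self_first=True))   # admin keeps only the explicit direct grant
```

Without the direct grant, the administrator's root-level Full+Grant+Block no longer reaches HR or Payroll and the block cannot be undone; Alice's direct Read on HR still flows down to Payroll.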