Q1. What is the problem that you are trying to solve?
A group manager can add users to that group; therefore, he/she is able to share all passwords (which are shared with the group) with anyone.
However, the group manager is not automatically owner of those passwords, which can cause recovery problems when deleting or recreating users.
A typical problem is: password X is shared with group Y (as can-read or can-update), but password X is owned only by individual Z. This is what happens by default, i.e. the person who created the password is the sole owner.
Everything works fine, until individual Z leaves. At this point manual recovery is required. The only solution is to promote group Y as owner of X - which of course makes all members of group Y owners of the password - to allow Z to be deleted. Then some other member of group Y can assign new ownership and clean up.
To attempt to avoid this, you might try to structure things so that each password has a group of users and a group of owners (rather than individual owners). You then end up with pairs of groups:
- Group Foo
- Group Foo Owner
Passwords are shared with “Group Foo” as “can read” and “Group Foo Owner” as “is owner”. Individuals are added to “Group Foo” (as member) if they need only read access. Individuals are added to both groups (as manager) if they need management access.
This is rather complex and error prone.
Q2 - Who is impacted?
Organisations with a significant amount of group structure / group sharing.
Q3 - Why is it important and/or urgent?
To make ongoing management easier and reduce the scope for operational problems.
Q4 - What is your proposed solution? (optional)
I would like to propose that a Group Manager automatically gains Owner access to any password shared with the group.
This would result in no longer having the ability to have a Group Manager who could only read a password but not change it. If this is considered problematic then it could be made a configuration option.
Alternative: there could be a third category of group membership:
- Group Manager
- Group Manager + Owner
Another alternative: change the sharing model so that when sharing with a group, the permissions come from the group membership, not from how you share with the group.
That is: change groups so that their membership becomes one of:
- Can read
- Can update
- Owner + group manager
Then you simply share a password with a group (without selecting any rights for the group); the rights come from the group memberships.
Q5. Community support
People can vote for this idea to show traction:
- Must have: this is critical for me to have this
- Should have: this is important for me to have this
- Could have: this could be nice to have
- Won’t have: we should not schedule this (explain why)
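
The sole-owner situation described under Q1 can be audited before a user is removed. The sketch below is an added example, not part of the original post and not the product's code or API; the data layout, permission labels and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: (password, grantee kind, grantee, permission).
SHARES = [
    ("X", "user", "Z", "owner"),         # the Q1 case: Z is the only owner
    ("X", "group", "Y", "read"),
    ("W", "user", "Z", "owner"),         # the paired-group workaround from Q1
    ("W", "group", "Y Owner", "owner"),
    ("V", "user", "Z", "owner"),         # private to Z, shared with nobody
]
# Constructed group membership: group -> {user: role}.
GROUPS = {
    "Y": {"alice": "manager", "bob": "member", "Z": "member"},
    "Y Owner": {"alice": "manager"},
}

def effective_owners(shares, groups):
    """Map each password to the users holding owner rights, directly or via a group."""
    owners = defaultdict(set)
    for password, kind, grantee, perm in shares:
        if perm != "owner":
            continue
        if kind == "user":
            owners[password].add(grantee)
        else:
            owners[password].update(groups.get(grantee, {}))
    return owners

def sole_owner_risks(user, shares, groups):
    """Passwords that others can access but that only `user` owns.

    Returns {password: {other grantee: [its group managers]}}; the managers
    are the people who could take over ownership. Assumption: a password
    shared with nobody else is not reported.
    """
    owners = effective_owners(shares, groups)
    risks = {}
    for password, kind, grantee, perm in shares:
        if owners[password] != {user} or (kind == "user" and grantee == user):
            continue
        managers = []
        if kind == "group":
            managers = sorted(u for u, role in groups.get(grantee, {}).items()
                              if role == "manager" and u != user)
        risks.setdefault(password, {})[grantee] = managers
    return risks

if __name__ == "__main__":
    print(sole_owner_risks("Z", SHARES, GROUPS))
```

Running the check for Z reports only password X, with alice (manager of group Y) as the candidate for new ownership; W is already covered by its owner group.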