As an admin I can audit passwords that are not shared with anyone

Q1 - What is the problem that you are trying to solve?
This is to protect from a scenario like this: Employee adds a critical company credential. Perhaps they even share it with some relevant groups. Employee leaves the company, we remove the permissions, and there is no way for us to access their account and change ownership of passwords. I don’t see an easy way to identify non-personal passwords that a user added but didn’t change the ownership to the proper user/group.

Q2 - Who is impacted?
Administrators that manage users coming and leaving their org.

Q3 - Why is it important and/or urgent?
It can create security issues in the sense that password availability can be reduced by a rogue or careless employee.

Q4 - What is your proposed solution? (optional)
To prevent this I would like to periodically run an “audit” and request those users that retained ownership of non-personal passwords to relinquish ownership to a designated owners “group”. Perhaps this could also be managed through a checkbox or tag when creating a new password: “Personal”, and if it is NOT marked personal, the owner is automatically (and mandatorily) set to a particular group, and the creating user is ONLY added with a “can change” permission on the credential.

ref. https://github.com/passbolt/passbolt_api/issues/110

Q5 - Community poll
What does the community think about this? Let’s vote!

  • Must have: this is critical for me to have this
  • Should have: this is important for me to have this
  • Could have: this could be nice to have
  • Won’t have: we should not schedule this (explain why)

Any update on this? We are reviewing passbolt and feel this is a limitation. We would like an auto share feature which I guess gives the same result. We don’t want user x to create a password for client y and then go on holiday and we have a problem and we cannot access the passwords for the client.

@SteveDrakey we have not started working on this yet, but it is still on our radar.

I believe the following MySQL query will show all passwords which are not shared, and therefore are only accessible by a single user:

mysql> select r.id, r.name, u.username, p.type from resources r
       join permissions p on p.aco='Resource' and p.aco_foreign_key=r.id
       join users u on p.aro='User' and p.aro_foreign_key=u.id where r.id in
       (select resource_id from users_resources_permissions group by resource_id having count(*) < 2);
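As an added example (not part of this thread and not passbolt's own code), the audit below runs the same idea as the query above, plus the check the opening post asks for, against an in-memory SQLite copy of the three tables the query touches. It is written against the `permissions` table directly rather than the `users_resources_permissions` view, so it does not depend on that view existing. The column layout is a simplified assumption modelled on the column names in the query, the permission `type` values (1 = read, 7 = update, 15 = owner) are assumed, and every user, group and resource row is constructed sample data. `unshared_resources` lists resources with a single permission row held by a user (the case the query above covers); `sole_owner_resources` lists resources on which one given user, for instance someone leaving the company, is the only owner, even when others can read or update them and the resource therefore would not show up as "unshared".

```python
import sqlite3

# Assumed passbolt permission type values: 1 = read, 7 = update, 15 = owner.
READ, UPDATE, OWNER = 1, 7, 15

# Simplified, assumed table layout (column names follow the query in the thread).
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE resources (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE permissions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    aco TEXT NOT NULL,              -- 'Resource'
    aco_foreign_key TEXT NOT NULL,  -- resources.id
    aro TEXT NOT NULL,              -- 'User' or 'Group'
    aro_foreign_key TEXT NOT NULL,  -- users.id or a group id
    type INTEGER NOT NULL           -- READ, UPDATE or OWNER
);
"""

# Constructed sample data.
USERS = [("u-alice", "alice"), ("u-bob", "bob"), ("u-carol", "carol")]
RESOURCES = [
    ("r-1", "prod-db-root"),   # alice is the only one who can see it
    ("r-2", "client-y-vpn"),   # alice owns it, bob can update but not reassign ownership
    ("r-3", "ops-dashboard"),  # owned by a group, so not tied to one person
    ("r-4", "billing-portal"), # two owners, survives either one leaving
]
PERMISSIONS = [
    ("Resource", "r-1", "User", "u-alice", OWNER),
    ("Resource", "r-2", "User", "u-alice", OWNER),
    ("Resource", "r-2", "User", "u-bob", UPDATE),
    ("Resource", "r-3", "Group", "g-ops", OWNER),
    ("Resource", "r-4", "User", "u-bob", OWNER),
    ("Resource", "r-4", "User", "u-carol", OWNER),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO resources VALUES (?, ?)", RESOURCES)
    conn.executemany(
        "INSERT INTO permissions (aco, aco_foreign_key, aro, aro_foreign_key, type) "
        "VALUES (?, ?, ?, ?, ?)",
        PERMISSIONS,
    )
    conn.commit()
    return conn


def unshared_resources(conn: sqlite3.Connection) -> list:
    """Resources with exactly one permission row, and that row belongs to a user.

    Mirrors the thread's query: a resource shared only with a group has one
    permission row too, but the join on aro = 'User' leaves it out, since a
    group is not a single person.
    """
    return conn.execute(
        """
        SELECT r.id, r.name, u.username
        FROM resources r
        JOIN permissions p ON p.aco = 'Resource' AND p.aco_foreign_key = r.id
        JOIN users u ON p.aro = 'User' AND p.aro_foreign_key = u.id
        WHERE r.id IN (
            SELECT aco_foreign_key FROM permissions
            WHERE aco = 'Resource'
            GROUP BY aco_foreign_key
            HAVING COUNT(*) < 2
        )
        ORDER BY r.name
        """
    ).fetchall()


def sole_owner_resources(conn: sqlite3.Connection, user_id: str) -> list:
    """Resources on which user_id holds the only OWNER permission.

    Read/update grants to other people do not count: they cannot reassign
    ownership once the owner's account is removed, which is the scenario in
    the opening post.
    """
    return conn.execute(
        """
        SELECT r.id, r.name
        FROM resources r
        JOIN permissions p ON p.aco = 'Resource' AND p.aco_foreign_key = r.id
        WHERE p.aro = 'User' AND p.aro_foreign_key = ? AND p.type = ?
          AND (SELECT COUNT(*) FROM permissions q
               WHERE q.aco = 'Resource' AND q.aco_foreign_key = r.id
                 AND q.type = ?) = 1
        ORDER BY r.name
        """,
        (user_id, OWNER, OWNER),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("unshared:", unshared_resources(db))
    print("alice is sole owner of:", sole_owner_resources(db, "u-alice"))
    print("bob is sole owner of:", sole_owner_resources(db, "u-bob"))
```

Running it flags `prod-db-root` as unshared and both `prod-db-root` and `client-y-vpn` as resources that would become orphaned if alice's account were removed, while `billing-portal` is not flagged for bob because carol is a co-owner. Against a real passbolt database the two SELECT statements are the part to keep; the schema and sample rows exist only so the script runs offline.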

@SteveDrakey:

We would like an auto share feature which I guess gives the same result. We don’t want user x to create a password for client y and then go on holiday and we have a problem and we cannot access the passwords for the client.

Related issues: