Q1. What is the problem that you are trying to solve?
Having clients that use Passbolt to be able to share a folder with their MSP who also uses Passbolt.
Allowing for passwords to be kept in sync between the client and the managed service provider.
Q2 - Who is impacted?
This would affect MSP’s who they themselves and their clients use Passbolt.
Q3 - Why is it important and/or urgent?
It would help MSP’s to keep up-to-date passwords with their clients. The clients would have a copy of the passwords needed in their IT operations.
Q4 - What is your proposed solution? (optional)
One idea on how to implement would be to have the ability to share a folder with a passbolt uri. The receiving passbolt server would need to accept the connection and then set up a two way sync for said folder. Each server would be responsible for sharing out said folder within their system. I believe some identifying tags would need to be displayed so users on both sides are aware that said folder is shared outside of the organization. E.G. This folder is shared with “MSP Company Name” any passwords created in this folder will be accessible to said company.
Since this would pose a high security risk I believe the option to share a folder with an additional passbolt server should be limited to the admins.
Hi @dnamobility Thanks for posting the feature request.
Assuming the folder was shared as you described, how are you imagining the local folder contents would be decrypted remotely if remote users are not users on the local instance?
In the current model, the process of sharing involves encrypting the contents with a user’s public key. But in this case the target user would be on a different passbolt.
Any thoughts on this part of it?
Maybe there would need to be an initial configuration performed by the admins of the two servers. Allowing a secure way to exchange the public keys of the users of each server, or at least the public keys of the client server to the MSP server.
A initial connection sync from the client server to the MSP server to allow the client machine to sync the public keys to the MSP server, setup the ability for the MSP server to share a folder to the client system. This would need to be something that is performed anytime new users/groups are created on the client machine.
The folder could be created and shared out from the MSP server, the sharing settings would then be able to list the groups/users of the client machine to be added.
As an MSP user myself Example NinjaOne - I understand your request about having the opportunity on safely having access for your Staff and the one for the Costumer IT-Staff.
My idea would be as follows:
Central Multi-Tenant Passbolt Server (Self-Hosted or as SaaS from Passbolt) and RBAC - Thru the Power of GEO Blocking / IP-Whitelisting or even VPN Tunnel / Cloudflare Tunnel you can ensure that the Costumer IT-Staff has Secure Access to their Passwords.
The hard-core approach if a costumer leaves your MSP Service you can Export the Passwords for that Tenant and Securely give it to them as they have the power of Passbolt too. (Self-Hosted or even SaaS)
This brings IT-Cost to a minimum for your Company and that for the Tenant. As you only need to configure Users / Tunnel, IP Access and Passbolt RBAC once.
Why that approach?
Costumer IT-Infrastructure Complexity - Some have Air gapped Infrastructures others have Proxys and so on and so on… This would bring that complexity. Down to a minimum for both.
Hope I understood your request as intended.