
Roles and Permissions

System-wide roles

Passbolt provides two system-wide roles, "admin" and "user". This role is the first line of the authorization mechanism: it is checked directly on every action a user performs, before any group, resource or folder permission comes into play.

In a nutshell, an administrator manages the instance. In practice this means they can manage organization-wide settings, such as the content of email notifications or which multi-factor authentication provider is enabled. Administrators are also responsible for creating and deleting users, managing groups and group managers, synchronizing with a user directory, and so on.

Settings

Action                               | Admin | User
Manage email notification settings   | Yes   | No
Manage MFA settings                  | Yes   | No
Manage LDAP settings / sync          | Yes   | No
Choose organization default language | Yes   | No

Users

Action                          | Admin | User
Create users                    | Yes   | No
Rename user                     | Yes   | Yes (if own)
Update email address            | Yes   | No
Delete users                    | Yes   | No
Promote/Demote admin            | Yes   | No
View users                      | Yes   | Yes
Select user preferred language  | Yes   | Yes (if own)

Groups

Action                  | Admin                    | User
Create groups           | Yes                      | No
Rename groups           | Yes                      | No
Add user to group       | See "Group level roles"  | See "Group level roles"
Delete groups           | Yes                      | No
View groups             | Yes                      | Yes
View group composition  | Yes                      | Yes

Others

Action             | Admin                       | User
Create resources   | Yes                         | Yes
Manage resources   | See "Resource level roles"  | See "Resource level roles"
Create comments    | Yes                         | Yes
Delete comments    | Yes                         | Yes (if own)
Manage folders     | See "Folder level roles"    | See "Folder level roles"
Manage tags        | See "Folder level roles"    | See "Folder level roles"

Group level roles

Each group must have at least one group manager, who is in charge of adding and removing group members. An administrator can appoint themselves as group manager or appoint a regular user.

[Figure: Groups workflow]

Because of passbolt's end-to-end encryption, only someone who already has access to the secrets shared with a given group can add a member to that group: they must decrypt each secret and re-encrypt it for the new member's key.

Action                         | Group manager | Group member
Rename group                   | Yes           | No
Add user to group              | Yes           | No
Remove user from group         | Yes           | No
Promote/Demote group manager   | Yes           | No


Resource level roles

Passbolt offers three permission levels on a resource:

  • Owner: can manage share settings (edit permissions), delete, update and read.
  • Update: can update and delete the record.
  • Read: can only read and use the password metadata and secret.

Operation / Resource Permission          | Owner | Update | Read
View resource metadata and secret        | Yes   | Yes    | Yes
Edit resource metadata and secret        | Yes   | Yes    | No
Delete resource                          | Yes   | Yes    | No
Share resource, i.e. edit permissions    | Yes   | No     | No

Folder Level roles

Behind the scenes, folder permissions reuse the same permission system as resources. This lets a user associate a set of permissions with one or more folders while relying on the concepts they are already accustomed to.

Like a resource, a folder must have at least one owner permission defined in its permission list. Two other permission types are available: update and read. Each permission type gives access to the operations described in the grid below:

Operation / Folder Permission    | Owner | Update | Read
View folder permissions          | Yes   | Yes    | Yes
View folder                      | Yes   | Yes    | Yes
Rename folder                    | Yes   | Yes    | No
Delete folder                    | Yes   | Yes    | No
Create an item inside a folder   | Yes   | Yes    | No
Move an item inside a folder     | Yes   | Yes    | No
Edit folder permissions          | Yes   | No     | No

Once an item is inside a folder, what can be done with the item depends on the item's own permissions, not on the folder's, as on a regular file system. To move an item that is inside a folder, a user must generally have at least update rights on both the item and the destination folder.

Operation / Enclosed Item Permission   | Owner | Update | Read
Move an item outside the folder        | Yes   | Yes    | Only in some cases. *
Edit the resource                      | Yes   | Yes    | No
Delete the resource                    | Yes   | Yes    | No

(*) See Approach to personal & shared folder organizations

Approach to folder permissions inheritance

One of the key requirements is to be able to apply a given folder's permissions to the items inside it. For example, when a user shares a folder, creates a new item in that folder, or drops an existing resource into it, the folder permissions are applied to the items where possible.

The "where possible" is important here. While folders in passbolt can be used to organize resources and apply permissions, folders do not enforce permissions on their enclosed content at all times; they serve as a guide when an operation such as create or move is performed. As we have seen, exceptions can exist: a user can have more rights on an item than on the folder containing it. The opposite is also possible, just as it is possible to create a hidden or restricted file inside a shared directory on a traditional filesystem.

One should picture a folder's permission list as a permission mask, i.e. a predefined set of group/user rights that can be applied to the folder's content whenever a user interacts with it. Applying permissions on a folder is equivalent to selecting all the resources inside that folder which the user has the right to share, and applying the new set of permissions to that selection. Items the user cannot access (or whose permissions they cannot edit) are ignored.

This approach is also needed to work within the limitations of the end-to-end encryption scheme: only a user who has access to a secret can grant that access to another user.

A user with the update permission on a secret is able to move it from one folder to another. If the destination folder is shared with more users, those users will not be given access to the secret, because sharing a secret requires the owner permission on it and an update user cannot change its permissions. To ensure a secret inherits the permissions you expect, have a user with the owner permission on the secret move it to the new folder.
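The following is an added example, not passbolt code, that models the rules described in the resource and folder grids above and in this section: three permission levels, a share operation that requires the owner level plus a decryptable copy of the secret, and folder permissions applied as a mask only "where possible". The users alice, bob and carol, the folder and resource names, and the helper function names are constructed for the example; the numeric codes 1/7/15 mirror the permission type values used by the passbolt API for read/update/owner, but only their ordering matters here.

```python
"""In-memory model of passbolt's permission mask (added example, not passbolt code).

It models the rules on this page: three permission levels, a share operation
that needs OWNER plus a decryptable copy of the secret, and folder
permissions applied as a mask "where possible" on create/move.
"""
from dataclasses import dataclass, field

# Permission levels. The numbers mirror the type codes used by the passbolt
# API (read=1, update=7, owner=15); only their ordering matters in this model.
READ, UPDATE, OWNER = 1, 7, 15


@dataclass
class Folder:
    name: str
    perms: dict = field(default_factory=dict)  # user -> level


@dataclass
class Resource:
    name: str
    perms: dict = field(default_factory=dict)  # user -> level
    # Users holding a copy of the secret encrypted for their own key (E2E model).
    keys: set = field(default_factory=set)
    folder: str = ""  # name of the enclosing folder, "" if none


def level(aco, user):
    """Permission level of `user` on a resource or folder (0 = no access)."""
    return aco.perms.get(user, 0)


def can(user, aco, op):
    """Map the operation grids on this page onto the three levels."""
    lvl = level(aco, user)
    if op in ("view", "view_permissions"):
        return lvl >= READ
    if op in ("edit", "delete", "rename", "create_inside", "move_inside"):
        return lvl >= UPDATE
    if op == "share":
        return lvl >= OWNER
    raise ValueError(f"unknown operation {op!r}")


def share(actor, res, new_perms):
    """Replace a resource's permissions.

    Needs OWNER on the resource, a decryptable copy of the secret (you cannot
    re-encrypt what you cannot decrypt) and at least one owner left afterwards.
    """
    if not can(actor, res, "share") or actor not in res.keys:
        return False
    if OWNER not in new_perms.values():
        return False
    res.perms = dict(new_perms)
    res.keys = set(new_perms)  # secret re-encrypted for every listed user
    return True


def apply_folder_mask(actor, folder, resources):
    """Apply the folder's permissions to each enclosed item the actor can share.

    Items the actor cannot share are skipped, not failed: this is the
    "where possible" behaviour described on the page.
    """
    applied, skipped = [], []
    for res in resources:
        if res.folder != folder.name:
            continue
        (applied if share(actor, res, folder.perms) else skipped).append(res.name)
    return applied, skipped


def move(actor, res, dest):
    """Move needs UPDATE on the item and UPDATE on the destination folder.

    Returns (moved, inherited): the move can succeed while the mask is
    silently not applied because the actor cannot share the item.
    """
    if not can(actor, res, "edit") or not can(actor, dest, "move_inside"):
        return False, False
    res.folder = dest.name
    applied, _ = apply_folder_mask(actor, dest, [res])
    return True, res.name in applied


def demo():
    """Scenario: an UPDATE user moves a secret into a shared folder."""
    alice, bob, carol = "alice", "bob", "carol"  # constructed sample users
    shared = Folder("Shared", {alice: OWNER, bob: UPDATE, carol: READ})
    res = Resource("db-password", {alice: OWNER, bob: UPDATE}, {alice, bob}, "Private")
    # Bob may move (UPDATE on item and folder) but cannot share: carol gets nothing.
    moved, inherited = move(bob, res, shared)
    after_bob = (moved, inherited, level(res, carol), carol in res.keys)
    # Alice is owner: the same move applies the mask and grants carol read.
    moved, inherited = move(alice, res, shared)
    after_alice = (moved, inherited, level(res, carol), carol in res.keys)
    return after_bob, after_alice


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry this section warns about: bob's move succeeds but returns `inherited=False` and carol still has neither a permission nor an encrypted copy of the secret, whereas alice's move returns `inherited=True` and carol ends up with read access. The `share` check that refuses a mask with no owner left mirrors the rule that every resource and folder must keep at least one owner.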
