Help Search

Roles and permissions

System-wide roles

Passbolt proposes two system roles “admin” and “user”. This system is the first line of the authorization mechanism performing checks directly for each user’s actions.

In a nutshell, an administrator manages the instance. In practice it means that they can manage organization-wide settings such as the content of the email notifications or which multiple factor authentication provider is enabled. Another responsibility is to create or delete users, manage groups and group managers, perform synchronization with a user directory, etc.

Settings

Action Admin User
Manage email notification settings Yes No
Manage MFA settings Yes No
Manage LDAP settings / sync Yes No
Choose organization default language Yes No

Users

Action Admin User
Create users Yes No
Rename user Yes Yes (if own)
Update email address Yes No
Delete users Yes No
Promote/Demote admin Yes No
View users Yes Yes
Select user preferred language Yes Yes (if own)

Groups

Action Admin User
Create groups Yes No
Rename groups Yes No
Add user to group See. “Group level roles” See. “Group level roles”
Delete groups Yes No
View groups Yes Yes
View group composition Yes Yes

Others

Resources / Action Admin User
Create resources Yes Yes
Manage resources See “Resource level roles” See “Resource level roles”
Create comments Yes Yes
Delete comments Yes Yes (if own)
Manage folders See “Folder level roles” See “Folder level roles”
Manage tags See “Folder level roles” See “Folder level roles”

Group level roles

Each group must have at least one group manager in charge of adding and removing group members. The administrators can appoint themselves as group administrator or appoint a regular user.

Groups workflow fig. Groups workflow

Due to the nature of the encryption in passbolt, only someone with access to the secrets of a given group can add a member to that group (as they need to be able to decrypt and encrypt the secret for the new member).

Action Group manager Group member
Rename group Yes No
Add user to group Yes No
Remove user to group Yes No
Promote/Demote group manager Yes No

Additional resources:

Resource level roles

Passbolt offers three permissions on the resource level:

  • Owner: can manage share settings, delete, update, read.
  • Update: can update the record and delete.
  • Read: can only read and use the password metadata and secret.
Operation / Folder Permission Owner Update Read
View resource metadata and secret Yes Yes Yes
Edit resource metadata and secret Yes Yes No
Delete resource Yes Yes No
Share resource, e.g. edit permissions Yes No No

Folder Level roles

Behind the scenes, permissions for folders will reuse the same permissions system than the one available for the resources. This will allow the user to associate a set of permissions to one or more folders, while reusing the metaphors the users are already accustomed to.

Like resources, a folder must have an owner permission defined in the folder permissions. Two other permissions types are available: update and read. Each permission type give access to operations as described in the grid below:

Operation / Folder Permission Owner Update Read
View folder permissions Yes Yes Yes
View folder Yes Yes Yes
Rename folder Yes Yes No
Delete folder Yes Yes No
Create an item inside a folder Yes Yes No
Move an item inside a folder Yes Yes No
Edit folder permissions Yes No No

Once an item is inside a folder what can be done with the items does not depend on the folder permission but the item itself, like on a regular file system. For a user to move an item that is inside a folder they must generally at least have update rights on the item and the destination folder.

Operation / Enclosed Item Permission Owner Update Read
Move an item outside the folder Yes Yes Only in some cases. See Approach to personal & shared folder organizations
Edit the resource Yes Yes No
Delete the resource Yes Yes No

Approach to folder permissions inheritance

One of the key requirements is to be able to apply a given folder permission to the items inside it. For example when a user “share” a folder or create a new item in that folder, or drop an existing resource in a folder, the folder permissions will be applied to the items where possible.

The “where possible” is important here. While folders in passbolt can be used to organize resources and apply permissions, folders do not enforce the permission on its enclosed content at all times, but serve as a guide when an operation such as create or move is performed. As we have seen exceptions can be created, i.e. it is possible for a user to have more rights on an item than they have on a given folder. The opposite is also possible, the same way it is possible to create a hidden or restricted file in a shared folder in a traditional filesystem.

One should picture a folder permission list as a permission mask, i.e. a predefined set of group/user rights, that could be applied to the folder content whenever a user is interacting with it. Applying permissions on a folder is the equivalent of selecting all the resources the user has the right to share inside the given folder and apply a new set of permission to this selection. Items where the user does not have access to (or cannot edit the permissions) will be ignored.

This approach is also needed to work with the limitation of the end to end encryption scheme. Indeed only a user that has access to a secret can provide such access to another user.

Additional resources

Not finding what you are looking for? You can also ask the community on the forum.

Talk to a human
🍪   Do you accept cookies for statistical purposes? (Read more) Accept No thanks!