Roles and permissions
Passbolt proposes two system roles “admin” and “user”. This system is the first line of the authorization mechanism performing checks directly for each user’s actions.
In a nutshell, an administrator manages the instance. In practice it means that they can manage organization-wide settings such as the content of the email notifications or which multiple factor authentication provider is enabled. Another responsibility is to create or delete users, manage groups and group managers, perform synchronization with a user directory, etc.
|Manage email notification settings||Yes||No|
|Manage MFA settings||Yes||No|
|Manage LDAP settings / sync||Yes||No|
|Choose organization default language||Yes||No|
|Rename user||Yes||Yes (if own)|
|Update email address||Yes||No|
|Select user preferred language||Yes||Yes (if own)|
|Add user to group||See. “Group level roles”||See. “Group level roles”|
|View group composition||Yes||Yes|
|Resources / Action||Admin||User|
|Manage resources||See “Resource level roles”||See “Resource level roles”|
|Delete comments||Yes||Yes (if own)|
|Manage folders||See “Folder level roles”||See “Folder level roles”|
|Manage tags||See “Folder level roles”||See “Folder level roles”|
Group level roles
Each group must have at least one group manager in charge of adding and removing group members. The administrators can appoint themselves as group administrator or appoint a regular user.
Due to the nature of the encryption in passbolt, only someone with access to the secrets of a given group can add a member to that group (as they need to be able to decrypt and encrypt the secret for the new member).
|Action||Group manager||Group member|
|Add user to group||Yes||No|
|Remove user to group||Yes||No|
|Promote/Demote group manager||Yes||No|
Resource level roles
Passbolt offers three permissions on the resource level:
- Owner: can manage share settings, delete, update, read.
- Update: can update the record and delete.
- Read: can only read and use the password metadata and secret.
|Operation / Folder Permission||Owner||Update||Read|
|View resource metadata and secret||Yes||Yes||Yes|
|Edit resource metadata and secret||Yes||Yes||No|
|Share resource, e.g. edit permissions||Yes||No||No|
Folder Level roles
Behind the scenes, permissions for folders will reuse the same permissions system than the one available for the resources. This will allow the user to associate a set of permissions to one or more folders, while reusing the metaphors the users are already accustomed to.
Like resources, a folder must have an owner permission defined in the folder permissions. Two other permissions types are available: update and read. Each permission type give access to operations as described in the grid below:
|Operation / Folder Permission||Owner||Update||Read|
|View folder permissions||Yes||Yes||Yes|
|Create an item inside a folder||Yes||Yes||No|
|Move an item inside a folder||Yes||Yes||No|
|Edit folder permissions||Yes||No||No|
Once an item is inside a folder what can be done with the items does not depend on the folder permission but the item itself, like on a regular file system. For a user to move an item that is inside a folder they must generally at least have update rights on the item and the destination folder.
|Operation / Enclosed Item Permission||Owner||Update||Read|
|Move an item outside the folder||Yes||Yes||Only in some cases. See Approach to personal & shared folder organizations|
|Edit the resource||Yes||Yes||No|
|Delete the resource||Yes||Yes||No|
Approach to folder permissions inheritance
One of the key requirements is to be able to apply a given folder permission to the items inside it. For example when a user “share” a folder or create a new item in that folder, or drop an existing resource in a folder, the folder permissions will be applied to the items where possible.
The “where possible” is important here. While folders in passbolt can be used to organize resources and apply permissions, folders do not enforce the permission on its enclosed content at all times, but serve as a guide when an operation such as create or move is performed. As we have seen exceptions can be created, i.e. it is possible for a user to have more rights on an item than they have on a given folder. The opposite is also possible, the same way it is possible to create a hidden or restricted file in a shared folder in a traditional filesystem.
One should picture a folder permission list as a permission mask, i.e. a predefined set of group/user rights, that could be applied to the folder content whenever a user is interacting with it. Applying permissions on a folder is the equivalent of selecting all the resources the user has the right to share inside the given folder and apply a new set of permission to this selection. Items where the user does not have access to (or cannot edit the permissions) will be ignored.
This approach is also needed to work with the limitation of the end to end encryption scheme. Indeed only a user that has access to a secret can provide such access to another user.
Other frequently asked questions in the same category
- How to install and remove browser extensions
- How to create and setup an account
- What can I do if my registration token expired?
- How can I change the profile picture
- How to copy a password to clipboard
- Password basics
- Managing your favorites
- How to share passwords
- How to import passwords from a csv or kdbx file
- How to disable your browser/mobile built-in password manager
- How to use tags (PRO)
- Roles and permissions FAQ
- Roles and permissions
- How to subscribe to the account recovery program?
- How to review an account recovery request
- How to generate an OpenPGP key
- How to recover my passphrase?
- How to recover an account?