Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

You should be able to put an expiration date on sharing permission for a password #114

Closed
bluenetinc opened this issue Jul 5, 2017 · 8 comments
Closed

You should be able to put an expiration date on sharing permission for a password #114

bluenetinc opened this issue Jul 5, 2017 · 8 comments
Labels
enhancement requirements wanted

Comments

@bluenetinc
Copy link

Sometimes it becomes necessary to give a user or group access to a password that they normally do not require. (the critical person is on vacation, and someone needs to fill in temporarily) It would be convenient if when sharing to a user/group you could set an expiration date (would default to never), at which time the server would automatically remove the permission for the user/group.
@ktosiek
Copy link

ktosiek commented Jul 5, 2017

Wouldn't the user still get that password (as a copy encrypted with user's key) by email, which defeats the expiration?
Or do you need that for passwords that are rotated often anyway?

@bluenetinc
Copy link
Author

My thoughts are that once there is logging/auditing trails in the future, you could query IF a user actually looked at a password.

We will see when the auditing feature is eventually added. My thought is, let's say you had an employee leave the company. You could run an audit report and show me all the passwords that the user accessed (excluding passwords that had not been accessed since they were last changed). Now you would have a list of all the passwords that required changing due to employee turn-over.

The expiration just removes future access from the password. I'm not assuming they actually "looked" at every password that they had access to, only that they COULD if then needed to (ie: employee B is taking over for employee A, who is on vacation. If they didn't actually ever have to USE any of the passwords, the audit trail would reflect that, and I can assume the password is still secure).

Maybe I'm not understanding how the access is actually controlled, but that was my thinking.

@bluenetinc
Copy link
Author

Oh - I just understood your question - the user getting the key via email... I personally think that is silly to send the password via email, and the passwords should be held in the passbolt vault until requested by the user, so you could have an accurate audit trail of who access which passwords, and when.

@silentsilas
Copy link

Yeah, I also think the password shouldn't be included in the email templates, even if it is encrypted.

@stripthis
Copy link
Member

Will add "As an administrator I can prevent encrypted secret or username to be sent in email notification" as part of PASSBOLT-2284 (merge/rewrite of PR #98)

@stripthis
Copy link
Member

@bluenetinc @PoetiCode With v1.6.2 it is now possible hide username and encrypted secret from the email notifications. Check default.php in app/Config for examples.

@bryanmathers
Copy link

@stripthis - should this be closed?

@stripthis
Copy link
Member

Moved to: https://community.passbolt.com/t/as-a-password-owner-i-can-set-an-expiry-date-on-a-user-access-right-for-a-given-resource/54

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement requirements wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@stripthis @ktosiek @bryanmathers @silentsilas @bluenetinc