General Infrastructure Explanation
Scopes are the visible divisions of Password Server. If you don't want somebody to see certain resources, creating a scope makes a separate view of vaults. This can be used to prevent customers from seeing each other's company names if they are given limited access to the Password Server. It can also keep executive or administrative vaults out of sight of general technicians and staff.
- 1 scope per client
- 2-4 scopes for internal company passwords depending on team size
Just like files and documents get stored in a folder, passwords get organized into Vaults. Each vault controls who can use those passwords, so everybody gets exactly the access they need: no more, no less. The key properties of a vault are its name and its scope. The name of a vault is normally a category such as Websites, Domain Credentials, or Networking. Assigning a vault to a specific scope determines who can see the vault.
- New vault for each category (Websites, Domain Credentials, Networking)
- New vault for separate permissions
A role is simply a user group. Rather than applying permissions to one person, add them to a role and apply permissions to everybody in that role at once.
- Roles should reflect your internal teams or departments (Sales, Technicians, Executives)
Creating a new organization makes a completely separate division of passwords, users, logs, admins, and settings that is inaccessible to users in other organizations. This is only used when you are selling a customer access to their own Password Server configuration, they want to manage it themselves (no administration from your company), and they want you to host it on your installation.
- Unless you are selling the Password Server as a separate solution just for your customers to manage their own data (no oversight from your team), we recommend using scopes/roles/vaults and creating a section for your clients to access their own passwords
There are 3 levels of password policies:
1. "Default Password Policy"
This is the option on the Settings page of PWS. It determines the default policy for a Vault when you create it. It also controls your User passwords for logging into AuthAnvil Password Server.
2. "Vault Password Policy"
This has all of the same settings as the "Default Password Policy", except it is customized at the vault level. First, the "Default" policy is assigned to the vault. From there you can customize it to fit a specific collection of passwords. This policy determines the constraints for all of the passwords inside that specific vault. (Keep in mind this can be overridden if the "ignore policy" box is checked.)
3. "Password Policy Templates"
This is a new feature in PWS v2.0. Password Policy Templates are custom constraints that are applied to individual passwords inside any vault. This allows you to customize password generation for a specific record. Just create a password policy on the "Settings" page, and on the password record there will be a dropdown to select your password policy.
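The following is an added illustration, not AuthAnvil code, that models how the three policy levels described above layer for a single password record. The constraint fields (`min_length`, `require_digit`, `require_symbol`), the helper names, and the choice to treat "ignore policy" as a per-record flag that takes precedence are all assumptions made for the sketch.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Policy:
    # Constraint fields are assumptions; the page does not list the real settings.
    min_length: int = 12
    require_digit: bool = True
    require_symbol: bool = False

    def violations(self, password: str) -> list:
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_symbol and all(c.isalnum() for c in password):
            problems.append("no symbol")
        return problems

@dataclass
class Vault:
    name: str
    policy: Policy

@dataclass
class Record:
    vault: Vault
    template: Optional[Policy] = None   # level 3: per-record template
    ignore_policy: bool = False          # assumed to be a per-record flag

def new_vault(name: str, default: Policy, **overrides) -> Vault:
    # Level 1 -> 2: the vault starts from the default policy, then is customized.
    return Vault(name, replace(default, **overrides))

def check(record: Record, password: str):
    # Returns (which level applied, list of violations).
    if record.ignore_policy:
        return "ignored", []
    if record.template is not None:
        return "template", record.template.violations(password)
    return "vault", record.vault.policy.violations(password)

if __name__ == "__main__":
    default = Policy()                                   # constructed sample values
    net = new_vault("Networking", default, min_length=20, require_symbol=True)
    legacy = Policy(min_length=8)
    for rec in (Record(net), Record(net, template=legacy), Record(net, ignore_policy=True)):
        print(check(rec, "Switch01"))
```

Records that report "ignored" are the ones an audit should review first, since no vault constraint applies to them.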
For more information see the following link under "Configuring the AuthAnvil Password Server" and search for "Password Policy Templates":