We are often asked what is the best way to set up or configure a Password Server. This is a tricky question to answer. Each company is completely different, there fore one answer may not cover every company. So with this article we will lay out the basics that will allow you to decide your own Best Practice!
Understanding Vaults and Scopes
Scopes are used to organize users and vaults. Vaults are assigned to one scope each and users are assigned to one or more scopes. Users can only see vaults in scopes that they are members of. Scopes can only be deleted if they have no vaults as members, and have no users exclusively assigned to them.
Scopes are the “visible” division of Password Server. If you don’t want somebody to see certain resources, creating a scope makes a separate “view” of vaults. This can be used to prevent customers from seeing each other’s company names if they are given limited access to the Password Server. It could also keep executive or administrative vaults out of sight for general technicians and staff.
- 1 scope per client.
- 1+ scopes for internal company passwords depending on team size. (This will depend on your internal usage). There is no requirement for multiple internal scopes.
Note: See this article for creating a new Scope.
Just like files and documents get stored in a folder, passwords get organized into Vaults. Each vault controls who can use those passwords so everybody gets exactly the access they need; no more, no less. The key info with a vault is the name and the scope. The name of a vault is normally a category like “Websites”, “Domain Credentials”, “Networking”. Assigning a vault to a specific scope determines who can see the vault.
- New vault for each category (“Websites”, “Domain Credentials”, “Networking”).
- New vault for separate permissions.
The Vaults tab lets the user access all of the vaults that they are allowed to see, and to create new ones if they are assigned that privilege.
See these Blog post for more help.
Password Server: In The Trenches - Scopes - http://blog.scorpionsoft.com/blog/2013/01/password-server-in-the-trenches-scopes.html
AuthAnvil Password Vault Feature Focus: Scopes - http://blog.scorpionsoft.com/blog/2012/03/password-vault-feature-focus-scopes.html
Shared Vaults can be shared between multiple users. Upon creation they are bound to a certain Scope, or visibility level, and only members with access to that scope can see this vault. They will have one or more Owners to manage user access and permissions. These vaults are the most common as they allow the full range of features for administration and management of passwords, including synchronization and password rotation.
Note: See this article for help creating a Shared Vault.
Personal Vaults provide the ability to synchronize passwords. By default a personal vault is only accessible by the user that created it, but access can also be granted to admins. Organization Administrators are able to see users’ Personal Vaults and they may also request access to them, but there is no way for an admin to forcibly take control of one. This vault type is for limited-access passwords that can be synchronized and used in remote desktop connections, or personal passwords that may need to be viewed by an admin.
If the AuthAnvil Password Server administrator has allowed the permission, users can maintain private vault. These vaults are completely private, and cannot be viewed or seized by administrators, or even shared with other users. Additionally, the user must enter a unique password in order to log into their private vault, so the private vault is kept safe even if the user’s login password is changed or compromised. This password can be changed if the user is logged into the private vault, but cannot be reset if the user forgets it. This means that they will lose access to all of their stored passwords.
You may also want to read these Blog posts.
Password Server: In The Trenches - Scopes http://blog.scorpionsoft.com/blog/2013/01/password-server-in-the-trenches-scopes.html
AuthAnvil Password Vault Feature Focus: Scopes http://blog.scorpionsoft.com/blog/2012/03/password-vault-feature-focus-scopes.html
Understanding Users and Roles
Everyone who needs to log in to AuthAnvil Password Server requires a User. Each username is unique as it is tied to a specific email address. This email will be used for logging in as well as for user notifications (i.e. password expiry, requesting access, permission approval).
Roles provide an easy method to apply configuration to a large group of users, rather than to each user individually. Scopes and Vault permissions can be applied to Roles to allow visibility and access control to specific user templates, such as “Administrator”, “Technician”, and “Client”. Users can also be assigned to multiple roles, and they will always take the best policy available to them.
For example, if you create an “Admin” role which has access to the “Administration” scope, but the “Users” role only has access to the “Default Scope”, a user assigned to both roles will have access to both scopes respectively.
Roles were introduced in AuthAnvil Password Server v1.6. Any customers upgrading from earlier versions will automatically have a role created for each individual scope, mapping up the current scope members with access to that scope
You may also want to read this Blog post. Password Server: In The Trenches - Users and Roles - http://blog.scorpionsoft.com/blog/2013/01/password-server-in-the-trenches-users-and-roles.html
You may also want to read this Blog post.
Password Server: In The Trenches - Users and Roles http://blog.scorpionsoft.com/blog/2013/01/password-server-in-the-trenches-users-and-roles.html
You can subdivide the AuthAnvil Password Server into multiple Organizations. Each Organization is a logically distinct grouping with its own Users, Vaults, Scopes, and Settings. Only Administrators from the first Organization can create new Organization. After they are created, you will see a dropdown on the log in page, allowing Users to select which Organization to log in to.
Creating a new organization makes a completely separate division of passwords, users, logs, admins, and settings completely inaccessible from users on other organizations. This is only used when you are selling a customer access to their own Password Server configuration, but they want to manage it themselves (no administration from your company) and they want you to host it on your installation.
Unless you are selling the Password Server as a separate solution just for your customers to manage their own data (no oversight from your team), we recommend using scopes/roles/vaults and creating a section for your clients to access their own passwords
For more information check out this article. How can I Manage multiple Organizations with AuthAnvil Password Server? - https://helpdesk.kaseya.com/entries/26219237
There are 3 levels of password policies:
- "Default Password Policy" This is the option on the Settings page of PWS. It determines the default policy for a Vault when you create it. It also controls your User passwords for logging into AuthAnvil Password Server.
- "Vault Password Policy" This has all of the same settings as the "Default Password Policy", except it is customized at the vault level. First, the "Default" policy is assigned to the vault. From there you can customize it to fit a specific collection of passwords. This policy determines the constraints for all of the passwords inside that specific vault. (Keep in mind this can be over-ridden if the "ignore policy" box is checked)
- "Password Policy Templates" This one is a new feature to PWS v2.0. Password Policy Templates are custom constraints that are applied to individual passwords inside any vaults. This allows you to customize password generation for a specific record. Just create a password policy on the "Settings" page and on the password record there will be a dropdown to select your password policy.
For more information see the following link. "Password Policy Templates": https://helpdesk.kaseya.com/entries/39502298