Setting up users and roles correctly is one of the most important elements in maintaining the security of your AuthAnvil Password Server. Which passwords a user can access is based on the combined privilege of their own user-level permissions and any role permissions they may have. A user's scopes are also determined by their roles. For more information, check out our previous post on Scopes.
Roles are very similar to Windows User Groups. You can assign any combination of users to a role, and then use that role as the basis for permission assignment in vaults. There are two major components to a role, the scopes and the users.
Selecting a scope for a role means that the role can be used by any vault within that scope. If you wanted to make a single role for all the users of a given client, you could grant them access only to the client scopes you set up for them, while denying them access to scopes belonging to other clients, or your own company.
Adding users is straightforward: any user selected as a member of the role gets all of the permissions that are assigned to that role.
Role and user permissions always combine to give the most permissive result. If a user, Bob, has only Read permission on your Sample Vault, but a role Bob belongs to is given full Owner permission on the Sample Vault, Bob will be treated as a full owner of that vault. This will also override the Requires Approval permission, so be sure to practice least privilege in your user and role assignments.
As a general rule, only give a user a specific permission if they need access beyond what their roles provide. For large groups of users, assign their permissions via roles, and then grant other individuals, like team leaders or managers, the greater permissions they need to perform their tasks on a per-user basis. This makes it easier to avoid accidentally granting permissions you don't intend to, and makes it easier to manage whole groups of users at a time.
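The following is an added worked example, not AuthAnvil's own code, that models the rules described above: a role is only usable by vaults in its scopes, a user's effective permission is the highest of their user-level grant and every applicable role grant, and a role grant overrides a Requires Approval flag on the user-level grant. The permission ordering, the data structures, and the exact reading of "overrides Requires Approval" (approval is only enforced when the user-level grant is the one that actually decides the effective permission) are assumptions made for this illustration. The `role_escalations` audit at the end is the check a defender would run to find users whose role membership quietly lifts them above what was assigned directly.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Permission(IntEnum):
    """Vault permission levels, least to most privileged (assumed ordering)."""
    NONE = 0
    READ = 1
    WRITE = 2
    OWNER = 3


@dataclass
class Role:
    name: str
    scopes: set    # scopes whose vaults may use this role
    members: set   # user names that belong to the role


@dataclass
class Vault:
    name: str
    scope: str
    user_perms: dict = field(default_factory=dict)        # user -> Permission
    role_perms: dict = field(default_factory=dict)        # role name -> Permission
    requires_approval: set = field(default_factory=set)   # users whose user-level grant needs approval


def applicable_roles(user, vault, roles):
    """Roles that both contain the user and are usable by the vault's scope."""
    return [r for r in roles if user in r.members and vault.scope in r.scopes]


def effective_permission(user, vault, roles):
    """Union semantics: the highest of the user-level grant and every applicable role grant."""
    best = vault.user_perms.get(user, Permission.NONE)
    for role in applicable_roles(user, vault, roles):
        best = max(best, vault.role_perms.get(role.name, Permission.NONE))
    return best


def needs_approval(user, vault, roles):
    """Approval is enforced only when the flagged user-level grant is the deciding one;
    an applicable role granting at least as much overrides the flag (assumed semantics)."""
    if user not in vault.requires_approval:
        return False
    user_level = vault.user_perms.get(user, Permission.NONE)
    role_level = max((vault.role_perms.get(r.name, Permission.NONE)
                      for r in applicable_roles(user, vault, roles)),
                     default=Permission.NONE)
    return role_level < user_level


def role_escalations(vault, roles, users):
    """Audit: users whose effective permission exceeds their explicit user-level grant."""
    findings = []
    for user in users:
        direct = vault.user_perms.get(user, Permission.NONE)
        effective = effective_permission(user, vault, roles)
        if effective > direct:
            findings.append((user, direct.name, effective.name))
    return findings


# Constructed sample data: one client scope ("acme") and one internal scope.
ROLES = [
    Role("acme-staff", scopes={"acme"}, members={"bob", "alice"}),
    Role("internal-admins", scopes={"internal"}, members={"bob"}),
]

# Bob's own grant is Read with Requires Approval, but his role is Owner here.
SAMPLE_VAULT = Vault("Sample Vault", scope="acme",
                     user_perms={"bob": Permission.READ},
                     role_perms={"acme-staff": Permission.OWNER},
                     requires_approval={"bob"})

# acme-staff is listed on this vault, but the vault is outside that role's scope,
# so the listing has no effect; only internal-admins applies.
INTERNAL_VAULT = Vault("Internal Vault", scope="internal",
                       role_perms={"acme-staff": Permission.OWNER,
                                   "internal-admins": Permission.WRITE})


if __name__ == "__main__":
    for vault in (SAMPLE_VAULT, INTERNAL_VAULT):
        for user in ("bob", "alice"):
            print(vault.name, user,
                  effective_permission(user, vault, ROLES).name,
                  "approval" if needs_approval(user, vault, ROLES) else "no-approval")
        print(vault.name, "escalations:", role_escalations(vault, ROLES, ["bob", "alice"]))
```

Running it shows Bob treated as Owner of the Sample Vault with no approval step despite his Read-with-approval user grant, Alice gaining Owner purely through role membership, and Alice getting nothing on the Internal Vault because her role is out of scope there.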
This article originally appeared written by Cody Marbach in the Scorpion Software blog