Quick Guide
Discover how Pleasant Password Server will enhance KeePass for business
You can control which options are enabled/disabled for Users and Roles in the KeePass for Pleasant Password Server application, by creating Enforced Configuration files.
This functionality was designed to be very flexible and powerful: it provides the ability to edit and import a full KeePass config file, and then apply it to various users/roles.
Navigate to:
-
Advanced -> Client Configuration
Enforced Configuration files allow you to selectively enable/disable features such as:
- Password Export
- Copy Whole Entries (to other KeePass instances)
- Printing
- Displaying the Password on the screen
- The length of time it takes for the Clipboard to be locked and unlocked
An Enforced Configuration file:
- Can apply to either an individual User or to an entire group of people in a Role.
- When applied to a particular User: this always take precedence over any other Rules applied.
- When applied to a Role: can decide which Rule is applied first.
Only one Enforced Configuration file will be applied at a time.
Process Overview
KeePass Enforced Configuration allows us to specify a value for each option, or not.
- Enforced: If the option is specified with a value in the enforced config file, then it will be enforced for the user and the user will not be able to change it,
- Not Enforced: Otherwise if a value is not specified in the enforced config it will not be enforced for the user.
Summary: Save the settings you want in KeePass, export the configuration, double-check the file for the options you want enforce are included, upload to Password Server, and then set the users/roles who will use these enforced settings.
Please note: that KeePass export of configuration, only includes the options which are different from the default value. To enforce an option that is already set to that value by default, then first toggle the value in KeePass and then toggle back in the exported config file.
STEPS:
- Save your desired settings in KeePass for Pleasant -
- e.g. navigate to Tools -> Options -> Policy
- In KeePass select File > Export Configuration.
- Double-Check: That the options that you want to enforce, are specified in the config file. If not, go back to KeePass, toggle the option, export the config, and toggle that option in the file back to the value you want.
- In the Web Client import this file on the Advanced -> Client Configuration page.
- Rename the file by clicking Edit.
- Apply this file to Roles or Users.
Detailed Steps to Create an Enforced Configuration File
-
Create a KeePass Config file:
- Open up KeePass for Pleasant Password Server
- Open up the Options window by clicking on Tools > Options in the menu bar
- Make configuration changes
- Click OK
- Select the Export Configuration options which can be found in the menu bar under File > Export Configuration
-
Double-Check:
-
That the options that you want to enforce, are specified in the config file. If not, go back to KeePass, toggle the option, export the config, and toggle that option in the file back to the value you want.
-
-
Upload the Client Config file:
- Log into the admin interface of Pleasant Password Server
- You can do this by typing your server's address into your web browser, for example:
- Don't forget to include the port number and https
- Sign in with your admin credentials If you're signed in already, ignore this step
- Click on Advanced > Client Configuration
- Upload the client configuration you just created by clicking on the Upload... button
- Below the upload button, a table displaying all the enforced configuration files you have uploaded will be displayed.
- You can rename your configuration file here.
- Log into the admin interface of Pleasant Password Server
-
Assign the Config to users or roles:
- Click Add new record in the table in the User Rules section or the Role Rules* section
- If you're creating a rule that applies to Users:
- Click Add new record at the top of the table in the User Rules section.
- Click on the drop down that says Select a user... and select a user
- click on the drop down that says none and then select the config file you uploaded
- If you're creating a rule that applies to Roles:
- Click Add new record at the top of the table in the Role Rules section.
- Click on the drop down in the second column and select a Role to apply your config file to.
- if you select Everyone your config file will apply to everyone, regardless of their role.
- Click on the drop down in the 4th column and select the config file you've uploaded.
- You may put in a value for Sort Order in the third columns
- Sort order is for when two different config files may apply to a given user in an given role.
- The Config file with the lowest Sort Order will be selected.
-
When you're done configuring your rule, make sure to click the save button
Example: Disabling exporting and printing passwords
If you wanted to prevent your entire password database from being very easily leaked, you probably want to disabled the print and export features of KeePass for Pleasant Password Server.
Note: The "Copy Whole Entries" option also can allow effectively export (by copying entries to another KeePass instance). It is now unchecked by default to prevent entries from being copied out. But you may wish to lock this option.
To do so, follow these steps:
-
Open up KeePass for Pleasant Password Server
- This is the desktop client
-
Open up the options window.
- This can be found by navigating and clicking on Tools > Options in the menu bar.
-
Select the Policy tab if it is not already selected
-
Locate the Export feature. Click on the box to make it unchecked
-
Locate the Print feature. Click on the box to make it uncheck
-
Click OK
-
Select Export Configuration ... from File > Menu
-
Give the file a name.
-
The default name is Export.config.xml
-
-
Double-Check:
-
That the options that you want to enforce, are specified in the config file. If not, go back to KeePass, toggle the option, export the config, and toggle that option in the file back to the value you want.
-
-
Connect to your password server using a web browser
- Type the name of your server into the address bar, for example:
- Type the name of your server into the address bar, for example:
-
Click on the Client Config Tab
-
Click on Advanced > Client Configuration
-
Upload the client configuration you just created by clicking on the Upload... button
- Below the upload button, a table displaying all the enforced configuration files you have uploaded will be displayed.
- You can rename your configuration file here.
-
Click on the Add new record button in the Role Rules Section
-
Select the Everyone or the Users role in the drop down list in the second column
-
Using the drop down list in the last column, select the Config file you just uploaded.
-
Click the Save button.
- You've successfully created a config rule that will prevent users from printing or exporting all of the passwords they have access to.