Advanced Access Levels
Website Documentation for your KeePass client and Pleasant Password Server
This section discusses Advanced Access Level Features that some Users may find helpful.
There are situations where you may want other users to have the ability to Grant Access Levels: there may be multiple administrators, multiple department heads, or you may simply want your regular user to be able to share some of their passwords more easily. Our multiple administrators (multi admin) feature handles these situations through the use of Grant Permissions.
On the Access Levels page, you will see that each Access Level lists two columns of permissions. One labelled A for Access and the other labelled G for Grant.
Action Column (A) represents regular Access permissions everyone is familiar with in previous versions of Pleasant Password Server (PPASS). When this Access Level is assigned to a Folder or Entry, it means that the assigned User/Role has permission to do anything the Access Level has set to "true".
Grant Column (G), however, represents our new Grant permissions. When this Access Level is assigned to a Folder or Entry, it means that the assigned User/Role has permission to do anything the Access Level has set to "true". That is, the User/Role will be able to Grant any Access Level that has "true" set in the corresponding Column A values. For example, all Grants are set to true, and all Actions are set to false.
The Grant Only Access Level lets a User/Role assign ANY access level with true or false in Column A since it has "true" set for all G permissions. The G Permissions value allows a User/Role to assign Access Levels that contain the same true G permissions that they have as well. If it were set to false, someone with Grant Only would not be able to Grant any permissions with a true value in the G column. But because Grant Only has true set for the entire G column, it can even allow a User to grant the Full + Grant permission. The default Admin user has Full + Grant set at the very top of the password tree, but they could just as easily be given the Grant Only Access Level instead if they were never expected to use passwords themselves.
It's important to remember that the two columns can basically be looked at completely separately from each other: A tells you what the User/Role can see or do while G tells you what the User/Role can give away.
Experiment with Granting permissions and you are bound to find some interesting uses for them. For example, you can give Granting Permissions without the Permissions G value to your Employees' Private Folders to allow them to share passwords with each other easily and quickly.
Private Folders offer a place for Users to store their passwords by default. You can create Private Folders for your users using the Users & Roles -> Private Folders page . Another way to create Private Folders is by setting the "Automatically create Private Folders for imported Active Directory users" checkbox in the Settings tab. This option only applies for new Active Directory users though. In the Settings tab, you can also find the "Default Access Level set for Private Folders" option. Set the Access Level you want your users to have for their Private Folders. It is up to the Administrator to set this default. In some cases, you may wish to give Grant permissions so that users can share passwords with each other as needed.