Exporting Passwords for Secure Offline Access

PMP provides multiple export options for secure offline access and safekeeping of password information.

 

 

Administrators can decide which option (encrypted HTML or auto-sync to mobile devices) is to be used in their organization. In addition, export can be enabled or disabled for specific users or user groups based on requirements.

In all the options above, you can export the resources, accounts and passwords for offline access.

Administrative Setting for Exporting of Passwords

Administrators have to determine whether to allow the users in their organization to export passwords using any of the three options. Administrators can change this setting at any time, as needed. The settings made here take effect globally for all users and administrators.

This can be done from Admin >> Customize >> Export Passwords - Offline Access GUI.

 

By default, the first two options - exporting passwords in plain-text to .xls and exporting passwords to an encrypted HTML file - are enabled for all users and administrators. You can disable this permission by deselecting the respective check-box. The third option, which allows users to export the passwords to an encrypted HTML file and automatically sync it to their mobile devices through Dropbox, has to be enabled if you want this option.

Settings for exporting resources in plain-text to a .xls file

While allowing the users and administrators to export the passwords, you have the option to export only the resource and account details and prevent the passwords from being printed in plain-text in the .xls file. This can be done by deselecting the check-box "Include passwords in plain-text in the exported file".

Settings for exporting passwords in encrypted HTML file

Password Policy for offline copy

 

You can export passwords to an encrypted HTML file so that you can view them even when there is no internet connection. This offline option is very secure. The contents of the file for offline access are encrypted using the AES 256-bit algorithm with the passphrase supplied by the user when exporting the passwords. PMP does not store this passphrase anywhere.

As the name itself indicates, the passphrase is different from the usual passwords. Since these phrases are not stored anywhere, you must be able to remember them. A weak passphrase is not desirable from the standpoint of security. Your passphrase can be up to 32 characters long, including blank spaces.

Administrators can enforce standard policies for specifying the passphrases. The required policy can be selected from the three default password policies of PMP or the custom policies created by you, if any. You can select the desired policy here in the "Encryption Passphrase Policy". PMP has created a policy named "Offline Password File" and this policy is enforced by default.

 

Inactivity Logout

 

You can also specify the inactivity logout period in minutes, after which the user will be automatically logged out of the offline file while viewing the passwords in the browser. You can specify the timeout in the text field "Allowed Inactivity Period".

Settings for syncing encrypted HTML to mobile devices through Dropbox

If you want to enable this option for the users in your organization, select the checkbox "Allow automatic syncing of encrypted HTML file to users' mobile device through Dropbox". Then, click the link "Test Dropbox connection for this PMP installation". This operation performs the necessary background processes to enable users to upload the encrypted HTML file to their Dropbox account. It checks the proxy settings (if applicable in your environment) and tries to connect to the Dropbox app named "ManageEngine Password Manager Pro" created by PMP for this purpose.

Also, you can specify the places where the export option should be shown. By default, the options are displayed at three places - Home Tab, Resources Tab and Resource Groups Tab - at the extreme right corner. You can select or deselect any location at any time.

Important Note: All the above options take effect globally for all users and administrators in the organization. If you want to enable or disable specific options for specific users, follow the 'User-specific settings' procedure as explained below.

User-specific settings

If you want to restrict certain users from having one or all of the options for exporting passwords, or if you want to allow only specific users to have this permission, you need to configure user-specific settings from Admin >> Users >> Export Passwords Settings.

You may select or deselect the check-box against any of the three options to enable or disable the specific option. User-specific settings are subject to the global administrative setting as described above. That means, if any of the options has been disabled globally, it cannot be enabled for a specific user alone. Conversely, if the option has been enabled globally, it can be enabled or disabled at will for specific users.

Imposing restrictions for users

You can also impose fine-grained restrictions for the users when enabling/disabling options to export passwords.

 

Least privilege model for security reasons

To ensure security, PMP adopts the 'least privilege' model for users. For example, assume that a particular user is part of three user groups. Also, assume that there is a group-level restriction for one of the groups - the members of that group are not allowed to export passwords in plain-text. In this scenario, even if the user has permission to export passwords in plain-text at the individual level, the restriction imposed on one of the groups of which the user is a part will take precedence. The above rule applies for all types of restrictions as explained above.
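The precedence rules described above (a global setting gates user-specific settings, and a restriction on any one group overrides an individual grant) can be modelled as follows. This is an added illustration for auditing or reasoning about effective permissions, not PMP code or a PMP API; every name and the sample data are hypothetical, and it assumes a missing user or group entry means "no restriction at that level".

```python
# Added illustration of the precedence rules on this page; not PMP code.
# EXPORT_OPTIONS, effective_export_rights and the sample data are hypothetical.

EXPORT_OPTIONS = ("plaintext_xls", "encrypted_html", "dropbox_sync")


def effective_export_rights(global_cfg, user_cfg, group_cfgs):
    """Return {option: (allowed, deciding_layer)} for one user.

    global_cfg: {option: bool}                global administrative setting
    user_cfg:   {option: bool}                user-specific setting
    group_cfgs: {group_name: {option: bool}}  per-group restrictions
    Assumption: an option missing from user_cfg or a group means
    "no restriction at that level".
    """
    result = {}
    for opt in EXPORT_OPTIONS:
        if not global_cfg.get(opt, False):
            # Disabled globally: cannot be enabled for a single user.
            result[opt] = (False, "global")
            continue
        denying = sorted(name for name, cfg in group_cfgs.items()
                         if cfg.get(opt, True) is False)
        if denying:
            # A restriction on any one group overrides the individual grant.
            result[opt] = (False, "group:" + denying[0])
        elif not user_cfg.get(opt, True):
            result[opt] = (False, "user")
        else:
            result[opt] = (True, "user")
    return result


# Constructed sample: the page's defaults (first two options enabled globally,
# Dropbox sync not enabled), and a user who belongs to three groups, one of
# which forbids plain-text export.
SAMPLE_GLOBAL = {"plaintext_xls": True, "encrypted_html": True,
                 "dropbox_sync": False}
SAMPLE_USER = {"plaintext_xls": True, "encrypted_html": True,
               "dropbox_sync": True}
SAMPLE_GROUPS = {"dba": {}, "helpdesk": {"plaintext_xls": False}, "netops": {}}

if __name__ == "__main__":
    rights = effective_export_rights(SAMPLE_GLOBAL, SAMPLE_USER, SAMPLE_GROUPS)
    for opt, (allowed, layer) in rights.items():
        print(f"{opt:15} {'ALLOW' if allowed else 'DENY':5} decided by {layer}")
```

The deciding layer in the result shows which setting an administrator would have to change to alter the outcome for that user.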

Exporting Resources

Passwords can be exported by users and administrators as per the settings made by the PMP administrator. If you have permission to export passwords through any or all of the export options, you will see the "Export Passwords" button at the right-hand corner of the 'Home Tab', 'Resources Tab' or 'Resource Groups' tab, or of all these tabs, in the GUI (if you are an administrator/password administrator). If your role is 'Password User', you will see this option in the right-hand corner of the 'Enterprise' tab.

Exporting Passwords

Option 1: Exporting resources in plain-text in a spreadsheet

Note: If the resources/accounts/passwords contain non-English characters, the application in which you open the exported resources should support UTF-8 encoding.

Option 2: Exporting passwords as encrypted HTML

Option 3: Automatically syncing the encrypted HTML to users' mobile devices through Dropbox




©2012, ZOHO Corp. All Rights Reserved.