Users can be grouped together for easier management. User grouping helps in carrying out operations in bulk for all the resources of the group. The resources added to Password Manager Pro can be quickly assigned to a user group instead of choosing each user individually.
To add user groups,
- Navigate to "Users" tab and switch to 'User groups' tab.
- Click "Add Group" button.
- In the pop-up form that appears, enter a name for the user group.
- Optionally, you can provide a description about the group being created. This would be helpful for future reference.
- Click "Save & Proceed".
- A new window will open where you can add desired users to the group. Alternatively, you can also add users to the group later from'Associate Users' column.
Importing user groups from Active Directory (AD)
You can import specific user groups and organizational units (OUs) from AD and retain the same user group structure in Password Manager Pro. You can even choose to synchronize the user group structure in Password Manager Pro with that of AD at periodic intervals. Refer to the AD integration section for more details.
Settings for user groups
In order to achieve high level of security, Password Manager Pro provides the option to configure the following settings for user groups. User group settings can be changed from User Groups >> Actions icon (of desired group) >> User Group Privileges. A dialog box will open, as shown in the image below.
You can enable or disable any of the settings shown in the above window and the changes will be applicable for the users who are part of the selected user group. Few of the settings are explained below:
Allow to manage and export personal passwords
Password Manager Pro provides personal password management feature as a value addition for individual users to manage their personal passwords such as credit card PIN numbers, bank accounts etc. while using the software for enterprise password management. The personal password management section belongs exclusively to the individual users. For security reasons, if you do not wish to allow personal password management for a group of PMP users, you can simply disable the option "Manage personal passwords" in the User Group Privileges window. Once you do this, the 'Personal' tab will not appear in the PMP GUI for all the members of that particular group.
Apart from this, there is also another option "Export personal passwords". This option will allow users of the group to export the personal passwords that they store in Password Manager Pro. For security reasons, if you do not wish to allow export option for a user group, you can simply disable it in the User Group Settings window.
Permit group members to grant 'Full Access' of their dynamic resource groups to others
By default, permission to grant 'Full Access' for dynamic resource groups will be disabled in the User Group Settings window. To enable it, you need to first carry out a configuration setting at the user group level.Why is the setting disabled by default?
The main reason is because 'Full Access' for dynamic resource groups is fraught with a risk of exploitation. There is a possibility that an administrator, password administrator or a privileged administrator could gain unauthorized Full Access permission for resources that are not allotted to them by intelligently creating a series of Resource Groups specifying certain matching criteria for the condition "Resource name contains".
Security best practice: With regards to this setting, we recommend that you create a user group containing only the administrators/password administrators/privileged administrators who require the authorization to grant Full Access permission for their dynamic resource groups with other users. After creating the group, enable the setting "Permit group members to grant 'Full Access' of their dynamic resource groups to others" under User Group Settings window.
Include passwords in plain text in the exported file
When a user exports Password Manager Pro resources to a CSV file, by default, password of the accounts are included in plain text. In case, for security reasons, you wish not to allow the members of a specific user group to export passwords during resource import, you can do disable the option by carrying out the following steps:
- Navigate to Users tab, and switch to Groups tab.
- Click the icon "Actions" against the desired group and select "Change Offline Access Settings" from the drop down list.
- In the pop-up form that appears, disable the checkbox against the field "Include passwords in plain text in the exported file".
- Click "Save".
Managing User Groups
Editing a user group
You can edit an existing user group to add more users to the group or remove existing users.To edit a user group,
- Navigate to "User Groups" tab.
- Click the "Actions" icon present against the required group and select "Edit Group Attributes".
- In the pop-up form that opens, you can change the group name and description.
- If you want to add new users to the group or remove previously added users from the group, click "Associate Users" icon and execute the changes.
- Click "Save".
Deleting User Group
You can delete an existing user group in Password Manager Pro. When you do so, the group will no longer exist. The group level settings done for that group will no longer apply for the users who were members of that group. Deletion of user group will not have any impact on the resources stored in Password Manager Pro. The resource shares done for the group will also vanish.
To delete a user group,
- Naviagte to "User Groups" tab.
- Select the required user group.
- Click the "Delete" button.
- In the pop-up form that appears, click "OK" to confirm.