Version: 7.0

User management

Passwork lets you build a flexible, role- and group-based access model, automate onboarding/offboarding, and collaborate securely with external users.

Scenarios

Simple employee onboarding

Goal: quickly add new employees and automatically assign the right permissions.

Solution:

1. Send the new employee an invite so they can register on their own. You can send it via email or as a unique link with a set expiration date.

2. When creating the invite, pre-assign the groups that the user will automatically be added to after registration.

Tip: You can also add a user manually.

Offboarding and instant access termination

Goal: revoke every access right when an employee leaves the company.

Solution:

1. Block the user or delete their account. When you block a user, they will not be able to log into Passwork and their active sessions will be terminated.

2. Use the “User” and “Threats” filters in the Security Dashboard to find and update the passwords that are at risk after the employee has been offboarded.

Tip: If you use an AD/LDAP integration, manage access through the source group and scheduled synchronization.

Temporary access for external contractors

Goal: grant third-party users access for the duration of a project.

Solution:

1. Create an invite with an expiration date and add the contractor to a project group.

2. If needed, assign a role with the necessary permissions to limit access to specific Passwork sections.

3. Once the project is over, deactivate or delete the group and associated users, then rotate the passwords that were used.

Separation of duties and delegated administration

Goal: assign each department its own administrators without full system-wide rights.

Solution:

1. Create dedicated roles for IT, finance, sales, and other department heads. In the “User management” permission block, enable the options those admins should have access to.

2. Create similar roles for department employees, for example “IT Department — Staff”.

3. In the administrator role, enable Role-based user management and pick the corresponding employee role. This constrains administrators to managing only the employees of their department.

4. Create groups for each department. They will be used to distribute access to vaults and passwords. Administrators will be able to fine-tune an individual employee’s access level when needed.

Principle of least privilege

Goal: restrict users to the minimum permissions required for their work.

Solution:

1. Select a user and configure their vault and folder access levels in User access. The “Read only” level lets them view vaults, folders, and passwords without editing.

2. Review the user’s role permissions and grant access only to features and settings they truly need.

Mass and fast access assignment and redistribution

Goal: change permissions for many users at once.

Solution:

1. Control permissions through the role settings. Updates apply automatically to all linked users.

2. Use groups to control access to vaults and folders. You can add or remove multiple users through the group management menu.

LDAP/AD integration

Goal: centrally manage accounts and groups from the directory.

Solution:

1. Import LDAP users in the LDAP settings section.

2. Map AD groups to Passwork groups so employees automatically receive the right access.

3. Manage users and permissions by updating the AD groups.

Tip: If required, you can prevent changes to users during synchronization.

Temporary handover of duties during manager leave

Goal: temporarily transfer responsibilities without compromising the manager’s login or password.

Solution:

1. In the Roles tab, open the manager’s role and temporarily add the employee who will act on their behalf.

2. Record the expiration date in your internal processes (ticket/calendar) so you can remove the employee from the role when the period ends.
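Because the removal in this scenario depends on an external reminder, a periodic check of the register against current memberships catches grants that outlived their end date. The script below is an added example, not part of Passwork or its documentation: the register layout, ticket IDs, user names, and the membership snapshot are constructed, and the snapshot is assumed to be compiled by hand from the Roles and groups screens. It also covers the contractor and intern groups from the other scenarios.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    ticket: str               # internal ticket/calendar reference (hypothetical)
    user: str
    kind: str                 # "role" or "group"
    target: str               # role or group name
    expires: Optional[date]   # None means nobody recorded an end date


# Constructed register of time-bound grants.
REGISTER = [
    Grant("TCK-101", "j.doe", "role", "Finance - Head", date(2025, 3, 14)),
    Grant("TCK-102", "ext.acme1", "group", "Project Atlas", date(2025, 6, 30)),
    Grant("TCK-103", "intern.k", "group", "Interns", date(2025, 2, 28)),
    Grant("TCK-104", "m.lee", "role", "IT Department - Admin", None),
]

# Constructed snapshot of who currently holds each role or group.
CURRENT = {
    ("role", "Finance - Head"): {"a.manager", "j.doe"},
    ("group", "Project Atlas"): {"ext.acme1"},
    ("group", "Interns"): set(),
    ("role", "IT Department - Admin"): {"m.lee"},
}


def review(register, current, today):
    """Return (ticket, finding) pairs for grants that still need action."""
    findings = []
    for g in register:
        members = current.get((g.kind, g.target), set())
        if g.user not in members:
            continue  # access already removed, nothing to do
        if g.expires is None:
            findings.append((g.ticket, "no expiry recorded"))
        elif g.expires < today:
            days = (today - g.expires).days
            findings.append((g.ticket, f"overdue by {days} days"))
    return findings


if __name__ == "__main__":
    for ticket, finding in review(REGISTER, CURRENT, date(2025, 4, 1)):
        print(ticket, finding)
```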

Limited access for interns

Goal: grant interns access for the duration of their internship.

Solution:

1. Create a group and a role named “Interns”.

2. Edit the role to keep only the required permissions and connect the group to the needed vaults.

3. Send interns an invite and pre-assign the “Interns” group.

4. Once the internship ends, temporarily disable the “Interns” group to revoke access quickly while keeping it available for future use.

FAQ

How are roles different from groups?

Roles are sets of administrative permissions and policies applied to users. Groups manage access to vaults and folders. Roles define what a user can do in the system, while groups define which data they can access.

Who can invite new users?

Users whose role includes the necessary permissions in the User management section. Also see the Invites article.

How do I assign access to hundreds of users quickly?

Use roles and groups. Role changes apply to every linked user, while group membership provides access to vaults and their contents.

How can I limit administrator privileges?

Create a dedicated administrator role and remove access to unneeded system sections (for example, LDAP, system settings, or vault types). Enable “Role-based user management” if you need to limit which users they can manage.

What happens to access when a user’s role changes?

Permissions and policies from the new role apply automatically. Access to data granted through groups remains unchanged unless you also change the user’s groups.

How do I change a user’s access without changing the group settings?

Open User access and adjust their access to vaults or folders. To make the user inherit group access again, select Reset access.

Why does a user still have the old access after switching groups?

They likely received a level different from the group’s default. Go to User access and click “Reset access” for the vaults or folders with individual permissions.

Can a user be added to multiple groups at once?

Yes. Unlike roles, users can belong to multiple groups simultaneously.