Skip to main content
Version: 7.0

Vault management

In Passwork 7.1 you can create custom vault types with flexible settings tailored to your organization's needs:

  • For each vault type you can assign administrators, set restrictions on creating new vaults, and define the access level of creators
  • When you create a vault or change its type, select administrators will automatically get access to it, and other administrators won't be able to lower their access level or remove them from the vault

The new feature lets you create different vault types for different departments or projects, assign responsible administrators, and configure permissions accordingly.

Scenarios

Emergency access recovery

Goal: make it possible to recover access to vaults that organization owner doesn't have access to.

Solution:

1

Create a special user (for example, 'Service account').

2

Add them to administrators of corresponding vault types.

3

Block the user or disable their authorization methods.

4

Save the master password offline (for example, on a physical medium inside an infosec director's office vault).

5

If needed to restore access to a vault:

  1. Enable authorization for the service account;
  2. Log in under it and access the data you need;
  3. Create a new master password.

Disable private vaults

Goal: restrict the ability to create private vaults.

Solution:

1

Go to vaults settings and open User vaults type.

2

In Who can create vaults section remove all users except for those, who still will be able to create private vaults.

Corporate vaults with mandatory administrators

Goal: all vaults that employees create should include corporate administrators

Solution:

1

Go to vaults settings and create a new vault type.

2

In Administrators section add the relevant users. They will be automatically added to the appropriate vaults and cannot be demoted or disconnected from the vaults.

Creating personal vaults

Goal: allow employees to create their own personal vaults, but not invite other users to them.

Solution:

1

Go to Vaults settings and open the type creation menu.

2

Create a new type with the Full access level for the creator — it doesn't allow to invite other users.

As custom vault types require setting corporate administrators, you can:

  • Appoint a special service account as an administrator for emergency recovery
  • Set the necessary corporate administrators who will have permanent access to such vaults

Delegating administrative duties

Goal: configure the system so that different departments have their own administrators.

Solution:

1

Go to vaults settings and open the type creation menu.

2

Create separate vault types for each department and connect the corresponding roles. Head of IT operations will be able to create and manage IT vaults, same for sales director and vaults of their department. This will help avoid using a single global administrator for all vaults.

Limited vault management

Goal: prevent administrators from viewing the list of all organization vaults, managing vault types, and access level settings.

Solution:

1

Go to role settings and open the Administrator role.

2

In the Vaults section edit the corresponding settings. You can restrict access either to individual tabs of vaults settings, or the entire page.

FAQ

How do vault types differ from regular vaults?

Regular vaults are containers for passwords. Vault types — are rules and templates which control how vaults of a particular type are created and managed.

Is it necessary to use vault types?

No, the use of custom vault types is not mandatory. Basic types will always be available to you:

Private vaults — for personal user passwords. Shared vaults — for vaults that users share.

However, for corporate use we recommend creating your own vault types to ensure the necessary level of control and compliance with security policies.

How do corporate administrators differ from regular ones?

Corporate administrators are users who automatically receive administrator rights in all vaults of a certain type.

Features of corporate administrators:

  • Automatic assignment — they are added to a vault when it is created;
  • Non-removable — regular users cannot remove them from vaults;
  • Fixed rights — their access level cannot be lowered;
  • Centralized management — changes to the vault type apply to all vaults.

Assigning corporate administrators ensures constant control over important data.

Can I change corporate administrators in an existing type?

Yes, you can edit the list of corporate administrators in the vault type settings.

To add user to corporate administrators:

  1. Go to Vault types tab in Vaults settings.
  2. Open the type you want to edit.
  3. In Administrators section make the necessary changes.
  4. Click Save at the bottom of the page.

When adding a new administrator, the system will automatically create requests to add this user to all existing vaults of this type.

To delete user from corporate administrators:

  1. Delete the user from the list of corporate administrators for the relevant vault type.
  2. Delete the user from the corresponding vaults.

As long as the administrator is specified in vault type settings, they cannot be removed from individual vaults.

How to set a restriction on creating certain types of vaults?

When creating or editing a vault type, the following options are available in the Who can create vaults section:

  • All organization users — any user can create vaults of this type.

  • Restricted access — you can choose which users, roles, or groups can create vaults of this type.

You can combine several criteria: the ability to create a vault is available to users included in at least one of the lists. For example, you can allow the creation of 'IT infrastructure' vaults not only for IT department employees, but also for project managers.

Can I change the type of an existing vault?

Yes, the type of an existing vault can be changed, but only if you have administrator rights for the vault in question.

To change the vault's type:

  1. Go to All vaults tab in Vaults settings.
  2. In the list find the vault you want to edit.
  3. Open the dropdown list in the Type column opposite the vault.
  4. Choose a new type.
  5. Click Save at the bottom of the page.

When the type is changed, new corporate administrators will be automatically added to the vault, new access rules will be applied, and user connection requests will be created.

Why can't I delete some of the administrators from the vault?

If you cannot remove certain administrators from the vault, it means they are corporate administrators.

Corporate administrators:

  • Are assigned automatically based on the vault type;
  • Cannot be deleted by regular users;
  • Ensure constant corporate control over the vault;
  • Can only be remove by editing the corresponding vault type setting (system administrator rights are required).

What happened to my vaults after updating to Passwork 7?

When migrating from Passwork 6 to version 7, the system automatically converted existing vaults.

Personal vaults:

  • Remain personal/private;
  • Have been assigned the Private/Shared vaults type;
  • Your rights and access have not changed.

Shared vaults:

  • Have been assigned the Private/Shared vaults type;
  • All users and their rights are preserved.

Organization vaults:

  • Converted to corporate vault types;
  • Administrators are restored and become unremovable;
  • Access structure is preserved.