A user can only have one role, which is assigned when creating the user, but it can be changed whenever required.
There are 5 possible roles:
- Admin: can do anything.
- Normal user: create and manage passwords on assigned projects.
- Project manager: create and manage projects (plus normal user rights).
- IT: like a project manager plus access to users/groups, log and settings.
- Only read: only read passwords on assigned projects.
Note that all the users can manage their account ("My Account" option in the top menu) and use the "My Passwords" feature to manage their personal passwords. "My Passwords" is not available for "Only read" users.
Here's some more detail about them:
Admin
Admin users can do anything in Team Password Manager. They have absolute control of anything (passwords, projects, users/groups, log, settings) and have access to any password or project without any restriction.
There are only two things that an Admin user cannot do:
- Delete herself/himself. When installing the software, an Admin user is created. Team Password Manager requires that there's always one Admin user. So, any Admin user can delete other Admin users but cannot delete herself/himself.
- Access the personal passwords of other users.
Normal user
Normal users can:
- Create passwords in the projects they have been granted access to and manage them.
- See information (basic data, notes) of the projects they have been granted access to.
- Read the passwords managed by other users in the projects they have been granted access to if the "Editing policy" setting is set to "USER" (this is the default).
- Manage the passwords in the projects they have been granted access to if the "Editing policy" setting is set to "ANYONE".
- Read or manage (depending on the "Editing policy" setting) the passwords they have been granted access to (regardless of their projects).
To manage a password means to edit it, edit its security, upload files to it, move it to another project or delete it. To read a password means being able to read its basic data, notes, security information and log.
Access to a project/password can be granted directly to a user or indirectly via a group the user belongs to.
Normal users cannot:
- Create projects.
- Access users/groups, the general log and settings.
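The rules above for project passwords can be written as a small access check. This is an added example, not Team Password Manager's own code: the `User` and `Password` classes, the `g:` group prefix, and treating a password's creator as the user who manages it under the "USER" policy are assumptions made for illustration, and only the Admin, Normal user and Only read roles are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str                       # "admin", "normal" or "only_read"
    groups: set = field(default_factory=set)

@dataclass
class Password:
    project: str
    creator: str                    # assumed to be the user who manages it under "USER"
    grants: set = field(default_factory=set)   # users/groups granted on the password itself

def effective_access(user, pw, project_grants, editing_policy="USER"):
    """Return "manage", "read" or None for one project password."""
    if user.role not in ("admin", "normal", "only_read"):
        raise ValueError("role not modelled: " + user.role)
    if user.role == "admin":
        return "manage"             # unrestricted on project passwords
    # A grant counts whether it names the user or a group the user belongs to.
    principals = {user.name} | user.groups
    on_project = principals & project_grants.get(pw.project, set())
    on_password = principals & pw.grants
    if not (on_project or on_password):
        return None
    if user.role == "only_read":
        return "read"               # never elevated by the editing policy
    if editing_policy == "ANYONE" or pw.creator == user.name:
        return "manage"
    return "read"                   # "USER" policy: other users' passwords are read-only

# Constructed sample data.
PROJECT_GRANTS = {"Website": {"alice", "g:ops"}}
PW = Password(project="Website", creator="alice", grants={"dave"})
USERS = [
    User("alice", "normal"), User("bob", "normal", {"g:ops"}),
    User("carol", "only_read", {"g:ops"}), User("dave", "normal"),
    User("eve", "normal"), User("root", "admin"),
]

def access_table(policy):
    return {u.name: effective_access(u, PW, PROJECT_GRANTS, policy) for u in USERS}

if __name__ == "__main__":
    for policy in ("USER", "ANYONE"):
        print(policy, access_table(policy))
```

Switching the policy from "USER" to "ANYONE" turns every read grant held by a Normal user, including group-inherited and password-level ones, into manage rights, so it is worth reviewing existing grants before changing the setting.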
Project manager
Project managers are like normal users and in addition they can create projects and manage them.
Managing a project means being able to edit it (including its security), upload files to it, archive/unarchive it and delete it. Project managers can manage the projects they have created or to which they have been assigned as managers.
Project managers are like normal users for the projects they don't manage. That is, they can't access them if they haven't been granted access to them.
IT
IT users are project managers with access to users/groups, the general log and settings.
This role was created to have some kind of restricted admin. That is, users that can manage the software but that don't have access to all the passwords and projects.
Apart from this restriction, IT users have these other restrictions:
- They can't create or manage Admin users. Only other Admin users can create/manage Admin users. IT users can only see information about them.
- They can't import passwords to projects that they don't have access to.
- They can't export passwords that they don't have access to.
- They can only manage (edit/delete) groups that they belong to (assigned to them by admins).
- They can create groups and they're automatically assigned to them.
- They cannot delete themselves from any group.
- They can only add/delete other users from groups that they belong to.
In addition, IT users can upgrade the software.
Only read
Users with the "Only read" role can only read the passwords they have access to in Team Password Manager (basic data and file downloads).
This is a very restricted role that was created to give access to passwords to people external to the organization: clients, partners, and so on. Of course you can also create users with the "Normal user" role for external people, but there are some cases where this read-only role is needed.