Two notes when reading this document:
- Unless otherwise stated, when referring to projects in this document we're also referring to subprojects.
- You may also want to read this related document regarding permissions in Team Password Manager: Permissions in passwords and projects
A user can only have one role, which is assigned when creating the user, but it can be changed whenever required.
There are 5 possible roles:
- Admin: can do anything.
- Normal user: can work with passwords and projects, but cannot create/delete projects.
- Project manager: like normal users, and can also create/delete projects.
- IT: like a project manager plus access to users/groups, log and settings.
- Only read: only read passwords on assigned projects.
Note that all users can manage their account ("My Account" option in the top menu) and use the "My Passwords" feature to manage their personal passwords. "My Passwords" is not available for "Only read" users.
Here's some more detail about them:
Admin users can do anything in Team Password Manager. They have absolute control of anything (passwords, projects, users/groups, log, settings) and have access to any password or project without any restriction.
There are only two things that an Admin user cannot do:
- Delete herself/himself. When installing the software, an Admin user is created. Team Password Manager requires that there's always one Admin user. So, any Admin user can delete other Admin users but cannot delete herself/himself.
- Access the personal passwords of other users.
Normal users can:
- Create passwords in the projects on which they have been granted the following permissions: "Read/Create passwords", "Read/Edit passwords data", "Read/Manage passwords" and "Manage".
- Read data of the projects on which they have been granted the following permissions: "Read", "Read/Create passwords", "Read/Edit passwords data" and "Read/Manage passwords".
- Read passwords of the projects on which they have been granted the following permissions: "Read" and "Read/Create passwords".
- Edit the data of passwords of projects on which they have been granted the permission "Read/Edit passwords data".
- Manage passwords of projects on which they have been granted the permission "Read/Manage passwords".
- Manage projects on which they have been granted the permission "Manage" or of which they have been assigned project manager ("Managed by" in the project security screen). Note that Normal users cannot delete a project even if they can manage it.
- See the name of projects on which they have been granted the permission "Traverse".
- Read passwords on which they have been granted the permission "Read".
- Edit data of passwords on which they have been granted the permission "Edit data".
- Manage passwords on which they have been granted the permission "Manage".
To manage a password means having complete control over the password. To manage a project means having complete control over the project and its passwords, but not its subprojects. Note that Normal users, though, cannot delete projects.
Permission on a project/password can be granted directly to a user or indirectly via a group the user belongs to.
Normal users cannot:
- Create projects.
- Delete projects.
- Access users/groups, the general log and settings.
Project managers are like normal users and in addition they can:
- Create projects. Since v. 7.93.204 there's an option to prevent them from creating projects in the root of the projects tree.
- Delete a project if they're the project manager or if they have the "Manage" permission on the project, and if the project is a leaf project. Note: a leaf project is a project that has no subprojects.
- Create subprojects of a project if they have access to the project (permission "Traverse" to "Manage").
To manage a project means having complete control over the project and its passwords, but not its subprojects.
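The project rules above, combined with the role descriptions on this page, can be written as a small decision model for checking who is able to delete a given project. This is an added example, not Team Password Manager code: all function and field names are hypothetical, the sample users and projects are constructed, and it assumes the user's effective permission on the project (direct or via a group) has already been resolved and ignores the root-of-tree option.

```python
# Added illustration of the project rules on this page; every name here is
# hypothetical and is not Team Password Manager's API.
CREATE_PASSWORD_PERMS = {"Read/Create passwords", "Read/Edit passwords data",
                         "Read/Manage passwords", "Manage"}
PROJECT_CREATOR_ROLES = {"Project manager", "IT"}  # Admin is handled first

def can_create_password(role, perm):
    """perm: the user's effective project permission, or None for no access."""
    if role == "Admin":
        return True
    if role == "Only read":
        return False
    return perm in CREATE_PASSWORD_PERMS

def can_create_subproject(role, perm):
    """Any access to the parent project ("Traverse" to "Manage") suffices."""
    if role == "Admin":
        return True
    return role in PROJECT_CREATOR_ROLES and perm is not None

def can_delete_project(role, perm, is_manager, has_subprojects):
    """is_manager: the user is the project's "Managed by" user."""
    if role == "Admin":
        return True
    if role not in PROJECT_CREATOR_ROLES:
        return False  # Normal users cannot delete, even with "Manage"
    return (is_manager or perm == "Manage") and not has_subprojects

def who_can_delete(project, users):
    """Audit helper: names of the users who could delete this project."""
    return sorted(
        name for name, role in users.items()
        if can_delete_project(role, project["grants"].get(name),
                              project["managed_by"] == name,
                              project["has_subprojects"]))

# Constructed sample data, not taken from a real installation.
USERS = {"alice": "Admin", "bob": "Normal user", "carol": "Project manager",
         "dave": "IT", "erin": "Only read"}
LEAF = {"managed_by": "bob", "has_subprojects": False,
        "grants": {"carol": "Manage", "dave": "Read", "erin": "Read"}}
PARENT = {"managed_by": "carol", "has_subprojects": True, "grants": {}}

if __name__ == "__main__":
    print("LEAF deletable by:", who_can_delete(LEAF, USERS))
    print("PARENT deletable by:", who_can_delete(PARENT, USERS))
```

In the sample, the Normal user who manages the leaf project still cannot delete it, and the Project manager who manages the parent project cannot delete it while it has subprojects.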
IT users are project managers with access to users/groups, the general log and settings.
This role was created to have some kind of restricted admin. That is, users that can manage the software but that don't have access to all the passwords and projects.
Apart from this restriction, IT users have these other restrictions:
- They can't create or manage Admin users. Only other Admin users can create/manage Admin users. IT users can only see information about them.
- They can't import passwords to projects that they don't have access to.
- They can't export passwords that they don't have access to.
- They can only manage (edit/delete) groups that they belong to (assigned to them by admins).
- They can create groups and they're automatically assigned to them.
- They cannot delete themselves from any group.
- They can only add/delete other users from groups that they belong to.
In addition, IT users can upgrade the software.
Users with role "Only read" can only read the passwords they have access to in Team Password Manager (basic data and download files).
This is a very restricted role that was created to give access to passwords to people external to the organization: clients, partners, and so on. Of course you can also create users with "Normal user" role for external people, but there are some cases in which this read-only role is needed.