Scope Management in AuthAnvil Password Server
by Cody Marbach
Today, I'd like to talk about Scopes, and how they can be used to easily group and manage your vaults, while also enhancing access control.
For starters, a scope is simply a grouping of vaults, which you can manage from the Settings page. As scopes are used for security decisions for both users and sync agents, they currently cannot be renamed or altered, only created and deleted. When you create a vault, you always place it in exactly one scope.
Now, this is a great first step for organization. If you manage passwords for clients, you can create one or more scopes for each client you manage, allowing you to find their vaults quickly. Even better, you can use these scopes to limit access and visibility to your users. Users gain access to scopes via roles, which are collections of users, like Windows User Groups, used for setting permissions on a larger scale. Users can only see and belong to vaults that they share a scope with. If a client user account is only in their own client scope, they will only be able to see their own vaults, and not vaults belonging to other clients or to your own company. You can even use multiple scopes in your own company, to keep technicians from ever seeing financial or HR vaults, or to create separate groups for technicians operating in different regions.
If you use general roles for your own staff, like Technician or Auditor, you can easily add new scopes, allowing you to manage your users without having to edit them individually. This allows technicians to operate across many scopes, managing client vaults as needed.
Finally, Sync Agents can be given access to one or more scopes when you approve them. If a Sync Agent doesn't have permissions to a particular scope, no vaults in that scope can make use of it. This way, an agent on your internal network won't be visible inside client vaults, and likewise, you won't have a huge list of client Sync Agents inside your own company's vaults.
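The rules above (one scope per vault, scopes reached only through roles, Sync Agents approved per scope) can be modelled in a few lines to check a planned layout for over-exposure. This is an added example, not AuthAnvil code or its API; every scope, role, user, agent and function name in it is constructed for illustration.

```python
# Toy model of the scope rules described in the post (constructed data).
# Each vault lives in exactly one scope.
VAULT_SCOPE = {
    "acme-firewall": "Client-Acme",
    "acme-domain-admin": "Client-Acme",
    "globex-vpn": "Client-Globex",
    "payroll": "Internal-HR",
    "core-switches": "Internal-IT",
}
# Roles grant scopes; users gain scopes only through their roles.
ROLE_SCOPES = {
    "Technician": {"Client-Acme", "Client-Globex", "Internal-IT"},
    "Acme-Staff": {"Client-Acme"},
    "HR": {"Internal-HR"},
}
USER_ROLES = {
    "tech.tina": {"Technician"},
    "acme.bob": {"Acme-Staff"},
    "hr.hana": {"HR"},
}
# Sync Agents are given scopes when they are approved.
AGENT_SCOPES = {
    "agent-hq": {"Internal-IT", "Internal-HR"},
    "agent-acme": {"Client-Acme"},
}

def user_scopes(user):
    """Union of the scopes granted by every role the user holds."""
    return set().union(*(ROLE_SCOPES[r] for r in USER_ROLES.get(user, ())))

def visible_vaults(user):
    """A user sees only vaults whose scope they share."""
    scopes = user_scopes(user)
    return sorted(v for v, s in VAULT_SCOPE.items() if s in scopes)

def agents_for_vault(vault):
    """A vault can use only Sync Agents approved for its scope."""
    scope = VAULT_SCOPE[vault]
    return sorted(a for a, s in AGENT_SCOPES.items() if scope in s)

def overexposed(allowed):
    """Least-privilege check: principals (users or agents) holding scopes
    outside `allowed`, a mapping of principal -> intended scopes."""
    actual = {**{u: user_scopes(u) for u in USER_ROLES}, **AGENT_SCOPES}
    return {p: sorted(s - allowed.get(p, set()))
            for p, s in actual.items() if s - allowed.get(p, set())}
```

Running `overexposed` against the scopes each principal is meant to have shows where a general role such as Technician has quietly widened access beyond the intent.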
We recommend using at least one scope for each client, and one or more scopes for your internal vaults. Always practice least privilege, and don't expose your Sync Agents or internal vaults to any more users than is necessary. If you have any questions about this or other AuthAnvil Password Server topics, please post in the comments below!
Cody Marbach is one of Scorpion Software's developers who works on the AuthAnvil Password Server.
Scorpion Software’s AuthAnvil Password Server allows us to centrally organize, synchronize and audit all our important passwords within our organization. And also we can access our passwords securely from almost anywhere on almost any device, both on-premise and in the cloud.
Posted by: software development service | January 26, 2013 at 03:47 AM