In the AuthAnvil Password Vault, scopes are a method of organizing users and vaults within the same organization. Each user is assigned as a member of one or more scopes, each vault is assigned to one scope, and users can only see vaults that are assigned to scopes that they are a member of. This is perfect if you have vaults that some users should never see, and that you don’t want them to be able to request access to. Organization administrators are allowed to manage scopes, and can change users’ scope membership.
Scopes are controlled from the settings page, under the “Scopes” panel. Here, administrators can add new scopes or remove existing scopes. Scopes can only be removed if they meet the following conditions:
- The scope does not have any vaults assigned to it.
- The scope does not have any users assigned exclusively to it. (As long as each of its users is also assigned to at least one other scope, it’s fine.)
To add a new scope, we simply give it a name and a description. The user that created the scope will be added to it automatically.
We can then create other users and add them to the scope. For the purposes of this demonstration, we’ll create one user who has access to both scopes, and another who only has access to one scope.
We can then create a vault for each scope. When you create a vault, you have the option to choose what scope it belongs to. Choose carefully, though: this cannot be changed after the vault has been created.
Now, if we log on as the user who has access to both scopes, we can see both vaults in the list (although the user still needs to be a member in order to actually access them).
If we log on as the user who only has access to one scope, we can only see the vault that belongs to that scope in the list.
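The rules from this walkthrough, modelled in a short Python sketch. This is an added example, not AuthAnvil code or anything from the original article; the `Org` class, its method names, and the scope, user and vault names are all made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    """Toy model of the scope rules in this article (not AuthAnvil's implementation)."""
    scopes: set = field(default_factory=set)
    user_scopes: dict = field(default_factory=dict)   # user -> set of scope names
    vault_scope: dict = field(default_factory=dict)   # vault -> its single scope

    def add_scope(self, name, creator):
        # The user who creates a scope is added to it automatically.
        self.scopes.add(name)
        self.user_scopes.setdefault(creator, set()).add(name)

    def add_user(self, user, scopes):
        unknown = set(scopes) - self.scopes
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.user_scopes.setdefault(user, set()).update(scopes)

    def create_vault(self, vault, scope):
        # The scope is chosen at creation time and cannot be changed afterwards.
        if vault in self.vault_scope:
            raise ValueError("vault exists; its scope cannot be changed")
        if scope not in self.scopes:
            raise ValueError(f"unknown scope: {scope}")
        self.vault_scope[vault] = scope

    def visible_vaults(self, user):
        # Visibility only: the article notes a user must still be a member
        # to actually access a vault (that step is not modelled here).
        mine = self.user_scopes.get(user, set())
        return sorted(v for v, s in self.vault_scope.items() if s in mine)

    def removal_blockers(self, scope):
        """Return what prevents removing `scope`; two empty lists mean it can go."""
        vaults = sorted(v for v, s in self.vault_scope.items() if s == scope)
        exclusive = sorted(u for u, s in self.user_scopes.items() if s == {scope})
        return {"vaults": vaults, "exclusive_users": exclusive}

def demo():
    # Constructed data mirroring the walkthrough: two scopes, two users, two vaults.
    org = Org()
    org.add_scope("Scope A", creator="admin")
    org.add_scope("Scope B", creator="admin")
    org.add_user("alice", {"Scope A", "Scope B"})   # member of both scopes
    org.add_user("bob", {"Scope A"})                # member of one scope only
    org.create_vault("Shared IT", "Scope A")
    org.create_vault("Payroll", "Scope B")
    return org
```

`removal_blockers` shows why a scope cannot be removed yet: here "Scope A" is held by one vault and by a user who belongs to no other scope.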
And there we go. As you can see, scopes provide another level of access control, allowing you to be as granular as you need to be with your permissions, so that they make sense for your organization.
This article originally appeared in the Scorpion Software Blog.