Best Practices for Setting User Permissions in PD Server to Restrict Access to Authorized Objects Only
In Password Depot Enterprise Server, proper configuration of user permissions is essential to ensure data security. It guarantees that users can only access, modify, or interact with the objects for which they are explicitly authorized.
This guide outlines a recommended approach to organizing shared and exclusive access within a database. In this way, private folders, shared areas, and controlled visibility can be set up—without unnecessary exposure of data.
A common mistake occurs when administrators try to organize shared and exclusive access for multiple users within a single database:
They first grant User1 full access to the entire database and then use the “Deny” flag in the “Entries and Folders” section to exclude certain objects from access—as shown in the following images:
Another variant of this mistake is to activate Read access for all databases globally in the server policies (Manage → Server Policies) for all users:
This approach is incorrect because it allows full read access by default. A restricted user (e.g., User1) would automatically receive read access to all newly created objects in the root folder—whether created intentionally or accidentally.
It is also recommended not to use the “Deny” flag for routine permission assignments due to its specific behavior. In most cases, standard requirements can be implemented cleanly without using “Deny.”
Example: In a single database, the users User1 and User2 should each have private folders for exclusive access as well as a shared folder for team access.
On the database level, grant User1 and User2 only the right “Access to the database”—but not Read/Modify/Add/Delete:
Then assign folder permissions specifically:
User1 gets full access to “Folder for User1” and the “Shared Folder.”
User2 gets full access to “Folder for User2” and the “Shared Folder.”
Instead of User1 and User2, you can also use group objects. All group members will then only have access to their own or shared folders, but no access to other newly created entries or folders in the same database. If new folders or entries for User1 or User2 are created later, the administrator can grant access to them individually under “Entries and Folders.” This ensures at all times that users or groups can only see what they have been explicitly granted access to.
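The difference between the two layouts can be shown with a small model. This is an added example, not Password Depot code: it is a simplified illustration that assumes root-level objects only and that an explicit "Deny" overrides any grant; the function names and the object "New entry in root" are constructed for the demonstration.

```python
# Simplified model of the two permission layouts described in this guide.
# Assumption: this is NOT Password Depot's evaluation logic, only an illustration.

def visible(user, objects, db_read, grants, denies):
    """Return the root-level objects `user` can read.

    db_read: users holding Read at database level (allow-by-default layout)
    grants:  {object: set(users)} explicit per-object grants
    denies:  {object: set(users)} explicit per-object "Deny" flags
    """
    result = set()
    for obj in objects:
        if user in denies.get(obj, set()):
            continue  # assumption: an explicit Deny wins in this model
        if user in db_read or user in grants.get(obj, set()):
            result.add(obj)
    return result

OBJECTS = ["Folder for User1", "Folder for User2", "Shared Folder"]

# Layout A (the mistake): Read on the whole database, then Deny on what should be hidden.
LAYOUT_A = dict(db_read={"User1", "User2"}, grants={},
                denies={"Folder for User2": {"User1"},
                        "Folder for User1": {"User2"}})

# Layout B (recommended): only "Access to the database", plus explicit folder grants.
LAYOUT_B = dict(db_read=set(),
                grants={"Folder for User1": {"User1"},
                        "Folder for User2": {"User2"},
                        "Shared Folder": {"User1", "User2"}},
                denies={})

def exposure_after_new_object(layout, user, new_object):
    """Objects that become visible to `user` once `new_object` appears in the root."""
    before = visible(user, OBJECTS, **layout)
    after = visible(user, OBJECTS + [new_object], **layout)
    return after - before

if __name__ == "__main__":
    for name, layout in (("A: full access + Deny", LAYOUT_A),
                         ("B: explicit grants", LAYOUT_B)):
        print(name, "->", sorted(visible("User1", OBJECTS, **layout)),
              "| newly exposed:",
              sorted(exposure_after_new_object(layout, "User1", "New entry in root")))
```

Both layouts give User1 the same view today; only layout A exposes the new root object without any action by the administrator.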