In contrast to , which places the main focus on security, Masterkey mode provides the maximum level of convenience. It imports not only users, organisational units and roles but also their links and affiliations, and it can be synchronised later to update that information. In this scenario, Active Directory is the leading system.
The following rights are required to add new profiles:
- Can add new Active Directory profiles
- Display organisational structure module
- Display role module
The following information must be provided in the profile:
- Profile name
- An optional description
- Masterkey mode is selected as the encryption mode
- The domain field defines which domain is read. The value entered here is also used for authentication unless alternative spellings have been saved under Other domain names.
- A local user (for example, the administrator) or an already imported user must be specified as the responsible user. The data is imported under that user's name.
- A domain account is required to connect to the AD, entered in the form Domain\User. It needs read access to the AD objects that are to be imported.
- The domain password of that account.
- Direct search is recommended for very large domain trees. The tree structure is then omitted, and elements can only be found and selected via the search.
- Activating the checkbox Restrict user import to role members only switches on a simplified mode: only AD users who are members of at least one role are imported, and as soon as a user is no longer a member of at least one role, that user is deleted from Password Safe.
- Activating the checkbox Force update on next synchronisation updates ALL records on the next synchronisation, regardless of whether the record has changed in Active Directory or not. (This checkbox is activated automatically when you have edited the other responsible users and is deactivated again after the next synchronisation.)
- The LDAP filter can be used to specify an AD path as the entry point directly via an LDAP query.
- Various security options, the so-called AuthenticationTypes Enumeration (Flags), can be selected for the connection between the AD and Password Safe. These are the flags of the .NET AuthenticationTypes enumeration; in practice, Secure (Kerberos/NTLM bind instead of a simple bind that sends the password in clear text) together with Signing and Sealing (integrity and encryption of the LDAP traffic), or SecureSocketsLayer, is what you want, so that the synchronisation account's domain password and the directory data never cross the network unprotected.
- Other responsible users or roles define who is permitted to carry out the synchronisation with the AD.
- The option Other domain names saves alternative spellings of the login domain. These must match the spelling entered in the login window. For example, if the connection is established to the domain jupiter.local or to an IP address, logging in as jupiter\user is only possible if jupiter has been saved here.
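Before saving the profile it is worth checking, outside Password Safe, that the domain, the synchronisation account, the authentication flags and the LDAP filter actually return the objects you expect. The following PowerShell script is an added example and is not part of the Password Safe documentation or product; it binds with the same values the profile asks for (the domain jupiter.local, the account jupiter\svc-pwsafe, the entry point OU and the filter are assumed values) and reports which users the filter matches, which of them are disabled in AD (these are deactivated by the synchronisation) and which are in no group at all (these would be dropped if Restrict user import to role members only is set). Run it on a domain-joined Windows host with the .NET Framework System.DirectoryServices assembly.

```powershell
# Added example, not Password Safe code: pre-flight check of a Masterkey profile's settings.
# Assumed values: domain jupiter.local, sync account jupiter\svc-pwsafe, entry point OU and filter.
Add-Type -AssemblyName System.DirectoryServices

$Domain     = 'jupiter.local'                                  # "Domain" field of the profile (assumed)
$BindUser   = 'jupiter\svc-pwsafe'                             # Domain\User as the profile expects (assumed)
$Credential = Get-Credential -UserName $BindUser -Message 'Domain password of the synchronisation account'
$EntryPoint = 'OU=Users,OU=Jupiter,DC=jupiter,DC=local'        # assumed LDAP entry point
$Filter     = '(&(objectCategory=person)(objectClass=user))'   # assumed LDAP filter

# AuthenticationTypes flags: Secure = Kerberos/NTLM bind instead of a clear-text simple bind,
# Signing + Sealing = integrity protection and encryption of the LDAP session.
$AT        = [System.DirectoryServices.AuthenticationTypes]
$AuthFlags = $AT::Secure -bor $AT::Signing -bor $AT::Sealing

$Password = $Credential.GetNetworkCredential().Password
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                   -ArgumentList @("LDAP://$Domain/$EntryPoint", $BindUser, $Password, $AuthFlags)

try {
    # Accessing NativeObject forces the bind; a wrong user, wrong password or unreachable
    # domain throws here, which is exactly what a mistyped profile would do later.
    $null = $root.NativeObject
} catch {
    Write-Error "Bind as $BindUser to $Domain with entry point $EntryPoint failed: $($_.Exception.Message)"
    return
}

$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList @($root, $Filter)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000          # paged results; required for trees larger than the server's size limit
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'memberOf', 'distinguishedName'))

$ACCOUNTDISABLE = 0x2                 # userAccountControl bit for a disabled account
$results = foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['userAccountControl'][0]
    [pscustomobject]@{
        Account    = [string]$r.Properties['sAMAccountName'][0]
        Disabled   = [bool]($uac -band $ACCOUNTDISABLE)      # will be deactivated by the synchronisation
        GroupCount = $r.Properties['memberOf'].Count        # direct group memberships only (primary group not listed)
        DN         = [string]$r.Properties['distinguishedName'][0]
    }
}

'{0} users match the filter below {1}' -f @($results).Count, $EntryPoint
'{0} of them are disabled in AD'       -f @($results | Where-Object Disabled).Count
'{0} of them are in no group at all'   -f @($results | Where-Object { $_.GroupCount -eq 0 }).Count
$results | Sort-Object Account | Format-Table Account, Disabled, GroupCount -AutoSize
```

If the bind succeeds only after you remove Signing and Sealing, the domain controller or the path in between is the problem, not the profile; fix that rather than weakening the flags in Password Safe. memberOf does not include the user's primary group (normally Domain Users), so a count of zero here means the user has no explicit group membership that could map to a role.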
You can start the import directly from the ribbon. A wizard guides the user through the entire operation.
First, an organisational unit is selected as the target for the import. If there are no organisational units in the database yet, as in this example, the data is imported into the main organisational unit.
Active Directory objects
In the next step, select the profile you will use to import the data. Then select organisational units and/or users for the import. A search is available for this purpose.
As you can see, the organisational units Jupiter and Contoso contain items to be imported. The organisational units themselves will not be imported. The group 1099 Contractor is imported including all of its sub-elements. The check next to the group Accounting indicates that the group itself will be imported along with some of its sub-elements. The ticks in the last column ensure that the elements are included in future synchronisation runs.
Different symbols indicate which elements will be imported:
- The element itself and all possible sub-elements will be imported
- The element itself and some of its sub-elements will be imported
- The element will not be imported; however, it contains elements that will be imported
Right-clicking in the list will launch a context menu. It provides helpful functions for the selection of the individual elements.
In the lower area you can specify whether the users just selected for import should be created as "Light" or "Full" users.
The last page summarises which objects will be edited and in what form. It lists the names of the elements along with their descriptions. The Status column specifies whether the object is added, updated or disabled. The last column specifies the organisational unit into which the element is imported. The number of objects is shown at the bottom.
The server imports the data in the background, and the individual elements appear in the list one by one. This may take some time, depending on the amount of import data. Once the import has finished, a hint indicates this.
Imported users and organisational units
The users and organisational units imported in Masterkey mode cannot be edited in Password Safe. Any changes must therefore be made in AD and then synchronised; AD is the leading system. Role affiliations are also synchronised and must be set in AD. In organisational units or roles created in Password Safe itself, however, users can be added directly in Password Safe.
The rights are issued as follows during the import or synchronisation.
| | | | |
|---|---|---|---|
| Are rights inherited from the OU? | If no preset has been saved | If no preset has been saved | No |
| Are rights applied from a preset? | If a preset has been saved | If a preset has been saved | No |
| Is the "add" right issued? | No | Yes | No |
| Who receives the rights key? | Imported users and all with the "authorize" right | All | All with the "authorize" right |
| Are rights inherited from the OU? | If no preset has been saved | No | No |
| Are rights applied from a preset? | If a preset has been saved | No | No |
| Is the "add" right issued? | No | No | No |
| Who receives the rights key? | All with the "authorize" right | None | All with the "authorize" right |
Logging into Password Safe
Users imported in this mode log in with their domain password. Note that no domain needs to be specified when logging in. The login can of course also be supplemented with multifactor authentication.
Permissions to imported objects
The rights issued to imported users are explained in the following example:
1. In Masterkey mode, all users are issued with the read right.
2. The responsible user is issued with all rights and the key. This ensures that he can also synchronise or change the user in the future.
3. Other responsible users are issued with the same rights as the responsible user.
4. The Master Key of the Active Directory profile is also issued with all rights and keys, as it is used for the synchronisation.
5. Finally, users are issued with the rights for themselves.
During synchronisation, all relevant information for users, organisational units and roles (names, email addresses, etc.) is updated. Changed role affiliations are adjusted, and users are activated or deactivated according to their state in AD. New users and correspondingly defined roles are imported. If the membership of organisational units is to be changed, this can be done by drag and drop.
The synchronisation can be started manually at any time via the corresponding button in the ribbon.
Select the required profile and start the synchronisation. As with the initial import, the synchronisation runs in the background. A hint indicates that the process has been completed.
Synchronization via system tasks
Deleting or removing users
If a user is deleted in Active Directory, it is also deleted in Password Safe during the next synchronisation. For this to happen, the user must have been imported as a synchronisable user.
If the user is to be deleted from Password Safe only but retained in Active Directory, a synchronisation is needed to remove it from the database. For this purpose, the wizard is called up via the import. The first step is to select an organisational unit; this has no effect when merely deleting a user. The second step is to search for the user and remove both ticks.
After checking the summary, the process is concluded. The synchronisation completes and the user is deleted from the database.