RangerMSP Business Automation for successful ITs


February 10th, 2020, 01:19 PM
nattivillin
 
Posts: 1,146
Is there a way to have users who can [only] see passwords with the tokens the user is assigned?

Most passwords don't have tokens. We are working on correcting that, but a new hire only needs a token for a specific group.

I don't see a way to make it so this new hire can only see passwords with the tokens they have been assigned.
 
February 11th, 2020, 06:02 AM
Support Team
 
Posts: 7,514
Thank you for posting this.

Tokens are used to secure specific Passwords (or Accounts).
Granting the token for the user means that they will be able to access all Passwords that are NOT protected with any token (at Password or Account level) AND also the Passwords that are protected with the token assigned to the user.

In other words, in order to limit the user to access only specific passwords, you should first protect all other Passwords with token/s.
You can set the security settings for Account and this will affect all Passwords of this Account.

For example:
- All Accounts' Passwords will be protected with token 'Tier 1'
- The user will be granted the token 'Tier 2'
- In order to allow the user to access some Passwords, the security settings of the Passwords should be customized and include the token 'Tier 2'.

More information about using the Security Tokens can be found in this article.

Hope this helps.
 
February 11th, 2020, 06:15 PM
nattivillin
 
Posts: 1,146
Since there are many passwords without tokens, I would like to create a Tier I token and apply it to all passwords without a token. How can I avoid hours of work doing this?

Is there a batch "apply token" feature?

Is there a bulk apply token to account feature?

Furthermore, how can I ensure all new passwords are created with tokens?

Is there a report showing passwords without tokens?
 
February 12th, 2020, 06:06 AM
Support Team
 
Posts: 7,514
The Password record, by default, inherits the security settings (aka tokens) from the Account. It means that setting the token 'Tier1' for the Account will automatically affect all existing Passwords under the Account.

Tokens are managed individually per Account, and because of how sensitive all this is, there isn't a batch update option here. This is managed under the Passwords tab of the Account.

At this time there is no report available with password tokens.

Hope this helps.
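
The access rule and Account-level inheritance described in the two Support Team replies above, modeled as an added example (not RangerMSP code and not part of any post). The classes, function names and inventory are constructed; it assumes a customized Password setting replaces the inherited one and that holding any one listed token is enough.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    tokens: frozenset = frozenset()      # Account-level security tokens

@dataclass(frozen=True)
class Password:
    label: str
    account: Account
    own_tokens: Optional[frozenset] = None   # None = inherit from the Account

    def effective_tokens(self) -> frozenset:
        # Assumption: a customized Password setting replaces the inherited one.
        return self.account.tokens if self.own_tokens is None else self.own_tokens

def can_access(user_tokens, pw: Password) -> bool:
    required = pw.effective_tokens()
    if not required:
        return True          # no token anywhere: open to every Password Manager user
    # Assumption: holding any one of the listed tokens is enough.
    return bool(required & frozenset(user_tokens))

def visible_to(user_tokens, inventory):
    return [p.label for p in inventory if can_access(user_tokens, p)]

def unprotected(inventory):
    """Passwords with no effective token: the list the thread asks a report for."""
    return [p.label for p in inventory if not p.effective_tokens()]

# Constructed inventory following the 'Tier 1' / 'Tier 2' example in the reply.
acme = Account("Acme", frozenset({"Tier 1"}))
globex = Account("Globex")               # Account not yet given a token
INVENTORY = [
    Password("Acme printer", acme, frozenset({"Tier 1", "Tier 2"})),
    Password("Acme enterprise admin", acme),      # inherits 'Tier 1'
    Password("Globex wifi", globex),              # inherits nothing
]

if __name__ == "__main__":
    print("new hire (Tier 2):", visible_to({"Tier 2"}, INVENTORY))
    print("still unprotected:", unprotected(INVENTORY))
```

The 'Tier 2' user is kept out of the inherited 'Tier 1' record but still sees the password under the Account that has no token, which is the gap the thread is about.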
 
February 12th, 2020, 02:24 PM
nattivillin
 
Posts: 1,146
That is a lot of work to go back and add tokens to everything.

May be helpful for new CommitCRM users to know they should use tokens from the start because adding them later is a PIA.
 
February 12th, 2020, 03:47 PM
nattivillin
 
Posts: 1,146
Can we make it so any new password requires a token?
 
February 13th, 2020, 06:03 AM
Support Team
 
Posts: 7,514
Once the token is added for an Account, all passwords, including newly created ones, will automatically require the user to have a token.

You do not have to apply tokens for individual passwords. Having it at the Account level should be sufficient in most cases.

Hope this helps.
 
February 13th, 2020, 11:41 AM
nattivillin
 
Posts: 1,146
We are not using tokens at the account level. We are using them per password. We don't have individual tech per account. We have tech levels T1, T2, T3, etc.


Can we make it so any new password requires a token?
 
February 13th, 2020, 01:29 PM
Support Team
 
Posts: 7,514
Using tokens at the account is usually very efficient.

In any case, there is no option to set a default token for individual new passwords.

You may consider the following:

In order to protect all passwords for all Accounts, you can use some token e.g. Tier0.
Each tech will have two tokens - Tier0 and Tier1
or Tier0 and Tier2
or Tier0 and Tier3

This way, techs that have the token Tier0 will have access to all passwords of all Accounts, unless the specific passwords are protected with another, 'higher level' token.

Hope this makes sense and helps.
 
February 15th, 2020, 12:40 PM
nattivillin
 
Posts: 1,146
How does one secure passwords at the account level? A customer could have a password for a printer that any new hire can access. That same customer also has a password for their enterprise admin which only high level techs have access to.

I don't understand how a token at the account level keeps low level techs out of sensitive passwords.

If I assigned a T0 token to all accounts, then I have to change every password to require "all" of the necessary tokens, correct?

That sounds like months of modifying every password.
 
February 17th, 2020, 06:03 AM
Support Team
 
Posts: 7,514
Using Tokens is entirely optional.

With Tokens you can control which members of your staff can access which passwords.

You can use tokens to control staff access to passwords. Only members of your team with the relevant tokens will be able to access such passwords.

The number of combinations and scenarios this supports is very high. Depending on your specific requirements it may be a matter of setting a single token to a specific account - on one end, or control tokens at the per-password record level, all based on your requirements. You can also mix and match - not use any tokens for some accounts, use ones for others, use password level ones in specific cases, etc.

So back to our discussion here, setting 'Tier0' token for all Accounts will allow you, for example, to have an employee on your team that will not have this token; as a result, they won't be able to access any of the Account passwords (side note - if someone does not need to use the Password Manager at all, there are better ways to handle it).

The above should provide you with the answer to your original question of "...to have users who can [only] see passwords with the tokens the user is assigned?..."

Any employee with access to the Password Manager that knows the passphrase you set would be able to access Account Passwords of Accounts without a token set to them. However, if a token is set to the Account - the employee must have it in order to get access.

Regardless of the benefits tokens at the account level offer, in order to protect individual Password records, you will need to define a token at the Password level.

Hope this helps and makes sense.
 
February 17th, 2020, 11:29 AM
nattivillin
 
Posts: 1,146
Is there a way to quickly/batch add the T0 token to every account?
 
February 18th, 2020, 06:02 AM
Support Team
 
Posts: 7,514
Nope, security token/s should be carefully set manually for each Account; there's no batch action for this.

All times are GMT -6.