2

Let's say we have a single KeePass database file database.kdbx in a shared folder among multiple persons.

In KeePass, how to make different user permissions for access to each password? Example:

                                    Me      Bob     Alice   Eve

    Company .com registrar account  X
    Account on website ABC          X X
    Account on website DEF          X X X
    Account on website GHI          X X X
    Bob's webmail                   X
    Alice's webmail                 X
    Eve's webmail                   X

Do we need multiple "master passwords"?

Or is there a more general solution for this situation?

Notes:

  • we would like to keep a standalone .exe solution, and no browser-based / cloud solution

  • related question (but maybe obsolete, 2015)

  • I would like to avoid having to deal with many different .kdbx databases like admin.kdbx, admin+bob.kdbx, admin+alice+eve.kdbx, admin+bob+alice.kdbx, etc., because this is not very flexible

Basj
  • 2,143

1 Answer

2

There are only two solutions to your question:

  1. Use an enterprise password product (costly)
  2. Use multiple separate password databases (rigorous requirements).

For the first solution, there exist multiple products, some of which are:

There are no miracle solutions. If an enterprise password product is too costly to go this way, you have to go in the direction of do-it-yourself.

Below is one description of such a solution:

Our strategy at the agency I worked for was one file for each team, and one file for each user:

Each team has a DB file on a network location, secured through network permissions for that team's AD group, and only the team members know the passphrase of the DB. This provides two levels of security. Any passwords needed by the entire team go here. For us this was test/verification service accounts. (If at all possible we would avoid having these types of shared credentials, and issue credentials to each team member, but some things that were typically backend services didn't lend themselves to per-user authentication, and we needed credentials for troubleshooting/testing shared by the team.)

Each individual has their own DB file in their personal network share, accessible only by them. Again, the network share permissions. Of course they put credentials here for any accounts issued by them that don't need to be shared.

KeePass makes this easy since you can have both your own and the team DB file open in two tabs. You can also put the team passphrase in your personal DB so that you only really need to memorize your personal DB passphrase.

It's important that the importance of a strong passphrase is stressed to team members, and that they never copy the DB locally. I might even consider requiring higher iterations per org policy.

You can always create a DB on the fly for a one-off password share. If you have OneDrive then it's easy for someone to create a DB, share it to a specific user in the enterprise, call them and give them the passphrase for the DB over the phone. Then once they confirm they've copied the entry into their personal DB you delete the shared DB. It might seem nonsensical to tell them a DB passphrase when you could just give them the password you're trying to share, but oftentimes with something like a system/service password it's very long and there will be a delay before the recipient can get it into their system in a way they can verify the credential, which might result in follow-up calls/double checking. So it's a lot easier to give them a relatively simpler but still strong passphrase for the DB over the phone, let them open the DB file while on the phone to verify they are able to get it, then they can copy the service/credential password without worrying about making an error.

harrymc
  • 498,455
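The answer's "one DB file per group" approach follows directly from the fact that a .kdbx file has a single master key: whoever can open the file reads every entry in it. The added example below (written for this page, not code from the question, the answer or the KeePass project) takes an access matrix like the one in the question and computes how many databases the do-it-yourself layout actually needs, which files each person must be granted, and therefore which passphrases have to be rotated when someone leaves. The column placement of the X marks did not survive on the page, so the user assignments in `ACCESS` are constructed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List

# Constructed access matrix in the spirit of the question. The column
# placement of the X marks did not survive extraction, so these
# assignments are assumed, not taken from the page.
ACCESS: Dict[str, FrozenSet[str]] = {
    "Company .com registrar account": frozenset({"Me"}),
    "Account on website ABC": frozenset({"Me", "Bob"}),
    "Account on website DEF": frozenset({"Me", "Bob", "Alice"}),
    "Account on website GHI": frozenset({"Me", "Bob", "Alice"}),
    "Bob's webmail": frozenset({"Bob"}),
    "Alice's webmail": frozenset({"Alice"}),
    "Eve's webmail": frozenset({"Eve"}),
}


def db_name(users: FrozenSet[str]) -> str:
    """File name for the database shared by exactly this set of people."""
    return "+".join(sorted(users, key=str.lower)) + ".kdbx"


def plan_databases(access: Dict[str, FrozenSet[str]]) -> Dict[str, List[str]]:
    """Group entries by their exact set of authorised users.

    A .kdbx file has one master key, so everyone who can open it can read
    every entry in it. A least-privilege layout therefore needs one file
    per distinct access set; this is the 'admin+bob.kdbx' sprawl the
    question is worried about, made explicit.
    """
    groups: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for entry, users in access.items():
        groups[users].append(entry)
    return {db_name(users): sorted(entries) for users, entries in groups.items()}


def databases_for_user(access: Dict[str, FrozenSet[str]], user: str) -> List[str]:
    """Files one person must be granted on the share (ACL) and told the
    passphrase of. The same list is what must be rotated when they leave,
    because a departed member still knows those passphrases."""
    return sorted({db_name(users) for users in access.values() if user in users})


PLAN = plan_databases(ACCESS)

if __name__ == "__main__":
    for name, entries in sorted(PLAN.items()):
        print(f"{name}: {', '.join(entries)}")
    for person in ("Me", "Bob", "Alice", "Eve"):
        print(f"{person} needs {databases_for_user(ACCESS, person)}")
```

With the constructed matrix the seven entries collapse into six files, and the registrar-only entry still needs a file of its own; every additional distinct combination of people costs another database, which is the flexibility limit the question points at.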