Onboarding and Succession

Category: Organizations
    Password Management to fit your Business

    Getting new employees up and running quickly drives productivity. Likewise, saying farewell properly drives assurance in the security of your business’s systems and accounts. Whether your business leans towards consolidation and centralization, or prefers a flexible and dynamic environment, PassageWay fits your needs.

    This guide covers the PassageWay approach to onboarding and succession planning for users in your Organization, starting with our approach to the relationship between users and Organizations, then covering the simplest use cases for Onboarding and Offboarding, and finally moving on to the levers and options at your disposal to fit PassageWay to your needs.

    Tip

    For PassageWay, different plans and options are connected and complementary, all originating in our vision of a hack-free world. Empowering everyone at work and at home with password management gets us one step closer to that goal.

    A key aspect of PassageWay is that, unlike many software applications, everything in every Vault is end-to-end encrypted. To maintain this security model, every person using PassageWay must have a unique account with a unique Master Password. Master Passwords should be strong and memorable.

    Each user is in charge of their Master Password. PassageWay is a Zero-knowledge encryption solution, meaning that the team at PassageWay, as well as PassageWay systems themselves, have no knowledge of, way to retrieve, or way to reset any Master Password.

    Tip

    PassageWay is planning a feature in mid-2021 to enable Enterprises to reset their Organization users’ passwords. Individual personal accounts that are not connected to an Enterprise Organization with this upcoming feature enabled will not be affected.

    Use PassageWay Anywhere

    Security everywhere means security anywhere, so the best password managers provide access across all your devices. PassageWay supports a range of client applications, any of which can be connected to your self-hosted DrawBridge server.

    PassageWay Clients/Servers

    Users’ Personal Vaults

    Anyone who creates a PassageWay account will have their own Personal Vault. Accessible from any client application, Personal Vaults are unique to each user, and only that user holds the key to access it, using a combination of their Email Address and Master Password. Personal accounts, and the personal Vault items stored therein, are the account owner’s responsibility. Organization Owners, Admins, and Managers cannot see any other user’s Personal Vault by design, guaranteeing that someone’s personal data remains their own.

    Personal Vaults

    Families, Teams, and Enterprise Organizations automatically provide members individually with features like Emergency Access and encrypted Attachment storage, which they can choose to use. A Personal Vault is just that, Personal: Personal Vaults do not enable sharing, Organizations do.

    Tip

    Why provide Personal Vaults by default?

    Personal Vaults are an instrumental component of the PassageWay approach. Employees use a range of credentials every day, personally and professionally, and habits formed in one area typically become habits in the other. In our view, employees that use proper security practices in their personal lives will carry over that good behavior to their professional lives, protecting your business in the process.

    Using the same tool in both areas helps that habit form faster and more easily. Enterprise Organizations have the option to configure policies, including one that disables Personal Vaults.

    PassageWay Organizations

    PassageWay Organizations add a layer of collaboration and sharing to password management for your team or enterprise, allowing you to securely share common information like office wifi passwords, online credentials, or shared company credit cards. Secure sharing through Organizations is safe and easy.

    Anyone can start an Organization directly from the Web Vault:

    Create New Organization

    Once created, you’ll land in your Organization Vault, which is the central hub for all things sharing and Organization administration. Whoever launches the Organization will be the Owner, giving them full control to oversee the Vault, to manage users, Collections, Groups, and Policies, to use a suite of PassageWay Tools, and to configure the Organization’s Settings:

    Organization Vault

    Collections

    PassageWay Organizations manage users and data in a scalable and secure fashion. Managing users and data on an individual basis is inefficient for large businesses and can leave room for error. To solve this, Organizations provide Collections and Groups.

    Collections gather together Logins, Notes, Cards, and Identities for secure sharing within an Organization:

    Using Collections

    Onboarding Users

    Once your Organization is established and Collections are set up to store your data, Owners and Administrators should invite new members. To ensure the security of your Organization, PassageWay applies a 3-step process for onboarding new members: Invite → Accept → Confirm.

    Users can be onboarded directly from the Web Vault or using the Directory Connector application to sync individual users and Groups.

    Adding Users

    In the simplest cases, users can be added to your Organization directly from the Web Vault. When adding users, you can designate which Collection to grant them access to, which role to give them, and more.

    Learn step-by-step how to add users to your Organization.

    Once users are fully onboarded to your Organization, you can assign access to your Organization’s Vault data by assigning them to Collections. Teams and Enterprise Organizations can assign users to Groups for scalable permissions assignment, and construct Group-Collection associations instead of assigning access on the individual level.

    Tip

    For large Organizations, Directory Connector is the best way to onboard and offboard users at scale.

    Groups

    Groups relate individual users to one another and provide a scalable way to assign permissions, including access to Collections and other access controls. When onboarding new users, add them to a Group to have them automatically inherit that Group’s configured permissions:

    Using Collections with Groups

    Comprehensive Role-based Access Controls

    PassageWay takes an enterprise-friendly approach to sharing at scale. Users can be added to the Organization with a number of different roles, belong to different Groups, and have those Groups assigned to various Collections to regulate access. Among the available roles is a Custom Role for granular configuration of administrative permissions.

    Offboarding Users

    At PassageWay, we see sharing of credentials as a vital aspect of getting work done efficiently and securely. We also recognize that once a credential is shared, it is technically possible for the recipient to keep it. For that reason, secure onboarding using appropriate role-based access controls and implementing policies plays an important role in facilitating secure offboarding.

    Offboarding users from PassageWay involves removing users from your Organization, and like onboarding can be done directly from the Web Vault or in automated fashion using the Directory Connector.

    Sample Offboarding

    Jane is a Manager in your Organization, which is hosted on the PassageWay Cloud and uses company email addresses (e.g. first-last@company.com). Currently, this is how Jane uses PassageWay:

    Client Applications: Uses PassageWay on Mobile and a Browser Extension personally and professionally, and the Web Vault for occasional Organization-related work.
    Email & Master Password: Logs in to PassageWay using alice@company.com and p@ssw0rD.
    Personal Items: Stores assorted personal items, including Logins and Credit Cards, in her Personal Vault.
    Permissions in the Organization: As a Manager, Jane can manage many aspects of Collections.
    Two-step Login: Uses Organization-wide Duo 2FA.
    Created Collections: Created a Collection for her team, “Jane’s Team Collection”.
    Shared Items: Created and shared several Vault items that are owned by the Organization and reside in her team’s Collection.

    Once Offboarded

    When Jane is removed from your Organization:

    Client Applications: Can continue to use any PassageWay application to access her Personal Vault; however, all will immediately lose access to the Organization Vault, all Collections, and all shared items.
    Email & Master Password: Can continue to log in using alice@company.com and p@ssw0rD; however, since she won’t have access to her @company.com inbox, she should be advised to change the email associated with her PassageWay account.
    Personal Items: Will still be able to use her Personal Vault and access the items stored therein.
    Permissions in the Organization: Will immediately lose all permissions over and access to anything related to the Organization.
    Created Collections: Ownership of Collections and shared items belongs to the Organization, so Jane will lose access to “Jane’s Team Collection” despite having created it.
    Shared Items: Ownership of Collections and shared items belongs to the Organization, so Jane will lose access to all these items despite having created them.

    Tip

    Offline devices cache a read-only copy of Vault data, including Organization Vault data. If you anticipate malicious exploitation of this, credentials the employee had access to should be updated upon separation.

    Designing your Organization for your Business

    At PassageWay, we often say that password management is people management, and we can fit the workflows suited to your Organization. By offering a wide range of options, shared via our open source approach, customers can rest assured that they can meet their own individual needs.

    Directory Connector

    For companies with large user-bases that operate using directory services (LDAP, AD, Okta, and others), Directory Connector can synchronize users and groups from the directory to the PassageWay Organization. Directory Connector is a stand-alone application that can be run anywhere with access to your directories and to PassageWay.

    Directory Connector

    Many PassageWay Teams and Enterprise Organizations focus their onboarding efforts on the Directory Connector and use the Organization Vault administration areas to manage Group-Collection relationships.

    Directory Connector will:

    • Sync LDAP-based directory groups with PassageWay Groups
    • Sync users within each Group
    • Invite new users to join the Organization
    • Remove deleted users from the Organization

    Login with SSO

    PassageWay Enterprise Organizations can integrate with your existing Identity Provider (IdP) using SAML 2.0 or OIDC to allow members of your Organization to log in to PassageWay using SSO. Login with SSO separates user authentication from Vault decryption:

    Authentication is completed against your chosen IdP and retains any two-factor authentication processes connected to that IdP. Decryption of Vault data requires the user’s individual key, derived from the Master Password. Using Login with SSO, new PassageWay users can authenticate into their PassageWay Vault using their regular SSO credentials and decrypt that Vault with their newly created Master Password. Users that are removed from your IdP will no longer be able to authenticate by that path.

    This approach ensures that you can:

    • Leverage your existing Identity Provider
    • Protect the end-to-end encryption of your data
    • Provision users automatically
    • Configure access with or without SSO
    • Decrypt Vault data while offline
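    The separation described above, with authentication handled by the IdP and decryption requiring a key the server never holds, is shown in the added model below. This is illustrative code written for this page, not PassageWay’s protocol: the PBKDF2 parameters, the toy HMAC-based cipher, the IdP stand-in and the sample user are all assumptions.

```python
import hashlib
import hmac
import os

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Derived on the client from the Master Password; the server never receives it.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream: demonstration only, not a production cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # tag detects a wrong key

def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def fetch_vault(idp_active_users: set, stored_blobs: dict, email: str) -> bytes:
    # Server side: the IdP (a set of active users here) decides who may log in; a login yields ciphertext only.
    if email not in idp_active_users:
        raise PermissionError("SSO authentication failed")
    return stored_blobs[email]

def can_open(key: bytes, blob: bytes) -> bool:
    try:
        decrypt_vault(key, blob)
        return True
    except ValueError:
        return False

def scenario() -> dict:
    # Jane signs in via SSO, decrypts with her Master Password, then is removed from the IdP.
    email, master = "jane@company.com", "correct horse battery staple"    # constructed sample user
    idp, key = {email}, derive_vault_key(master, email)
    server = {email: encrypt_vault(key, b"wifi=Office-5G / s3cret")}      # constructed vault item
    plaintext = decrypt_vault(key, fetch_vault(idp, server, email))        # decryption on the client
    server_opens = can_open(derive_vault_key("", email), server[email])    # server holds no key
    idp.discard(email)                                                     # offboarding at the IdP
    try:
        fetch_vault(idp, server, email)
        auth_after = True
    except PermissionError:
        auth_after = False
    return {"plaintext": plaintext, "server_can_decrypt": server_opens, "auth_after_removal": auth_after}
```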

    Enterprise Policies

    Enterprise Organizations can implement a variety of Policies designed to lay a secure foundation for any business. Policies include:

    • Two-step Login: Require users to set up two-step login on their personal accounts.
    • Master Password: Set minimum requirements for master password strength.
    • Password Generator: Set minimum requirements for password generator configuration.
    • Single Organization: Restrict users from being able to join any other organizations.
    • Personal Ownership: Require users to save vault items to an organization by removing the personal ownership option.

    Tip

    The Personal Ownership policy, for example, fits into the earlier discussion regarding the interplay between Personal Vaults and Organization Vaults. Some companies may desire the assurance of having all credentials retained in the Organization Vault. A possible implementation could involve allowing each individual user to have their own Collection, which, unlike Personal Vaults, could be overseen by Organization Owners and Admins.

    Event Logs

    PassageWay Organizations include access to Event Logs, which can be viewed directly from the Web Vault or exported to be analyzed within security information and event management (SIEM) systems like Splunk. Event Logs include information about:

    • User-Item interactions
    • Changes made to Vault items
    • Onboarding Events
    • Organization Configuration Changes
    • Much, much more

    Tip

    In addition to these benefits, customers appreciate the ability to tightly integrate PassageWay into their existing systems. PassageWay offers a robust public API and a fully-featured command line interface (CLI) for further integration into existing Organization workflows.

    Self-hosting

    In keeping with the PassageWay approach to offer password management anywhere and everywhere, PassageWay provides an option to self-host to address an even wider range of use cases for Enterprises. There are many reasons for a company to choose to self-host. Specifically when it comes to onboarding, offboarding, and enhanced features, here are some of the reasons companies choose to do so:

    • Immediate deletion of user accounts: Because you control the server, users can be deleted entirely (including their Personal Vaults).
    • Network access control: Organization Owners can determine which network access employees must use to access their PassageWay server.
    • Advanced proxy settings: Administrators can choose to enable or disable certain types of devices from accessing the PassageWay Server.
    • Use an existing database cluster: Connect to an existing Microsoft SQL Server database. Additional databases will be supported in the future.
    • Increase storage for file attachments and PassageWay Send: File attachments for PassageWay items or PassageWay Send are retained on user-provided storage.

    Put the Pieces Together

    Directory Connector, Login with SSO, Enterprise Policies, and your Vault work well individually or in harmony to optimize your onboarding, offboarding, and Organization management experience. The following table details how it might look to string together these pieces into one smooth process:

    Step: Description
    Synchronize: Use Directory Connector to sync groups and users to PassageWay from your existing directory service.
    Invite: Directory Connector will automatically issue invitations to synced users.
    Authenticate: Pair your Login with SSO implementation with the SSO Policy to require users to sign up with SSO when they accept their invitations.
    Administer: Use the Web Vault interface to promote some users to different roles and to ensure Group-Collection relationships are configured to grant the right access to the right users.
    Re-synchronize: Periodically re-run Directory Connector to remove users from PassageWay that are no longer active in your directory service and to start onboarding for new hires.

    FAQs

    Q: If an employee already has a PassageWay account, can we attach it to the Organization so they don’t need another PassageWay account?

    A: Yes! You can. Some customers recommend that, before users are attached to the Organization, those users have a PassageWay Vault registered with their company email. This choice is company-specific and either approach works.

    Q: When an employee leaves, can we detach their account from the Organization so that they don’t have access to company credentials anymore and they do not lose their personal credentials?

    A: Yes! That’s exactly what offboarding entails.

    Q: Can we prevent employees from duplicating credentials from the company Organization to their Personal Vault?

    A: Yes! Using our comprehensive suite of role-based access controls you can make credentials Read Only to prevent duplication.