[Feature Request] Sharing passwords grouped by tags/folders with multiple users/groups. #536

Open
ediazcomellas opened this issue Jan 2, 2019 · 7 comments

Comments

@ediazcomellas

ediazcomellas commented Jan 2, 2019

Feature request

User type: Logged-in
User level: Beginners

Description

Being able to share a list of passwords with a group of users would be very convenient for teams.

Several feature requests have been opened in the past to enhance sharing a group of passwords: #272, #340 and #243, to name a few. The use case is clear: having shared passwords with a group of users. Some people like the way LastPass does it (you create "directories" of passwords and then share the directory).

I understand that sharing passwords with a Nextcloud group of users seems not doable, because of the way Passman is storing vaults and passwords. My proposal is to create a separate vault for each group of passwords that have to be shared, and to share the master key with users and groups. As groups don't have a public/private key pair for sharing, sharing with a group involves tracking which users are in a group and launching actions when the group membership changes.

New behaviour:

  • after installing/activating Passman, all users must be forced to create a personal vault. This has to be done as a post-login hook. Without this, sharing to groups can be a real nightmare.

The way I see this group sharing is:

  • a user creates a shared group of passwords and gives it a name. This makes Passman create a new vault ("shared vault", or SV), encrypted with a random password (SVP).
  • the random password (SVP) is stored in the owner's vault, with a reference to the SV it opens.
  • Passman must hide the fact that the SV is a different vault, showing it as a folder or a special tag to the user. This has to be replicated in all the interfaces.
  • When the owner shares the vault, either to a user or a group, the vault master password is shared, and access to the vault itself is allowed too.
  • Sharing to a group makes Passman generate a share notification for each member of the group.
  • In the case a user gets a share notification but has no vault, he gets a request to create his personal vault. Once this is done, the SV owner gets a request to re-share the SV.
  • When a new user is added to a group that shares an SV, the SV owner gets a notification and must re-share the SV to get all users updated.
  • When a user is deleted from a group, the master key for the SV must be regenerated and sent to all the members of the group, to make sure the excluded user is not able to open the SV again. A notification is sent to the SV owner to do so. This must be as automatic as possible.
  • Passman must keep track of which users/groups should access what SVs, and hide SVs from users when needed and launch the appropriate notifications/requests to the users.

Benefit / value

Being able to use vaults shared with a group of users will greatly enhance team's workflow

Risk / caveats

It requires significant work, not only in the server side but also in plugins and mobile interfaces.

Sponsorship

I will set a bounty if this feature request is accepted.

Are you a developer willing to implement this feature?: no

Can you sponsor the development of this feature or do you know someone who can?: yes
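Added example, not part of the original post and not Passman code: a minimal model of the shared-vault key handling proposed above, in which the SVP is wrapped once per member and regenerated when a member is removed. RSA-OAEP via Node's `crypto` module, the `SharedVault` class and the user names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed stand-in for a user whose personal vault already has a key pair.
function newUser(name) {
  return { name, ...crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) };
}
// Encrypt the SVP to one recipient's public key.
const wrap = (publicKey, svp) => crypto.publicEncrypt({ key: publicKey, ...OAEP }, svp);

// Hypothetical bookkeeping for one shared vault (SV): only public keys and
// wrapped copies of the SVP are stored, never the SVP itself.
class SharedVault {
  constructor(owner) {
    this.members = new Map([[owner.name, owner.publicKey]]);
    this.generation = 0;
    this.rekey();
  }
  // Draw a fresh random SVP and wrap it for every current member.
  // A full implementation also re-encrypts the vault contents under it.
  rekey() {
    const svp = crypto.randomBytes(32);
    this.wrapped = new Map([...this.members].map(([n, pub]) => [n, wrap(pub, svp)]));
    this.generation += 1;
  }
  // A member recovers the SVP from their own wrapped copy; others get null.
  unwrapFor(user) {
    const blob = this.wrapped.get(user.name);
    return blob ? crypto.privateDecrypt({ key: user.privateKey, ...OAEP }, blob) : null;
  }
  // "Re-share": the owner unwraps the current SVP and wraps it for the newcomer.
  addMember(owner, user) {
    this.members.set(user.name, user.publicKey);
    this.wrapped.set(user.name, wrap(user.publicKey, this.unwrapFor(owner)));
  }
  // Removal always rotates, so the SVP the removed user holds opens nothing new.
  removeMember(user) {
    this.members.delete(user.name);
    this.rekey();
  }
}

// Walk through share, removal and rotation; report what each party can recover.
function demo() {
  const [alice, bob, carol] = ['alice', 'bob', 'carol'].map(newUser);
  const sv = new SharedVault(alice);
  sv.addMember(alice, bob);
  sv.addMember(alice, carol);
  const bobOld = sv.unwrapFor(bob);           // what bob could copy while a member
  sv.removeMember(bob);
  const current = sv.unwrapFor(alice);
  return { carolMatchesOwner: sv.unwrapFor(carol).equals(current), bobHasCopy: sv.unwrapFor(bob) !== null,
           oldKeyStillValid: bobOld.equals(current), generation: sv.generation };
}
```

Rotation only protects what is encrypted after the removal; passwords the removed member could already read have to be changed at their source.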



@newhinton
Collaborator

newhinton commented Jan 3, 2019

Sharing multiple Passwords, however they are grouped (by tag, folder or vault or whatever esoteric structure you choose) is currently very hard to implement.

You are suggesting to force a user to create a vault, that is simply not happening. I don't think nextcloud itself has the ability to force a user to do anything, so this is out of the question. (also it is very bad style to force a user to do anything ;) )

However, since sharing is a widely requested feature, we should think about how to implement this.

Your last sentence gave me an idea:

> Being able to use vaults shared with a group of users will greatly enhance team's workflow

It should be not that hard to implement exactly this: showing a single vault to multiple users, even read/write permissions shouldn't be that hard.

But, this takes further consideration before we can start implementing such a thing. But thank you for your input!

@brantje @animalillo

@newhinton newhinton changed the title Sharing passwords grouped by tags/folders with multiple users/groups. [Feature Request] Sharing passwords grouped by tags/folders with multiple users/groups. Jan 3, 2019
@ediazcomellas
Author

Thanks for considering the Feature Request. Please let me know if you think a bounty would help.

@skewty

skewty commented Feb 10, 2019

I may be willing to help with this as my family and coworkers could benefit from it. If all existing security issues were resolved and closed this may be viable in my workplace. This would allow me to devote some work time to this as well.

DISCLAIMER: I am not much of a JavaScript developer although I have written some sizeable code in TypeScript.

@C-Duv

C-Duv commented Apr 14, 2021

So, if we want to share password with multiple users identified by a group name (or a label or anything) this issue is the place to work from?

@WaaromZoMoeilijk
Member

I guess so, I'm able to help. Just like to know if there's any work done on the matter, yet?

@binsky08
Collaborator

@WaaromZoMoeilijk
no work from me for this issue yet
feel free to open a pr :)

@animalillo
Collaborator

animalillo commented Feb 7, 2022

@WaaromZoMoeilijk feel free to pm me on telegram if you have any questions on how to approach the problem if you still want to take a look into it :)

PS: I'm way more responsive over there
