[Feature Request] ACL Support

[agowa]

Hello,

would it be possible to implement ACLs for the entries?
So that one can delegate specific passwords to specific group memberships or users on the backend (ldap).
Also support for NTLM hashes and Kerberos tickets would be nice.
Keepass4web is the only KeePass variant, that runs server-side, so it's the only one that can implement a group based delegation system without adding additional cryptographic layers and complexity to the database.
Currently there is no free and open password manager that allows assigning permissions to separate entries. So I would be happy to see it implemented some day in an open source software.

[lixmal]

Hi,

this sounds interesting. Any ideas how/where to store the ACLs? I want to keep the KeePass databases as clean as possible (not putting additional info there).
NTLM support should be possible, I'll look into it.

I'd like to do some adjustments on the user interface before I approach these features, so it will take some time.

[agowa]

If you don't want to store it in the KeePass database, you could use the UUID and store the ACLs in you're own database with these attributes (UUID, ACLs), where ACLs is a referencte to an object (or table, it depends) containing these attributes (SID, Permissions). And Permissions is a custom type, with these possible bits of information: "read", "write", "delete", "change permissions" (and maybe for every property read and write bits) with these ways of assignment: inherited, directly assigned where the later one overwrites the first one. And the possibility of setting it to allow or deny (or unset)