Fine-Grained Controls

Administrators are often required to allow or restrict certain features across an organization and selectively exempt users when needed. You may need to prevent a group of users from storing personal secrets in the Vault, for example. Zoho Vault provides fine-grained access controls so that admins/super admins can tweak user access at any time. Vault also provides an audit trail of these changes to help troubleshoot access issues that may arise. Access these controls by selecting Fine-Grained Controls under the Admin tab.

Features configurable by both admins and super admins

  • Restrict users from storing personal secrets:
    With this option enabled, no users in the organization, including admins/super admins, will be allowed to store personal passwords. This feature comes in handy when you want to prevent users from storing their personal information on your business network.
  • Restrict users from exporting secrets:
    Enterprises often incorporate policies that prevent employees from downloading company-specific information. Enabling this option will restrict all users in the organization, including admins/super admins, from exporting secrets.
  • Restrict offline access to secret:
    Zoho Vault provides a feature to export passwords as encrypted HTML for offline access. Enable this option to prevent users in the organization, including the admins/super admins, from exporting secrets for offline access.
  • Restrict access to secrets through mobile apps:
    Enterprises often want to selectively restrict users from accessing company secrets outside the network. Selecting this option prevents all users in the organization, including admins/super admins, from accessing secrets through mobile apps.
  • Restrict users from sharing secrets with outsiders:
    Zoho Vault provides an option to share passwords with trusted third parties for granting temporary access. With this option enabled, no users in the organization, including admins and super admins, will be allowed to share passwords with outsiders.
  • Allow users to paste passphrase:
    For security reasons, Zoho Vault does not recommend storing or writing down the Zoho Vault passphrase anywhere. However, for convenience, super admins can allow users to copy their passphrase to the clipboard and paste it when logging in to Zoho Vault. Enabling this option will allow all users in the organization to copy and paste the passphrase.
  • Hide user-defined secret types from global view:
    When you enforce this option, custom secret types will be visible only to the respective users who created them. They will not be visible to others, including admins/super admins.
  • Restrict users from adding new secrets:
    Enable this option to restrict all the users in your organization, including admins/super admins, from storing any new secrets.
  • Restrict users from sharing secrets:
    Sometimes administrators need to restrict users from sharing secrets. When this option is enforced, none of the users in your organization (including admins/super admins) will be allowed to share secrets.
  • Allow users to store multiple URLs to a secret:
    When you enable this option, all the users in your organization (including admins/super admins) will be able to add multiple URLs to a secret.

Features configurable only by super admins

Restrict users from receiving backup data when they forget passphrase and reset it

This option applies to users who forget their passphrase and then reset it. When you enable this option, no users in your organization—except super admins—will receive secrets as backup data (in an encrypted HTML file) through email after resetting their passphrase. You can allow exceptions to this so that certain users receive backup data.

Allow users to export the secrets owned by them and the ones shared with them

When you enforce this option, all the users of your organization, including admins/super admins, will be allowed to export owned and shared secrets. You can allow exceptions to this and restrict only some users from exporting shared secrets.

Enable IP Restriction

For enhanced security, Zoho Vault provides an option that requires users to access the application only from a specific IP range. When you enable this option, IP restrictions will be imposed for all the users in the organization, including admins, but not super admins.

Disable IP Restriction for Mobile Apps

When you enforce this option, IP restrictions (as defined in Admin > IP Restriction) will not be imposed for mobile apps. You can allow exceptions to this and selectively add restrictions for specific users.

How do I exempt specific users from restrictions?

Zoho Vault allows admins/super admins to exempt certain users from the access restrictions mentioned above. Only admins/super admins can add exemptions.

  1. Click Exempt specific users/Modify exemption under any option on the Fine-Grained Controls page to change the permissions for specific users.
  2. From the list of users on the left, select the users who are to be exempted and add them to the right by clicking on the right arrow button. If the list of users is long, you can find specific users using the search function.
  3. Click Save. You can modify the list of exempted users for a feature at any time by clicking Exempt specific users/Modify exemption and making the required adjustments. All modifications are captured in an audit trail so you can track changes.