Grant permissions on sub-entries without requiring read access on parent folders

Grant permissions on sub-entries without requiring read access on parent folders

4 votes

avatar

Summary Currently it appears that you cannot explicitly grant "Connect/View" permissions on a sub-entry without also granting "View" permission on the parent folder containing that entry. I'd like to be able to permission an individual entry directly, so a user can see and connect to only that specific entry, without being granted read access to the parent folder (and by extension visibility of the folder's other contents).
Example


Folder: SERVER
Entry: SVC-1
Entry: SVC-2
Entry: SVC-3
The user should be able to view and connect to SVC-2 only — not SVC-1, not SVC-3, and ideally without needing broad read access on the SERVER folder itself.
Current behavior To grant "Connect/View" on a sub-entry, the user must also be given "View" on the parent folder, which exposes the folder structure and potentially other entries.
Proposed behavior Allow assigning "Connect/View" permissions directly on an individual entry, independent of the parent folder's permissions. The folder would surface only as the minimal path needed to reach the permitted entry, without granting visibility into its other contents.
Benefit Enables true least-privilege access at the entry level, avoiding over-provisioning of folder-level read access just to expose a single entry.

All Comments (3)

avatar

Hello,

Thanks for your request.

At the moment, our permission model is built around hierarchy: to access a sub-entry, a user needs at least read/view access on its parent. That parent visibility is currently a structural requirement of how access is resolved, so granting "Connect/View" on a single entry while keeping the parent folder fully hidden isn't something the platform supports today.

We've taken note of your request and will keep an eye on this thread.

Best regards,

François Dubois

avatar

Hi all,
I guess it would be sufficient if the parent folders are visible but nothing else.
That is the same logic as we are used to in Pleasant Password Server.
Best wishes

avatar

Hello,

Thanks for the feedback.

Supporting this would be a significant change on our side, because of the way our permission model is built today: an entry is only visible if its parent is visible, and that parent in turn is only visible if its own parent is visible. Visibility cascades down the hierarchy, so granting access to a single sub-entry without exposing the parent folder isn't something the current model allows out of the box.

The feedback is noted and appreciated.

Best regards,

François Dubois