SecureAnyBox5 User Guide

First steps and user settings

First login

To log into SecureAnyBox5, your account must be created and a password set. If there are multiple domains, you must also enter the domain name.

Login page

Only one domain is specified. You only need to enter your username and password to sign in to SecureAnyBox5.

More than one domain is specified. You must also enter a domain name to log into SecureAnyBox5.

After entering your login details, you’ll be prompted to set an Access Code. This code is used to decrypt secure information (like passwords and certificates) and to confirm changes.
As you type, you can see how strong your Access Code is and how many required characters you have used.

Entering the Access Code

The Access Code indicator shows:

  • Actual/required length of the Access Code
  • Actual/required number of lowercase letters
  • Actual/required number of uppercase letters
  • Actual/required number of digits
  • Indicator of how secure the Access Code is
  • Button for displaying the Access Code
  • Estimated time to crack the Access Code online
  • Actual/required entropy of the Access Code (the higher, the better)

The character requirements for the Access Code can be changed in the Configuration for users in all domains, or in the domain details for users in that domain.

Once you set the Access Code, you will be redirected to the main Safe Boxes page.

User interface – controls

SecureAnyBox5 user interface

Full name of the logged-in user and the domain into which the user logged in
After clicking the menu icon (next to the user’s name), a context menu is displayed. In the context menu, you can change the user’s settings, activate the White Envelope, or log out of the application.

Notification area
If an error or warning occurs, or some action needs to be performed, a notification appears in this area. For more information, click the notification icon.

Main menu
The main menu of the application. Displayed menu items are dependent on the user’s role and other settings.

Information about license
License information is displayed only to users with the "Administrator" role.

Breadcrumb navigation
The breadcrumb navigation shows a path to the currently opened page. By clicking on the breadcrumb navigation element, it is possible to move to the parent level.

Page menu
The list of possible actions on the page.

Filter area
Enables filtering of the items displayed on the page.

Change Access Code

If you know your Access Code and want to change it (for security or if you shared it), click the menu icon (next to your username) in the top right corner (1). In the menu, select Change Access Code (2).

Context Menu

After clicking the button, a form appears. Enter your current Access Code in the first field, and your new Access Code in the next two fields. As you type, you can see the strength and required characters of your new Access Code.

Change Access Code Form

Click the OK button to confirm. After setting the new Access Code, a success message will appear.

Success message

Forgotten Access Code

If you forget your Access Code, you can reset it. Resetting will remove your access to all Safe Boxes, and any Safe Boxes that only you could access will be deleted.

Depending on the server/domain settings, the user’s private key may be backed up in a White Envelope, in which case there is no need to reset the Access Code. The Access Code can then be recovered from the White Envelope with the help of Security Officers. Recovering the Access Code causes no data loss (unlike a reset).

Before resetting the Access Code, consult your administrator about what would be lost.

To reset your Access Code, click the menu icon (next to your username) in the top right (1). In the menu, select Reset Access Code (2).

Context menu

You need to confirm the warning only if you have access to some Safe Box. Otherwise, you will be asked to enter a new Access Code immediately.

In the Reset Access Code form, confirm the warning that you will lose access to all Safe Boxes. You can also see which Safe Boxes will be deleted because no one will have access after the reset.

Reset Access Code form

After confirming the warning, a form to enter a new Access Code appears. As you type, you can check the strength and required characters. Click OK to confirm.

New Access Code

After resetting, you’ll see a success message. Use your new Access Code to confirm changes. If you had inherited permissions, another user can share them with you. Your White Envelope can be reactivated, but permissions must be reassigned manually.

Success message

Change Login Password

Users synchronized from LDAP/Azure AD cannot change their password in SecureAnyBox5, because the password would not be changed in LDAP/Azure AD. If you are not sure whether your account is synchronized from LDAP/Azure AD, contact your administrator before changing the password.

To change your login password, click the menu icon (next to your username) in the top right corner (1). In the menu, select Change Login Password (2).

Context menu

After clicking the button, a form appears. Enter your current password in the first field, and your new password in the next field. As you type, you can see the length, character types, and strength of your new password.

Change Login Password form

Click the OK button to confirm. After changing your password, a success message will appear.

Two-Factor Authentication

To improve security, you can enable Two-Factor Authentication (2FA) in SecureAnyBox5. The second factor is a 6-digit code from an Authenticator app, paired with SecureAnyBox5 using a secret key.

Enable Two-Factor Authentication

You can enable two-factor authentication for your account. If enabled, you must enter a verification code from your Authenticator app every time you log in.

To enable Two-Factor Authentication, you need to have the Authenticator app installed on a mobile phone.

To enable Two-Factor Authentication, click the menu icon (next to your username) in the top right (1). In the menu, select Two-Factor Authentication settings (2).

Two-Factor Authentication settings

After clicking the button, a setup wizard appears. Follow the steps to pair your Authenticator app with SecureAnyBox5.

Setup wizard screenshots: first step, second step, third step, fourth step

Once enabled, you must enter the second factor every time you log in. You can disable 2FA in the settings, or a User Manager can do it in your user details.

Pair another Authenticator

After setting up Two-Factor Authentication, you can pair another Authenticator app if needed.

To pair another Authenticator, click the menu icon (next to your username) in the top right (1). In the menu, select Two-Factor Authentication settings (2).

Two-Factor Authentication settings

In the wizard, select PAIR ANOTHER AUTHENTICATOR and follow the steps. All paired Authenticators should generate the same 6-digit code.

Wizard screenshots: first step, second step, third step, fourth step, fifth step

Disable second factor

If you no longer want to use 2FA, you can disable it in the settings. If 2FA is mandatory, you will be required to set it up again. Disabling 2FA removes all your settings and paired Authenticators.

To disable 2FA, click the menu icon (next to your username) in the top right (1). In the menu, select Two-Factor Authentication settings (2).

Two-Factor Authentication settings

In the wizard, select Disable second factor and enter the 6-digit code to confirm.

Wizard screenshots: first step, second step, third step

Reset Two-Factor Authentication settings

A User Manager can reset Two-Factor Authentication for another user by clicking Reset Two-Factor Authentication at the bottom of the user details form.

Reset button

To confirm the reset, the Access Code is required. Use this if the user lost access to their Authenticator app.

Change language

You can change the language of the web interface. Supported languages are English, Czech, German, and French. To change the language, click the menu icon (next to your username) in the top right (1). In the menu, select Change Language (2).

Context menu

After clicking the button, a form appears. Select your preferred language and click OK. The page will reload in the chosen language.

Change language form

User Preferences

You can change your personal preferences. To do this, click the menu icon (next to your username) in the top right (1). In the menu, select Change preferences (2).

Context menu

After clicking Change Preferences, the User Preferences form appears.

User Preferences form

The Remember Access Code field (1) is shown only if Access Code remembering is enabled on the server.
Fields in the Notification settings section (2) appear if email notifications are enabled.
The Notification of user initialization field (3) is visible only to users with the User Manager role.

In the User Preferences form, you can set remembering of the last location, the default password pattern for the Safe Box Groups, Safe Boxes, and Accounts that you create, and enable or disable mail notifications of changes in Safe Boxes. All preferences apply only to the currently logged-in user. Preferences for all users can be changed in the SecureAnyBox configuration.

Remember Last Location

Remembering of the last visited location (page) can be set per user or per combination of user and station. If it is not turned off, the last visited page is loaded automatically after the user logs in to SecureAnyBox5.
Available options:

  • Off – Don’t remember the last page
  • Remember for user – Remember last visited page or Safe Box for given user
  • Remember for user and station key – Remember last visited page or Safe Box for given user and station key

If a start page is set, it is not possible to enable remembering of the last visited location.

Remember Access Code

This field is displayed if remembering of Access Code is set in the server configuration.

After entering an Access Code, SecureAnyBox will temporarily store your Access Code in a cache, so you don’t have to enter the Access Code repeatedly. To disable remembering your Access Code, uncheck the field.

Default Password Pattern

This is the default password pattern for Safe Boxes and Accounts when no specific pattern is set.
Each letter in the pattern represents a character in the generated password (see the password pattern examples below).
Allowed characters and their meanings:

  • v – lowercase vowel (a, e, i, o, u, y)
  • V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
  • Z – uppercase vowel
  • c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
  • C – mixed case consonant
  • z – uppercase consonant
  • l – any lowercase letter
  • A – any letter, mixed case
  • u – uppercase letter
  • d – digit (0-9)
  • s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
  • n – digit or special character
  • \ – escape character (the next character is used as is, e.g. pattern ‘\-’ outputs ‘-’ in the password)
  • * – any allowed character

Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.

Customized Column Of Records In Safe Boxes

Selects which data is displayed in the middle column of the list of records in a Safe Box, after the record name. The default value in the server configuration is Description.

Notification settings

Notification Of Changes

This field is displayed only if e-mail notifications are enabled in the server configuration.

Select whether notification emails with a summary of changes are sent, and whether you are notified of changes in all Safe Box Groups, Safe Boxes, and records or only in the watched ones.
Whether users are notified of changes in all fields or only in encrypted ones, and how often notifications are sent to them, depends on the SecureAnyBox server configuration.

Notification Of Accesses

This field is displayed only if e-mail notifications are enabled in the server configuration.

Select if notification emails with a summary of accesses to encrypted information will be sent and whether you will be notified of accesses to encrypted information in all currently accessible Safe Box Groups, Safe Boxes, and records, or only the watched ones.
How often notifications will be sent to users depends on SecureAnyBox server configuration.

Notification Of User Initialization

This field is displayed only if e-mail notifications are enabled in the server configuration.
This field is displayed only to users with User Manager role.

If you enable email notifications of user initialization, you will receive emails with a summary of which users have set their password and/or Access Code for the first time.

Override Default Settings

By overriding the default settings from the domain, you can set automatic watching according to your preferences. If the default setting is overridden, any changes to the automatic watching settings in the domain will not apply to you.

Automatically Watch Changes

For Safe Box Groups and Safe Boxes, the user who creates or obtains access will be set to watch changes automatically. If sending notifications is enabled (in the server configuration), email notifications will be sent with a summary of changes in the watched ones.

Automatically Watch Accesses

Safe Box Groups and Safe Boxes that the user creates or obtains access to will automatically watch accesses to the encrypted information in them. If sending notifications is enabled (in the server configuration), email notifications will be sent with a summary of accesses to the watched ones.

Start page setting

You can set a start page to be redirected to after logging in.
To set your start page, click the menu icon (next to your username) in the top right (1). In the menu, select Start page setting (2).

Start page setting menu

After clicking Start page setting, a window for the start page setting is displayed.

First setting of a start page

If this is your first time setting a start page, a window will appear for you to confirm the selection.

First setting of a start page

Start page is set to the current page

If the current page is already set as your start page, a window will appear allowing you to remove this setting.

Start page is set to the current page

Start page is set to different page

If your start page is set to a different page, you can check the setting by clicking the link. You can also override or remove your start page settings.

Start page is set to different page

Switch to Administration

Starting with version 5.0, the Administration section is in a separate interface. To switch to Administration, click the menu icon (next to your username) in the top right (1). In the menu, select Switch to Administration (2) to be redirected.

Switch to Administration

Safe Boxes

Safe Boxes and Safe Box Groups are used to store sensitive data, such as accounts used to log in, certificates, credit cards, and other files. Safe Boxes can be divided into three types:

Safe Boxes and Safe Box Groups can be shared with other users. Dynamic inheritance of permissions applies to shared Safe Boxes and Safe Box Groups. For private Safe Boxes and Safe Box Groups, all permissions for other users have to be set manually.

Each Safe Box or Safe Box Group name must be unique within its parent group or at the root. However, you can create a private Safe Box or Group with the same name as another, because the private name includes the owner’s name.
If you own a private Safe Box, you won’t see your own name in its title.

Private Safe Box's name is displayed differently to the owner of private Safe Box and to other users to whom the private Safe Box is shared.

As you can see in the image above, Private Safe Box’s name is displayed differently to the owner of private Safe Box and to other users who have permissions to this private Safe Box.

Menu

Filtering of Safe Boxes and Safe Box Groups

At the root level, you can filter Safe Boxes and Groups by name or description using the filter field (1). You can also filter by user tag or user using the special field (2).

Filtering fields

Filtering by user tag shows Safe Boxes and Groups with permission templates for that tag.
Filtering by user shows Safe Boxes and Groups where the selected user has permissions.

Pinned Safe Boxes and Safe Box Groups

You can pin Safe Boxes and Groups to the top of the list for quick access.
To pin, click the pin icon (pin icon) next to the item and confirm.

Screenshots: click to pin Safe Box; pin Safe Box dialog

Pinned items appear at the top of the list with a pin icon.

pinned Safe Box in Grid

To manage the order of pinned items, click Edit pinned order. Drag items to rearrange.

edit pinned order

To unpin, click the pin icon again and confirm. The item will return to its normal position.

Sharing & Permissions

You can manage access rights for each Safe Box or Group. For non-private items, access rights are inherited dynamically. Private items block inheritance, but you can assign permissions manually.
You can also manage access rights at the root level.
To manage access, click Sharing & Permissions.

The Sharing & Permissions button is displayed only to users with the Access Control permission.

Sharing & Permissions table

The Sharing & Permissions page shows a table of users with permissions for that level (root, group, or box) and all its records.

Each user can have three types of rights:

Inherited rights – Permissions inherited from parent Safe Box Group or the root level

Effective rights – These permissions are checked when verifying permissions to some action.

Assigned rights – Permissions explicitly assigned

Effective rights

Effective permissions are determined by either directly assigned rights or inherited permissions from the parent level.

Private Safe Boxes

When a Safe Box or Safe Box Group is marked as private, its owner automatically has all access permissions (the IRCMDAT rights) and can do anything: read, add, modify, delete, manage rights, and perform other actions. Inheritance of permissions from the parent level is blocked.

Permission Management

You can find an overview of all your permissions on the Sharing and Permissions page.

Permissions overview

The table only shows permissions that can be set on the Sharing & Permissions page.

Permission – Description:

  • Inherited – Enables dynamic inheritance of permissions. Can be set only for the root level or a Safe Box Group.
  • Read – User has permission to view Safe Box Groups, Safe Boxes and the records in them (accounts, files, etc.).
  • Create – User has permission to create a new Safe Box Group, Safe Box or record (account, file, etc.).
  • Modify – User has permission to modify Safe Box Groups, Safe Boxes and the records in them (accounts, files, etc.).
  • Delete – User has permission to delete or move a Safe Box Group, Safe Box or record (account, file, etc.).
  • Access Control – User has permission to manage rights for a Safe Box Group, Safe Box or record (account, file, etc.).
  • Apply Templates – User has permission to apply Permission templates for a Safe Box Group or Safe Box.

Sharing Safe Box or Safe Box Group

You can share a Safe Box or Group by assigning access rights.
To assign permissions, click Add User. A list of users you can share with appears. You cannot share with users who have not set an Access Code.
If a user is from a different domain, their domain name appears after their username.

Add user

Select one or more users to share with, then click OK. You must confirm by entering the Access Code.
New users are added with READ permission. You can assign more permissions by checking the boxes.
All changes must be confirmed by entering the Access Code.

Assigned rights

You can manage assigned rights for each Safe Box or Group. If a user has inherited rights, click the blue gear icon (blue gear) to assign rights directly.
Assigned rights override inherited rights.
If a user has no inherited rights, you can assign rights by checking the boxes.
To remove assigned rights, click the cross icon (cross icon) and confirm. If the user had only assigned rights, they are removed from the table.

Dynamic inheritance

Dynamic inheritance applies only to shared Safe Boxes or Groups. To use it, assign the Inherited permission at the root or group level.
If a user has Inherited at the root, all their other permissions at the root are inherited by all shared Safe Boxes and Groups.
If Inherited is set only at a group, all other permissions in that group are inherited by all shared Safe Boxes in that group.

When you change the Inherited permission, a warning dialogue appears. To proceed, type the confirmation code (three bold letters) and confirm.
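To make the rules from the Effective rights, Private Safe Boxes and Dynamic inheritance sections concrete (assigned rights override inherited ones, inheritance flows down only where the parent's effective rights contain Inherited, a private level blocks inheritance and gives its owner all IRCMDAT rights), here is an added Python model of effective-rights resolution. It is an illustration written for this guide, not SecureAnyBox's own code; the level names, user names and rights in build_demo are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Right letters as listed in the Permission Management table:
# I=Inherited, R=Read, C=Create, M=Modify, D=Delete, A=Access Control, T=Apply Templates
ALL_RIGHTS = frozenset("IRCMDAT")


@dataclass
class Level:
    """The root, a Safe Box Group or a Safe Box (hypothetical model, not the product's data structure)."""
    name: str
    parent: Optional["Level"] = None
    private: bool = False
    owner: Optional[str] = None
    # Explicitly assigned rights: user -> set of right letters
    assigned: Dict[str, Set[str]] = field(default_factory=dict)


def effective_rights(level: Level, user: str) -> Set[str]:
    """Resolve the rights that are actually checked for `user` at `level`."""
    # The owner of a private level always holds every right.
    if level.private and level.owner == user:
        return set(ALL_RIGHTS)
    # Assigned rights override whatever would be inherited.
    if user in level.assigned:
        return set(level.assigned[user])
    # Private levels block dynamic inheritance; the root has nothing to inherit from.
    if level.private or level.parent is None:
        return set()
    # Dynamic inheritance only flows down when the parent's effective rights contain I.
    parent_rights = effective_rights(level.parent, user)
    return set(parent_rights) if "I" in parent_rights else set()


def can(level: Level, user: str, right: str) -> bool:
    """True if `user` effectively holds `right` (one IRCMDAT letter) at `level`."""
    return right in effective_rights(level, user)


def build_demo() -> Dict[str, Level]:
    """Constructed example hierarchy: root -> group 'Project X' -> two Safe Boxes."""
    root = Level("root")
    root.assigned["alice"] = set("IRC")   # I at root: IRC flows to every shared level below
    root.assigned["bob"] = set("R")       # no I: bob's root rights stay at the root
    root.assigned["dave"] = set("RCM")    # no I either, so nothing flows down for dave
    proj = Level("Project X", parent=root)
    proj.assigned["bob"] = set("IRM")     # I at the group: IRM flows to shared boxes in it
    servers = Level("servers", parent=proj)              # shared box, inherits from proj
    carols = Level("carol-private", parent=proj, private=True, owner="carol")
    carols.assigned["alice"] = set("R")   # manual assignment on a private box
    return {"root": root, "proj": proj, "servers": servers, "carols": carols}
```

Run effective_rights on the demo to see that bob's root Read right never reaches the group, while his IRM assigned at the group reaches the shared "servers" box but not the private one.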

Modifying inheritance warning dialog
Permissions for the root level

Root-level permissions are set by the Default Safe Box Permissions, but they can also be changed directly. To manage root permissions, you need Access Control for the root and the User Manager or Administrator role. Otherwise, the Sharing & Permissions button will not appear.

Share inherited permissions

If a user resets their Access Code or is assigned the Inherited permission at the root, you must share inherited permissions with them.
If this happens, a warning appears when you load the root page. Click OK and enter the Access Code to share permissions.

Share inherited permissions

Permission templates

Permission templates can be managed only by users with the Access Control permission.

Permission templates help you assign permissions to users. Templates can be set for the root, any group, or any box, and are assigned to user tags. You can create one template per level per tag. Tags can be from your domain or other visible domains.

Permission templates for group

To create a template, select a user tag and assign permissions. The template applies to all users with that tag.

Permission template set for – Affected levels:

  • Root level – all shared Safe Boxes and Safe Box Groups
  • Safe Box Group – all Safe Boxes within the Safe Box Group
  • Safe Box – the Safe Box only

If the permission template is set at the parent level, you can modify it by clicking the blue gear icon (blue gear).

Permission templates for box in group

To view or manage the permission template(s) of the parent level, click the Up button.
Once permission templates are set, users with the Apply templates permission can apply them.

Apply permission templates

Only users with Apply templates permission can perform this action.

Permission templates can be applied when these conditions are met:

When all conditions are met, a notification icon appears (notification).

Templates can be applied to groups or boxes. Permissions are computed based on templates in the listed groups and boxes for each user tag. If computed permissions are missing some effective permissions, a red arrow (red arrow icon) appears.

Apply permission templates

Please review permissions in the table below.
Permissions were computed based on Permission Templates in listed Safe Boxes and Safe Box Groups depending on User tags assigned to listed users.
You can either Approve permissions, Skip permission assignment this time or Reject permission assignment. When you Reject permission assignment, SecureAnyBox5 will remember this choice. Next time Permission Templates are processed, permission record will show as rejected by default.
To completely remove a user from the permission assignment processing, you can change the user’s user tag assignment.

Computed permissions – Permissions applied to:

  • Contain permission I (Inherited) – all shared Safe Boxes and Safe Box Groups
  • Do not contain permission I – all shared Safe Boxes; Safe Box Groups will have just the R (read) permission applied

Watching…

You can set up watching for changes and/or access to encrypted information for Safe Box Groups, Safe Boxes, and records. Watching can be set at each level except the root.

When a user is watching changes at some level and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of changes at that level. Whether changes are watched in all fields or only in encrypted ones depends on the server configuration of notifications.
If the user is watching accesses to encrypted information and e-mail notifications are enabled in the server configuration, SecureAnyBox5 sends e-mails with a summary of accesses at that level.
To access encrypted information, it is necessary to enter the Access Code in a record. If the Access Code is temporarily remembered, the user accesses all records without entering the Access Code.
Watching of accesses and/or changes is inheritable: if a user watches changes in a Safe Box Group, all Safe Boxes and records within that Safe Box Group inherit the watching of changes/accesses from the parent level.

From the root level, you can edit watching for all currently accessible Safe Box Groups, Safe Boxes, and records by clicking the Watching… button.

Watching of changes/accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

Watching menu in root

In the Watching report, it is possible to check what the currently logged user is watching.

Start watching changes to everything

Changes in all Safe Box Groups, Safe Boxes, and records you currently have access to will be watched.

Watching of changes will be explicitly set for all currently accessible Safe Box Groups and Safe Boxes. Records inherit watching of changes from the Safe Box in which they are stored.

Note: Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings and on whether the level in which they will be stored watches changes, because watching of changes may be inherited from the parent level.

After clicking the Start watching changes to everything button, it is necessary to confirm the dialog window.

Start watching accesses to everything

Access to encrypted information in all Safe Boxes and Safe Box Groups you currently have access to will be watched.

Watching of accesses will be explicitly set for all currently accessible Safe Box Groups and Safe Boxes. Records inherit the watching of accesses from the Safe Box in which they are stored.

Note: Watching of accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings and on whether the level in which they will be stored watches accesses, because watching of accesses may be inherited from the parent level.

After clicking the Start watching accesses to everything button, it is necessary to confirm the dialog window.

Stop watching changes to everything

Changes in all Safe Box Groups, Safe Boxes, and records you currently have access to will no longer be watched.

Watching of changes can be reactivated at any time.

Note: Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

After clicking the Stop watching changes to everything button, it is necessary to confirm the dialog window.

Stop watching accesses to everything

Access to encrypted information in all Safe Box Groups, Safe Boxes, and records you currently have access to will no longer be watched.

Watching of accesses can be reactivated at any time.

Note: Watching of accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

After clicking the Stop watching accesses to everything button, it is necessary to confirm the dialog window.

Stop watching all

After clicking the Stop watching all button, watching of changes and accesses is deactivated for all currently accessible Safe Box Groups, Safe Boxes, and records.

Watching of accesses and/or changes can be reactivated at any time.

Note: Watching of changes and/or accesses for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

After clicking the Stop watching all button, it is necessary to confirm the dialog window.

Safe Box Group

Page menu: Create, Edit, Watching…, Delete

Safe Box Group is intended for associating Safe Boxes into larger units. For example, the Safe Box Group can associate all Safe Boxes related to some project, server and so on.

Access rights can be managed for each Safe Box Group separately. Dynamic inheritance of access rights applies to Safe Box Groups that are not private. The Inherited permission can be set for the root level or for a Safe Box Group. When a user has the Inherited permission for a Safe Box Group, all new shared Safe Boxes inside this group inherit their permissions from the Safe Box Group.

If the user has the Inherited permission set for the root level, they automatically inherit permissions for all shared Safe Box Groups and Safe Boxes within the range of the user’s domain.

When the Safe Box Group is private, the inheritance of access rights is blocked. However, the permissions to the private Safe Box Group can be assigned manually.

Create New Safe Box Group

To create a Safe Box Group, the user needs to have assigned the Create permission for the root level.

To create a Safe Box Group, click New Safe Box Group. Set a name, password pattern, and type (private or shared). You can create new Safe Boxes in the group or move existing ones into it.

New Safe Box Group

If the group is private, all Safe Boxes in it are also private.

Name

The Safe Box Group name should characterize its content, so that you can work with SecureAnyBox more effectively and conveniently. Each name must be unique at the root level.
However, a user can create two Safe Box Groups with the same name if one of them is private. The name of a private Safe Box Group is stored along with the username of its owner, so both names are unique.

Description

The description should clearly distinguish the Safe Box Group from others.

Password settings

Select the password settings that will be applied when generating a password for records within the scope of this Safe Box Group:

Password preset

A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.

Password pattern

The password pattern is automatically set for all Safe Boxes and records in the group.
Each letter in the pattern represents a character in the generated password (see the password pattern examples below).
Allowed characters and their meanings:

  • v – lowercase vowel (a, e, i, o, u, y)
  • V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
  • Z – uppercase vowel
  • c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
  • C – mixed case consonant
  • z – uppercase consonant
  • l – any lowercase letter
  • A – any letter, mixed case
  • u – uppercase letter
  • d – digit (0-9)
  • s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
  • n – digit or special character
  • \ – escape character (the next character is used as is, e.g. pattern ‘\-’ outputs ‘-’ in the password)
  • * – any allowed character

Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.

External files path

Enter an external files path that will be preset to all Safe Boxes within the Safe Box Group.
The path should be specified in MS Windows format (e.g. L:\SAB_DRIVE). If an external file path is changed, SecureAnyBox will store all new external files at the new location, but all previously stored files will remain at their original location.
Without SAB Launcher or SecureAnyBox plugin for Total Commander it is not possible to add external files to SecureAnyBox or work with them.

Safe Box Group type

Safe Box Group type is important for the dynamic inheritance of access rights.
When the Safe Box Group is private, none of the permissions will be inherited from a parent level. However, access rights to the private Safe Box Group can be assigned manually.
If the Safe Box Group is shared, the dynamic inheritance of access rights will be applied.
If the value is read only (plain text), the user does not have permission to modify a Safe Box Group type and create private Safe Box Groups.

Private – Blocks access rights inherited from parent level.
Shared – Access rights are inherited from parent level.

Compliance profile

The compliance profile sets password security requirements. Use the Compliance report to check if passwords meet these requirements.

Edit Safe Box Group

To be able to edit the Safe Box Group, a user must have permission to Modify.

You can change the name, description, password pattern, external files path, and type for each Safe Box Group.
If you change the external files’ path, new files will be stored at the new location. However, existing files remain at their original location.

Watching…

For each Safe Box Group, you can enable watching for changes and/or access to encrypted information. If someone changes or accesses a watched item, an email notification is sent (if configured).

To access encrypted information, the Access Code must be entered in the record. If the Access Code is temporarily remembered, the user can access all records without entering it again.

The user can customize the notification settings in user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

To set watching for the Safe Box Group, click the Watching… button; the watching menu is displayed.

Watching menu Safe Box Group

In the Watching report, you can see what you are currently watching in the group.
The current status is shown next to the Watching… button.

Watch changes + Watch accesses – Watching of changes and of accesses to encrypted data is set explicitly for the Safe Box Group.
Watch changes – Watching of changes is set for the Safe Box Group; accesses to encrypted data are not watched.
Watch accesses – Watching of accesses to encrypted data is set explicitly for the Safe Box Group; changes are not watched.

For Safe Box Groups, watching of changes and/or accesses can only be set explicitly; there is no parent level to inherit it from.

By checking Watching Changes or Watching Accesses, you set explicit watching for the group. All Safe Boxes and records in the group inherit this setting.

Start watching changes within this Safe Box Group

All Safe Boxes currently in this group will have explicit watching for changes, even if moved to another group where changes are not watched.

Records stored in Safe Boxes within this Safe Box Group will inherit watching of changes from the Safe Box.

Note: If automatic watching of changes is not set in the user's settings, Safe Boxes (and the records in them) added to this Safe Box Group in the future will inherit watching of changes from the Safe Box Group. Otherwise, all such Safe Boxes and records will have watching of changes set explicitly.

After clicking the Start watching changes within this Safe Box Group button, confirm the action in the dialog window.

Start watching accesses within this Safe Box Group

All Safe Boxes currently in this group will have explicit watching for accesses, even if moved to another group where accesses are not watched.

Records stored in Safe Boxes within this Safe Box Group will inherit watching of accesses from the Safe Box.

Note: If automatic watching of accesses is not set in the user's settings, Safe Boxes (and the records in them) added to this Safe Box Group in the future will inherit watching of accesses from the Safe Box Group. Otherwise, all such Safe Boxes and records will have watching of accesses set explicitly.

After clicking the Start watching accesses within this Safe Box Group button, confirm the action in the dialog window.

Stop watching changes within this Safe Box Group

The group, including all Safe Boxes and their records, will no longer be watched for changes.

Watching of changes can be reactivated at any time.

Note: Watching of changes for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user's settings of automatic watching.

After clicking the Stop watching changes within this Safe Box Group button, confirm the action in the dialog window.

Stop watching accesses within this Safe Box Group

The group, including all Safe Boxes and their records, will no longer be watched for access to encrypted data.

Watching of accesses can be reactivated at any time.

Note: Watching of accesses for Safe Boxes and records within this Safe Box Group that you create or to which you obtain access in the future depends on the user's settings of automatic watching.

After clicking the Stop watching accesses within this Safe Box Group button, confirm the action in the dialog window.

Delete Safe Box Group

You can delete a Safe Box Group from the root level if you have Delete permission. If you have the permission, the cross icon appears at the end of the row.
Click the cross icon and confirm to delete. The group will be removed from the list.
You can immediately restore a deleted group by clicking Undo in the message.

Delete message

Safe Box

Create Edit Move Import records Watching… Connect from Safe Box Delete

Safe Boxes store records of different types: accounts, secret accounts, TOTP authenticators, files, certificates and credit cards. Think of a Safe Box as a folder and the records as the files in it.
Access rights can be managed for each Safe Box individually. Shared Safe Boxes inherit access rights dynamically from the parent level (the root or the Safe Box Group), so permissions granted at the parent level also apply to every shared Safe Box created under it later.
When a Safe Box is private, access rights inheritance is disabled. Access rights can still be assigned to the private Safe Box manually.

Create Safe Box

To be able to create a Safe Box, a user must have permissions to Create for the root level or a Safe Box Group in which the Safe Box will be created.

You can create a new Safe Box at the root or inside a group by clicking New Safe Box. Set a name, password pattern, and type (private or shared). Private Safe Boxes can only be created at the root.
When creating a Safe Box in a group, the type is set by the group.

New Safe Box
Name

The Safe Box name should characterize its content to work with SecureAnyBox more effectively and conveniently. Each name must be unique within the range of a Safe Box Group or the root level.
However, a user can create two Safe Boxes with the same name at the root level, if one of the Safe Boxes is private. The name of a private Safe Box is stored along with the username of its owner, so both names are unique.

Description

The description should clearly distinguish the Safe Box from others.

Password settings

Choose the password settings for records in this Safe Box:

Password preset

A password preset will be used to generate passwords. The preset can specify requirements like uppercase letters, included/excluded characters, minimum entropy, etc. Presets must be defined in the Administration interface.

Password pattern

The default password pattern is automatically set for all records in the Safe Box.
Each letter in the pattern represents a character in the generated password.
See password pattern examples
Allowed characters and their meanings:
v – lowercase vowel (a, e, i, o, u, y)
V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
Z – uppercase vowel
c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
C – mixed case consonant
z – uppercase consonant
l – any lowercase letter
A – any letter, mixed case
u – uppercase letter
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character (next character is used as is, e.g. pattern ‘\-’ outputs ‘-’ in the password)
* – any allowed character
Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.

External files path

Enter an external files path that will be used as a location to store external files within the Safe Box.
The path should be specified in MS Windows format (e.g. L:\SAB_DRIVE). If an external file path is changed, SecureAnyBox will store all new external files at the new location, but all previously stored files will remain at their original location.
Without the SAB Launcher or the SecureAnyBox plugin for Total Commander, external files cannot be added to SecureAnyBox or worked with.

Safe Box type

Safe Box type is important for the dynamic inheritance of access rights.
When the Safe Box is private, none of the permissions will be inherited from a parent level. However, access rights to the private Safe Box can be assigned manually.
If the Safe Box is shared, the dynamic inheritance of access rights will be applied.
If the value is read only (plain text), the user does not have permission to change a Safe Box type.
The Safe Box type cannot be set to Safe Boxes inside a Safe Box Group – for these Safe Boxes, the type is given by the parent Safe Box Group.

Private – Blocks access rights inherited from parent level.

Shared – Access rights are inherited from parent level.

Compliance profile

The compliance profile sets password security requirements. Use the Compliance report to check if passwords meet these requirements.

Edit Safe Box

To be able to edit the Safe Box, a user must have permission to Modify.

You can change the name, description, password pattern, external files path, and type for each Safe Box.
If you change the external files’ path, new files will be stored at the new location. However, existing files remain at their original location.
If the Safe Box is not in a group, you can also change its type.

Move Safe Box

To be able to move the Safe Box, a user must have permission to Delete. When moving, the Safe Box is effectively deleted from an original location and created at a target location.

To move a Safe Box, click Move Safe Box and wait for the list of possible destinations.

Move Safe Box

Click a row in the list to select the destination, then confirm by entering the Access Code.

Moving a Safe Box changes the parent level from which its access rights are inherited, so the permissions of other users for the Safe Box may change.

Import records into Safe Box

You can import records from other applications into a Safe Box. First, create the target Safe Box. On its page, click Import… and select SecureAnyBox5 Importer from the menu.

Import to Safe Box - menu

Import utilities can be downloaded from Downloads page too.

After clicking, a dialog with a download link appears. Download and extract the zip archive, then run the provided utility.

Download link for the import utility

In SecureAnyBox5 Importer, enter the SecureAnyBox5 address in the appropriate field. You can copy the address by clicking Copy SecureAnyBox5 address in the menu that appears after clicking Import….

Copy SecureAnyBox5 address messageBox

Watching

For each Safe Box, you can enable watching for changes and/or access to encrypted information. If someone changes or accesses a watched record, an email notification is sent (if configured).
If a Safe Box is watched, all its records are also watched. You can customize notification settings in user preferences.

Watching of changes for Safe Box Groups, Safe Boxes, and records that you create or to which you obtain access in the future depends on the user’s settings of automatic watching.

Watching menu Safe Box

In the Watching report, you can see what you are currently watching in the Safe Box.
The current status is shown next to the Watching… button.

Watch changes – Watching of changes is set explicitly for the Safe Box. Accesses are not watched.
Watch changes - inherited – Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses – Watching of accesses to encrypted data is set explicitly for the Safe Box. Changes are not watched.
Watch accesses - inherited – Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes + Watch accesses – Watching of changes and of accesses to encrypted data is set explicitly for the Safe Box.
Watch changes + Watch accesses - inherited – Watching of changes is set explicitly for the Safe Box; watching of accesses to encrypted data is inherited from the parent level.
Watch changes - inherited + Watch accesses – Watching of changes is inherited from the parent level; watching of accesses to encrypted data is set explicitly for the Safe Box.
Watch changes - inherited + Watch accesses - inherited – Watching of changes and of accesses to encrypted data is inherited from the parent level.

By checking Watching Changes or Watching Accesses, you set explicit watching for the Safe Box. All records in the box inherit this setting.

Start watching changes within this Safe Box

All records currently in this Safe Box will have explicit watching for changes, even if moved to another box where changes are not watched.

Note: If automatic watching of changes is not set in the user's settings, records added to this Safe Box in the future will inherit watching of changes from the Safe Box. Otherwise, all such records will have watching of changes set explicitly.

After clicking the Start watching changes within this Safe Box button, confirm the action in the dialog window.

Start watching accesses within this Safe Box

All records currently in this Safe Box will have explicit watching for accesses, even if moved to another box where accesses are not watched.

Note: If automatic watching of accesses is not set in the user's settings, records added to this Safe Box in the future will inherit watching of accesses from the Safe Box. Otherwise, all such records will have watching of accesses set explicitly.

After clicking the Start watching accesses within this Safe Box button, confirm the action in the dialog window.

Stop watching changes within this Safe Box

Changes in this Safe Box and all its records will no longer be watched.

Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and the records within it) may still inherit watching of changes from the Safe Box Group.
Watching of changes for records within this Safe Box that you create or to which you obtain access in the future depends on the user's settings of automatic watching.

After clicking the Stop watching changes within this Safe Box button, confirm the action in the dialog window.

Stop watching accesses within this Safe Box

Access to encrypted information in this Safe Box and all its records will no longer be watched.

Watching of accesses can be reactivated at any time.

Note: If the Safe Box is stored in a Safe Box Group, the Safe Box (and the records within it) may still inherit watching of accesses from the Safe Box Group.
Watching of accesses for records within this Safe Box that you create or to which you obtain access in the future depends on the user's settings of automatic watching.

After clicking the Stop watching accesses within this Safe Box button, confirm the action in the dialog window.
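The explicit/inherited rules described in this section and in the Safe Box Group watching section above are easier to follow as a small model. The Python below is an added example written for this guide, not SecureAnyBox's code. It assumes a tree of Safe Box Group, Safe Box and record where each item stores only its own explicit flags, the effective state is resolved by walking up the tree, and the automatic-watching user setting is not set. The scenario function walks through the caveats from the text: a Safe Box that received explicit watching when the group's Start button was used keeps it when moved to an unwatched group, a Safe Box added to the group afterwards only inherits and loses watching when moved, and Stop on a Safe Box inside a watched group leaves the inherited watching in place.

```python
"""Model of explicit vs. inherited watching (illustrative, not SecureAnyBox code).

Assumed structure: Safe Box Group -> Safe Box -> record.  Each node stores
only the flags set explicitly on it; the effective state is resolved by
walking up to the parents.  The automatic-watching user preference is taken
as not set.
"""
from dataclasses import dataclass, field

CHANGES, ACCESSES = "changes", "accesses"


@dataclass
class Node:
    name: str
    kind: str                                    # "group", "safebox" or "record"
    parent: "Node | None" = None
    explicit: set = field(default_factory=set)   # flags set explicitly on this node
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child


def effective(node, what):
    """Return "explicit", "inherited" or None for the watching flag `what`."""
    if what in node.explicit:
        return "explicit"
    ancestor = node.parent
    while ancestor is not None:
        if what in ancestor.explicit:
            return "inherited"
        ancestor = ancestor.parent
    return None


def start_watching(node, what):
    """'Start watching ... within this ...': explicit on the node and on every item
    directly inside it; items one level further down inherit from those."""
    node.explicit.add(what)
    for child in node.children:
        child.explicit.add(what)


def stop_watching(node, what):
    """'Stop watching ...': clear explicit flags on the node and everything below it.
    Flags inherited from a parent group are untouched (the caveat in the text)."""
    node.explicit.discard(what)
    for child in node.children:
        stop_watching(child, what)


def move(node, new_parent):
    """Move a Safe Box to another group (or a record to another Safe Box)."""
    node.parent.children.remove(node)
    new_parent.add(node)


def status_label(node):
    """The status text shown next to the Watching... button."""
    parts = []
    for what in (CHANGES, ACCESSES):
        state = effective(node, what)
        if state == "explicit":
            parts.append(f"Watch {what}")
        elif state == "inherited":
            parts.append(f"Watch {what} - inherited")
    return ", ".join(parts) or "not watched"


def scenario():
    """Constructed walk-through; returns the status labels observed at each step."""
    finance = Node("Finance", "group")            # constructed sample data
    archive = Node("Archive", "group")
    payroll = finance.add(Node("Payroll", "safebox"))
    admin = payroll.add(Node("admin", "record"))

    start_watching(finance, CHANGES)              # Safe Boxes explicit, records inherit
    later = finance.add(Node("Later", "safebox")) # added after the start: inherits only
    observed = {"payroll": status_label(payroll), "admin": status_label(admin),
                "later": status_label(later)}

    move(payroll, archive)                        # explicit flag survives the move
    move(later, archive)                          # inherited flag does not
    observed["payroll_moved"] = status_label(payroll)
    observed["later_moved"] = status_label(later)

    move(payroll, finance)
    stop_watching(payroll, CHANGES)               # Stop on the Safe Box only
    observed["payroll_stopped"] = status_label(payroll)  # still inherited from group
    return observed


if __name__ == "__main__":
    for step, label in scenario().items():
        print(f"{step:16} {label}")
```

The practical consequence for an administrator: if you want watching of accesses on a Safe Box to survive reorganisation, set it explicitly on the Safe Box rather than relying on inheritance from the group, and after moving or stopping, re-check the status label rather than assuming the previous state.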

Connect

If an account or secret account in the Safe Box has a connection type defined, you can open the connection by clicking Connect. SecureAnyBox5 Launcher must be installed on your computer.

Connect button at the Safe Box page

If the record contains a username and password, you will be connected automatically to the target (server, station, etc.).

Delete Safe Box

To be able to delete the Safe Box, a user must have permission to Delete. If a user has this permission, a cross icon is displayed at the end of the row.

You can delete a Safe Box from the group page or root page. Click the cross icon at the end of the row, then confirm deletion. The Safe Box will be removed from the list.

Delete Safe Box

You can immediately restore a deleted Safe Box by clicking Undo in the message.

Records

Create Edit Change password Password History Copy as… Watching… Connect Move Move to White Envelope Delete

Records are stored in Safe Boxes and are used to keep important information. You must select a record type based on the information to store. All record types and their fields are listed in the table below.

The table has one row per record type (Account, Secret Account, TOTP Authenticator, File, Certificate, Credit Card) and one column per field:
Name, Description, Tags, Note, Password settings, Password preset, Password pattern, Address, Login Site, Login, Connection Type, Connection Options, Secret Note, Password, File, Alias, Certificate, Certificate password, Number, Expiration Date, CVV, PIN, Compliance profile, Issuer, Account, Secret Key, TOTP Authenticator.
Legend of the table cells (the per-type descriptions below state which part of each record is encrypted):
yes – Information can be stored in this record type. Access to this information is not audited.
yes, encrypted – Information can be stored in this record type and is encrypted when the record is saved. You need to enter the Access Code to access it, and access to this information is audited.
no – Information cannot be stored in this record type.
Account
The account is used to store credentials - like a login info for e-shops, e-mail accounts, applications, servers and so on.
In a stored account, the password is saved encrypted. The Access Code must be entered to decrypt it.
Should you need to protect the username and the server address also, use the secret account type of record instead.
Secret Account
The secret account is used to store credentials - like a login info for e-shops, e-mail accounts, applications, servers and so on.
In a secret account, more information is protected than in an account. After saving the secret account, all information stored in the Secure part is encrypted and can be decrypted only after entering the Access Code.
TOTP Authenticator
The TOTP Authenticator record is a special entry designed to help you securely store and use the secret keys required for Time-based One-Time Password (TOTP) authentication. This enables you to generate one-time codes directly within the password manager, making it easier and safer to log in to websites and apps that use two-factor authentication (2FA).
File
The file record is intended for storing files which might contain sensitive security information (e.g., configuration files with stored passwords).
After storing the file record, all the information, stored in the Secure part, will be encrypted. A user can only decrypt encrypted values after entering the Access Code.
Certificate
A certificate record stores a certificate or a keystore (a certificate together with its public or private key).
All information stored in the Secure part will be encrypted. Encrypted information can only be decrypted after entering the Access Code.
Credit Card
This record is intended for storing information about a credit card: the card number, expiration date, CVV and PIN, plus other information in fields such as description, note and tags.
All information stored in the Secure part of the record is encrypted and can be decrypted only after entering the Access Code.

Create record

Account Secret Account TOTP Authenticator File Certificate Credit Card

To be able to create a record, the user must have Create permission for the Safe Box in which the record will be created.

To create a record, go to the Safe Box page and click Add…. In the menu, select the record type. A form will appear for creating the record.
Set a name for the record. Other fields are optional and can be changed later.

Account form
Identification
Name

The account name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The account name can be modified later.

Maximum length: 255 characters

Address

Address, link or description of the place where the account is used.
When the address is stored in a correct format (e.g., "https://192.168.1.231"), it will appear as a link. For a location in a local network, you can use an IP address (e.g. "http://172.22.60.30"); for other websites, e-shops, etc., you can use a URL address (e.g., "http://www.ebay.com").
Addresses can also be stored in other formats like an SSH (e.g., "ssh://[email protected]"), FTP (e.g., "ftp://myserver.com") and so on.
In the address field, it is possible to store a hostname, an IP address, and it is even possible to store a port. The port has to be separated from the host by a colon. (e.g. "172.22.88.75:8876" or "test.tdp.cz:887").
The address is an optional value.

Maximum length: 1000 characters

e.g., URL, hostname or IP address of the server where you use the stored password.

Login Site

The login site further specifies where the stored account can be used. The browser extension uses this field to decide on which pages the account is offered.
For example, an account used to log in to Gmail: if the Address field is "https://accounts.google.com" and the Login Site field is "google.com", the account is offered by the browser extension on all Google login forms, even when the actual URL differs from "https://accounts.google.com". Keep the Login Site as narrow as the login flow needs; a broad value makes the extension offer the credentials on every site under that domain.

Maximum length: 1000 characters

Login

The username that you use to log in.

Maximum length: 255 characters

Description

The description should more specifically characterize an account.
In the description, only one line of text can be stored. A longer description can be stored as a note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Password Settings

Select the password settings that will be applied when generating a password:

  • Inherited – settings will be inherited from a domain, parent level (Safe Box Group or Safe Box) or assigned record tag

  • Password preset – the selected password preset will apply when generating a password. The password preset has to be specified first in the Administration interface.

  • Password pattern – when generating a password, the entered password pattern will apply

Password preset

A password preset will be used to generate a password. The preset specifies requirements like uppercase letters, included/excluded characters, minimum entropy, etc. Presets must be defined in the Administration interface.

Password Pattern

This is the default password pattern for Accounts when no specific pattern is set.
Each letter in the pattern represents a character in the generated password.
See password pattern examples
Allowed characters and their meanings:
v – lowercase vowel (a, e, i, o, u, y)
V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
Z – uppercase vowel
c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
C – mixed case consonant
z – uppercase consonant
l – any lowercase letter
A – any letter, mixed case
u – uppercase letter
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character (next character is used as is, e.g. pattern ‘\-’ outputs ‘-’ in the password)
* – any allowed character
Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.

Maximum length: 255 characters

Note

The note field is intended for multiline information about the account. For example, the note can include a description of the account, a list of steps on how to successfully log in, a description of the configuration and so on.

Maximum length: 4000 characters

Connection Type

Select the connection type. If SecureAnyBox Launcher is installed, you can open a connection directly from the account page. To create the connection, SecureAnyBox Launcher downloads the values of the Address and Login fields and the stored password from the account.
In the address field, it is possible to store a hostname, an IP address, and it is even possible to store a port. The port has to be separated from the host by a colon. (e.g. "172.22.88.75:8876" or "test.tdp.cz:887").

Compliance Profile

A compliance profile specifies password security requirements that passwords should meet. Checking whether passwords meet security requirements can be done in the Compliance report.

Secure
Connection Options
You can enter additional connection parameters in the Connection options field. These will be transmitted to the running application via the SecureAnyBox5 Launcher along with the address, username, and password. Some parameters can also be set globally directly in the SecureAnyBox5 Launcher configuration. Parameters set for a record are always used in preference to the values from the global setting.
Remote Desktop connections support the following parameters:
/admin – If your RDS servers are grouped into a collection (farm) and you need to log in directly to one specific server, use the /admin parameter. It can also be written as /admin:true or /admin:false (e.g. to override the global setting at the SecureAnyBox5 Launcher level).
/gateway: – remote desktop gateway address
/gatewayusername: – username for connecting to the remote desktop gateway
/gatewaypassword: – password to connect to the remote desktop gateway.
For example: /gateway:rdg.tdp.cz /gatewayusername:gatekeeper /gatewaypassword:somestrongpassword
/gatewaybypassforlocal: – disables the use of the remote desktop gateway when connecting from the local network. It can also be written as /gatewaybypassforlocal:true or /gatewaybypassforlocal:false (e.g. to override the global setting at the SecureAnyBox5 Launcher level).
For other connection types SCP, SSH, Telnet, and so on, you can specify any parameters that the application supports when started from the command line. For a detailed description, see the application’s help.

Maximum length: 2000 characters

New password

The password you use to log in.
You can store a password you already use in this field, or generate a new one by clicking the Generate password button. Generated passwords are stronger and have no link to the person who created them (a pet's name, a favourite actor, a nickname).
Generated passwords follow the current password pattern and can be edited afterwards.
While editing the password, you can see its length, how many lowercase letters, uppercase letters, digits and other symbols it contains, and how secure it is.
After saving an account record, the password will be encrypted. The password can be decrypted after entering the access code only.

Maximum length: 255 characters

Password field

number of characters

number of lowercase letters

number of uppercase letters

number of digits

number of special characters

pointer how secure the password is

button for displaying the password

time to crack password offline

password entropy (the higher the better)

Secret account form
Identification
Name

Secret account name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The secret account name can be modified later.

Maximum length: 255 characters

Login Site

The login site further specifies where the stored account can be used. The browser extension uses this field to decide on which pages the account is offered.
For example, an account used to log in to Gmail: if the Address field is "https://accounts.google.com" and the Login Site field is "google.com", the account is offered by the browser extension on all Google login forms, even when the actual URL differs from "https://accounts.google.com". Keep the Login Site as narrow as the login flow needs; a broad value makes the extension offer the credentials on every site under that domain.

Maximum length: 1000 characters

Description

The description should more specifically characterize a secret account.
In the description, only one line of text can be stored. A longer description can be stored as a note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Maximum length of one tag: 32 characters

Password Settings

Select the password settings that will be applied when generating a password:

  • Inherited – settings will be inherited from a domain, parent level (Safe Box Group or Safe Box) or assigned record tag

  • Password preset – the selected password preset will apply when generating a password. The password preset has to be specified first in the Administration interface.

  • Password pattern – when generating a password, the entered password pattern will apply

Password preset

A password preset will be used to generate a password. The preset specifies requirements like uppercase letters, included/excluded characters, minimum entropy, etc. Presets must be defined in the Administration interface.

Password Pattern

This pattern is used when generating a password for a secret account.
Each letter in the pattern represents a character in the generated password.
See password pattern examples
Allowed characters and their meanings:
v – lowercase vowel (a, e, i, o, u, y)
V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
Z – uppercase vowel
c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
C – mixed case consonant
z – uppercase consonant
l – any lowercase letter
A – any letter, mixed case
u – uppercase letter
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character (next character is used as is, e.g. pattern ‘\-’ outputs ‘-’ in the password)
* – any allowed character
Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.

Maximum length: 255 characters
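The pattern alphabet above (the same one documented for Safe Box Groups, Safe Boxes, Accounts and Secret Accounts) is small enough to implement in a few lines, which makes its security properties concrete. The Python below is an added example, not SecureAnyBox's own generator: the class table follows the list above, while rejecting unlisted, unescaped characters is an assumption (the guide does not say how they are treated). It draws characters with the secrets module and computes the entropy a pattern can deliver: an escaped literal contributes nothing, so ‘\p\a\s\sddddddd’ is worth only its seven digits (about 23 bits), and the pronounceable default CVCVdddCVCCVdC gives about 60 bits where fourteen ‘*’ positions give about 89.

```python
"""Password-pattern generator and entropy estimator.

Illustrative example, not SecureAnyBox's code.  It implements the pattern
alphabet documented in the guide; the treatment of unlisted characters
(rejected here unless escaped) is an assumption.
"""
import math
import secrets

VOWELS = "aeiouy"                       # the guide counts y as a vowel
CONSONANTS = "bcdfghjklmnpqrstvwxz"
LOWER = VOWELS + CONSONANTS             # 26 letters, class "l"
UPPER = LOWER.upper()                   # class "u"
DIGITS = "0123456789"                   # class "d"
SPECIALS = ".@&*()<>_][%$#\\/?;-:"      # class "s", 20 characters

# One alphabet per pattern letter, as listed in the guide.
CLASSES = {
    "v": VOWELS,
    "V": VOWELS + VOWELS.upper(),
    "Z": VOWELS.upper(),
    "c": CONSONANTS,
    "C": CONSONANTS + CONSONANTS.upper(),
    "z": CONSONANTS.upper(),
    "l": LOWER,
    "A": LOWER + UPPER,
    "u": UPPER,
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
    "*": LOWER + UPPER + DIGITS + SPECIALS,
}

DEFAULT_PATTERN = "CVCVdddCVCCVdC"


def parse_pattern(pattern):
    """Expand a pattern into one alphabet per output position.

    A character preceded by the escape "\\" becomes a one-character alphabet.
    Unlisted characters are rejected (assumption; the guide does not say).
    """
    alphabets = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling escape at end of pattern")
            alphabets.append(pattern[i + 1])
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}; escape it with \\")
        alphabets.append(CLASSES[ch])
        i += 1
    return alphabets


def generate_password(pattern=DEFAULT_PATTERN):
    """Generate one password; secrets.choice is a CSPRNG (random.choice is not)."""
    return "".join(secrets.choice(alphabet) for alphabet in parse_pattern(pattern))


def pattern_entropy_bits(pattern):
    """Entropy in bits of a uniformly generated password for this pattern.

    Each position contributes log2(alphabet size); a literal contributes 0,
    which is why '\\p\\a\\s\\sddddddd' is only as strong as seven digits.
    """
    return sum(math.log2(len(alphabet)) for alphabet in parse_pattern(pattern))


def matches_pattern(password, pattern):
    """True if every character of password comes from its position's alphabet."""
    alphabets = parse_pattern(pattern)
    return len(password) == len(alphabets) and all(
        ch in alphabet for ch, alphabet in zip(password, alphabets)
    )


if __name__ == "__main__":
    for p in (DEFAULT_PATTERN, "\\p\\a\\s\\sddddddd", "*" * 14):
        print(f"{p:20} {generate_password(p):20} {pattern_entropy_bits(p):6.1f} bits")
```

When choosing between a pattern and a password preset, compare the entropy figure rather than the length: a preset's minimum entropy requirement is what a pronounceable pattern with fixed literals can quietly fail.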

Note

This field is intended for multiline information about the secret account. For example, the note can include a description of the secret account, a list of steps on how to successfully log in, a description of the configuration and so on.

Maximum length: 4000 characters

Connection Type

Select the connection type. If SecureAnyBox Launcher is installed, you can open a connection directly from the secret account page.
To create the connection, SecureAnyBox Launcher downloads the values of the Address and Login fields and the stored password from the secret account.
The address field can hold a hostname or an IP address, optionally followed by a port separated by a colon (e.g. 172.22.88.75:8876 or test.tdp.cz:887).

Compliance Profile

A compliance profile specifies password security requirements that passwords should meet. Checking whether passwords meet security requirements can be done in the Compliance report.

Secure
Address

Address, link or description where the account is used.
When the address is stored in a correct format (e.g. "https://192.168.1.231"), it will appear as a link. For a location in a local network, you can use an IP address (e.g. "http://172.22.60.30"); for other websites, e-shops, etc. you can use a URL address (e.g. "http://www.ebay.com").
Addresses can be also stored in other formats like an SSH (e.g. "ssh://[email protected]"), FTP (e.g. "ftp://myserver.com") and so on.
The address is an optional value.
In the address field, it is possible to store a hostname or an IP address, and even a port. The port has to be separated from the host by a colon (e.g. 172.22.88.75:8876 or test.tdp.cz:887).
Unlike in an account, the address in a secret account will be encrypted. The address can be decrypted after entering the access code only.

Maximum length: 1000 characters

Login

The username that you use to log in.
Unlike in an account, the login in a secret account will be encrypted. The login can be decrypted after entering the access code only.

Maximum length: 255 characters

Secret Note

The secret note field is intended for multiline information about the secret account. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the access code only.

Maximum length: 4000 characters

Connection Options
You can enter additional connection parameters in the Connection options field. These will be transmitted to the running application via the SecureAnyBox5 Launcher along with the address, username, and password. Some parameters can also be set globally directly in the SecureAnyBox5 Launcher configuration. Parameters set for a record are always used in preference to the values from the global setting.
Remote Desktop connections support the following parameters:
/admin – If your RDS servers are grouped into a collection (farm) and you need to log in directly to one specific server you must use the /admin parameter. The parameter can also be written in the format /admin:true, or /admin:false (e.g. to disable global settings at the SecureAnyBox5 Launcher level)
/gateway: – remote desktop gateway address
/gatewayusername: – username for connecting to the remote desktop gateway
/gatewaypassword: – password to connect to the remote desktop gateway.
For example: /gateway:rdg.tdp.cz /gatewayusername:gatekeeper /gatewaypassword:somestrongpassword
/gatewaybypassforlocal: – disables the use of the remote desktop gateway when connecting from the local network. The parameter can also be written in the format /gatewaybypassforlocal:true, or /gatewaybypassforlocal:false (e.g. to disable global settings at the SecureAnyBox5 Launcher level)
For other connection types SCP, SSH, Telnet, and so on, you can specify any parameters that the application supports when started from the command line. For a detailed description, see the application’s help.

Maximum length: 2000 characters
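An added example (not SecureAnyBox5 Launcher code) of the precedence rule described above: record-level Connection Options are parsed and merged over global launcher settings, a bare /admin is treated as /admin:true, and a redacted view keeps the gateway password out of logs. The global settings dict and the whitespace-separated token format are assumptions for the example.

```python
def parse_connection_options(text):
    """Parse '/key:value' and bare '/flag' tokens (the Remote Desktop parameters
    listed in this guide) into a dict. A bare '/admin' becomes '/admin:true'.
    Assumption: parameters are separated by whitespace and contain no spaces."""
    options = {}
    for token in text.split():
        if not token.startswith("/"):
            raise ValueError(f"unexpected token {token!r}: every parameter starts with '/'")
        key, sep, value = token[1:].partition(":")
        if not key:
            raise ValueError(f"parameter without a name: {token!r}")
        options[key.lower()] = value if sep else "true"
    return options


def effective_options(global_options, record_text):
    """Global launcher settings first, then the record's options; the record wins on conflicts."""
    merged = dict(global_options)
    merged.update(parse_connection_options(record_text))
    return merged


def flag_enabled(options, name):
    """Boolean switches such as /admin or /gatewaybypassforlocal:false."""
    return options.get(name.lower(), "false").strip().lower() == "true"


def redacted(options):
    """Copy of the options that is safe to log: any value whose key contains 'password' is masked."""
    return {k: ("***" if "password" in k else v) for k, v in options.items()}


# Constructed sample: a global setting that forces /admin, overridden by the record's /admin:false.
GLOBAL_LAUNCHER_OPTIONS = {"admin": "true", "gatewaybypassforlocal": "true"}
RECORD_OPTIONS = (
    "/admin:false /gateway:rdg.tdp.cz /gatewayusername:gatekeeper "
    "/gatewaypassword:somestrongpassword"
)

if __name__ == "__main__":
    print(redacted(effective_options(GLOBAL_LAUNCHER_OPTIONS, RECORD_OPTIONS)))
```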

Password

The password you use to log in.
This field could contain a password which you already have, or you might generate a new one. The password can be generated by clicking on the Generate password button. Generated passwords are safer and don’t have any link to a person who made them (like a pet’s name, favourite actor or nickname).
Generated passwords are formatted by the current password settings. Generated passwords can be edited.
While editing the password, you can see how long your password is, how many lowercase letters, uppercase letters, numbers or other symbols your password contains and how secure your password is.

Maximum length: 255 characters

Password field

number of characters

number of lowercase letters

number of uppercase letters

number of digits

number of special characters

pointer how secure the password is

button for displaying the password

time to crack password offline

password entropy (the higher the better)

TOTP Authenticator form
Identification
Name

TOTP record name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The TOTP record name can be modified later.

Maximum length: 255 characters

Login Site

The login site field is used to specify where the stored TOTP code can be used. The value of this field is significant for the browser extension to determine when to display this TOTP record for autofill or copy actions.
For example, if the TOTP code is intended for logging in to Gmail, you can set the Address field to "https://accounts.google.com" and the Login Site field to "google.com". That ensures that the TOTP code will be available in the browser extension for any Google login forms, regardless of the exact URL, providing you with convenient access to your authentication codes wherever they are needed across Google services.
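The Login Site matching described above, as an added example that is not the browser extension's own code: the page host must equal the Login Site host or be a subdomain of it, so "accounts.google.com" matches "google.com" while look-alike hosts such as "google.com.evil.example" do not. The exact matching rule the extension uses is not stated in this guide; this is an assumed, conservative one.

```python
from urllib.parse import urlsplit


def host_of(value):
    """Hostname of a URL or bare host ('google.com', 'https://accounts.google.com/x').
    Returns None when no host can be extracted."""
    try:
        parts = urlsplit(value if "//" in value else "//" + value)
    except ValueError:
        return None
    host = parts.hostname
    return host.lower().rstrip(".") if host else None


def login_site_matches(login_site, page_url):
    """True when the page host is the Login Site host or one of its subdomains.
    The check is done on label boundaries, so 'notgoogle.com' does not match 'google.com'."""
    site = host_of(login_site)
    host = host_of(page_url)
    if not site or not host:
        return False
    return host == site or host.endswith("." + site)


def records_for_page(records, page_url):
    """Filter a list of (name, login_site) records down to those offered for a page."""
    return [name for name, login_site in records if login_site_matches(login_site, page_url)]


# Constructed sample records, as they might be configured following the Gmail example above.
SAMPLE_RECORDS = [
    ("Gmail TOTP", "google.com"),
    ("Work SSO TOTP", "https://login.example.com"),
]

if __name__ == "__main__":
    print(records_for_page(SAMPLE_RECORDS, "https://accounts.google.com/ServiceLogin"))
```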

Description

The description should more specifically characterize a TOTP record.
In the description, only one line of text can be stored. A longer description can be stored as a note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Maximum tag length: 32 characters

Note

This field is intended for multiline information about the TOTP record. For example, the note can include a description of the TOTP record, a list of steps to successfully log in, a description of the configuration, and so on.

Maximum length: 4000 characters

Secure
Issuer

A label indicating the provider or service this TOTP record’s account is associated with.

Account

User account name associated with this TOTP authenticator record.

Secret Key

Secret key used to generate time based authentication codes.

Secret Note

The secret note field is intended for multiline information about the record. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the access code only.

Maximum length: 4000 characters

File form
Identification
Name

The file name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The file name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a file.
In the description, only one line of text can be stored. A longer description should be stored as a note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Maximum length of one tag: 32 characters

Note

This field is intended for multiline information about the file. For example, the note can include a description of the file, a list of steps on how to use it, and so on.

Maximum length: 4000 characters

Secure
File

In this field, a file can be selected, which will be stored in this file record. Select the file from your computer or server by clicking on the Select… button.
After saving the record, the stored file will be encrypted. The file can be decrypted after entering the access code only. After the file is decrypted, it will be possible to download or change the file.

Secret Note

The secret note field is intended for multiline information about the file. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the access code only.

Maximum length: 4000 characters

Certificate form
Identification
Name

Certificate name should characterize the purpose of stored data to work more effectively and conveniently.
Each name must be unique inside a single Safe Box.
The certificate name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a certificate.
In the description, only one line of text can be stored. A longer description should be stored as a note.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Maximum length of one tag: 32 characters

Note

The note field is intended for multiline information about the certificate. For example, the note can store a description of the certificate, a list of steps on how to use the certificate and so on.

Maximum length: 4000 characters

Secure
Alias

The alias is used as the name under which the certificate file is stored in the repository. After saving a certificate, the alias will be encrypted. The alias will be decrypted after entering the access code only.

Maximum length: 255 characters

Certificate

In this field, a keystore file (a certificate, a public key or a private key) can be selected, which will be stored in this record. Select the file from your computer or server by clicking on the "Select…" button.
After saving the record, the stored file will be encrypted. The file can only be decrypted after entering the access code. After decrypting the file, it will be possible to download or change it.

Certificate Password

The password that is used with the certificate. The password can be generated by clicking on the Generate password button. Generated passwords are safer and don’t have any link to a person who made them (like a pet’s name, favourite actor or nickname).
Generated passwords are formatted by the current password pattern. Generated passwords can also be edited.
After saving a certificate record, the password will be encrypted. The password can be decrypted after entering the access code only.

Maximum length: 255 characters

Secret Note

The secret note field is intended for multiline information about the certificate. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the access code only.

Maximum length: 4000 characters

Credit card form
Identification
Name

The name should characterize the credit card to work more effectively and conveniently. For example, the name of the bank, or the name of the person or company that owns the card, can be used as the card name.
Each name must be unique inside a single Safe Box.
The credit card name can be modified later.

Maximum length: 255 characters

Description

The description should more specifically characterize a credit card.
In the description, only one line of text can be stored. A longer description should be stored in the note field.

Maximum length: 2000 characters

Tags

Tags are keywords that help describe and categorize stored data. Each record should have specified tags for more efficient searching.
Tags must first be entered into SecureAnyBox before they can be assigned to individual records. Users with the Security Policy Administrator role manage tags on the Record Tags management page in the administration interface.
You can then select and assign multiple tags to each record.

Maximum length of one tag: 32 characters

Note

The note field is intended for multiline information about the credit card. For example, the note can store a description of the credit card, the currency of the card, for which payments the card should be used, and so on.

Maximum length: 4000 characters

Secure
Number

Credit card number. After saving a record, the number will be encrypted. The number can be decrypted after entering the access code only.

Maximum length: 64 characters

Expiration Date

Credit card expiration date in MM/YYYY format. After saving the record, the expiration date will be encrypted. The expiration date can only be decrypted after entering the access code.

CVV

The CVV code is usually printed on the back of your card.
It is the code used when paying online with a credit card.
After saving a record, the CVV code will be encrypted. The CVV code can only be decrypted after entering the access code.
Storing the CVV code is optional.

Maximum length: 64 characters

PIN

PIN code of the credit card.
After saving a record, the PIN code will be encrypted. The PIN code can only be decrypted after entering the access code.
Storing the PIN code is optional.

Maximum length: 64 characters

Secret Note

The secret note field is intended for multiline information about the credit card. Unlike a note, the secret note will be encrypted. The secret note can be decrypted after entering the access code only.

Maximum length: 4000 characters

Edit record

Applies to: Account, Secret Account, TOTP Authenticator, File, Certificate, Credit Card

To be able to edit the record, a user must have a Modify permission for a Safe Box in which the record is stored.

To edit a record, click Edit on the record’s page. A form appears where you can change any value. To edit values in the Secure section, you must enter the Access Code. Passwords in the account and secret account records are edited differently.

To edit an account’s or secret account’s password, click the Change password button on the record’s page.

Change password

Applies to: Account, Secret Account

To be able to change the record’s password, a user must have Modify permission for the Safe Box in which the record is stored.

To change a record’s password, click Change password on the record’s page. A form appears for entering a new password.
You can enter a new password or generate one. Generated passwords follow the current pattern and can be edited.
You must confirm the password change by entering the Access Code (unless it is cached). Forgot your Access Code?

By clicking the Change password button, you can change passwords in account and secret account records only. A certificate password can be changed in the certificate’s edit form.

Password history

Applies to: Account, Secret Account

Each account and secret account keeps a password history. Click Password History on the record’s page to view all password changes in a table.

Password history

Click a row in the table and enter the Access Code to view the password, which was valid after that change. Forgot your Access Code?

Copy as…

Applies to: Account, Secret Account, TOTP Authenticator, File, Certificate, Credit Card

You can copy a record as the same or a different type. Click Copy as … and select the record type.

Copy record menu

When copying, field values are copied to the new record if allowed. The copy is created in the same Safe Box, so you may need to edit its name.

Copy record message

After saving the copy, the original record is displayed. You can access the new record by clicking its name in the message.

Watching…

Applies to: Account, Secret Account, TOTP Authenticator, File, Certificate, Credit Card

For each record, you can enable watching for changes and/or access to encrypted information. If someone changes or accesses a watched record, an email notification is sent (if configured).
You can customize notification settings in user preferences.

Watching of record

Watching settings are inheritable. If you watch changes in a group, you also watch changes in all Safe Boxes and records in that group.
Whether watching is explicit or inherited is shown by the icon color next to Watching….

Watch changes – Watching of changes is set explicitly for the record. Accesses are not watched.
Watch changes (inherited) – Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses – Watching of accesses to encrypted data is set explicitly for the record. Changes are not watched.
Watch accesses (inherited) – Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes + Watch accesses – Watching of changes and accesses to encrypted data is set explicitly for the record.
Watch changes + Watch accesses (inherited) – Watching of changes is set explicitly for the record. Watching of accesses to encrypted data is inherited from the parent level.
Watch changes (inherited) + Watch accesses – Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for the record.
Watch changes (inherited) + Watch accesses (inherited) – Watching of changes and accesses to encrypted data is inherited from the parent level.

By checking Watching Changes or Watching Accesses, you set explicit watching for the record.

Connect

Applies to: Account, Secret Account

If an account or secret account record has a connection type, you can open the connection by clicking Connect. You must have SecureAnyBox5 Launcher installed on your computer.

Connect button at the record page

If the record contains a username and password, you will be connected automatically to the target (server, station, etc.).

Move record

Applies to: Account, Secret Account, File, Certificate, Credit Card

To be able to move the record, a user must have Delete permission for the Safe Box in which the record is stored and Create permission for the Safe Box into which the record will be moved. When moving, the record is effectively deleted from the original Safe Box and created in the target Safe Box.

To move a record, click Move record. A list of possible destinations will appear.

Move record

In the list, Safe Box Group names are blue. Click a group to see its Safe Boxes. To move from a group to the root, click the first line with two dots.
Safe Box names are black. Click a Safe Box to select it as the destination. Confirm the move by entering the Access Code. Forgot your Access Code?

All record permissions are determined by the permissions of the Safe Box in which the record is stored. By moving the record, you may change even your own permissions, and you will not be able to return the record to the original Safe Box.

All record tags are defined for the domain in which the parent Safe Box is stored. By moving the record into a Safe Box stored in another domain, all record tags will be deleted.

Move to White Envelope

Applies to: Account, Secret Account, File, Certificate, Credit Card

This option is available only if the currently logged-in user has activated a White Envelope. More about White Envelopes…

To be able to move the record into a White Envelope, a user must have Delete permission for the Safe Box in which the record is stored. When moving, the record is effectively deleted from the original Safe Box and created in the White Envelope.

To move a record into a White Envelope, click the appropriate button.
Before moving, you must confirm by entering the Access Code. Forgot your Access Code?

Moving a record into a White Envelope cannot be undone.

Delete record

Applies to: Account, Secret Account, TOTP Authenticator, File, Certificate, Credit Card

To be able to delete the record, a user must have Delete permission for the Safe Box in which the record is stored. If the user has this permission, a cross icon is displayed at the end of the record’s row.

You can delete a record from the Safe Box page. Click the cross icon at the end of the row, then confirm deletion. The record will be removed from the list.

Delete record

You can immediately restore a deleted record by clicking Undo in the message.

Message with Undo button

Pinned records

You can pin records to the top of the list for quick access.
To pin a record, click the pin icon next to the record and confirm.

Pin record icon; Pin record dialog

Pinned records appear at the top of the list with a pin icon.

pinned record in Grid

To manage the order of pinned records, click Edit pinned order and drag records to rearrange.

edit pinned order

To unpin a record, click the pin icon again and confirm. The record will return to its normal position.

Search page

On the Search page, you can search for records (Safe Boxes, Groups, Accounts, etc.) by name or by a specified tag or field value. You cannot search by encrypted field values.
To search, start typing in the search field.
You can use regular expressions for searching.

Search page

White Envelopes


White Envelope is a specialized type of Safe Box designed to store vital information for which access should never be lost. If the user who stored the data in the White Envelope forgets their access code or is unavailable, a designated quorum of Security Officers can convene and enter their respective access codes to retrieve this information.

To utilize the White Envelopes, a minimum number of Security Officers must be designated.

The Security Officer is a special user role. To assign Security Officers, please go to the User Management page in the Administration interface and add the role in the user details form.

Minimum count of Security Officers depends on settings in the SecureAnyBox5 configuration and settings in a domain. Please check how many Security Officers are needed.

After Security Officers are set, you can activate the White Envelope.

Activate White Envelope

The White Envelope can be activated only if the minimum count of Security Officers is set. To activate it, open the context menu by clicking on the arrow next to the user’s name in the top right corner of the page and click on the Activate White Envelope button.

Activate White Envelope; White Envelope page

Security Officers page

For each White Envelope, you can see which Security Officers have access. Click the Security Officers button on the White Envelope page.

Security Officers button

On the Security Officers page, you can see which officers have access and their email addresses. The number of officers needed to work with White Envelopes is shown above the table.
You can filter officers by entering part of their name in the filter field.

Security Officers page

Open White Envelope

Only users with the Security Officer role can open White Envelopes of other users.

To view encrypted values in another user’s White Envelope, open the envelope. At least two Security Officers (by default) must enter their Access Code.

Minimum count of Security Officers depends on settings in the SecureAnyBox5 configuration and settings in a domain. Please check how many Security Officers are needed.

Open White envelope

In an open White Envelope, Security Officers can view encrypted values such as passwords, files, and secret notes.

Close White Envelope

When Security Officers finish working with records in an open White Envelope, they should close it. White Envelopes can be opened and closed repeatedly.

Close White envelope

Editing mode of White Envelopes

Security Officers can enable editing mode to delete White Envelopes or records. To enable editing mode, two officers must enter their Access Code.

Minimum count of Security Officers depends on settings in the SecureAnyBox5 configuration and settings in a domain. Please check how many Security Officers are needed.

Enable editing mode

In editing mode, tables of White Envelopes or records have a first column with checkboxes. Officers select which items to delete, then click Delete selected.

Active editing mode

Deleted White Envelopes and records from them cannot be restored.

When finished editing, disable editing mode by clicking the appropriate button.

Disable editing mode

Recover White Envelope

If a user with an active White Envelope resets their Access Code, the envelope must be recovered. Until then, the user cannot view or change stored records or move records into the envelope.
The required number of Security Officers can restore a White Envelope.

Recover White Envelope

Reactivate White Envelope

Suppose the number of Security Officers falls below the minimum, and new officers are added. In that case, owners must reactivate their White Envelopes.
To reactivate, go to the White Envelope page, confirm the warning, and enter the Access Code. After entering the code, the envelope is reactivated.

Reactivate White Envelope

Recover Access Code

If a user’s private key is backed up in a White Envelope, their Access Code can be restored. First, open the White Envelope. Once open and the backup is stored, the Recover Access Code button appears in the menu.

Recover Access Code button

After clicking the button, the Security Officer must confirm they want to recover the owner’s Access Code.

Confirmation of Access Code recovery

After confirming, the logged-in user is prompted to enter their Access Code. Then a new Access Code can be set for the envelope owner.

Recovery of the Access Code

Initialize Security Officers

There are two reasons to initialise Security Officers: a user becomes a new officer, or a current officer resets their Access Code.
Only two other officers can initialise a Security Officer. Click Initialize Security Officers, then two officers must enter their Access Code.

Add/Init Security Officers

After successful initialisation, the officer has access to other users’ White Envelopes and can perform all operations (open, close, recover, and initialise).

Possible situations

Count of Security Officers is not sufficient

If a Security Officer is deleted and the count falls below the threshold, new officers must be added. After adding, current officers must initialise the new ones to share the White Envelope key parts.

message
Count of Security Officers is below the minimum

If the count of Security Officers is below the minimum, new officers must be set.
All White Envelopes are reset. Reactivation is required.

message
Deleted Security Officer has been re-added

If a Security Officer is deleted and then re-added, they must be set as a Security Officer again. After the role is set, they can be initialised.

Downloads

On the Downloads page, you can download SecureAnyBox5 Importer, SecureAnyBox5 Launcher, browser extensions, SecureAnyBox5 Manager plugins for FAR and Total Commander, and a trial version of the CBT client.

Downloads page - Safe Boxes Tools

SecureAnyBox5 Importer

SecureAnyBox5 Importer is a tool for importing records from CSV files and KeePass. You can import from KeePass kdb, kdbx, and xml files.

SecureAnyBox5 Importer window

When importing from CSV, you must map account fields to CSV columns. After selecting the file, the field map appears. Once mapping is complete, you can save the map for future use.

Field Map - SecureAnyBox5 Importer

When importing from KeePass, you can choose the record type and view record values by double-clicking a row in the import preview.

Record detail - SecureAnyBox5 Importer

After clicking Import, log in to SecureAnyBox5 (and enter 2FA if required), enter the Access Code, and select the Safe Box for import. After import, a report is displayed.

Import - SecureAnyBox5 Importer

SecureAnyBox5 Launcher

SecureAnyBox5 Launcher is a Windows application. In Safe Boxes, it is used to connect from (secret) accounts and for communication between browser extensions and the SecureAnyBox5 server.

SecureAnyBox5 Launcher is a Windows application (.NET Framework 4.5.2 or higher required) delivered as an msi package. After installation, it runs in the system tray and registers the sab:// URI scheme for SecureAnyBox5 web links.
In an account or secret account, you can set the connection type (RDP/SSH/SCP/SFTP/TELNET/WINBOX/RASDIAL). After clicking Connect on the account page, the browser passes the sab:// URI to the launcher.
The launcher selects the appropriate plugin (PuTTY for SSH, WinSCP for SCP/SFTP, MikroTik Winbox for WINBOX, Remote Desktop for RDP), downloads account data using a one-time token, and starts the plugin.
To connect, the launcher downloads the Address, Login, and password fields from the account.
The address can be a hostname, IP, or include a port (e.g., "172.22.88.75:8876" or "test.tdp.cz:887").
The location of WinSCP, MikroTik Winbox, and PuTTY is detected automatically, but can be set manually in the launcher settings. To open settings, left-click the launcher icon in the system tray and select Settings.

SecureAnyBox5 Launcher context menu

In the launcher settings, you can edit web extension settings, change the location of WinSCP, MikroTik WinBox, and PuTTY, set the Remote Desktop window size, and adjust clipboard or printer settings.

SecureAnyBox5 Launcher Settings
Approval of exceptions for SSL Certificates

Suppose the SecureAnyBox5 server uses an SSL certificate not trusted by Windows. In that case, the launcher will display a warning when connecting, which may be due to a non-trusted authority or a self-signed certificate.

Certificate exception

Check with your administrator to verify the certificate. If valid, accept it by clicking I have verified that this is a valid certificate and then Accept. To avoid future warnings, select Accept this certificate permanently.

If this warning suddenly appears, and you have used Launcher before, it is very likely a security incident. In this case, do not approve the exception and contact your administrator!

Previously accepted exceptions can be reset in the Launcher settings in the Web Extension section, by clicking the Reset certificate exceptions button. It will remove only exceptions accepted in SecureAnyBox5 Launcher. Other exceptions for certificates that you may have approved on your system or browsers will remain.

Launcher configuration enforced by Windows registry

Some launcher settings can be enforced via the Windows registry (HKLM).
When starting, settings are loaded from the launcher and then from the registry; the last loaded value is used.
You can store all web extension settings and the RDP gateway in the registry.
Launcher settings are in HKEY_LOCAL_MACHINE\SOFTWARE\TDP\SecureAnyBox Launcher. For a list of keys and recommended values, download the README file.
 Download Launcher registry README
You can also download and edit a registry example file, then run it.
 Download registry example file

SecureAnyBox5 browser extensions for Mozilla Firefox and Google Chrome

SecureAnyBox5 browser extensions make it easy to log in to websites using stored accounts.
If the extension recognises login fields, it offers to fill in credentials from SecureAnyBox5. You can also create accounts directly from the website.
The extension communicates with the launcher, which talks to the SecureAnyBox5 server. You must have SecureAnyBox5 Launcher (v2.0.0.x or higher) installed.

Installation of browser extension
Mozilla Firefox

Download the Firefox extension to your computer and drag and drop it into the Firefox window.

Add FF extension

Confirm installation of the extension by clicking the Add button.

Extension added

The SecureAnyBox5 extension for Firefox is successfully installed.

Google Chrome

On the Downloads page, click Chrome Extension for SecureAnyBox5 and install it from the Chrome Web Store.

Work with SecureAnyBox5 browser extensions

When you visit a login page, the SecureAnyBox5 vault icon appears in the password field (e.g., at paypal.com).

vault icon at the Paypal page

Click the vault icon to open a login window and log in to SecureAnyBox5. The launcher remembers your login until you restart, log out, or the session times out.

Login window

Note: When you use the extension for the first time, you may first see the SecureAnyBox5 Server Address window. Use the same address you use to access the SecureAnyBox5 web interface.

Enter SecureAnyBox5 Address

If KeyShield SSO is configured and you are logged in, authentication is automatic.

If you have two-factor authentication, you will be prompted for the second factor after login.

2FA in extension

After logging in, a window appears with a menu of records that you can use to log in to the website. All relevant accounts from all accessible Safe Boxes are shown.

Select record to use for login

Accounts are ranked by relevance based on SecureAnyBox5 data. The default search uses URLs in the Address and Login Site fields. If an account lacks a URL, you can search manually by entering a term (e.g., name, description) in the Find field.
After selecting an account (double-click, press Enter, or select and click OK), you are prompted for the Access Code.
The launcher can temporarily cache the Access Code, so you may not need to enter it repeatedly.

Enter the Access Code

After entering a valid Access Code, the launcher fills in the selected credentials in the login fields.

Context menu

If login is multi-step (e.g., Google) or the password field is non-standard, use the context menu instead of the icon. To show the context menu, right-click in the username or password field.

Under the SecureAnyBox5 section, the Fill username and Fill password options are available (in both cases, the record selection dialog is displayed). If a record has already been used on this page, two additional options are available: “Enter username for…” and “Enter password for…”.

Extension context menu
Add account

You can create a new account from the website using the context menu, without using the SecureAnyBox5 web interface.
Click Add account in the menu to open a form with pre-filled Name, Address, and Login Site.

Add account form

In Create in Safe Box, select the Safe Box for the new account by clicking the button with three dots.
Enter the username in Username.
Enter the password in Password and Repeat password. You can generate a password.
Choose from two preset modes: Very strong (all characters) or Strong (no special/easily interchangeable characters).
To meet specific requirements (length, numbers, special characters), create a custom rule by clicking the gear button (gear icon) next to Generate.

Custom password requirement settings

When all values are set, save the account by clicking OK. Depending on Access Code settings, you may need to enter it again.

SecureAnyBox5 Manager plugin for Total Commander

The SecureAnyBox5 Manager plugin lets you work with Safe Box data in Total Commander.

Installation

Open the zip file in Total Commander (64-bit). Total Commander detects the plugin and guides you through installation. Confirm all dialogues (Yes/OK).

SecureAnyBox5 Manager plugin for Total Commander installation
Configuration

After installing the plugin, SecureAnyBox5 appears as a Network Neighbourhood place. To open it for the first time, enter the SecureAnyBox5 server address and login info. Next time, you only need the password.

Select "Network Neighborhood" as a disk drive

SecureAnyBox5 Manager plugin for Total Commander configuration

The SecureAnyBox5 directory is now available as Network Neighborhood place.

SecureAnyBox5 Manager plugin for Total Commander configuration

Each time you access the plugin directory, a new directory named SecureAnyBox5-hh.mm.ss (where hh.mm.ss is the current time) is created.

SecureAnyBox5 Manager plugin for Total Commander configuration

In this directory, create a connection to the SecureAnyBox5 server by pressing the F7 key.
As a first step, enter a connection name.

SecureAnyBox5 Manager plugin for Total Commander configuration

In the next step, enter the SecureAnyBox5 URL address. (The address can be obtained from any Safe Box detail via the menu Import… > Copy SecureAnyBox5 address.)

SecureAnyBox5 Manager plugin for Total Commander configuration

Next, enter the user name of the user who will connect to the SecureAnyBox5

SecureAnyBox5 Manager plugin for Total Commander configuration

and domain name. If you are using only one domain (the default System domain), you do not have to enter its name.

SecureAnyBox5 Manager plugin for Total Commander configuration

The newly created connection is displayed as a folder.

SecureAnyBox5 Manager plugin for Total Commander configuration

You can view the saved connection details by pressing Alt + Enter.

SecureAnyBox5 Manager plugin for Total Commander configuration

The connection to the server is made by entering the connection folder (a password will be requested). After entering the password, a list of safeboxes is displayed.

SecureAnyBox5 Manager plugin for Total Commander configuration
Shortcut Keys

Enter – Copies a password to the clipboard from your account, secret account, and credit card.

The plugin allows you to edit file or certificate in the appropriate program associated with the specific file type. After saving the modified file, it creates a new version of the file.

Alt+Enter – Displays properties of account, secret account etc.

Account detail

F3 View – Displays the file if the record is File or Certificate.

F4 Edit – Edits a file if the record is File or Certificate.

F5 Copy – Copies the file(s) or certificate(s) from/to SecureAnyBox5. Only file and certificate records can be copied.

F6 Move – Move is not supported.

F7 New Folder – Only in connection overview. Creates a new connection and writes data (connection name, URL, domain and username) to the registry.
The plugin does not create new records.

F8 Delete – Deleting records is not supported.

Deleted records

On the Deleted Records page, you can manage deleted records (Safe Boxes, Groups, Accounts, etc.).
You can permanently remove or restore deleted records.

Deleted records

To permanently remove multiple records, select them and click Remove selected. The button appears only if records are selected. Confirm removal.
To restore, select records and click Restore selected. The button appears only if records are selected.
You can also restore a record to its original location by clicking the restore icon (restore icon) at the end of the row. Confirm restoration.

Audit log

The Audit Log page shows a log of user actions in Safe Boxes, Groups, White Envelopes, and all records. Depending on your role, you may see only your actions or all users’ actions.

Audit log

You can filter the actions displayed in the log by entering text into the search field. The search covers the values of the IP, User, and Action columns.
The filtered audit log can be exported by clicking the Download button.
The audit log can be refreshed manually by clicking the Refresh button, or automatically by clicking the Enable autorefresh button. Automatic refresh is turned off by clicking the Disable autorefresh button.

Click Select Safe Box to filter audit log results for a specific Safe Box. After selecting a Safe Box, only its data is shown. To see data for a specific record, click Select record.

All audit log events are specified in the Overview of Audited Events.

Reports

Access to Records

The Access to Records report lists all records where the selected user has entered the Access Code to view encrypted values. To run the report, select a user.

In the report results, records that the currently logged-in user cannot access are not displayed, even if the selected user accessed them. To view all records the selected user accessed, use the report with the same name in the Audit part.

Report access to Records

In the results, click a record name to open its page in a new tab, where you can view or change encrypted values. If the password has changed, the record is no longer shown for the selected user. Click Refresh to update results.

Access to Safe Box

The Access to Safe Box report lists all records in a selected Safe Box where users have entered the Access Code to view encrypted values.

In this report, Safe Boxes that the currently logged-in user cannot access cannot be selected. To see results for any Safe Box (even a private one) within the currently logged-in user’s domain, use the report with the same name in the Audit part.

Report access to Safe Box

In the results, click a record name to open its page in a new tab, where you can view or change encrypted values. If the password has changed, users who accessed the record are no longer shown. Click Refresh to update results.

Watching report

The Watching report shows Safe Box Groups, Safe Boxes, and records you are watching at the selected level.

Watching report

Icons indicate whether watching is set explicitly or inherited from a parent level.

Watch changes – Watching of changes is set explicitly for that level. Accesses are not watched.
Watch changes - inherited – Watching of changes is inherited from the parent level. Accesses are not watched.
Watch accesses – Watching of accesses to encrypted data is set explicitly for that level. Changes are not watched.
Watch changes - inherited – Watching of accesses to encrypted data is inherited from the parent level. Changes are not watched.
Watch changes, Watch accesses – Watching of changes and accesses to encrypted data is set explicitly for that level.
Watch changes, Watch accesses - inherited – Watching of changes is set explicitly for that level. Watching of accesses to encrypted data is inherited from the parent level.
Watch changes - inherited, Watch accesses – Watching of changes is inherited from the parent level. Watching of accesses to encrypted data is set explicitly for that level.
Watch changes - inherited, Watch accesses - inherited – Watching of changes and accesses to encrypted data is inherited from the parent level.

If a Safe Box inherits watching from a group, the group will also appear in the report results for that box.

Safe Box inherits watching from Safe Box Group

Permissions

The Permissions report shows the selected user’s permissions for all Safe Boxes, Groups, and the domain root. Results are filtered by your permissions, so you only see items you have access to.
To display results, click Select user and choose a user from the list.

Permissions report results

Icons indicate the level for which permissions are set.

domains icon – Root level of domain
safe group icon – Shared (non-private) Safe Box Group
private safe box group – Private Safe Box Group
safe box – Shared (non-private) Safe Box
private safe box – Private Safe Box

To manage permissions for a level, click its name in the results. The Sharing & Permissions page for that level opens in a new tab, where you can manage permissions.

Permission Templates Assignment

The Permission Templates Assignment report shows all permission templates set for the selected user tag. Results are filtered by your permissions, so you only see templates for items you have access to.
To display results, click Select user tag and choose a tag from the list.

Permission Templates Assignment report results

Icons indicate the level for which permission templates are set.

domains icon – Root level of domain
safe group icon – Shared (non-private) Safe Box Group
private safe box group – Private Safe Box Group
safe box – Shared (non-private) Safe Box
private safe box – Private Safe Box

Passwords Audit

The Passwords Audit report lists all records you can access, calculates password entropy, time to crack, and alerts for duplicate passwords.
To run the report, select a level:

To calculate password entropy and related values, SecureAnyBox5 uses the password strength estimator nbvcxz, which is inspired by the techniques of password crackers.
Strength is estimated by running the password through several algorithms that look for matches in any part of the password against word lists (with fuzzy matching), common dates, common years, spatial patterns, repeated characters, repeated sets of characters, and alphabetic sequences.
Each of these represents a way in which an attacker may try to crack the password.

More information
Dictionaries used to calculate entropy

The calculation of password entropy is more accurate if custom password dictionaries are added.

We strongly recommend adding a dictionary of the commonly used passwords in your language, a dictionary with names of towns, streets in your area etc. You should also add the default passwords used by your company to the dictionaries.

A password dictionary is usually a .txt file with one word per line. If you cannot find a suitable password dictionary, you can create one yourself.
There are two types of password dictionaries:

  • ranked – which are sorted by the frequency of password usage
  • unranked – which can be alphabetically sorted or even unsorted

Password dictionaries need to be added to the "/files/dictionaries/" folder.

Examples:
You want to add a dictionary with names of cities and streets near you. The names are in a text file, one per line.
In that case, the dictionary is unranked (it does not matter whether the names are alphabetically ordered or not). Add the dictionary to the unranked folder inside the dictionaries folder (e.g., "C:\\SecureAnyBox\files\dictionaries\unranked\").
You want to add a dictionary of the most common passwords, ordered by frequency of use.
In that case, the dictionary is ranked. Add the dictionary to the ranked folder inside the dictionaries folder (e.g., "C:\\SecureAnyBox\files\dictionaries\ranked\").

After dictionaries are added, SecureAnyBox5 must be restarted. After the restart, the dictionaries are applied to the calculation of password entropy.

Report Used Passwords

Results show Safe Box Groups and Boxes at the root. Click the plus icon (expand icon) to see more details for each group or box.
Results for a group or box show the lowest password entropy and the number of duplicate passwords.
You can collapse details for better organization.
Click a record name to open its page and change the password if needed.
Click Run Report to refresh results.

Password entropy

Password entropy measures how unpredictable a password is. Higher values are better. SecureAnyBox5 recognizes four security levels based on entropy.

Password security   Icon      Min   Max   Description
really bad          error     0     20    password should be changed immediately
unsatisfactory      warning   20    35    password does not meet security standards and should be changed
satisfactory        –         35    50    password meets security standards, but it can be better
really good         success   50    –     password is really secure
Time to crack online/offline

SecureAnyBox5 estimates how long it would take to crack your password online and offline. Longer, more unpredictable passwords are better.

Duplicity

SecureAnyBox5 checks for duplicate passwords. If duplicates exist, the number is shown. For security, change duplicate passwords to unique ones.
If there are five or fewer duplicates, a warning icon (warning icon) appears. If more than 6, an error icon (error icon) appears.
Click the button (button to show records) to see records with the same password.

Last password change

Shows the date and time when the password was last changed.

Time since change

Shows how long it has been since the last password change. If it has been two years or more, a warning icon (warning icon) appears.
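The Passwords Audit rules described above (the four entropy levels, the duplicate-password icons and the two-year age warning) modelled in Python, as an added example that is not SecureAnyBox5 code. Entropy is taken as an input number because the guide attributes it to the nbvcxz estimator; the records, their entropy values and the report time are constructed, and the rule for counting duplicates and for exactly six duplicates are assumptions noted in the comments.

```python
"""Passwords Audit classification as the guide describes it (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256


@dataclass
class Record:
    name: str
    password: str           # already decrypted with the Access Code
    entropy: float          # bits, as reported by the estimator (constructed here)
    last_change: datetime


# Entropy bands from the guide's table: lower bound inclusive, upper exclusive.
LEVELS = (
    (0, 20, "really bad", "error"),
    (20, 35, "unsatisfactory", "warning"),
    (35, 50, "satisfactory", None),
    (50, float("inf"), "really good", "success"),
)


def entropy_level(entropy):
    """Map an entropy value to (level name, icon) per the guide's four levels."""
    for low, high, label, icon in LEVELS:
        if low <= entropy < high:
            return label, icon
    raise ValueError("entropy must be non-negative")


def duplicate_groups(records):
    """Names of records that share a password, grouped. The grouping key is a
    hash of the decrypted value so the map itself holds no plaintext."""
    groups = defaultdict(list)
    for r in records:
        groups[sha256(r.password.encode()).hexdigest()].append(r.name)
    return [names for names in groups.values() if len(names) > 1]


def duplicate_icon(count):
    """Guide: five or fewer duplicates -> warning icon, more than 6 -> error icon.
    Exactly six is not covered by the guide; treated as a warning here (assumption)."""
    if count == 0:
        return None
    return "error" if count > 6 else "warning"


def age_icon(last_change, now):
    """Guide: warning icon when the last change was two years or more ago."""
    return "warning" if now - last_change >= timedelta(days=2 * 365) else None


def audit(records, now):
    """Per-record levels plus the per-Safe-Box summary the report shows: lowest
    entropy and the duplicate count (assumed counting rule: every record whose
    password is also used by another record counts once)."""
    groups = duplicate_groups(records)
    dup_count = sum(len(g) for g in groups)
    rows = []
    for r in records:
        level, icon = entropy_level(r.entropy)
        rows.append({"name": r.name, "level": level, "entropy_icon": icon,
                     "age_icon": age_icon(r.last_change, now)})
    return {
        "rows": rows,
        "lowest_entropy": min(r.entropy for r in records),
        "duplicates": dup_count,
        "duplicate_icon": duplicate_icon(dup_count),
        "duplicate_groups": groups,
    }


# Constructed sample Safe Box content and report time.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("mail-admin", "Summer2019!", 18.2, datetime(2019, 6, 1, tzinfo=timezone.utc)),
    Record("vpn-service", "Summer2019!", 18.2, datetime(2023, 1, 10, tzinfo=timezone.utc)),
    Record("db-backup", "plum-reef-canvas-48", 44.0, datetime(2024, 1, 15, tzinfo=timezone.utc)),
    Record("root-esx", "q7$Lm2!vR9#pX4wZ", 71.5, datetime(2025, 3, 1, tzinfo=timezone.utc)),
]


def audit_sample():
    return audit(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    result = audit_sample()
    for row in result["rows"]:
        print(row)
    print("lowest entropy:", result["lowest_entropy"],
          "| duplicates:", result["duplicates"], result["duplicate_icon"])
```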

Search for password

The Search for password report lets you find records with a specific password. Enter the password in the search field, then click the search button (search button) or press Enter. Click the eye button (eye button) to view the entered password.

After entering the Access Code, SecureAnyBox5 decrypts all accessible passwords, compares them to the search term, and displays matching records. Password entropy is shown next to the search field. More about entropy…

report Search for Password

Compliance

The Compliance report checks if stored passwords meet security requirements.
To run the report, create or open a scope. After opening, enter the Access Code. SecureAnyBox5 runs the report. You can filter results in the table header.

You can save the scope for later. From the report, you can generate PDF protocols or get raw data in xlsx format.

Audit

The audit is part of SecureAnyBox5, available only to users with the Auditor role. Auditors have access to three reports and the audit log. Each auditor can audit within their domain, except System domain auditors, who can audit all domains.

Access to Records

The Access to Records report lists all records where the selected user has entered the Access Code to view encrypted values. To run the report, select a user.

Report Access to Records

In the results, the records you can access are blue. Click to open the record page in a new tab. If the name is black, you don’t have access. If crossed out, the record is deleted but can be restored.
If the password has changed, the record is no longer shown for the selected user. Click Refresh to update results.

Access to Safe Box

The Access to Safe Box report lists all records in a selected Safe Box where users have entered the Access Code to view encrypted values.

Report Access to Safe Box

In the results, the records you can access are blue. Click to open the record page in a new tab. If the name is black, you don’t have access. If crossed out, the record is deleted but can be restored.
If the password has changed, the record is no longer shown for the selected user. Click Refresh to update results.

Permissions

The Permissions report shows the selected user’s permissions for all Safe Boxes, Groups, and the domain root. Unlike the regular report, results are not filtered by your permissions. You see all permissions, even for items you can’t access.
To display results, click Select user and choose a user from the list.

Permissions report results

The following icons distinguish the level for which permissions are set:

domains icon – Root level of domain
safe group icon – Shared (non-private) Safe Box Group
private safe box group – Private Safe Box Group
safe box – Shared (non-private) Safe Box
private safe box – Private Safe Box

To manage permissions for a level, click its name in the search results. The Sharing & Permissions page for that level opens in a new tab, where you can manage permissions for other users.

Permission Templates Assignment

The Permission Templates Assignment report shows all permission templates set for the selected user tag. Unlike the regular report, results are not filtered by your permissions. You see all templates, even for items you can’t access.
To display results, click Select user tag and choose a tag from the list.

Permission Templates Assignment audit report results

Icons indicate the level for which permissions are set.

domains icon – Root level of domain
safe group icon – Shared (non-private) Safe Box Group
private safe box group – Private Safe Box Group
safe box – Shared (non-private) Safe Box
private safe box – Private Safe Box

Audit Log

The Audit Log page shows a log of user actions in Safe Boxes and the SecureAnyBox application. Results are filtered by your domain, except for System domain auditors, who see all domains.

Audit log

You can filter actions in the Audit Log by clicking SecureAnyBox logs, Authentication logs, User Management logs, or Safe Boxes logs. Click All logs to remove the filter.


If enabled, auditors can archive the audit log by clicking Archive log records and confirming.

All audit log events are specified in the Overview of Audited Events.

confirm archiving of audit records

SecureAnyBox

Stations

The Stations page lets you manage registered stations. After loading, you see a table of stations for the selected Agent Configuration.

Stations page

To change the Agent Configuration, click Select Config and choose a configuration. The list updates to show stations for the selected configuration.
You can sort stations by any column. Click a column header to sort. You can also add more columns (IP address, Timezone, Default User, Station Registration) via the Agent Configuration page.

Registered stations can be filtered by the date of registration and last access. A user with the SecureAnyBox Administrator role in the System domain can also see (and delete) inaccessible stations. Stations become inaccessible when the Agent Configuration with which they were registered is deleted.

The IP address shown for a station is the address the station had during its last registration. IP addresses are not unique.

Register station

Stations have to be registered to get passwords for them. Once the station is registered, it is possible to get the password by clicking on a row in a table of stations. After clicking on a row with the registered station, the Get Password page will load with prefilled values according to the values specified in the registered station.

Stations can be registered by the SecureAnyBox5 Agent or manually. After installing and configuring the Agent, it checks if the configuration matches the server. If so, the station registers automatically (may take 10 minutes). If the station can’t access the server, register it manually.
To register manually, click Register station and wait for the form.
If the station name changes, reconfigure the Agent. The new name will be registered, and the old registration can be deleted manually.

Stations form
Agent Configuration

In this field, select the agent configuration that matches the configuration of the SecureAnyBox Agent installed on the registered computer.
Selecting an incorrect configuration leads to generated passwords that do not work.
The currently selected agent configuration is prefilled into this field. It can be changed by clicking the folder icon and selecting another one from the list of agent configurations.

Platform

Select the platform (operating system) of a registered station.
The platform is important for identifying the username of an administrator, for whom a password will be generated. Settings of the agent configuration limit the selection of platforms.

Station Name

Station name has to be in a format selected in the agent configuration.
NETBIOS = use NETBIOS station name.
Fully Qualified DN = use full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use station unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).

Entered IP Address

IP address of the station entered by the user

Time Zone

Select the time zone that is set on the registered station. The time zone defines the station’s actual time relative to the server’s actual time and time zone.
For example, if the server’s time zone is "(GMT) Dublin, Edinburgh, Lisbon, London" and the station’s time zone is "(GMT -08:00) Pacific Time (US & Canada)", the password for this station is generated for a date and time about 8 hours earlier than the server’s actual time.

Edit station

Only users with the role SecureAnyBox Admin can edit stations.

To edit a station, click the edit icon (edit icon) at the end of the row. Edit the timezone and IP address as needed.

Edit Station form

Delete station

Only users with the role SecureAnyBox Admin can delete stations.

To delete a station, click the cross icon (cross icon) at the end of the row. Confirm deletion.

It is also possible to delete multiple stations at the same time. To select a station to delete, check the checkbox in the first column. After the selection is complete, click the Delete selected button.

Delete station

Get Password

On the Get Password page, you can obtain a password for a registered station. SecureAnyBox5 Agent must be installed on the station. More about SecureAnyBox5 Agents…

Get password

To obtain the station’s password, please follow these steps:

If you click on a registered station for which you want to get a password on the Stations page, all values will be automatically prefilled.

Select the Agent Configuration which is the same as the configuration of SecureAnyBox5 Agent installed on the station.

Select an operating system of the station. Settings of the Agent Configuration limit selection of operating systems.

Check and, if necessary, correct the local date. The time is set automatically according to the server time.

Enter the station’s name. The name has to be in a format specified in the Agent Configuration.
NETBIOS = use NETBIOS station name.
Fully Qualified DN = use full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use station unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).

To obtain a password, the station has to be registered. If no station with the entered name is registered, you are prompted to register the station before obtaining a password.

Check the User for whom the password will work. The user is pre-filled according to settings in the Agent Configuration.

Check and, if necessary, correct the time zone set on the station. The Station Date and Time is derived from the previously set Local Date and Time and the selected time zone.

Click on the Show password button.

After clicking the Show password button, the Station password page loads.

Station password

After 60 seconds you will be redirected back to the Get Password page.

Downloads

On the Downloads page, you can download SecureAnyBox5 Agent, its configuration, and SecureAnyBox5 Launcher.

Downloads page
SecureAnyBox5 Launcher

SecureAnyBox5 Launcher is a Windows application (.NET Framework 4.5.2 or higher required) delivered as an msi package. After installation, it runs in the system tray and registers the sab:// URI scheme for SecureAnyBox5 web links.
After the Agent registers the station, its IP address is also registered. Click the station IP on the Stations page to launch Remote Desktop and connect.
The launcher is also used in Safe Boxes. More information…

SecureAnyBox5 Agent

SecureAnyBox5 Agent is a system service/daemon that enables login to the station using a password from SecureAnyBox5. The password can be obtained from the Get Password page or a Ticket. The Agent works autonomously, even without a server connection. If connected, it registers the station automatically.

If the SecureAnyBox5 Agent sets a password for the default user of the station and has an online configuration, the SecureAnyBox5 Agent must first register the station on the server and only then set the password of the default user in the registry.


SecureAnyBox5 Agent installation steps:


Tickets

Tickets are intended for sharing access to retrieve passwords for stations. Once a ticket is created, it can be shared with anyone (even people without access to SecureAnyBox). Tickets can obtain passwords only for registered stations in SecureAnyBox.
Sharing a ticket is a convenient way to grant access to registered station passwords for a limited time. For example, tickets can be shared with external technicians. Shared access to passwords can be limited according to the ticket’s settings.
If only the Agent Configuration is selected, the ticket can be used to get passwords for all registered stations with the same Agent Configuration. If the Agent OS is also selected, the ticket can be used to get passwords for all registered stations that match both the selected Agent Configuration and operating system. If a station name is specified as well, the ticket grants access to that single station only.
The ticket’s validity is time-bound: the recipient can retrieve passwords only between the dates and times specified in fields Valid from and Valid until.
You can further restrict access with Valid Time Intervals, which define specific daily windows when the ticket is usable. These intervals apply within the overall Valid from/Valid until range.
It is possible to restrict the usage of tickets by setting subnets. When a ticket has one or more subnets set, a password can be obtained from the ticket only if the device’s subnet matches one of those set in the ticket.

Create ticket

To create a ticket, click New Ticket. Fill in the form and click OK to confirm.

Ticket form

When saving, a unique ticket identifier is generated and displayed.

Ticket message
Agent Configuration

Select the Agent Configuration. It must be the same as the configuration of the SecureAnyBox Agent installed on the station for which the ticket is created.
If a ticket is saved with only the Agent Configuration selected, it can be used to get the password for every station where a SecureAnyBox Agent with the same configuration is installed.

Description

The description should characterise the purpose of the ticket.
For example, if the ticket will be used by external workers, the description can state for whom and why the ticket was created.
If the ticket is saved without a description, one is generated in the form "Ticket {number of the ticket}" (e.g., Ticket 1, Ticket 2 and so on).

Agent OS

Select the operating system. The settings of the Agent Configuration limit the selection of operating systems.
Selecting the operating system is optional.
When an operating system is selected, the ticket can be used to get passwords only for stations with the same OS.
If no operating system is selected, the last selected platform is used when generating a password for the station.

Station Name

Name of the registered station, for which the ticket will be created. Station name must be in the same format as is specified in the Agent Configuration.
NETBIOS = use NETBIOS station name.
Fully Qualified DN = use full Active Directory station name with the domain (e.g., STATION1.domain.local).
SID = use station unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
If no station name is specified in a saved ticket, the name can be entered when getting a password for a station. Such a ticket can be used to get the password for every registered station with the same Agent Configuration and operating system as selected in the ticket.

User

The user for whom the password will be generated. The user field has a prefilled value based on values specified for the selected operating system in the Agent Configuration.

Valid From

Date and time from which the ticket is valid, and based on the ticket, it is possible to get a password.

Valid Until

Date and time until which the ticket is valid, and based on the ticket, it is possible to get a password.

Enable Time Constraints

Enable setting specific time windows for ticket validity (e.g., during business hours).

Valid Time Intervals

Define one or more time intervals when the ticket is valid. Click the + button to add an interval. Each interval has a description, from/to times, and a specified time zone. Interval can be edited by clicking the pencil button and deleted with the bin button.

Valid Subnets

The ticket is only valid when accessed from the specified subnets or addresses. If no subnet or address is listed, ticket access is not restricted by client address.
Subnets can be entered in three formats: a standalone IP address, or an IP address/subnet mask where the mask is given either in IPv4 dotted format or in CIDR notation, e.g., 172.22.38.19 or 172.22.38.1/255.255.255.0 or 172.22.38.1/24.
The IP address must be in IPv4 format. IPv6 is not supported.

Enabled

If the ticket is not enabled, it cannot be used.

Create/edit valid time interval
valid time interval form
Description

Enter description of time interval. The default value is "all day".

From

Enter the time from which the ticket will be valid. Time has to be in 24-hour format and entered as h:mm.
If the start time (From) is later than the end time (To), the interval spans midnight: it runs from the start time on the first day to the end time on the following day.

To

Enter the time to which the ticket will be valid. Time has to be in 24-hour format and entered as h:mm.
If the start time (From) is later than the end time (To), the interval spans midnight: it runs from the start time on the first day to the end time on the following day.

Time Zone

Select the timezone for the specified time interval. You can choose the SecureAnyBox server’s timezone, the timezone of the SecureAnyBox Agent (time zone is saved when the SecureAnyBox Agent registers) or pick a specific one.
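As an added example (not SecureAnyBox5 code), the following shows how the ticket restrictions described above, the Valid From/Until period, Valid Time Intervals including ones that span midnight, the three Valid Subnets formats and the Enabled flag, can be evaluated together. Interval boundaries are treated as inclusive and the interval time zone is a fixed UTC offset standing in for the server's or agent's zone; both are assumptions, and the sample ticket is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone


def parse_subnet(text):
    """Parse one Valid Subnets entry: a single address, IP/dotted mask or IP/CIDR prefix."""
    if ":" in text:
        raise ValueError("IPv6 is not supported in Valid Subnets: %r" % text)
    # strict=False lets a host address such as 172.22.38.1/24 stand for its network
    return ipaddress.ip_network(text, strict=False)


@dataclass
class Interval:
    """One Valid Time Interval; From/To are clock times in the interval's own time zone."""
    start: time
    end: time
    tz: timezone
    description: str = "all day"

    def contains(self, now_utc):
        local = now_utc.astimezone(self.tz).time().replace(second=0, microsecond=0)
        if self.start <= self.end:
            return self.start <= local <= self.end          # assumption: both ends inclusive
        return local >= self.start or local <= self.end     # From later than To: spans midnight


@dataclass
class Ticket:
    valid_from: datetime
    valid_until: datetime
    enabled: bool = True
    intervals: list = field(default_factory=list)   # empty list: no time-of-day restriction
    subnets: list = field(default_factory=list)     # empty list: any client address


def ticket_allows(ticket, now_utc, client_ip):
    """True when a password may be obtained with this ticket right now from client_ip."""
    if not ticket.enabled:
        return False
    if not ticket.valid_from <= now_utc <= ticket.valid_until:
        return False
    if ticket.intervals and not any(iv.contains(now_utc) for iv in ticket.intervals):
        return False
    if ticket.subnets:
        addr = ipaddress.ip_address(client_ip)
        if addr.version != 4 or not any(addr in net for net in ticket.subnets):
            return False
    return True


def utc(year, month, day, hour=0, minute=0):
    """Helper: an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def sample_ticket():
    """Constructed ticket: June 2024, 22:00-06:00 in a fixed UTC+2 zone, only from 172.22.38.0/24."""
    night_shift = Interval(time(22, 0), time(6, 0), timezone(timedelta(hours=2)), "night shift")
    return Ticket(
        valid_from=utc(2024, 6, 1),
        valid_until=utc(2024, 6, 30, 23, 59),
        intervals=[night_shift],
        subnets=[parse_subnet("172.22.38.1/255.255.255.0")],
    )


if __name__ == "__main__":
    ticket = sample_ticket()
    for when, ip in ((utc(2024, 6, 10, 21, 30), "172.22.38.19"),   # 23:30 local, inside the window
                     (utc(2024, 6, 10, 10, 0), "172.22.38.19"),    # 12:00 local, outside it
                     (utc(2024, 6, 10, 21, 30), "172.22.39.5")):   # wrong subnet
        print(when.isoformat(), ip, ticket_allows(ticket, when, ip))
```

Every restriction is an AND: a ticket that is enabled, inside its validity period and inside an interval is still refused from an address outside the listed subnets, which is why an empty subnet list (no restriction) deserves a second look on any ticket that is shared outside the organisation.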

Edit ticket

To edit a ticket, click its row in the table. An edit form appears.

Edit ticket

All values except Agent Configuration can be changed. After editing, click OK to confirm.

Share ticket

To share a ticket, click the blue arrow icon at the end of the row. A share form appears.

Share ticket

Tickets can be shared by URL or QR code. The special ticket page is accessible without authentication, so you can share it with people who do not have SecureAnyBox5 accounts. Treat the URL and QR code as a secret: anyone who obtains them can retrieve the password within the ticket's validity period, time intervals and subnet restrictions, so set those restrictions as tightly as the use case allows.

Show password

To get a password from a ticket, fill in all required fields. If all is set, the password is displayed automatically.

Ticket password

Audit log

The Audit Log page displays an audit protocol for obtaining passwords for stations and using tickets. Depending on your role, you may see only your actions or all users’ actions.

Audit log

Agent Configuration

On the Agent Configuration page, you can set general settings for SecureAnyBox5, such as columns on the Stations page or Registration interface, Agent Configuration, and LDAP Agent. You can also change the configuration password and download the configuration file.

Only users with the SecureAnyBox Manager or Administrator role have access to this page.

Agent Configuration page

General

You can configure which columns are displayed on the Stations page and an alternative interface intended only for the registration of stations. If the alternative interface is enabled and set, the registration interface hostname and HTTPS port are exported into the SecureAnyBox Agent configuration.

We recommend enabling and setting the registration interface, because the registration of SecureAnyBox5 Agents will then not be affected by changes (e.g., of hostname, address or port) in the configuration of the SecureAnyBox5 server.

General config form
Stations table

Optional registered stations table columns definition

IP Address

Show IP Address column

Time Zone

Show Time Zone column

Default User

Show Default User column

Station Registration

Show Station Registration date column

Registration/Web interface

SecureAnyBox5 server station registration web interface/API configuration.

Enable Registration Interface

Enable standalone HTTPS interface used only for station registration

IP Address

SecureAnyBox station registration (HTTPS) interface IP address.

HTTPS Port

SecureAnyBox station registration (HTTPS) interface port.

HTTPS Keystore

PKCS #12 file with a private key and corresponding certificates used for HTTPS web interface. You can create a self-signed certificate file by clicking the Create self-signed SSL certificate button in the bottom left corner of this form.

HTTPS Keystore Password

HTTPS key store password. It is used to read HTTPS keys and certificates. If you create the HTTPS keystore file by clicking the Create self-signed SSL certificate button, the keystore password is entered automatically.

Hostnames

List of hostnames for the SecureAnyBox station registration (HTTPS) interface.

Validate that the HTTPS certificate is successfully imported on the station

To verify that the HTTPS keystore certificate is trusted on a Linux station, run this command in a terminal:

python -c 'import urllib2; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); print resp.getcode(); print ""; print resp.read()'

If validation is successful, the first line of the output is the response code 200.

If validation fails, an error starting with urllib2.URLError: is displayed.

Note that urllib2 verifies server certificates only on Python 2.7.9 and later; on older 2.7 releases the command succeeds even when the certificate is not trusted, so it proves nothing about the station's trust store.

If urllib2 is not found, check which Python is installed:

python --version

urllib2 is a built-in module of Python 2.x. To run it, Python 2.x (2.7.18 recommended) must be installed properly. Some Linux distributions do not ship a complete Python 2.7.x; in that case, build and install it from source:

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall
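The same check on a station with Python 3, where urllib2 no longer exists, as an added example rather than a command from the guide: it fetches the URL with the default SSL context, which verifies the certificate chain against the system trust store (the store the SecureAnyBox Agent relies on) and checks the hostname, and tells you why a fetch failed instead of printing a bare traceback. The URL is a placeholder to replace with your server's address; constructed_failures() builds sample exceptions only so the classification can be exercised offline.

```python
import ssl
import sys
import urllib.error
import urllib.request


def classify_error(exc):
    """Map an exception raised by urlopen() to a short verdict."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "untrusted-certificate"      # chain not trusted or hostname mismatch
    if isinstance(reason, ssl.SSLError):
        return "tls-error"                  # handshake failed for another reason
    if isinstance(exc, urllib.error.HTTPError):
        return "http-%d" % exc.code         # TLS was fine, the server answered with an error
    return "connection-error"               # DNS failure, connection refused, timeout, ...


def check_https(url, cafile=None, timeout=10):
    """Fetch url with full certificate and hostname verification.

    Returns ("ok", status_code) on success, otherwise (verdict, None).
    cafile=None uses the station's system trust store; pass a CA bundle path
    to test a different store.
    """
    context = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
            return "ok", resp.getcode()
    except urllib.error.URLError as exc:
        return classify_error(exc), None


def constructed_failures():
    """Constructed examples of what urlopen() raises, for exercising classify_error offline."""
    return {
        "cert": urllib.error.URLError(ssl.SSLCertVerificationError(1, "certificate verify failed")),
        "tls": urllib.error.URLError(ssl.SSLError(1, "wrong version number")),
        "http": urllib.error.HTTPError("https://example.invalid/", 404, "Not Found", {}, None),
        "net": urllib.error.URLError(ConnectionRefusedError(111, "Connection refused")),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your.secureanyboxserveraddress.com"
    verdict, code = check_https(target)
    print(verdict, "" if code is None else code)
    sys.exit(0 if verdict == "ok" else 1)
```

An "untrusted-certificate" verdict with a 200 from a browser on the same machine usually means the certificate was imported into the browser's store but not into the system store that Python and the agent use.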

Agent Configuration

To generate passwords for stations, each station must have the SecureAnyBox Agent installed with a proper configuration. In the Agent Configuration, you set which platforms it can be used for, the password pattern, the Password Seed Base, and the user or user group for which the password is generated.
After each modification of an Agent Configuration, the SecureAnyBox Agent (or at least its Agent Configuration) installed on the stations must be updated, otherwise the generated passwords might not work.

Agent Configuration

Managing and Using Agent Configurations

For each Agent Configuration, you can set which users can manage or use it in SecureAnyBox5.

Agent Configuration Management

Users who can manage an Agent Configuration can view, edit, or delete it on the Agent Configuration page.
In the form, you can check Manageable by all SecureAnyBox Admins. If unchecked, only SecureAnyBox Admins from the assigned domain can manage it.
When created, an Agent Configuration is assigned to the current user’s domain. You can change the assignment in the domain form in the admin interface.

Using Agent Configurations

Users who can use an Agent Configuration can get passwords and use tickets for stations with that configuration. SecureAnyBox Admins can also create tickets for it.
By default, all users in the assigned domain can use the configuration.
You can expand or limit usage by setting permitted users. If any are set, only they can use the configuration.

Add Agent Configuration

To add a new configuration, click add Configuration and wait for the form. After setting values, click OK. To use the new configuration, SecureAnyBox5 must be restarted.

Agent Configuration form
Name

Please enter SecureAnyBox Agent Configuration Name. Configuration name must start with a letter and contain only letters, numbers and underscores.

Password pattern

Password pattern which will be used to generate passwords for stations.
Each character in the pattern corresponds to one character in the generated password.
See examples of the password pattern
Characters allowed in the password pattern and their meaning:
v – lowercase vowel (a,e,i,o,u,y)
V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
Z – upper case vowel
c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
C – mixed case consonant
z – upper case consonant
l – any alphabet character (vowel or consonant) – lowercase
A – any alphabet character – mixed case
u – upper case alphabet character
d – digit (0-9)
s – special character (. @ & , ( ) < > _ ] [ % $ # \ / ? ; :)
n – digit or special character
\ – escape character – the next character is used as is (e.g., the pattern '\-' outputs '-' in the resulting password)
– any allowed character
1 – character according to the Pattern Characters 1 setting
2 – character according to the Pattern Characters 2 setting
3 – character according to the Pattern Characters 3 setting
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, the password pattern '\p\a\s\sddddddd' might generate passwords such as 'pass1762885' or 'pass5687412'.

Pattern Characters 1

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password will use only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password will use the allowed characters except for the specified ones.
For each character which should be generated according to this set of characters, enter '1' into the Password Pattern.

View examples of use of Pattern Characters
Pattern Characters 2

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password will use only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password will use the allowed characters except for the specified ones.
For each character which should be generated according to this set of characters, enter '2' into the Password Pattern.

View examples of use of Pattern Characters
Pattern Characters 3

By setting the Pattern Characters, you can specify a set of characters that will be used or omitted while generating a password.
To specify a set of characters that will be used while generating a password, enter them into the field without any separator (e.g., 'abc'). In that case, the generated password will use only the specified characters.
A set of characters that will be omitted while generating a password must begin with the ^ character (e.g., '^0123'). In that case, the generated password will use the allowed characters except for the specified ones.
For each character which should be generated according to this set of characters, enter '3' into the Password Pattern.

View examples of use of Pattern Characters
Password Seed Base

This is a secret string used as the base to generate a station password. The Seed Base should be unique for your configuration and is shared between the server and the SecureAnyBox Agent instances. You have to distribute the Seed Base together with the password pattern to all SecureAnyBox Agent-managed stations. Treat it as a secret: the station password is computed from the Seed Base, the pattern and the station name, so anyone who obtains the Seed Base of a configuration can compute the passwords of every station using it. Do not reuse a Seed Base across configurations.
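As an added illustration of the pattern language, the Pattern Characters sets and the role of the Password Seed Base (example code, not the product's implementation), the generator below fills a pattern from a PRNG. The HMAC-based seeding in station_rng is a hypothetical stand-in for the product's undocumented derivation; it is there to show why the Seed Base must stay secret: the same seed base, pattern, station name and user always yield the same password, so anyone holding those values can recompute it offline. The characters of the 's' set follow the list above; the "any allowed character" symbol is not legible on this page and is omitted.

```python
import hashlib
import hmac
import random
import string

VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
SPECIALS = ".@&,()<>_][%$#\\/?;:"            # the 's' set as listed in the guide
ANY_ALLOWED = string.ascii_letters + string.digits + SPECIALS   # assumption: base set for '^' exclusions

CLASSES = {
    "v": VOWELS, "V": VOWELS + VOWELS.upper(), "Z": VOWELS.upper(),
    "c": CONSONANTS, "C": CONSONANTS + CONSONANTS.upper(), "z": CONSONANTS.upper(),
    "l": string.ascii_lowercase, "A": string.ascii_letters, "u": string.ascii_uppercase,
    "d": string.digits, "s": SPECIALS, "n": string.digits + SPECIALS,
}


def resolve_set(spec):
    """Pattern Characters 1-3: 'abc' allows only a, b, c; '^0123' allows everything except 0-3."""
    if spec.startswith("^"):
        return "".join(ch for ch in ANY_ALLOWED if ch not in spec[1:])
    return spec


def compile_pattern(pattern, sets=("", "", "")):
    """Turn a pattern into one (kind, value) slot per output character."""
    slots = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                       # escape: the next character is used as is
            i += 1
            if i >= len(pattern):
                raise ValueError("pattern ends with a lone escape character")
            slots.append(("fixed", pattern[i]))
        elif ch in "123":
            candidates = resolve_set(sets[int(ch) - 1])
            if not candidates:
                raise ValueError("Pattern Characters %s is not set" % ch)
            slots.append(("choose", candidates))
        elif ch in CLASSES:
            slots.append(("choose", CLASSES[ch]))
        else:
            raise ValueError("character %r is not allowed in a pattern" % ch)
        i += 1
    return slots


def generate(pattern, rng, sets=("", "", "")):
    """Fill the pattern, drawing each variable position from rng (a random.Random)."""
    return "".join(value if kind == "fixed" else rng.choice(value)
                   for kind, value in compile_pattern(pattern, sets))


def station_rng(seed_base, station_name, user):
    """Hypothetical derivation, not the product's algorithm: seed the PRNG from an HMAC
    over station name and user, keyed with the Password Seed Base."""
    msg = ("%s\x00%s" % (station_name, user)).encode()
    digest = hmac.new(seed_base.encode(), msg, hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest, "big"))


if __name__ == "__main__":
    rng = station_rng("change-me-seed-base", "STATION1", "sabadmin")
    print(generate("CVCVdddCVCCVdC", rng))                      # default pattern, e.g. wEHe063heFme4p
    print(generate(r"\p\a\s\sddddddd", rng))                    # fixed prefix plus seven digits
    print(generate("111dd", rng, sets=("^0123", "", "")))       # no 0-3 in the first three characters
```

Because the derivation is deterministic per station, copying an Agent Configuration without changing its Seed Base (see Copy configuration below) gives two configurations whose stations share passwords whenever their names and users coincide.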

MS Windows

Enable MS Windows platform

Linux

Enable Linux platform

macOS

Enable macOS platform

LDAP

Enable LDAP platform

Configuration Password

Configuration encryption password. If SecureAnyBox configuration is encrypted, you must enter the configuration password to create or edit Agent Configuration successfully.

MS Windows

SecureAnyBox Agent Configuration for Windows Platform

Change password of
Select whether to use the SecureAnyBox5 Agent to set the password for a user, or group of users.
User account
Please enter a username of the station user account, which will be able to login with an obtained password.
User group
Please enter the name of the Windows local group. Unique password will generate for each member of this group.
Station name method
Select a method used to get the station name which is used to compute the password.
NETBIOS = use the NETBIOS station name (e.g., STATION1).
Fully Qualified DN = use the full Active Directory station name with domain (e.g., STATION1.domain.local).
SID = use the station's unique SID (e.g., S-1-5-21-3623811015-3361044348-30300820-1013).
Update Default Password
Enable / Disable synchronization with a default user.
When synchronization is enabled, the Agent Configuration can also be used for users who log in to Windows automatically. During the synchronization, the set password is saved into the station registry.
If synchronization is disabled, the automatic login into Windows will fail. How to set default user at your station
Online Config
Enable / Disable online configuration of the SecureAnyBox5 Agent.
Online configuration is more secure than the offline one, but has some limitations:
  • SecureAnyBox5 Agent must be connected to the SecureAnyBox5 server
  • SecureAnyBox5 Registration interface must be configured

Linux

SecureAnyBox Agent Configuration for Linux Platform

Change password of
Select whether to use the SecureAnyBox5 Agent to set the password for a user, or group of users.
User account
Please enter a username of the station user account, which will be able to login with an obtained password.
User group
Please enter the name of the local group of users. Unique password will generate for each member of this group.
macOS

SecureAnyBox Agent Configuration for macOS Platform

Change password of
Select whether to use the SecureAnyBox5 Agent to set the password for a user, or group of users.
User account
Please enter a username of the station user account, which will be able to login with an obtained password.
User group
Please enter the name of the local group of users. Unique password will generate for each member of this group.
LDAP

SecureAnyBox Agent Configuration for LDAP Platform

Change password of
Select whether to use the SecureAnyBox5 Agent to set the password for a user, group of users, or default user of the domain.
User Account FDN
Please enter the FDN of the user account which will be able to log in with the obtained password, e.g., cn=admin,o=org
User group
Please enter the name of the LDAP group of users. A unique password will be generated for each member of this group, e.g., cn=Admins,o=org
Permitted Users

You can limit visibility of Agent Configuration by permitting users to whom the Agent Configuration is visible. To set permitted users, please add a domain or a user. If a domain is added, the Agent Configuration is visible for all users from that domain. If a domain or a user is not set, the Agent Configuration is visible to all users.

Domains

If you add a domain, the Agent Configuration will be visible for users from that domain.

Users

If you add a user, the Agent Configuration will be visible for that user.

User Tags

If you add a User tag, the Agent Configuration will be visible for users with this User tag assigned.

Edit configuration

To edit an Agent Configuration, click its name in the list. The details will display.

Be aware that any change to an Agent Configuration can have severe consequences for the functionality of the SecureAnyBox5 Agents on registered stations.

Agent Configuration details

To open the edit form, click Edit. You can change all values except the name.
After editing, click OK to confirm. To apply changes, you must update the SecureAnyBox5 configuration.

Copy configuration

To create a similar Agent Configuration, click its name in the list. When details display, click Copy.
Enter a new name, change values as needed, and click OK to confirm.

Due to security reasons, we strongly recommend changing the Password Seed Base.

To use the new configuration, you must apply changes to the Configuration.

Remove configuration

To remove an Agent Configuration, click its name in the list. When details display, click Remove.
You must confirm removal by applying changes to the SecureAnyBox5 configuration.

LDAP Agent

LDAP Agent holds LDAP server connection settings used for user password changes. Without the LDAP Agent, it is not possible to get passwords for LDAP users.

Agent Configuration page

Add LDAP Agent

To add a new LDAP Agent configuration, click add LDAP Agent and wait for the form. After setting values, click OK. To use the new LDAP Agent, restart SecureAnyBox5.

LDAP Agent form
Agent ID

Unique agent identifier. Agent ID is used when generating a password for the user from LDAP.

Enabled

Enable/disable this LDAP Agent

Directory service

LDAP server type.

LDAP servers

LDAP server address or addresses for failover (multiple servers with the same replica/mirror).

SecureAnyBox5 mgr account

LDAP User DN used by SecureAnyBox5 to access LDAP, lookup users, change passwords, etc.
Minimum access rights:
  • entry/object rights – browse
  • cn – read, compare
  • objectClass – read, compare
Use 'Create SecureAnyBox objects' for NetIQ eDirectory. For other vendors, create the manager user in your directory service console. Some LDAP servers (e.g., Active Directory) do not allow access rights/permissions to be modified this way.
e.g., cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local

SecureAnyBox Mgr Password

Please enter SecureAnyBox mgr user password.

LDAP search base

LDAP container used as the search base for synchronisation. If not set, the search starts at the root.
e.g., o=org or leave empty to search from the root

Search subtree

Uncheck to search only immediate subordinates of the search base.

Dereference aliases

An alias is an entry that points to another object in the namespace by containing its DN. Following the alias to the entry it points to is known as dereferencing the alias.
There are four modes of dereferencing aliases, as defined by the LDAP protocol (RFC 4511): never (aliases are not dereferenced), searching (dereferenced only for entries below the search base), finding (dereferenced only when locating the search base itself), and always.

LDAP Search Filter
LDAP search filter used during a password change
Default filters:
  • AD – (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • eDirectory – (&(objectClass=person)(!(loginDisabled=true)))
  • generic LDAP – (objectClass=person)
Group membership filter examples:
  • AD: (memberof:1.2.840.113556.1.4.1941:=cn=Group1, OU=groups,DC=domainname)
  • eDirectory: (groupMembership=cn=group1,o=org)

e.g.,(objectClass=person)
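As an added example (not SecureAnyBox5 code), the following builds the search filter for a directory type and a group from the default filters and group membership examples above, escaping the group DN as RFC 4515 requires so that a name containing parentheses or an asterisk cannot terminate the assertion early and widen the set of accounts whose passwords get changed. The memberOf form used for generic LDAP servers is an assumption; the guide gives no example for them.

```python
DEFAULT_FILTERS = {
    "ad": "(&(objectCategory=person)(objectClass=user)"
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "edirectory": "(&(objectClass=person)(!(loginDisabled=true)))",
    "generic": "(objectClass=person)",
}

# How each directory expresses "member of group"; AD's matching rule also resolves nested groups.
MEMBERSHIP = {
    "ad": "(memberof:1.2.840.113556.1.4.1941:=%s)",
    "edirectory": "(groupMembership=%s)",
    "generic": "(memberOf=%s)",   # assumption: the guide shows no example for generic LDAP
}


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so it cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def members_of_group_filter(directory, group_dn, base_filter=None):
    """AND the directory's default user filter with a membership test for group_dn."""
    if directory not in MEMBERSHIP:
        raise ValueError("unknown directory type: %r" % directory)
    base = base_filter or DEFAULT_FILTERS[directory]
    return "(&%s%s)" % (base, MEMBERSHIP[directory] % ldap_escape(group_dn))


def balanced(filter_text):
    """Cheap sanity check for a hand-edited filter: parentheses must balance."""
    depth = 0
    for ch in filter_text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    for directory, group in (("ad", "cn=Group1,OU=groups,DC=domainname"),
                             ("edirectory", "cn=group1,o=org"),
                             ("ad", "cn=Ops (EMEA),OU=groups,DC=domainname")):
        f = members_of_group_filter(directory, group)
        print(balanced(f), f)
```

The escaped form is what belongs in the LDAP Search Filter field; the Test button in the configuration form then shows whether the directory accepts it, but it cannot tell you that an unescaped parenthesis silently matched more users than intended.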

Search Page Size

When set to greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response; for example, Active Directory servers return at most 1000 objects for a single search request by default. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit using multiple requests. When set to 0, no paging is used and a single request retrieves all results.
When using embedded LDAP from KeyShield SSO, this value must be set to 0.

Agent Configuration

Please select the Agent Configuration for this LDAP Agent. Selected Agent Configuration must contain settings for the LDAP platform.

Default User Domain

The domain of the default user is necessary for identifying the default user while generating a password. The default user domain must be the same as set in the workstation registry; otherwise, logging in as the default user via SecureAnyBox Agent will not be possible.
e.g., Default user on a station is set to "COMPANY/user1" – the default user domain is "COMPANY".
This field is available only if Active Directory is set as the LDAP directory service.

User id attribute

LDAP attribute used for user lookup during authentication. Available only if Active Directory is set as the LDAP service.

Edit LDAP Agent

To edit an LDAP Agent, click its name in the list. The details will display.

LDAP Agent details

To open the edit form, click Edit. You can change all values except the name.
After editing, click OK to confirm. To apply changes, update the SecureAnyBox5 configuration.

Copy LDAP Agent

To create a similar LDAP Agent, click its name in the list. When details display, click Copy.
Enter a new Agent ID, change values as needed, and click OK to confirm.
To use the new LDAP Agent, apply changes in the Configuration.

Remove LDAP Agent

To remove an LDAP Agent, click its name in the list. When details display, click Remove.
You must confirm removal by applying changes in the SecureAnyBox5 configuration.

Execute LDAP Agent

Executing an LDAP Agent changes passwords. Which passwords are changed depends on the Agent Configuration.

The Agent Configuration can be set to change the password of a single user account, of every member of a group, or of the default user of the domain (see the LDAP platform settings of the Agent Configuration above).

If any user whose password would be changed is set as the SecureAnyBox5 mgr account of any LDAP connector or LDAP Agent, the password of that user is not changed.

To execute the LDAP Agent, click its name in the Agent Configurations list. When details display, click Execute.

Administration interface

Configuration

The SecureAnyBox5 configuration is divided into sections. Each can be edited independently. To change a section, click edit at the top.

Edit config section

After clicking edit, the section’s form displays. At the bottom are three buttons: Test, OK, and Cancel.

Config buttons

After making changes, you can test values by clicking Test. If the test is successful, click OK to confirm.
Changed sections are marked with a blue checkmark.

Blue check mark

To apply configuration changes, restart the application by clicking Apply. To discard changes, click Revert.

Apply config changes

Summary

Click the Configuration button in the menu to open the Summary page. Here, you see configured LDAP connectors and server messages.
Each LDAP connector shows its status (whether communication is working). Click a connector’s name to view its settings.

Config summary

On the Summary page, you can also download the configuration.

General/Web interface

General SecureAnyBox server configuration and Web interface/API configuration.

General/Web interface
Web Address

SecureAnyBox web (HTTP) interface address. The SecureAnyBox web interface is accessible at this address from the local network.

Web Port

SecureAnyBox web interface HTTP port.

HTTP Mode

Web interface HTTP (plaintext) mode. Possible values: enabled (default), disabled, API (only JSON/XML API is accessible). When HTTP mode is disabled, it is possible to redirect to HTTPS mode.

HTTPS Port

SecureAnyBox web interface HTTPS port.

HTTPS Keystore

PKCS #12 file with the private key and corresponding certificates used for HTTPS web interface. You can create a self-signed certificate file by clicking on the Create self-signed SSL certificate button in the bottom left corner of this form.

SSL certificate form
Alias

The certificate alias is used as an alias inside a keystore and as a filename for a stored encrypted PKCS12 file.

Common Name

The common name of the certificate represents the hostname protected by the SSL certificate. Note that modern browsers match the hostname against the certificate's Subject Alternative Names rather than the common name, so list the hostname under Alternative Subject as well.
Use the domain name of your server as the common name of the certificate. If the server is available on the Internet using the "https://secureanybox.domain.com:8996" URL, use "secureanybox.domain.com" as the common name.

Validity

Enter the certificate validity in years (1-10).

RSA Key Size

The RSA key size indicates the length of the encryption key of the corresponding encryption algorithm. The RSA key size is given in bits. The minimum recommended RSA key size is 2048 bits.

Organizational Unit

Organization unit name used in certificate subject – leave empty if not needed.

Organization

Organization name used in certificate subject – leave empty if not needed.

Country Code

Country code used in certificate subject – leave empty if not needed.

Alternative Subject

Alternative Subject Names – additional domain names or IP addresses used to access SecureAnyBox SSL interface

HTTPS Keystore Password

HTTPS keystore password. It is used to read HTTPS keys and certificates.

Hostnames

SecureAnyBox web (HTTP) interface hostnames. Setting multiple hostnames is possible. All hostnames specified in the hosts files on stations must be specified here. Otherwise, the user with an unknown hostname cannot access SecureAnyBox.

App Path

Base application URL. For example, if you set the app path to ‘/sab’, SecureAnyBox will be accessible at http://server:port/sab/. The new app path will apply after restarting the SecureAnyBox.

App URL

App URL. The SecureAnyBox web interface is accessible to users at this address. The application URL must be set for the SecureAnyBox Launcher and SecureAnyBox Agent to work properly.

Remember Last Location

Remembering the last visited location (page) can be set per user or per combination of user and station. Unless turned off, the last visited page is loaded automatically after the user logs in to SecureAnyBox5.
Available options:

  • Off – Don’t remember the last page
  • Remember for user – Remember last visited page or Safe Box for given user
  • Remember for user and station key – Remember last visited page or Safe Box for given user and station key
Trusted Proxy Servers

When SecureAnyBox is behind a reverse proxy server, it is necessary to enter the trusted proxy IP address (or multiple addresses) to enable KeyShield SSO integration.

Disable CSP For Login.Page

The server will not send the Content-Security-Policy header for the login page. This feature can be used, for example, to allow third-party SSO solutions (like NetIQ NAS) to use a custom login page or insert inline scripts.

HTTPS Public Key API Mode
The HTTPS public key API mode settings. This API is used by the Firefox extension to check that the browser's connection to the SecureAnyBox5 server is not intercepted by an intermediate proxy server (man-in-the-middle attack).
Options:

  • Disabled – the API does not return the public HTTPS key; the Firefox extension cannot check for man-in-the-middle attacks.
  • SecureAnyBox5 server key – users access the SecureAnyBox5 server's HTTPS interface directly, and the API returns the SecureAnyBox server's public HTTPS key.
  • Reverse Proxy Key – users access the SecureAnyBox5 server through the HTTPS interface of a reverse proxy server, and the API returns the public HTTPS key of the reverse proxy server. In this case, you also need to upload the Reverse Proxy HTTPS keystore and enter the password for that file.

Reverse Proxy HTTPS Keystore

PKCS # 12 file that contains the private key and corresponding certificate for the HTTPS reverse proxy server interface. This file must be uploaded if users access the SecureAnyBox server through the HTTPS interface of a reverse proxy server and want to use the public HTTPS key API.

Proxy Server's HTTPS Keystore Password

Reverse proxy server HTTPS key store password. Used to read the public key of the reverse proxy server. The public key is available through the HTTPS public key API.

User interface
Language

Please select the default language of the SecureAnyBox web interface. This language will be automatically preset for all users. Each user can change the language in the User Preferences.

User Help Mode

This setting allows limiting visibility of documentation link and help tours. These settings apply to all users (Administrator and User Manager excluded).
Options:

  • Visible – help tours and link to the documentation are visible to all users
  • Disable help tours autorun – disable autorun of help tours for users (Administrator and User Manager excluded)
  • Hide help tours – hide button for starting the help tour
  • Hidden – help tours and link to the documentation are hidden to all users

Logging

Diagnostic log configuration. You can set the log level for specific parts of SecureAnyBox or a count of lines loaded into the browser into the current log view.
It is also possible to configure audit log archiving. Archived audit log records will be stored in separate files on the server. Once records are archived, they cannot be viewed in SecureAnyBox.

Logging form
Default Log Level

Default log level. If the log level for a specific part is not set, the default log level is used.

Core Log Level

Core engine log level

Services Log Level

Internal SecureAnyBox services and database log level

API Log Level

API calls log level

Authentication Log Level

Authentication and authorization log level

KeyShield SSO Log Level

KeyShield SSO authentication and WebSockets log level

Log Browser Line Limit

Limits the number of lines loaded into the browser in the current log view.

SIEM Syslog

Configure settings of the connection between SecureAnyBox and Syslog server. You can also set syslog facility, event source and log level of records sent to the syslog server. You can establish multiple syslog connections — for each syslog server, one for audit log and a second for diagnostic log and so on.

If you send audit messages to the SIEM syslog server, you can choose between two formats, CSV and CEF (see Audit Record Format below for examples of both).

Syslog form
ID

Please enter the unique ID of the connection with a Syslog server

Enabled

Enable/disable this connection.

Server Address

Syslog server address. The server address can be entered as an IP address (e.g., "172.22.13.1") or as a domain name (e.g., "syslog.tdp.cz")

Port

Syslog server port.

Syslog Facility

Desired facility value for log messages sent to syslog. A facility code is used to specify the type of program that is logging the message. Messages with different facilities may be handled differently.

Event Source

Select which records are sent to the syslog target.
Options:

  • Audit log
  • Diagnostic log
Audit Record Format

Please select the audit record format (CSV or CEF) sent to the syslog target.
Records in CSV (comma-separated values) contain the same information as records in the application's Audit log.
Records in CEF (Common Event Format) contain the most relevant event information in a form that event consumers can parse easily; CEF records can be more detailed.

Examples:

  • CSV format

Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent
Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"
Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"

  • CEF format

Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent
Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router
Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate
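For the SIEM side, as an added example that is not part of the guide or the product, here is a parser for both record formats, using the sample lines above as constructed input, and a small detection that lists every password retrieval regardless of which format the server was configured to send. Treating the doubled backslash in the CSV suser field as an escaped backslash is an assumption; CEF defines that escaping.

```python
import csv
import re

# Constructed input: copies of the sample CSV and CEF records shown above.
SAMPLE_LINES = [
    r'Aug 7 10:27:43 172.22.78.100 [SecureAnyBox-audit] "SWB","172.22.100.105","System\\admin","GET PASSWORD",TDPPRG,kiosek,DomAgent',
    r'Aug 7 10:27:58 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","GET PASSWORD",Firm,"Cisco ASR 1006 Router"',
    r'Aug 7 10:28:12 172.22.78.100 [SecureAnyBox-audit] "SAFE","172.22.100.105","System\\admin","VIEW ACCOUNT",Firm,"Bank Certificate"',
    r'Aug 7 10:29:34 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SWB.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD station=TDPPRG user=kiosek config=DomAgent',
    r'Aug 7 10:29:47 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.GET_PASSWORD|get password|3|src=172.22.100.105 suser=System\\admin act=GET_PASSWORD safe=Firm rec=Cisco ASR 1006 Router',
    r'Aug 7 10:29:58 172.22.78.100 [SecureAnyBox-audit] CEF:0|TDP|SecureAnyBox|4.3.0|SAFE.VIEW_ACCOUNT|view account|3|src=172.22.100.105 suser=System\\admin act=VIEW_ACCOUNT safe=Firm rec=Bank Certificate',
]

MARKER = "[SecureAnyBox-audit] "
CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")      # start of a key=value pair in the CEF extension


def unescape(value):
    """Undo backslash escaping: a doubled backslash, and CEF's escaped '=' and '|'."""
    return re.sub(r"\\([\\=|])", r"\1", value)


def parse_cef(payload):
    """Parse 'CEF:0|vendor|product|version|signature|name|severity|extension'."""
    parts = re.split(r"(?<!\\)\|", payload[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF record: %r" % payload)
    event = dict(zip(CEF_HEADER, parts[:7]))
    event["source"] = event["signature_id"].split(".", 1)[0]       # SWB, SAFE, TICKET, ...
    ext = parts[7]
    keys = list(EXT_KEY.finditer(ext))
    for i, match in enumerate(keys):                                # values may contain spaces
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[match.group(1)] = unescape(ext[match.end():end].strip())
    return event


def parse_csv(payload):
    """Parse the CSV form; the columns after the action depend on the source (SWB or SAFE)."""
    fields = next(csv.reader([payload]))
    event = {"source": fields[0], "src": fields[1], "suser": unescape(fields[2]),
             "act": fields[3].replace(" ", "_")}                    # "GET PASSWORD" -> GET_PASSWORD
    if event["source"] == "SWB":
        event.update(zip(("station", "user", "config"), fields[4:]))
    elif event["source"] == "SAFE":
        event.update(zip(("safe", "rec"), fields[4:]))
    return event


def parse_audit_line(line):
    """Parse one syslog line in either format into a dict with source/src/suser/act keys."""
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not a SecureAnyBox audit record: %r" % line)
    payload = line[idx + len(MARKER):]
    return parse_cef(payload) if payload.startswith("CEF:") else parse_csv(payload)


def password_retrievals(lines):
    """Detection: (who, from where, category, what) for every password read."""
    hits = []
    for event in map(parse_audit_line, lines):
        if event["act"] != "GET_PASSWORD":
            continue
        if event["source"] == "SWB":
            target = "%s/%s" % (event["station"], event["user"])
        else:
            target = "%s/%s" % (event["safe"], event["rec"])
        hits.append((event["suser"], event["src"], event["source"], target))
    return hits


if __name__ == "__main__":
    for hit in password_retrievals(SAMPLE_LINES):
        print(hit)
```

A SIEM rule built on these fields (for example, more than a handful of GET_PASSWORD events from one suser or one src in a short window, or any GET_PASSWORD against a safe outside that user's normal set) works unchanged whichever Audit Record Format is selected, which is the point of normalising both formats into the same keys.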

Level

This field is visible if the Diagnostic log is selected as the Event source.

Send messages with this or higher log level to syslog. It is possible to set different log levels for messages sent to the syslog and for messages sent to the application log. For records sent to the syslog server, it is not possible to set multiple logging levels for each part of the application, as in the SecureAnyBox diagnostic log. The selected logging level applies to all parts of the application.
To configure the log level of messages sent to the application log, please go to the Logging part of the SecureAnyBox configuration.

Log level (value) – log levels of sent messages:

  • TRACE (0) – TRACE, DEBUG, INFO, WARN, ERROR
  • DEBUG (1) – DEBUG, INFO, WARN, ERROR
  • INFO (2) – INFO, WARN, ERROR
  • WARN (3) – WARN, ERROR
  • ERROR (4) – ERROR

Log All Audit Log Sources

This field is visible if the Audit log is selected as the Event source.

When enabled, all audit log events will be recorded. When disabled, you can specify particular sources for logging.

Audit log sources

This fieldset is visible if the Audit log is selected as the Event source and Log all audit log sources is disabled.

SecureAnybox

Audit log events with the event source (category) SWB will be logged to SIEM.

Tickets

Audit log events with the event source (category) TICKET will be logged to SIEM.

Safe Boxes

Audit log events with the event source (category) SAFE will be logged to SIEM.

Authentication

Audit log events with the event source (category) AUTH will be logged to SIEM.

User Management

Audit log events with the event source (category) USER_MANAGEMENT will be logged to SIEM.

Audit log archiving

Settings of audit log archiving

Audit log archiving form
Enable Archiving

If enabled, an auditor can run archiving from the audit log page (in the Audit part). During archiving, records older than the number of months set below are saved to separate files and removed from the database. They can no longer be viewed in SecureAnyBox5.

Archive Records Older Than X Months

Records older than the specified number of months will be archived (within the range of 1 to 240)

Automatically Archive

Enable automatic archiving of audit log records. The auditor can still start archiving audit log records on the audit log page.

Frequency Of Archiving

Frequency of automatic archiving (daily, weekly, monthly, quarterly, semiannually, yearly)

Archiving Start Day

The day of the week on which archiving starts. At a weekly frequency, it is that day every week. At a lower frequency (longer period), it is the selected day in the first week of the period.

Archiving Start Time

Server time in whole hours (within the range of 0 and 23), when archiving of audit records will run.

Users & Security

In the Users and Security tab of Configuration, you can set user and security parameters, such as max login attempts, login ban duration, and password policy.

Users and Security form
User Security

User Authentication and Security configuration

Login Disclaimer

Disclaimer message shown on login page.

Max Login Attempts

User is banned (cannot log into application) after this number of unsuccessful attempts. Set to 0 to turn this feature off.

User Ban Minutes

User is banned (cannot log into application) for this number of minutes.

Session Timeout

Inactivity timeout for the user session. After this timeout expires with no user activity, the user is logged out.

2FA (Two-Factor Authentication)

Use of second factor (authenticator application) is either optional – enabled by user in the top right menu, or mandatory.

LDAP Login Password Synchronization

SecureAnyBox offers several ways to manage user passwords with LDAP (a directory service for authentication):
1. Synchronize from LDAP to SecureAnyBox:
  - SecureAnyBox uses a locally saved copy of your password (cached password).
  - Your password will not update until you enter a new one that matches your LDAP password.
2. LDAP authentication only:
  - Each time you log in, your password is verified directly with the LDAP server (if accessible).
  - This keeps your password synchronized with LDAP.
3. SecureAnyBox authentication only:
  - Only the password stored in SecureAnyBox is used.
  - Your password is not synchronized with LDAP.
Choose the option that best fits your organization’s security and synchronization needs.

Enable Login Password Policy

Enabling the login password policy allows you to set minimum password requirements – minimum length, minimum entropy, minimum number of uppercase or lowercase letters, and so on.

Login Password Policy

Login password policy determines minimum requirements for the login password.

These fields are displayed only if the Enable Login Password Policy field is checked.

Minimum Length

Minimum length of the login password.

Uppercase Letters

Minimum number of uppercase letters in login password.

Lowercase Letters

Minimum number of lowercase letters in login password.

Digits

Minimum number of digits in login password.

Special Characters

Minimum number of special characters in the login Password.

Minimum Entropy

Value of the minimum allowed entropy of the login password. The password entropy shows how unpredictable and strong the password is (the higher the value, the better).

  • 0 – 20 – password is very weak
  • 20 – 35 – password is weak
  • 35 – 40 – password is good
  • 40 – 50 – password is strong
  • 50 – 256 – password is very strong

Management of users and domains

Permissions to manage users and domains

Allow Management Of Visible Domains

If not allowed, a user manager from a domain other than the System domain can manage only their own domain. If allowed, they can manage all visible domains.

Send Invitation Email To New Users

After manually creating a user who does not have a password, send this user an invitation email with a link to set the password.

Displaying full names of users

Displaying full names of users form
Preference for selecting a full name

Settings of preferences for selecting the full name of users. The full name displays in the top right corner of the web interface and is also used in email invitations, email notifications and messages.
If the full name cannot be selected according to the first preference settings, the second preference settings are tried. If both preferences yield an empty result, the username is displayed as the full name.

First Preference

Most preferred settings for how the full name of users will be selected.

If The First Preference Result Is Empty

Settings to apply if the first preference result is empty.

If Both Settings Have Empty Results

The username will be displayed as the user’s full name.

Preferences for selecting a short full name

Settings of preferences for selecting the short full name of users. The short full name is displayed in lists of users – e.g. in user management, when adding permissions for Safe Boxes to other users, in the names of private Safe Boxes shared by another user, in reports, etc.
If the short name cannot be selected according to the first preference settings, the second preference settings are tried. If both preferences yield an empty result, the username is displayed as the short name.

First preference

Most preferred settings for how the short name of users will be selected.

If The First Preference Result Is Empty

Settings to apply if the first preference result is empty.

If Both Settings Have Empty Results

The username will be displayed as the user’s short name.

Backup

Backup of SecureAnyBox server is done at midnight (if the server runs) or at the earliest possible opportunity. It is possible to set a configuration for backup and verify that the backup has run.

View how to restore SecureAnyBox5 data from a backup

To edit the Backup configuration, click edit and wait for the form to appear.

Backup tab
File Path

The path to the location where the backup files are created. The default path is the backup directory in the SecureAnyBox installation directory. By default: /opt/tdp/secureanybox/backup or C:\SecureAnyBox\backup

Filename Prefix

A time stamp in the yyyy-mm-dd format is automatically added after the prefix (e.g., secureanybox-backup-2018-05-17.zip). The default prefix is secureanybox-backup.

Number Of The Last Backups To Keep

The number of maintained backups. Backup is done every day at midnight. When a count of backups exceeds the number set here, the oldest backups are automatically deleted. The default number of backups is 7.

Customized File Permissions

Allows you to edit the default user rights of the backup file.

File Owner

User account which will be set as the owner when creating the backup file (e.g., root, Administrators).

This field is displayed only if the SecureAnyBox5 server runs on the Windows platform.

File Group

Group of users with permissions to backup files.

This field is displayed only if the SecureAnyBox5 server runs on the Linux platform.

File Permissions

Permissions set on the backup files. The Unix symbolic notation in the rw-rw---- format is used for the setting (see https://en.wikipedia.org/wiki/File_system_permissions). By default, only the owner has permission to read and write (rw-------).

This field is displayed only if the SecureAnyBox5 server runs on the Linux platform.

A table with information about backups is displayed below the backup configuration details.

The LDAP connector holds LDAP server connection settings used for communication with the LDAP server to synchronize users from LDAP to the SecureAnyBox, and vice versa. Three types of Directory services are supported – eDirectory, Active Directory, and generic LDAP.
For each connector, it is possible to set more than one LDAP server for backup or load balancing purposes. All servers set to one connector need to be the same type (eDirectory, Active Directory, or generic LDAP).

LDAP tab

Click sync to start manual synchronization with the connector server. You are redirected to the Connector synchronization log page to see results.
Click view to go to the Connector Viewer page, where you can see which users can be synchronized from LDAP/Azure AD after filtering.

LDAP Connector

For each connector, you can set multiple LDAP servers for backup or load balancing. All servers for a connector must be the same type (eDirectory, Active Directory, or generic LDAP).

To create a new LDAP connector, click add LDAP Connector and wait for the form.

LDAP form
Connector ID

Unique connector identifier. Connector ID must start with a letter and contain only letters, numbers and underscores.

Enabled

Uncheck (false) to disable this connector.

LDAP settings
Directory Service

LDAP server type.

LDAP Server(s)

LDAP server address or addresses of multiple LDAP servers with the same directory replica/mirror (for failover).

To add an LDAP server, click the plus button and wait for the form to appear.

New LDAP

In the form, enter the Server address and Port. The address can be an IP (e.g., "172.22.13.1") or a domain (e.g., "ldapsrv.tdp.cz"). Port defaults to 636 with SSL.
We recommend using SSL for communication between SecureAnyBox5 and LDAP.
To add the server, click OK.

Server address

Please enter the LDAP server address. The server address can be entered as an IP address (e.g. "172.22.13.1") or as a domain name (e.g. "ldapsrv.tdp.cz").

Port

Port on which SecureAnyBox5 communicates with the LDAP server. Port 636 is used for connections with SSL and port 389 for connections without SSL.

SSL

Enable/disable SSL protocol during communication between SecureAnyBox5 and LDAP server. We strongly recommend using SSL protocol.

Load Balancing

When enabled, LDAP requests will be distributed among available LDAP servers (for load balancing). When not enabled, SecureAnyBox will connect to the first server available. Servers are tried in the order in which they are defined.

SecureAnyBox Mgr Account

LDAP User DN used by SecureAnyBox to access the LDAP directory, look up users, change passwords, etc.
Minimum access rights:
  • entry/object rights – browse
  • cn – read, compare
  • objectClass – read, compare
Use the Create SecureAnyBox objects button to create the manager user automatically when using NetIQ (Novell) eDirectory. If you are connecting to a directory service from another vendor, please create the manager user using your directory service management console. The LDAP interface of some directory services (e.g., Active Directory) doesn’t provide access rights/permissions modification…

e.g., cn=secureanyboxmgr,o=org or cn=secureanyboxmgr,cn=Users,dc=DOMAIN,dc=local

LDAP Search Base

LDAP container used as a search base for the LDAP synchronization search query. When the search base is not set, the search starts at the root of the LDAP tree.

e.g., o=org or leave empty to search from the root of the tree

Search Subtree

Uncheck to search only the immediate subordinates of the specified search base.

Dereference Aliases

An alias is an entry which points to another object in the namespace by containing its DN. Searching the entry that an alias entry points to is known as dereferencing an alias.
There are four modes of dereferencing aliases:

  • Never
  • Dereference while finding the base object – aliases are dereferenced when searching subordinates of the base object but not when locating the base object.
  • Dereference while retrieving objects according to search scope – aliases are dereferenced when locating the base object but not when searching for the subordinates of the base object.
  • Always

Search Page Size

When set to a value greater than zero, SecureAnyBox5 uses the Simple Paged Results extended control to retrieve LDAP search results in pages of the given number of entries. Some LDAP servers have a default server-side limit on the number of entries returned in a single response; for example, Active Directory servers have a default limit of 1000 objects per search request. Setting Search Page Size to 1000 or lower allows SecureAnyBox5 to retrieve more results than the server limit using multiple requests. When set to 0, no paging is used and a single request retrieves all results. This setting is used when importing users and in the Connector Viewer.
When using embedded LDAP from KeyShield SSO, this value must be set to 0.

Include

List of FDNs included in user synchronization.

Exclude

List of FDNs excluded from user synchronization.

LDAP Search Filter

LDAP search filter used during user synchronization.
Default filters:
  • AD – (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • eDirectory – (&(objectClass=person)(!(loginDisabled=true)))
  • generic LDAP – (objectClass=person)
Group membership filter examples:
  • AD: (memberof:1.2.840.113556.1.4.1941:=cn=Group1, OU=groups,DC=domainname)
  • eDirectory: (groupMembership=cn=group1,o=org)

e.g., (objectClass=person)
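
Because a wrong filter silently changes which accounts get synchronized (a filter without the userAccountControl clause, for instance, also imports disabled accounts), it helps to try a filter against sample entries before saving the connector. The following added example (not SecureAnyBox code) parses the default and group-membership filters above and evaluates them against constructed entries. Two simplifications are assumptions: the nested-group rule 1.2.840.113556.1.4.1941 is reduced to direct membership (Active Directory walks the whole group chain), and objectCategory is stored as the short form rather than the schema DN that Active Directory resolves it to.

```python
"""Parse and evaluate LDAP search filters like the ones listed above.

Added example for this guide, not SecureAnyBox code. Supports the equality and
extensible-match items used by the guide's default filters. Entries are
constructed; the in-chain rule is reduced to direct membership (assumption).
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND: all bits of the mask set
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: (nested) group membership
ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):=|=)(.*)", re.S)

# Filters quoted in the guide.
AD_DEFAULT = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
EDIR_DEFAULT = "(&(objectClass=person)(!(loginDisabled=true)))"
AD_GROUP = "(memberof:1.2.840.113556.1.4.1941:=cn=Group1, OU=groups,DC=domainname)"


def parse_filter(text):
    """Return a tree: ('&'|'|', [children]), ('!', [child]) or ('=', attr, rule, value)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _close(s, i)
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), _close(s, i)
    end = s.find(")", i)  # a ')' inside a value must be escaped as \29 (RFC 4515)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = ITEM_RE.fullmatch(s[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", m.group(1), m.group(2), m.group(3)), end + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _norm_dn(dn):
    # DNs compare case-insensitively; ignore spaces around the separating commas.
    return ",".join(part.strip() for part in dn.lower().split(","))


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: attribute -> value or list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    raw = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    values = [str(v) for v in (raw if isinstance(raw, list) else [raw])]
    if rule == BIT_AND:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule == IN_CHAIN:
        return any(_norm_dn(v) == _norm_dn(value) for v in values)
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def select(filter_text, entries):
    """DNs of the entries the filter would hand to synchronization."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


# Constructed sample entries: an enabled user, a disabled user (bit 2 set), a computer.
AD_ENTRIES = [
    {"dn": "cn=alice,cn=Users,dc=example,dc=local", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "userAccountControl": "512",
     "memberOf": ["CN=Group1,OU=groups,DC=domainname"]},
    {"dn": "cn=bob,cn=Users,dc=example,dc=local", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "userAccountControl": "514"},
    {"dn": "cn=srv01,cn=Computers,dc=example,dc=local", "objectCategory": "computer",
     "objectClass": ["top", "person", "user", "computer"], "userAccountControl": "4096"},
]
EDIR_ENTRIES = [
    {"dn": "cn=carol,o=org", "objectClass": ["inetOrgPerson", "person"], "loginDisabled": "FALSE"},
    {"dn": "cn=dave,o=org", "objectClass": ["inetOrgPerson", "person"], "loginDisabled": "TRUE"},
]
```

With these entries, the AD default filter selects only alice: bob is excluded by the bit test on userAccountControl (514 has bit 2 set), and the computer object by objectCategory. The plain (objectClass=person) filter, by contrast, selects all of them, which is why the generic default is the one to tighten first.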

LDAP Pool Size

The number of LDAP connections SecureAnyBox keeps alive to improve the performance of LDAP requests.

Attribute mapping
UUID Attribute

The attribute used as the UUID (Universally Unique Identifier). Its value uniquely identifies the user object within the connector and must be unique across domains and LDAP connectors. Usually the GUID (eDirectory) or objectGUID (Active Directory) attribute is used and recommended, because these are generated to be globally unique.

First Name Attribute

Attribute used as a first name.

Middle Name Attribute

Attribute used as a middle name.

Last Name Attribute

Attribute used as a surname.

Display Name Mapping

Enable mapping to Display name

Display Name Attribute

Field is displayed only if the Display Name Mapping field is checked.

Attribute used as a display name.

Short Display Name Mapping

Enable mapping to Short display name

Short Display Name Attribute

Field is displayed only if the Short Display Name Mapping field is checked.

Attribute used as a short display name.

Custom Mail Attribute

You can set the source attribute for reading the user’s email address and an optional regex to pick the correct email address if the source attribute is multi-valued.

Fields below are displayed only if the Custom Mail Attribute field is checked.

Mail Attribute

Source attribute used to read the user’s email address.

Mapping Method

Mapping method used to read the email value, for example when the source attribute is multi-valued. The default mapping method (First value) reads the first value of the attribute as returned by the server.

Match Regex

This field is displayed only if the Mapping Method field is set to ‘First match’ or ‘First match or first value’.

Regular expression used to find the value of the user’s email address. For example, use regex .*@yourdomain.com to match email addresses from yourdomain.com.

Synchronization
Target Domain

Synchronized user objects are created in this domain.

User tags

List of user tags which will be assigned to all users synchronized from this connector.

Group to User tag

Mapping of group FDN to user tags – all users with the specified group FDN will have the user tag assigned.
FDN of the group must be in the search scope.

Synchronize User ‘Enabled’ Status

Sets whether to synchronize the "enabled" status of a previously saved user.
  • Only Enabled to Disabled – synchronize the status from enabled to disabled when the user is disabled in LDAP
  • Always – always synchronize the user’s status from LDAP
  • Do not synchronize – do not synchronize the user’s status from LDAP

Enable Synchronization

Enable periodic synchronization of users from the connector.

User Synchronization Interval

The interval between synchronization runs for users from this connector.

To finish configuring the LDAP connector, click OK. The application must be restarted for the connector to work.

eDirectory installation

When configuring a new eDirectory LDAP connector, click Create SecureAnyBox objects to install directly from the web interface. After clicking, wait for the installation form to appear.

eDir Installation
LDAP Server

LDAP server address. The address can be specified in various formats (e.g. 172.22.40.68, localhost, mail.tdp.cz), but cannot be prefixed with a connection scheme (e.g. ldap://127.0.0.1).

LDAP Port

The port on which SecureAnyBox communicates with the LDAP server. For SSL connections, use port 636 and for SSL-free connections, use port 389.

SSL

Enable/disable the use of SSL for communication between SecureAnyBox and LDAP. We strongly recommend using SSL.

LDAP search base

The LDAP container is used as the search base for synchronization. If not set, the search starts at the root.

e.g., o=org or leave empty to search from the root of the tree

SecureAnyBox Container

LDAP container where SecureAnyBox objects (like a SecureAnyBox manager) should be created.

Admin FDN

Enter the FDN of the LDAP admin (e.g., cn=admin,o=org). LDAP admin credentials are necessary to create SecureAnyBox objects in LDAP.

Password

Enter admin password

Password Override

When enabled, you can override the User DN and password for the secureanyboxmgr user. Otherwise, the default values will be used.

SecureAnyBox5 mgr account

LDAP User DN used by SecureAnyBox5 to access LDAP.

Password Pattern

Password pattern for generating a SecureAnyBox manager password. Each letter in the pattern corresponds to a letter in the generated password.
Characters allowed in the password pattern and their meaning:
  • v – lowercase vowel (a,e,i,o,u,y)
  • V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
  • Z – upper case vowel
  • c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
  • C – mixed case consonant
  • z – upper case consonant
  • l – any alphabet character (vowel or consonant) – lowercase
  • A – any alphabet character – mixed case
  • u – upper case alphabet character
  • d – digit (0-9)
  • s – special character (.,@,&,,(,),<,>,_,],[,%,$,#,\,/,?,;,,:)
  • n – digit or special character
  • \ – escape character – the next character is used as is (e.g. pattern ‘\-‘ outputs ‘-‘ in the resulting password)
  • – any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as "wEHe063heFme4p").
For example, you can set the password pattern to "\p\a\s\sddddddd", which might generate passwords such as "pass1762885" or "pass5687412".

SecureAnyBox Mgr Password

Please set SecureAnyBox manager password. The password can be generated by clicking on the Generate button. Generated passwords are safer and don’t have any link to a person who made them (like a pet’s name, favourite actor or nickname). Generated passwords are formatted by the current password pattern. Generated passwords can also be edited.

After setting all required values, click OK and wait for installation to finish. If successful, the form closes and a Success message appears in the connector form.

Success

Azure AD Connector

To create a new Azure AD connector, click add Azure AD Connector and wait for the form.

Azure AD Connector form
Enabled

Uncheck (false) to disable this connector.

Authentication Settings
Domain

Domain of your Entra ID (Azure AD) – it is used to form the userPrincipalName (username@domain) used to log in to Entra ID.

Tenant ID

Tenant ID of your Entra ID (Azure AD)

Client ID

ID of application registered in Entra ID (Azure AD) used for SecureAnyBox synchronization and authentication.

Client Secret

Client secret of the application registered in Entra ID.

Attribute mapping

Synchronization

KeyShield SSO Integration

In this part of the SecureAnyBox configuration, you can set integration with the KeyShield SSO. SecureAnyBox supports two types of Keyshield authentication – by IP address and by certificate using the Client API.

KeyShield SSO Integration form
IP address authentication

KeyShield SSO integration for clients with a unique IP address using KeyShield SSO web REST API.

IP Address Authentication

KeyShield SSO IP address authentication is disabled by default. You can enable it for all users or non-admin users only.

KeyShield SSO Server URL

KeyShield SSO server URL (syntax: http://address:port), e.g. http://127.0.0.1:8485.
If you connect to the KeyShield SSO server over SSL (HTTPS instead of HTTP), you need to import the KeyShield SSO server certificate into your Java Keystore.

API Key

Key used to authenticate against KeyShield SSO API. To obtain the API key, please go to the KeyShield SSO Administration.

Trusted proxy servers

If SecureAnyBox5 is behind a reverse proxy, enter the trusted proxy IP to enable KeyShield SSO integration.

Connection Timeout

Determines the timeout in seconds until a connection to the KeyShield SSO server is established.

Enabled Authentication Types For Synchronized Users

Select the authentication type. This value determines whether authentication through the login form is enabled and whether two-factor authentication is used.

Notification URL

Copy this URL and use it in notification configuration within KeyShield SSO Server.

Certificate authentication using client API

Integration with Keyshield SSO for clients with non-unique IP addresses. This authentication uses KeyShield SSO client API and requires a browser extension to work. Using KeyShield SSO (Windows) client in TLS mode is also required.

Enable Certificate Authentication

Enables SSO through KeyShield SSO Client API

KeyShield SSO API Certificate

Upload KeyShield SSO API certificate, which can be downloaded from KeyShield SSO configuration in the API section.

Password Login Enforcement
Password Enforcement Mode
By default, users who log in with KeyShield SSO do not have to set or enter a SecureAnybox password. However, you can choose to require these users to create and use a password for added security.
When this option is enabled:
  • Users logging in with KeyShield SSO will also need to set and use a SecureAnybox password.
  • You can set the password to be required only once, or you can have users enter it again after a certain number of days.
Benefits:
  • Gives SSO users an extra layer of security.
  • Allows you to choose how often passwords are needed.
This setting is not enabled by default and must be turned on by an administrator.

Safe Boxes

Configuration of the Default password pattern, which is used in Safe Boxes and Records, offering of previously entered labels, maximum file size, policy of the Access Code and applying of permission templates.

Password safe
Safe Boxes Management
Customized Column

Selection of which data displays in the middle column of the list of records in the Safe Box – after the record name. The default value is Description.
This value is set for the server and can be overridden in the domain and the user preferences.

Enable Creating Tags From The Record

When using the API (/safe/boxes/{boxId}/records), it is possible to create new record tags directly when creating a record using the ‘forceCreateTags’ parameter. This setting determines who can use this parameter.
Note: Global setting can be overridden by domain setting

Do Not Offer Previously Entered Tags

When entering a tag in the record’s form, previously typed tags will not be offered.

Maximum File Size

This value determines the maximum size of the internal file which is possible to store in a record (file or certificate type of record).

Safe Box delete mode

Sets whether the user who has delete permission for Safe Box can delete the Safe Box or only content inside.

White Envelope Mode

Select White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.
If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of Security Officers and does not need to be reset. When recovering the access code, unlike a reset, the user does not lose the keys to the Safe Boxes, and it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.
Note: The domain settings can override this setting.

Access Code Reset Enabled

Enable resetting the Access Code even though the Access Code can be recovered with the help of Security Officers. When recovering the Access Code, unlike when resetting, the user does not lose the keys to the Safe Boxes. So, it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.
Note: The domain settings can override this setting.

Password policy

Settings of the default password generation method

Generate Passwords Using

Select the setting that will be the default for all users. The selected setting will be used when generating a password:

Default Password Preset

A password preset will be used to generate a password. The preset has specified password requirements, such as the number of uppercase letters, characters to include/exclude, minimum entropy, etc. The password preset has to be specified first in the Administration interface.

Default Password Pattern

Default password pattern for Safe Boxes and Records where no password pattern is set.
Each letter in the pattern corresponds to a letter in the generated password.
See examples of the password pattern
Characters allowed in the password pattern and their meaning:
  • v – lowercase vowel (a,e,i,o,u,y)
  • V – mixed case vowel (A,E,I,O,U,Y,a,e,i,o,u,y)
  • Z – upper case vowel
  • c – lowercase consonant (b,c,d,f,g,h,j,k,l,m,n,p,q,r,s,t,v,w,x,z)
  • C – mixed case consonant
  • z – upper case consonant
  • l – any alphabet character (vowel or consonant) – lowercase
  • A – any alphabet character – mixed case
  • u – upper case alphabet character
  • d – digit (0-9)
  • s – special character (.,@,&,,(,),<,>,_,],[,%,$,#,\,/,?,;,,:)
  • n – digit or special character
  • \ – escape character – the next character is used as is (e.g. pattern ‘\-‘ outputs ‘-‘ in the resulting password)
  • – any allowed character
The default pattern is CVCVdddCVCCVdC (this might generate passwords such as wEHe063heFme4p).
For example, you can set the password pattern to ‘\p\a\s\sddddddd‘, which might generate passwords such as ‘pass1762885‘ or ‘pass5687412‘.
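
The pattern language above is the same one used for the eDirectory manager password in the eDirectory installation section. As an added example (not SecureAnyBox code, whose generator is not shown in the guide), the following reimplements the listed pattern letters with the operating system's CSPRNG, checks whether a given password fits a pattern, and counts how many distinct passwords a pattern can produce. The entry whose pattern letter is missing from the list ("any allowed character") is not implemented.

```python
"""Generate and validate passwords from a SecureAnyBox-style password pattern.

Added example for this guide, not SecureAnyBox code. It reimplements the pattern
letters listed in the guide; the letter for "any allowed character" is missing
from the guide and is therefore not supported here.
"""
import secrets
import string

VOWELS = "aeiouy"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
SPECIAL = ".@&,()<>_][%$#\\/?;:"  # the special characters listed in the guide

# Pattern letter -> alphabet the generated character is drawn from.
CLASSES = {
    "v": VOWELS, "V": VOWELS + VOWELS.upper(), "Z": VOWELS.upper(),
    "c": CONSONANTS, "C": CONSONANTS + CONSONANTS.upper(), "z": CONSONANTS.upper(),
    "l": string.ascii_lowercase, "A": string.ascii_letters, "u": string.ascii_uppercase,
    "d": string.digits, "s": SPECIAL, "n": string.digits + SPECIAL,
}


def compile_pattern(pattern):
    """Return one alphabet per output position; a backslash escapes the next character."""
    alphabets, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape")
            alphabets.append(pattern[i + 1])  # literal character, used as is
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern letter {ch!r} at position {i}")
        alphabets.append(CLASSES[ch])
        i += 1
    return alphabets


def generate(pattern):
    """Draw each position from its alphabet with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for alphabet in compile_pattern(pattern))


def matches(pattern, password):
    """True if every character of the password is allowed at its position by the pattern."""
    alphabets = compile_pattern(pattern)
    return len(password) == len(alphabets) and all(
        ch in alphabet for ch, alphabet in zip(password, alphabets)
    )


def guesses(pattern):
    """Number of distinct passwords the pattern can produce."""
    total = 1
    for alphabet in compile_pattern(pattern):
        total *= len(alphabet)
    return total


if __name__ == "__main__":
    for pattern in ("CVCVdddCVCCVdC", r"\p\a\s\sddddddd"):
        print(pattern, generate(pattern), f"{guesses(pattern):,} possibilities")
```

The guesses() figure is the point to look at when choosing a pattern: the pronounceable default yields about 8.5e17 combinations, whereas a pattern with a fixed prefix such as "\p\a\s\sddddddd" yields only 10 million, since everything but the seven digits is known.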

User tags
Permission Templates Will Be Offered For User Tags From

Select from which domains the user tags are taken when permission templates are offered:

  • All domains – Permission Templates will be offered for user tags from all visible domains
  • Only current domain – Permission Templates will be offered only for user tags from the domain of the currently logged user

Enhanced Client Encryption

Enhanced Client Encryption

Configuration of enhanced client-side encryption of access code and record data. Enhanced encryption is additional encryption on top of the already encrypted and secure SSL/TLS connection.

Access Code Policy

Access Code Policy
Minimum Length

Minimum length of the access code.

Uppercase Letters

Minimum number of uppercase letters in Access Code.

Lowercase Letters

Minimum number of lowercase letters in Access Code.

Digits

Minimum number of digits in Access Code.

Special Characters

Minimum number of special characters in Access Code.

Minimum Entropy

Value of the minimum allowed entropy of the Access Code. The value of entropy shows how unpredictable and strong the Access Code is.

  • 0 – 20 – Access Code is very weak
  • 20 – 35 – Access Code is weak
  • 35 – 40 – Access Code is good
  • 40 – 50 – Access Code is strong
  • 50 – 256 – Access Code is very strong

Access Code Timeout

By setting the Access Code Timeout, you will enable temporary remembering of the Access Code. The last entered Access Code will be temporarily stored in a cache for the specified amount of time, and the users will not have to enter the Access Code repeatedly.
To turn this feature off, set the Access Code Timeout to 0.

Max Access Code Attempts

User Access Code is temporarily disabled after this number of unsuccessful attempts. Set to 0 to turn this feature off.

Access Code Ban Minutes

The user cannot use his/her Access Code for this number of minutes.

Settings of the required characters in the Access Code (default value / minimum value):

  • Minimum length – default 8, minimum 5
  • Uppercase letters – default 1, minimum 0
  • Lowercase letters – default 1, minimum 0
  • Digits – default 3, minimum 0
  • Special characters – default 0, minimum 0
  • Minimum Entropy – default 20, minimum 0
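
The Access Code Policy above and the Login Password Policy in the Users & Security section carry the same fields (minimum length, per-class minimums, minimum entropy) and the same strength bands. The following added example (not SecureAnyBox code) checks a candidate against such a policy, with the defaults taken from the table above. The entropy estimate, length times log2 of the pool formed by the character classes present, is a common simple estimator and an assumption: the guide does not state the formula the product uses, so the bands are illustrative.

```python
"""Check a login password or Access Code against a policy like the one described above.

Added example for this guide, not SecureAnyBox code. Defaults are the Access Code
defaults from the guide's table. The entropy estimate (length times log2 of the
pool size of the character classes present) is an assumption; the guide does not
state the product's formula.
"""
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 8
    uppercase: int = 1
    lowercase: int = 1
    digits: int = 3
    special: int = 0
    min_entropy: float = 20.0


def class_counts(secret):
    """How many characters of each class the secret contains."""
    return {
        "uppercase": sum(c in string.ascii_uppercase for c in secret),
        "lowercase": sum(c in string.ascii_lowercase for c in secret),
        "digits": sum(c in string.digits for c in secret),
        "special": sum(c not in string.ascii_letters + string.digits for c in secret),
    }


# Pool size contributed by each class an attacker has to search (assumption).
POOL_SIZES = {"uppercase": 26, "lowercase": 26, "digits": 10, "special": len(string.punctuation)}


def estimate_entropy(secret):
    """Bits = length * log2(pool), where pool sums the classes actually used."""
    counts = class_counts(secret)
    pool = sum(size for name, size in POOL_SIZES.items() if counts[name])
    return len(secret) * math.log2(pool) if pool else 0.0


def strength_label(entropy):
    """Bands quoted in the guide; 256 is the top of the last band."""
    for upper, label in ((20, "very weak"), (35, "weak"), (40, "good"), (50, "strong")):
        if entropy < upper:
            return label
    return "very strong"


def check(secret, policy=Policy()):
    """Return the unmet requirements; an empty list means the secret is acceptable."""
    failures = []
    if len(secret) < policy.min_length:
        failures.append(f"length {len(secret)} < {policy.min_length}")
    for name, have in class_counts(secret).items():
        need = getattr(policy, name)
        if have < need:
            failures.append(f"{name} {have} < {need}")
    entropy = estimate_entropy(secret)
    if entropy < policy.min_entropy:
        failures.append(f"entropy {entropy:.1f} < {policy.min_entropy}")
    return failures


if __name__ == "__main__":
    for candidate in ("abc", "password", "Correct7Horse42"):
        print(candidate, strength_label(estimate_entropy(candidate)), check(candidate) or "ok")
```

Running it shows the limitation of any pool-based estimator: "password" scores in the "good" band by entropy alone and is rejected only by the uppercase and digit minimums, which is why the per-class requirements and a minimum entropy are meant to be used together rather than either one on its own.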

Mail and Notification

Configuration of e-mail notifications. Notifications will be sent when some user makes changes in the records (Safe Boxes, Accounts and so on).

Mail notification
SMTP Server

Please enter the SMTP server address from which notification emails will be sent. The host address can be specified in various formats (e.g. 172.22.40.68, localhost, mail.tdp.cz), but cannot be specified along with the type of connection (e.g. smtp://127.0.0.1).

SMTP Port

Please enter the port of the SMTP server. Usual SMTP ports are 25, 465 (for SSL), and 587 or 2525 (for TLS). If the connection to the SMTP server fails while using port 25 with SSL/TLS, use the respective ports instead.

Username

Please enter a username of an SMTP account that the SecureAnyBox will be using to connect to the SMTP server.

Password

Please enter a password for the SMTP account SecureAnyBox will use to connect to the SMTP server.

From Address

Enter an email address from which the notification emails will be sent.

Notifications Of Watched Safe Boxes

By enabling the email notification, you will allow sending notification emails with a summary of changes in the records.
When the notifications are enabled, it is possible to set options for when and to whom the emails will be sent.

Only Encrypted Fields

If this field is checked or the value is "yes", notification emails will be sent only if some encrypted fields (in records) change.

Notify Only Watchers

If this field is checked or the value is "yes", notification emails will be sent only to watchers of the Safe Box in which the changed record is stored.

Notify Self

If this field is checked or the value is "yes", a notification email will be sent even to the user who made the changes.

Changes Aggregation [Minutes]

Set the time (in minutes), during which the SecureAnyBox will aggregate changes. After the set time, SecureAnyBox will send an email with the summary of all changes in the record.

External files

Configuration of external files. External files are encrypted by SecureAnyBox5 and stored on another server. In this part of the Configuration, it is possible to set default external files path.

External files

User management

Domains

Create domain Edit domain Disable domain Delete domain Show Domain Users

This page is intended for managing domains. Only users with the role User Manager or Administrator have access to this page.

Domains can be used to divide a SecureAnyBox into several parts. Each domain has its own user management, and it is possible to create a hierarchical structure of domains.
The structure of domains can mirror the structure of your company: a hierarchy is created by making one domain visible to other domains that sit higher in the company structure.
For example, two domains can be created, named "Management" and "Technical support". Because users of the domain "Management" have a higher position in the company structure, the domain "Technical support" will be set as visible for users of the domain "Management".
This setting allows users of the domain "Management" to grant access to Safe Boxes to users of both domains, while users of the domain "Technical support" can grant access to Safe Boxes only to users of their own domain.
Domains can also mirror the structure of containers in LDAP. When setting up an LDAP connector, it is required to select the domain into which users will be imported from that connector. Each LDAP connector must have a unique domain.

Create domain

Only users with the role Administrator from the System domain can create a domain. Users with the role User Manager can only edit their own domain.

To create a domain, click New Domain on the Domain page. The domain form will appear.

Domain form

All fields are displayed after you enter a domain name.

Enabled

When enabled, users from this domain can log in.

Name

The name should characterize the domain. Each domain name must be unique.
If more than one domain is specified, it will be required to fill in the domain name at the login page.
By clicking on the Login page link button, it is possible to get a link to the login page, where the domain name will be prefilled.

Description

The description should more specifically characterize the domain.

Attributes
Maximum Number Of Initialized Users

If this limit is reached, non-initialized users will not be able to set the access code.

Default Language

Select a language which users of this domain will have set by default. The language can be changed anytime.

Agent Configurations

Agent Configurations assigned to this domain.
When an Agent Configuration is assigned, by default, users with a role SecureAnyBox Admin can modify or remove the Agent Configuration. Management of the Agent Configuration can be enabled for SecureAnyBox Admins from all domains in the Agent Configuration settings.
SecureAnyBox Admins from other domains (if the Agent Configuration is visible for them) can copy the Agent Configuration only.
Assigned Agent Configuration can be used by users from this domain by default. The ability to use the Agent Configuration can be expanded/limited by setting permitted users in the Agent Configuration settings.
Agent Configuration can be assigned to one domain only.

Send invitation e-mail to new users

After manually creating a user without a password, send them an invitation e-mail with a link to set their password.

2FA (Two-Factor Authentication)

Use of a second factor (authenticator app) is either optional (enabled by the user) or mandatory.

Override Global Configuration Settings Whether The 2FA Will Be Required For Certificate Authentication

When enabled, it is possible to set whether the 2FA will be required for Certificate Authentication.

Require 2FA For Certificate Authentication

Require 2FA if the user is authenticated with a KeyShield SSO certificate.

Allowed User Roles

List of roles that are enabled for users in this domain.

Visible Domains

List of domains visible for users of this domain.
Users of this domain can share their Safe Boxes and Safe Box Groups also with users of visible domains.

Domain form
Safe Boxes settings
Domain form
Customized Column Of Records In Safe Boxes

Selection of which data displays in the middle column of the list of records in the Safe Box – after the record name. The default value in server configuration is Description.
This value is set for the domain and can be overridden in the user preferences.

Default Safe Box Type

Choose a default Safe Box type for all new Safe Boxes and Safe Box Groups which will be created in this domain.

Shared – Access rights are inherited from parent level.

Private – Blocks access rights inheritance from parent level.

Enable Creating Tags From The Record

When using the API (/safe/boxes/{boxId}/records), it is possible to create new record tags directly when creating a record using the ‘forceCreateTags’ parameter. This setting determines who can use this parameter.
Note: This setting overrides the global setting.

Override Max. File Size

Check this box to override the maximum file size. The default value is 15 MB.

Maximum File Size

This value determines the maximum size of the internal file which is possible to store in a record (file or certificate type of record).

External Files Path

Enter an external files path that will be used as the default location to store external files within the Safe Boxes in this domain.
The path should be specified in MS Windows format (e.g. L:\SAB_DRIVE). If an external files path is changed, SecureAnyBox will store all new external files at the new location, but all previously stored files will remain at their original location.
Without SAB Launcher or SecureAnyBox plugin for Total Commander, it is not possible to add external files to SecureAnyBox or work with them.

Override Safe Box Delete Mode

When enabled, it is possible to set Safe Box Delete Mode for this domain.

Safe Box Delete Mode

Sets whether a user with delete permission for a Safe Box can delete the box or only its content.

Enable Sharing

Enables/disables sharing of Safe Box permissions with other users.

Forbid Remembering Access Code

Checking this box will override ‘Access Code Timeout’ settings, and for users of this domain, the access code will not be remembered.

Default settings for automatic watching
Automatically Watch Changes

Safe Box Groups, Safe Boxes, and records that users from this domain create or obtain access to will have watching of changes enabled automatically by default.

Each user can change whether changes will be watched automatically in the user preferences form.
If sending notifications is enabled (in the server configuration), email notifications will be sent with a summary of changes to the watched ones.

Automatically Watch Accesses

Safe Box Groups, Safe Boxes, and records that users from this domain create or obtain access to will have watching of accesses to encrypted information enabled automatically by default.

Each user can change whether access to encrypted information will be watched automatically in the user preferences form.
If sending notifications is enabled (in the server configuration), email notifications will be sent with a summary of accesses to encrypted information to the watched ones.

User tags and Permission Templates
Domain form
Permission templates will be offered for user tags from

Select from which domains the user tags used to offer permission templates are taken:

  • All domains – Permission Templates will be offered for user tags from all visible domains
  • Only current domain – Permission Templates will be offered only for user tags from the domain of the currently logged user
User Tags Assigned To All Domain Users

List of user tags assigned to all users from this domain.

Security policy
Domain form
Password Settings

Select the password setting that will be the default for users from this domain. Password settings are used when generating a password:

  • Inherited – settings will be inherited from server configuration

  • Password preset – the selected password preset will apply when generating a password. The password preset has to be specified first in the Administration interface.

  • Password pattern – when generating a password, the entered password pattern will apply

Default Password Preset

Select a password preset that will be set as default for users from this domain when generating a password. Password requirements, such as a number of uppercase letters, characters to include/exclude, minimum entropy, etc., can be specified in the preset. The password preset has to be specified first in the Administration interface.

Default password pattern

The default password pattern for Safe Boxes and Records created in the domain, if no pattern is set.
Each letter in the pattern represents a character in the generated password.

See password pattern examples
Allowed characters and their meanings:
v – lowercase vowel (a, e, i, o, u, y)
V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
Z – uppercase vowel
c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
C – mixed case consonant
z – uppercase consonant
l – any lowercase letter
A – any letter, mixed case
u – uppercase letter
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character (next character is used as is, e.g., pattern ‘\-’ outputs ‘-’ in the password)
* – any allowed character
Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.
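To make the pattern language above concrete, here is an added example (not code from SecureAnyBox or its vendor) that parses a password pattern, generates a password from it with a cryptographically secure RNG, and checks whether a given password matches a pattern. The character classes follow the list above; it is an assumption that l, A and u mean ASCII letters only and that `*` is the union of letters, digits and the listed special characters. The helper names (`parse_pattern`, `generate`, `matches`, `is_valid_pattern`) are this example's own.

```python
import secrets
import string

# Character classes as listed in the guide. The vowel, consonant and special
# character sets are copied from the pattern description above.
LOWER_VOWELS = "aeiouy"
UPPER_VOWELS = LOWER_VOWELS.upper()
LOWER_CONSONANTS = "bcdfghjklmnpqrstvwxz"
UPPER_CONSONANTS = LOWER_CONSONANTS.upper()
DIGITS = string.digits
SPECIALS = ".@&*()<>_][%$#\\/?;-:"

CLASSES = {
    "v": LOWER_VOWELS,
    "V": LOWER_VOWELS + UPPER_VOWELS,
    "Z": UPPER_VOWELS,
    "c": LOWER_CONSONANTS,
    "C": LOWER_CONSONANTS + UPPER_CONSONANTS,
    "z": UPPER_CONSONANTS,
    "l": string.ascii_lowercase,      # assumption: ASCII letters only
    "A": string.ascii_letters,
    "u": string.ascii_uppercase,
    "d": DIGITS,
    "s": SPECIALS,
    "n": DIGITS + SPECIALS,
}
# '*' = any allowed character (assumption: union of all classes above)
CLASSES["*"] = string.ascii_letters + DIGITS + SPECIALS


def parse_pattern(pattern):
    """Turn a pattern into a list of (kind, value) tokens.

    kind is "class" (value = alphabet to pick from) or "literal" (value = the
    escaped character, emitted as-is). Raises ValueError on an unknown pattern
    character or a trailing backslash.
    """
    tokens = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("trailing escape character in pattern")
            tokens.append(("literal", pattern[i + 1]))
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        tokens.append(("class", CLASSES[ch]))
        i += 1
    return tokens


def is_valid_pattern(pattern):
    """True if the pattern parses, False otherwise."""
    try:
        parse_pattern(pattern)
    except ValueError:
        return False
    return True


def generate(pattern, rng=secrets):
    """Generate one password from the pattern using secrets.choice by default."""
    return "".join(
        value if kind == "literal" else rng.choice(value)
        for kind, value in parse_pattern(pattern)
    )


def matches(pattern, password):
    """Check whether an existing password could have been produced by the pattern."""
    tokens = parse_pattern(pattern)
    if len(password) != len(tokens):
        return False
    return all(
        ch == value if kind == "literal" else ch in value
        for (kind, value), ch in zip(tokens, password)
    )


if __name__ == "__main__":
    default_pattern = "CVCVdddCVCCVdC"
    print(default_pattern, "->", generate(default_pattern))
    print(r"\p\a\s\sddddddd", "->", generate(r"\p\a\s\sddddddd"))
```

A fixed prefix such as `\p\a\s\s` contributes nothing to the unpredictability of the result; only the class positions are chosen at random, which is why the entropy-based checks elsewhere in this guide matter more than pattern length alone.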

Compliance Profile

A compliance profile specifies password security requirements that passwords should meet. Checking whether passwords meet security requirements can be done in the Compliance report.
Selected compliance profile would be the default for all users within this domain.

Login Password Policy
Domain form
Override Password Policy

By overriding the Login password policy, you can set the policy only for this domain. If not overridden, the login password policy from the Configuration (if specified) will apply.

Fields below are displayed only if the Override Password Policy field is checked.

Minimum length

Minimum length of the login password.

Uppercase letters

Minimum number of uppercase letters in the login password.

Lowercase letters

Minimum number of lowercase letters in the login password.

Digits

Minimum number of digits in the login password.

Special characters

Minimum number of special characters in the login password.

Minimum Entropy

Value of the minimum allowed entropy of the login password. The entropy value shows how unpredictable and strong the password is (the higher the value, the better).

  • 0 – 20 – password is very weak
  • 20 – 35 – password is weak
  • 35 – 40 – password is good
  • 40 – 50 – password is strong
  • 50 – 256 – password is very strong
Synchronized Users and KeyShield SSO login settings
Domain form
LDAP Login Password Synchronization

SecureAnyBox offers several ways to manage user passwords with LDAP (a directory service for authentication):
1. Synchronize from LDAP to SecureAnyBox:
  - SecureAnyBox uses a locally saved copy of your password (cached password).
  - Your password will not update until you enter a new one that matches your LDAP password.
2. LDAP authentication only:
  - Each time you log in, your password is verified directly with the LDAP server (if accessible).
  - This keeps your password synchronized with LDAP.
3. SecureAnyBox authentication only:
  - Only the password stored in SecureAnyBox is used.
  - Your password is not synchronized with LDAP.
Choose the option that best fits your organization’s security and synchronization needs.

Password Enforcement Mode
By default, users who log in with KeyShield SSO do not have to set or enter a SecureAnybox password. However, you can choose to require these users to create and use a password for added security.
When this option is enabled:
  • Users logging in with KeyShield SSO will also need to set and use a SecureAnybox password.
  • You can set the password to be required only once, or you can have users enter it again after a certain number of days.
Benefits:
  • Gives SSO users an extra layer of security.
  • Allows you to choose how often passwords are needed.
This setting is not enabled by default and must be turned on by an administrator.
Number Of Days

This field is visible only if Password Enforcement Mode is set to Enforce password login after number of days.

The number of days after which a password login is required again.

Access Code Policy
Domain form
Override Access Code Policy

By overriding the Access Code Policy, you can set the policy only for this domain. If not overridden, the Access Code Policy from the Configuration will apply.

Fields below are displayed only if the Override Access Code Policy field is checked.

Minimum length

Minimum length of the Access Code.

Uppercase letters

Minimum number of uppercase letters in the Access Code.

Lowercase letters

Minimum number of lowercase letters in the Access Code.

Digits

Minimum number of digits in the Access Code.

Special characters

Minimum number of special characters in the Access Code.

Minimum Entropy
Value of the minimum allowed entropy of the Access Code. The value of entropy shows how unpredictable and strong the Access Code is.
  • 0 – 20 – Access Code is very weak
  • 20 – 35 – Access Code is weak
  • 35 – 40 – Access Code is good
  • 40 – 50 – Access Code is strong
  • 50 – 256 – Access Code is very strong
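The Login Password Policy and Access Code Policy sections above (and the default required-characters table earlier in the Configuration) describe the same kind of check: a minimum length, minimum counts per character class, and a minimum entropy mapped to the weak/good/strong buckets. The following added example (not SecureAnyBox code) implements such a checker so an administrator can see how a candidate policy behaves before enforcing it. The entropy estimator (length × log2 of the pool size of the character classes present) and the treatment of "special character" as ASCII punctuation are assumptions; the guide does not state how the server computes entropy, and bucket lower bounds are taken as inclusive.

```python
import math
import string

# Default Access Code requirements from the required-characters table in this
# guide: minimum length 8, 1 uppercase, 1 lowercase, 3 digits, 0 special, entropy 20.
DEFAULT_ACCESS_CODE_POLICY = {
    "min_length": 8,
    "uppercase": 1,
    "lowercase": 1,
    "digits": 3,
    "special": 0,
    "min_entropy": 20,
}

# Assumption: a "special character" is any ASCII punctuation character.
SPECIAL_CHARS = set(string.punctuation)


def count_classes(secret):
    """Count how many characters of each policy class the secret contains."""
    return {
        "uppercase": sum(c.isupper() for c in secret),
        "lowercase": sum(c.islower() for c in secret),
        "digits": sum(c.isdigit() for c in secret),
        "special": sum(c in SPECIAL_CHARS for c in secret),
    }


def estimate_entropy_bits(secret):
    """Assumed estimator (not the server's): length * log2(pool size), where the
    pool is formed by the character classes actually present in the secret."""
    counts = count_classes(secret)
    pool = 0
    if counts["lowercase"]:
        pool += 26
    if counts["uppercase"]:
        pool += 26
    if counts["digits"]:
        pool += 10
    if counts["special"]:
        pool += len(SPECIAL_CHARS)
    if pool == 0:
        return 0.0
    return len(secret) * math.log2(pool)


def strength_label(bits):
    """Map entropy bits to the guide's buckets (lower bound inclusive)."""
    if bits < 20:
        return "very weak"
    if bits < 35:
        return "weak"
    if bits < 40:
        return "good"
    if bits < 50:
        return "strong"
    return "very strong"


def check_policy(secret, policy):
    """Return the policy keys the secret fails, in a fixed order.
    An empty list means the secret satisfies every requirement."""
    counts = count_classes(secret)
    failures = []
    if len(secret) < policy["min_length"]:
        failures.append("min_length")
    for key in ("uppercase", "lowercase", "digits", "special"):
        if counts[key] < policy[key]:
            failures.append(key)
    if estimate_entropy_bits(secret) < policy["min_entropy"]:
        failures.append("min_entropy")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("abc", "Password123", "Tr0ub4dor&3"):
        bits = estimate_entropy_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits ({strength_label(bits)}), "
              f"failures={check_policy(candidate, DEFAULT_ACCESS_CODE_POLICY)}")
```

Raising the per-class minimums (for example requiring one special character) rejects otherwise long secrets that lack that class, while the entropy threshold rejects short secrets regardless of class mix; the two controls complement each other, and an override at domain level replaces, not tightens, the Configuration-level values.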
White Envelopes
Domain form
White Envelope Mode

Select White Envelope mode. If the White Envelope is mandatory, a sufficient number of Security Officers must be set up.
If the private key is backed up in the White Envelope, a forgotten Access Code can be recovered with the help of Security Officers and does not need to be reset. When recovering the access code, unlike a reset, the user does not lose the keys to the Safe Boxes, and it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Access Code Reset Enabled

Enable resetting the Access Code even though the Access Code can be recovered with the help of Security Officers. When recovering the Access Code, unlike when resetting, the user does not lose the keys to the Safe Boxes. So, it cannot happen that the Safe Boxes to which no other user has keys are permanently deleted.

Security Officers Threshold

The number of Security Officers required to open White Envelope. The count of configured Security Officers has to be greater than this.

Minimum Security Officers Count

Minimum number of Security Officers required for White Envelope Sharing to function correctly.

Desired Count Of Security Officers

Number of Security Officers appointed in your organization. SecureAnyBox will warn you if the Security Officer Count falls below this value.

Default Safe Box Permissions

These Default Safe Box permissions are used as the default when creating a new user in the domain.

Domain form
Read
User has permission to view shared Safe Boxes, shared Safe Box Groups and records in them.
Create
User has permission to create new shared Safe Box, shared Safe Box Group or record in them.
Modify
User has permission to modify shared Safe Boxes, shared Safe Box Groups and records in them.
Delete
User has permission to delete or move shared Safe Box, shared Safe Box Group or record in them.
Access Control
User has permission to manage permissions for shared Safe Box or shared Safe Box Group.
Private Boxes
User has permission to create new Private Safe Box or Safe Box Group.
Default Licensed Features for new users

By checking the fields below, new users created (not updated during LDAP synchronization) in this domain will be granted access to licensed features – CBT client (Custom Branded Trusted client), File manager plugin or Grit. The number of users with access to Licensed features cannot exceed the number of licenses.

Domain form
Edit domain

To edit a domain, click its row in the list. The domain form will appear. You can change any value.
To apply changes, click OK.
To cancel, click Cancel.

Disable domain

Disabling a domain blocks login for all users in that domain. To disable, open the domain form by clicking its row in the list and uncheck Enabled. After saving, the domain is disabled.
A disabled domain can be enabled at any time.

Delete domain

You can delete a domain only if it has no users. To delete, click the cross icon (cross icon) at the end of the domain’s row. Confirm the deletion.

Delete domain
Show domain users

To view users from a specific domain, click the people icon (people icon) in the domain table. A list of users for that domain will open in a new tab.

Show Users

Users

Create user Edit user Disable user Enable user Unban user Export a list of users Delete user Invite user Send message Move user

The Users page is intended for user management. Only users with the role User Manager have access to this page.

By default, users are filtered by domain. To change the filter, click Select domain and choose a domain. To show all users, select All Domains.

Select domain

Users can be created manually or imported from LDAP.

Create User

Before creating a new user, it is important to select the domain in which the user will be created.

To create a new user, click New User. The user form will appear.

User form

The Security Officer (1) and Inherited (2) fields can be edited after the user sets an Access Code.

Attributes
Domain

A domain in which the user belongs.
To change the domain into which a new user was created, you must select a different domain on the Users page.
Once the user is created, it is possible to move the user to a different domain.

Username

Username which the user will use to log in.
By clicking the Login page link button, it is possible to get a link to the login page where the domain name and the username will be prefilled.
Once the user is created, this value cannot be changed.

User Tags

User tags assigned to this user. Tags are used when applying permission templates set in Safe Boxes.

Domain User Tags

User tags assigned by domain membership. Tags are used when applying permission templates set in Safe Boxes.

Synchronize

When the field is checked (or a value of this field is "yes"), the user will be synchronized with LDAP.
Once the user is created, this value cannot be changed.

Set Password

Set a password. When the password is not set, the user cannot log in.

Password

User password.
While entering the password, it shows how long the password is, how many lowercase and uppercase letters, numbers, and other symbols it contains and how secure the password is.
The password will be displayed after clicking on the eye icon behind this field.

Repeat Password

Repeat the password

Settings
Enabled

Enables/disables user account login. If a user has already set their access code, it will still be included in the number of used user licences.

Language

Select a language that the user will use in the application. The language can be changed anytime.

Licensed Features

By checking the fields below, the user will be granted access to licensed features – CBT client (Custom Branded Trusted client), File manager plugin or Grit.

CBT client

CBT (Custom Branded Trusted) client is a Windows application for working with SecureAnyBox5 file records. For more information, contact your distributor.

File manager plugin

The File Manager plugin for Total Commander or FAR lets you work with Safe Boxes and records from those applications.

LDAP Synchronization

This part of the form is displayed only if the user is synchronized with LDAP.

GUID

User GUID (entryUUID or objectGUID) used to match the user with the LDAP object during LDAP synchronization (hexadecimal format in lowercase, e.g., 950aea900084d311aef800e029255247). Use Connector Viewer to get the user GUID in the correct format if you need to link an existing user record with LDAP.

LDAP Connector

Name of the LDAP connector with which the user is synchronized.

LDAP DN

LDAP user DN (distinguished name).

Synchronized User Tags

User tags assigned by LDAP synchronization. Tags are used when applying permission templates set in Safe Boxes.

Roles
Administrator
User administers SecureAnyBox5 server configuration – domains, URLs, LDAP, SSO, email, SIEM, diagnostic logs, etc.
Auditor
User is approved to access the complete audit log through a set of reporting tools. This doesn’t include any access to the encrypted data.
SecureAnyBox User
User is generally allowed to get passwords managed by agents; this can be limited by access rights.
SecureAnyBox Admin
User is approved to administer configuration of agents.
User Manager
User is approved to manage domains, user accounts, assign roles and default rights.
Security Officer
User, only together with other Security Officers, can open White Envelopes within his/her domain.
Safe Boxes User
User is allowed to use Safe Boxes (must have a valid Access Code).
Safe Boxes Manager
The user has extended permissions to manage Safe Boxes within their domain.
Security Policy Admin
The user can manage security policies (record tags, password presets and compliance profiles).
Default Safe Box Permissions
Inherited
Default or Safe Box Group permissions are added automatically to every shared Safe Box or shared Safe Box Group created by another user in the user’s domain.

Assigning this permission is recommended only for users who manage/are responsible for all Safe Boxes/Safe Box Groups within a domain. Assigning other permissions for Safe Boxes/Safe Box Groups within a domain can be fully automated using Permission Templates.

Read
User has permission to view shared Safe Boxes, shared Safe Box Groups and records in them.
Create
User has permission to create new shared Safe Box, shared Safe Box Group or records in them.
Modify
User has permission to modify shared Safe Boxes, shared Safe Box Groups and records in them.
Delete
User has permission to delete or move shared Safe Box, shared Safe Box Group or records in them.
Access Control
User has permission to manage permissions for shared Safe Box or shared Safe Box Group.
Private Boxes
User has permission to create new private Safe Box or private Safe Box Group.
User roles
User role               Description
Administrator           User administers SecureAnyBox5 server configuration – domains, URLs, LDAP, SSO, email, SIEM, diagnostic logs, etc.
Auditor                 User is approved to access the complete audit log through a set of reporting tools. This doesn’t include any access to the encrypted data.
SecureAnyBox User       User is generally allowed to get passwords managed by agents; this can be limited by access rights.
SecureAnyBox Admin      User is approved to administer configuration of agents.
User Manager            User is approved to manage domains, user accounts, assign roles and default rights.
Security Officer        User, only together with other Security Officers, can open White Envelopes within his/her domain.
Safe Boxes User         User is allowed to use Safe Boxes (must have a valid Access Code).
Safe Boxes Manager      The user has extended permissions to manage Safe Boxes within their domain.
Security Policy Admin   The user can manage security policies (record tags, password presets and compliance profiles).

The user role determines which parts of SecureAnyBox5 the user can access and what actions they can perform. The table below shows what each role can do.

User role               SecureAnyBox   Safe Boxes   Reports   Audit   Administration
Administrator           yes            yes          yes       no      yes
  Extra access: Agent Configuration and Configuration. Only the Administrator has access to them.
Auditor                 no             no           no        yes     no
  Note: An auditor who belongs to the System domain can audit all domains.
SecureAnyBox User       yes            no           no        no      no
  Actions: View registered stations, obtain passwords for stations.
SecureAnyBox Admin      yes            no           no        no      no
  Actions: All actions with stations, tickets, passwords.
User Manager            no             no           no        no      yes
  Actions: View and edit domains and all actions with users.
Security Officer        no             yes          yes       no      no
  Actions: Can open White Envelopes of other users (in cooperation with other Security Officers).
Safe Box User           no             yes          yes       no      no
  Actions: Can use Safe Boxes.
Safe Box Manager        no             yes          yes       no      yes
  Actions: Can force the creation of record tags when creating a record through the API.
Security Policy Admin   no             yes          yes       no      yes
  Actions: Can access and set Security policies.
Grouping of user roles

When you set a user role, other roles may be set automatically if included. For example, Administrator includes all features of SecureAnyBox User, SecureAnyBox Admin, and User Manager, plus extra features (like Configuration access and domain creation). So an Administrator also has SecureAnyBox User, SecureAnyBox Admin, Safe Box Manager, and User Manager roles.

Edit user

To edit a user, click their name in the list. The user details will appear.
If the user is imported from LDAP, different fields may be shown.

User form - LDAP synchronization

You can also edit a user from the action menu. Click the three dots (three dots) in the Actions column, then click Edit.

Edit user from Action menu

After making changes, click OK in the user details form. You may be asked to enter the Access Code. Forgot your Access Code?

Disable user

To prevent a user from logging in, disable their account. Disabled users cannot access SecureAnyBox5, but their records remain. Disabling a user can be undone at any time.
To disable, uncheck Enable in the user details form.

Enable field

You can also disable a user from the action menu. Click the three dots (three dots) in the Actions column, then click Disable.

Disable user from the Actions menu

You can disable multiple users at once. Check the users to disable, then click Disable. All selected users will be disabled.

Disable users
Enable user

To allow a user to log in, check Enabled in the user details form.

Enable field

You can also enable a user from the action menu. Click the three dots (three dots) in the Actions column, then click Enable.

Enable user from Action menu

To enable multiple users at once, select them and click Enable. All selected users will be enabled.

Enable users
Unban user

If a user enters the Access Code or password incorrectly too many times, they are temporarily banned. Banned users have a red lock icon in the list.

banned admin – Built-in administrator account, login is banned.
banned user – Manually created user, login is banned.
banned disabled – User is disabled, login is banned.
banned LDAP user – Synchronized from LDAP connector, login is banned.
banned Access Code – Access code entry is temporarily banned because it was entered incorrectly several times.

The number of unsuccessful attempts of entering the Access Code or the login password, and how long the user is banned, is set in the Configuration.

To unban users, select them and click Unban.

Unban button
Export a list of users

On the Users page, you can filter users by checking/unchecking filter fields (1). To export the filtered list to CSV, click Export to CSV.

Filter fields

The exported file includes the displayed values (name, username, email, domain, LDAP connector, and roles).

Delete user

To delete a user, use the action menu. Click the three dots (three dots) in the Actions column, then click Delete.

Delete user from the Actions menu

If a user is the only one with permissions for a Safe Box, deleting the user will also delete the Safe Box. To avoid this, assign permissions for those Safe Boxes to another user.

Delete user
Invite users

After creating users, you can send them an email invitation to SecureAnyBox5. The invitation contains a link to set their password. Once set, the user can log in and set their Access Code.

To send invitations, select the users (by checking them) and click Invite users.

To send the invitations, you have to configure mail server in the Configuration first.

Invite Users

You can also invite a user from the action menu. Click the three dots (three dots) in the Actions column, then click Invitation.

Invite user from the action menu

After clicking Invitation in the action menu, the Invitation dialog appears. If the user has an email address, you can create and send the invitation by email, or create it without sending.

Invitation dialog

If the invitation is created but not sent, the dialog shows a link you can copy to the clipboard.

Invitation link
Reset password
Send message

If users have an email address, you can send them a message from SecureAnyBox5.
To send a message, select the users (by checking them) and click Send message.

Send users a message

To send the messages, you have to configure mail server in the Configuration first.

After clicking Send message, a window appears to enter your message. Click Ok to send.

Send message to users 2
Move user

Users can be moved between domains. To move users, select them and click Move.

Moved users lose all inherited permissions to Safe Boxes. Directly assigned permissions stay valid.

Move users

After clicking, a list of domains appears. Click a domain to move the users there.
You must confirm the move.

Confirm move of a user

Client logins

Only users with the User Manager role have access to this page.

The Client Logins page shows which clients users log in from and whether they use up-to-date versions.
You can filter logins by domain (click Select domain (1)), by client application (2), or by username (type in the filter field (3)).
If a user logs in from an outdated client, a clock icon (4) appears next to the version.

Client logins page

Security Officer’s Status

Only users with the User Manager role have access to this page.

The Security Officer’s Status page indicates whether the officer has keys to White Envelopes in their domain (is initialised).

Security Officer's Status page

User tags

Only users with the User Manager role have access to this page.

User tags help manage users and their permissions. You can assign unlimited tags to each domain. Tags can only be added to users in the same domain.
A user tag can be assigned to:

A user tag is used to create a Permission template for users who have that tag assigned.

User tags page

Connector Viewer

Only users with the Administrator role have access to this page.

Connector Viewer allows you to browse the LDAP tree / Entra ID (Azure AD) structure of any of the configured connectors.
When viewing the LDAP tree, Connector Viewer uses the "SecureAnyBox manager" account defined within the selected LDAP connector configuration. That means that LDAP objects and their attributes you see with the Connector Viewer correspond to what the selected authentication connector ‘sees’. If you don’t see what you expect (a specific user object or its attributes), then the access rights of the "SecureAnyBox manager" account for the particular LDAP tree are not sufficient. Please check the access rights assigned to the search base or root of the LDAP tree, as well as possible inheritance filters.

To use Connector Viewer, you must configure at least one LDAP/Azure AD connector. After opening the page, a list of connectors appears. Click a connector name to view objects in its search base.

Select LDAP connector

Displayed objects are folders (containers) and users. Click a folder to view its contents. Click a username to view user details.

User details in Connector Viewer

You can filter objects by entering a name in the search field above the table. To filter by LDAP search expression, click Lookup object(s) and use the filter field.

Connector Viewer Look Up Objects

Audit log

The Audit Log page shows a log of user management actions.

Audit log

Security policy

Record Tags management

Only users with the Security policy admin role have access to this page.

Record tags help manage records in Safe Boxes. You can assign unlimited tags to each domain. Tags can only be added to records in the same domain.
Users with the Security policy admin role can manage tags for all visible domains. To switch domains, click Select domain and choose a domain.
The selected domain determines where new tags are created. If "All domains" is selected, new tags are created in your domain.
You can convert existing tags to others to reduce similar tags and simplify searches. To convert, open the action menu (three dots at the end of the row) and select Delete and convert to another tag in the records.
To remove a tag, click the three dots at the end of the row and select Delete tag.

A record tag can have a Password preset and/or a Compliance profile assigned; these become the default for all records that carry the tag.

Records tags page

Compliance profiles

Only users with the Security policy admin role have access to this page.

The compliance profile sets password security requirements. The Compliance report checks if passwords meet these requirements.

To create a new compliance profile, click New compliance profile and set the requirements in the form.

Compliance profiles form
Name

Name of the compliance profile

Description

Description of the compliance profile

Compliance requirements
Length

Minimum length of a password.

Entropy

Minimum entropy

Age (Days)

Maximum Age (days)

Enforce Password History

The number of password changes after which it is permissible to reuse a previously used password.

Complexity Rules

Select complexity rules which will be applied:

  • Basic complexity rules – specified number of characters (uppercase, lowercase, digits and special)

  • Microsoft complexity rules
    1. Passwords may not contain the user’s samAccountName (Account Name) value or the entire displayName (Full Name) value. Neither of these checks is case-sensitive.

    2. The password must contain characters from three of the following categories:
      • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters).

      • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters).

      • Base 10 digits (0 through 9)

      • Non-alphanumeric characters, e.g. ‘-!"#$%&()*,./:;?@[]^_`{|}~+<=>

        Currency symbols such as the Euro or British Pound aren’t counted as special characters for this policy setting.

      • Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.

Character type requirements

This fieldset is displayed only if Basic complexity rules are selected.

Uppercase

Minimum number of uppercase letters a password must contain.

Lowercase

Minimum number of lowercase letters a password must contain.

Digits

Minimum number of decimal digits (0-9) a password must contain.

Special

Minimum number of special characters a password must contain.
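As an added example (not SecureAnyBox5’s own code), the following Python evaluates a password against the Basic and Microsoft complexity rules described above; entropy, age and history are left out because they need data the form does not describe. Treating printable ASCII punctuation as "special" and the helper names are assumptions.

```python
import string
import unicodedata

# Added example (not SecureAnyBox5 code): evaluates a password against the two
# complexity rule sets a compliance profile can select.
#
# Assumption: "special" means printable ASCII punctuation. Currency symbols
# such as the Euro sign (Unicode category Sc) are deliberately not counted,
# as the Microsoft rules require.
SPECIAL = frozenset(string.punctuation)


def count_classes(password):
    """Count characters in each of the five Microsoft categories."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0, "other_alpha": 0}
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":                 # uppercase letters of any cased script
            counts["upper"] += 1
        elif cat == "Ll":               # lowercase letters, incl. sharp-s and diacritics
            counts["lower"] += 1
        elif ch in "0123456789":        # base 10 digits only
            counts["digit"] += 1
        elif ch in SPECIAL:
            counts["special"] += 1
        elif ch.isalpha():              # alphabetic but neither upper nor lower (e.g. CJK)
            counts["other_alpha"] += 1
    return counts


def check_basic(password, min_upper=0, min_lower=0, min_digits=0, min_special=0):
    """Basic complexity rules: a minimum count for each character type.
    Returns the list of unmet requirements; an empty list means compliant."""
    have = count_classes(password)
    need = {"upper": min_upper, "lower": min_lower,
            "digit": min_digits, "special": min_special}
    return [f"{name}: need {n}, have {have[name]}"
            for name, n in need.items() if have[name] < n]


def check_microsoft(password, sam_account_name, display_name):
    """Microsoft complexity rules as listed in the compliance profile form:
    1. the password may not contain samAccountName or the entire displayName
       (both checks case-insensitive);
    2. characters from at least three of the five categories are required."""
    violations = []
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        violations.append("contains samAccountName")
    if display_name and display_name.lower() in lowered:
        violations.append("contains displayName")
    present = sum(1 for n in count_classes(password).values() if n > 0)
    if present < 3:
        violations.append(f"only {present} of 5 character categories present")
    return violations


def check_profile(password, profile, sam_account_name="", display_name=""):
    """Apply a compliance profile given as a dict. Keys mirror the form:
    'length', 'rules' ('basic' or 'microsoft') and, for 'basic', the
    per-type minimums 'upper', 'lower', 'digits', 'special'."""
    violations = []
    if len(password) < profile.get("length", 0):
        violations.append(f"length: need {profile['length']}, have {len(password)}")
    if profile.get("rules") == "basic":
        violations += check_basic(password, profile.get("upper", 0),
                                  profile.get("lower", 0), profile.get("digits", 0),
                                  profile.get("special", 0))
    elif profile.get("rules") == "microsoft":
        violations += check_microsoft(password, sam_account_name, display_name)
    return violations


if __name__ == "__main__":
    profile = {"length": 12, "rules": "microsoft"}
    print(check_profile("mbriggs2023", profile, "mbriggs", "Monica Briggs"))
```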

Password presets

Only users with the Security policy admin role have access to this page.

Password presets can be used when generating passwords for records. You can use a pattern or specify detailed requirements (character sets, included/excluded characters, minimum length, minimum entropy).

You can set a password preset’s priority (its position in the list). To change the priority, click Reorder password presets and drag the preset to the desired position.

Password preset form
Name

Name of the password preset

Description

Description of the password preset

Generate Password Using

Select whether the new password will be generated using a password pattern or the password requirements you set.

Password Pattern

This field is displayed if the Password pattern is selected in the Generate password using field.

Password pattern for Safe Boxes and Records where this preset is set (or inherited).
Each letter in the pattern represents a character in the generated password.

Allowed characters and their meanings:
v – lowercase vowel (a, e, i, o, u, y)
V – mixed case vowel (A, E, I, O, U, Y, a, e, i, o, u, y)
Z – uppercase vowel
c – lowercase consonant (b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, z)
C – mixed case consonant
z – uppercase consonant
l – any lowercase letter
A – any letter, mixed case
u – uppercase letter
d – digit (0-9)
s – special character (.,@,&,*,(,),<,>,_,],[,%,$,#,\,/,?,;,-,:)
n – digit or special character
\ – escape character (next character is used as is, e.g., pattern ‘\-’ outputs ‘-’ in the password)
* – any allowed character
Default pattern: CVCVdddCVCCVdC (e.g., wEHe063heFme4p)
Example: pattern ‘\p\a\s\sddddddd’ might generate ‘pass1762885’ or ‘pass5687412’.
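As an added example (not SecureAnyBox5’s own implementation), the following Python parses the pattern language above, generates passwords from a pattern, validates a password against a pattern, and counts how many passwords a pattern can produce. The character sets follow the legend; the helper names are assumptions.

```python
import secrets

# Added example (not SecureAnyBox5 code): generator and validator for the
# password pattern language. Character sets follow the legend on the page.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SPECIAL = ".@&*()<>_][%$#\\/?;-:"

CLASSES = {
    "v": VOWELS,
    "V": VOWELS + VOWELS.upper(),
    "Z": VOWELS.upper(),
    "c": CONSONANTS,
    "C": CONSONANTS + CONSONANTS.upper(),
    "z": CONSONANTS.upper(),
    "l": LOWER,
    "A": LOWER + UPPER,
    "u": UPPER,
    "d": DIGITS,
    "s": SPECIAL,
    "n": DIGITS + SPECIAL,
    "*": LOWER + UPPER + DIGITS + SPECIAL,
}

DEFAULT_PATTERN = "CVCVdddCVCCVdC"


def parse_pattern(pattern):
    """Parse a pattern into steps: ("lit", ch) for an escaped character,
    ("set", alphabet) for a class character. Raises ValueError on bad input."""
    steps = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a lone escape character")
            steps.append(("lit", pattern[i + 1]))   # next character used as-is
            i += 2
            continue
        if ch not in CLASSES:
            raise ValueError(f"unknown pattern character {ch!r}")
        steps.append(("set", CLASSES[ch]))
        i += 1
    return steps


def generate(pattern=DEFAULT_PATTERN):
    """Generate one password; each class position is drawn from a CSPRNG."""
    return "".join(value if kind == "lit" else secrets.choice(value)
                   for kind, value in parse_pattern(pattern))


def matches(password, pattern):
    """True if the password could have been produced from the pattern."""
    steps = parse_pattern(pattern)
    if len(password) != len(steps):
        return False
    return all(ch == value if kind == "lit" else ch in value
               for ch, (kind, value) in zip(password, steps))


def pattern_search_space(pattern):
    """Number of distinct passwords a pattern can produce. Fixed literals such
    as the '\\p\\a\\s\\s' prefix contribute nothing, which is why a pattern
    made mostly of escapes yields a weak password."""
    space = 1
    for kind, value in parse_pattern(pattern):
        if kind == "set":
            space *= len(value)
    return space


if __name__ == "__main__":
    print(generate(), pattern_search_space(DEFAULT_PATTERN))
```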

Use character sets

This fieldset is displayed if the Password requirements are selected in the Generate password using field.

Lowercase (a-z)

Minimum number of lowercase letters (a-z)

Uppercase (A-Z)

Minimum number of uppercase letters (A-Z)

Digits (0-9)

Minimum number of digits

Special (<>_-.(,)[]/:;@#$%&*)

Minimum number of special characters (<>_-.(,)[]/:;@#$%&*)

Must Also Include The Following Characters

Characters that must be included in the generated password.

Exclude Characters

Characters that must be omitted in the generated password.

Requirements

This fieldset is displayed if the Password requirements are selected in the Generate password using field.

Minimum Password Length

Minimum length of the generated password.

Minimum Entropy

Minimum entropy of the generated password

Dictionary configurations

SecureAnyBox5 uses a list of dictionaries to estimate password entropy. This list includes both default (built-in) dictionaries and custom dictionaries added by the administrator. These dictionaries contribute significantly to the calculation of password entropy when a new password is entered and when the Password Audit report and the Compliance report are generated.
The custom dictionaries are stored in two locations on the SecureAnyBox5 server – in ‘files/dictionaries/ranked’ and ‘files/dictionaries/unranked’ folders.


Dictionaries should contain commonly used words, names, and expressions, especially those specific to a country or company (e.g., football teams, company names). These help lower the score when evaluating password entropy, even if they appear as part of a longer password. Do not upload leaked password lists as custom dictionaries.

Every dictionary adds complexity to estimating entropy, and calculating entropy will take longer with each additional dictionary. We recommend considering that when configuring which dictionaries will be used.

Dictionary Configurations

Database diagnostic

When you start database diagnostics, all ‘file’ and ‘certificate’ records are checked for missing or extra uploaded files.
The full path (with domain) to the record and another user with permission is shown for each inconsistent record.
Diagnostics can be started at any time and should finish in a few minutes.

Database diagnostic

Logs

Only users with the Administrator role have access to these pages.

In the Logs section, you can view the diagnostic log or the Connector synchronization log. Different log levels are visually distinguished.

Log levels: INFO, WARNING, DEBUG, ERROR

Diagnostic log

The Diagnostic Log page automatically displays the current log.

Logs page

Refresh the current log manually by clicking Refresh or automatically by clicking Enable autorefresh. To stop auto-refresh, click Disable autorefresh.
To change log level or line limit, click Configure logging. After confirming changes, restart SecureAnyBox5 to apply them.
To download the current log, click Download and confirm.
To view older logs, click Logs to see a list of available logs.

Logs

The first table shows application logs for each day. Click a log file name to download it and confirm.

Connector sync log

The Connector sync log page displays a table with the names of the configured connectors. Click a connector name to view details of the last synchronization with that connector.

Connector synchronization log page

The synchronization log can be refreshed manually (Refresh) or automatically (Enable autorefresh). To stop auto-refresh, click Disable autorefresh.
You can start user synchronization manually by clicking Synchronize.
You can change the synchronization settings at any time by clicking Configure.
To download the last synchronization log, click Download and confirm.
To filter skipped users during LDAP sync, click Show only skipped users.

LDAP synchronization log

Server status

The Server Status page shows problems with SecureAnyBox5. If errors or warnings occur, users are notified by the number in the top right corner.

The notification icon shows one of these tooltips:
  • Errors and warnings: "On the SecureAnyBox5 server occurred 1 error, and 2 warnings"
  • Warnings only: "On the SecureAnyBox5 server occurred 1 warning"
  • Errors only: "On the SecureAnyBox5 server occurred 1 error"

Click the number of errors/warnings to open the Server Status page. It shows three sections: Server Messages, Station registrations, and White Envelopes. The sections shown depend on your role.

Section                 Administrator   User manager   SecureAnyBox Admin   Security Officer   Other roles
Server Messages         yes             no             no                   no                 no
Station Registrations   yes             no             yes                  no                 no
White Envelopes         yes             no             no                   yes                yes
Server Messages

The Server Messages section is displayed only to users with the Administrator role. To handle messages from this section, go to the Configuration page.

Server messages
Station Registrations

The Station Registrations section is displayed only to users with the SecureAnyBox Admin role. To handle messages from this section, go to the SecureAnyBox5 part of the application.

Station registrations
White Envelopes

The White Envelopes section is displayed only to users with the User Manager role and to Security Officers.

White Envelopes

License

On the License page, you can see information about current licenses. You can check the number of remaining licenses for various resources, including Safe Boxes, Groups, records, users, domains, and applications.

License page

Guidelines

Synchronize users with LDAP

Manually created users can additionally be synchronized with the LDAP server without losing their saved data. It is possible to associate a user with an existing LDAP account or to create a new LDAP account.
To synchronize a user with LDAP, the user must meet these conditions:

We also recommend setting the username in SecureAnyBox5 to be the same as the username (UID) in LDAP.

During the synchronization, the user’s information should be updated according to the information in LDAP, and the LDAP connector and LDAP DN fields should be filled in. If they are not, the synchronization was unsuccessful; refer to the synchronization log.
To view the synchronization protocol, go to the Logs > Connector sync log section in the Administration interface and click on the connector name in the table. On the Connector sync log page, you can view the protocol of the last synchronization with the connector, start synchronization, and open the connector configuration.
All issues that occurred during the synchronization have the WARNING logging level and have yellow coloring.

GUID is not unique

When you enter the GUID into the details of a manually created user, an error message stating that the GUID is not unique appears.

Error message: GUID not unique

The user account may already have been imported from LDAP into SecureAnyBox5. You can search users by GUID on the Users management page. A user with the same GUID can even be in another domain; to search for users in all domains, click the Find users button.
If the user has already been imported from LDAP, delete the imported account. Then enter the GUID into the user details of the user who should be synchronized with LDAP and run the synchronization with LDAP.

Manually created user failed to synchronize with LDAP

To find the cause of a sync failure, go to the synchronization log page and enter the username in the search field.

Search sync log for "mbriggs"

Possible situations:

Existing user with the same UID (but a different UUID) found in the database
A user exists in the SecureAnyBox5 database whose username (UID) matches a user’s UID in LDAP but who has a different GUID (UUID). This user cannot be synced and is skipped during synchronization.

Example:

existing user with uid='peter' (but different UUID) found in database → skipping cn=peter,o=org

A user with the username "peter" is manually created and should be synchronized with LDAP. However, the user account in LDAP has a different GUID (UUID) than the user in SecureAnyBox5. To successfully synchronize "peter" with LDAP, you need to modify the GUID according to UUID in LDAP.

Existing user cannot be renamed
The synchronized user has a username in SecureAnyBox5 that differs from the UID in LDAP. During synchronization, SecureAnyBox5 tries to rename the user so that the username matches the UID in LDAP, but another user with that username already exists in the user’s domain. Because usernames must be unique within a domain, SecureAnyBox5 cannot synchronize the user.
To successfully synchronize a manually created user with LDAP, you must edit the user’s username so that the conflict does not occur again at the next synchronization.

Example:

existing user 'mbriggs' cannot be renamed to 'monica' username not unique → skipping cn=monica,o=org

The user with username "mbriggs" was created manually and should be synchronized with LDAP. In LDAP, the user with the same GUID (UUID) has a different UID, "monica". During synchronization, SecureAnyBox5 tries to change the username "mbriggs" to "monica" so that it matches the UID in LDAP. To successfully synchronize the user "mbriggs" with LDAP, you must edit or delete the existing user with username "monica".
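As an added example (not SecureAnyBox5’s own code), the following Python picks the skipped users out of a Connector sync log and labels each with the cause and the fix described above. The line formats are taken from the two example messages quoted above; the sample log excerpt and the helper names are constructed.

```python
import re

# Added example (not SecureAnyBox5 code): classifies the "skipping" lines of a
# Connector sync log into the two causes explained above, so the admin can see
# which manually created users still need their GUID or username corrected.

# Patterns are built from the two example log lines quoted on the page; the
# exact wording of other sync messages is not known and is not handled.
UUID_MISMATCH = re.compile(
    r"existing user with uid='(?P<uid>[^']+)' \(but different UUID\) "
    r"found in database → skipping (?P<dn>\S+)")
RENAME_CONFLICT = re.compile(
    r"existing user '(?P<current>[^']+)' cannot be renamed to '(?P<target>[^']+)' "
    r"username not unique → skipping (?P<dn>\S+)")


def classify_line(line):
    """Return a dict describing a skipped user, or None for any other line."""
    m = UUID_MISMATCH.search(line)
    if m:
        return {"reason": "uuid_mismatch", "user": m["uid"], "dn": m["dn"],
                "fix": f"set the GUID of '{m['uid']}' to the UUID of {m['dn']}"}
    m = RENAME_CONFLICT.search(line)
    if m:
        return {"reason": "rename_conflict", "user": m["current"], "dn": m["dn"],
                "fix": (f"edit or delete user '{m['target']}' so that "
                        f"'{m['current']}' can be renamed at the next sync")}
    return None


def skipped_users(log_text):
    """All skipped users in a sync log, in log order."""
    return [rec for rec in map(classify_line, log_text.splitlines()) if rec]


def find_user(log_text, username):
    """Mirror of the search field on the log page: records for one username,
    whether it is the existing SecureAnyBox5 user or the LDAP UID in the DN."""
    return [rec for rec in skipped_users(log_text)
            if rec["user"] == username or rec["dn"].startswith(f"cn={username},")]


# Constructed sample log excerpt (not real output)
SAMPLE_LOG = """\
2023-06-20 09:00:01 [INFO] synchronizing connector corp-ldap
2023-06-20 09:00:02 [WARNING] existing user with uid='peter' (but different UUID) found in database → skipping cn=peter,o=org
2023-06-20 09:00:02 [INFO] updated user cn=alice,o=org
2023-06-20 09:00:03 [WARNING] existing user 'mbriggs' cannot be renamed to 'monica' username not unique → skipping cn=monica,o=org
"""

if __name__ == "__main__":
    for rec in skipped_users(SAMPLE_LOG):
        print(rec["reason"], rec["user"], "->", rec["fix"])
```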

Installation on Linux

Linux Standard Base (lsb) must be installed, otherwise SecureAnyBox5 cannot register for automatic start. Linux Standard Base is available through various online repositories.

The installation procedure depends on your distribution. It can be, for example, sudo yum install redhat-lsb-core for SUSE/RedHat/CentOS Linux (rpm based) or sudo apt-get install lsb-core for Ubuntu Linux and Debian (deb package based distributions).

For the SUSE Linux Enterprise Server 15 SP4 distribution and the OES 2023 distribution of Linux, you can use:
wget https://download.opensuse.org/repositories/openSUSE:/Factory/standard/noarch/lsb-release-3.3-1.3.noarch.rpm
and after the package is downloaded, install it by running the command:
rpm -ihv lsb-release-3.3-1.3.noarch.rpm --nodeps

On some Linux distributions (e.g. openSUSE) it is also necessary to install the insserv-compat package (for more information about the package, please refer to this page) to enable init scripts and start SecureAnyBox5 automatically. The insserv-compat package can be installed manually by running the command:
sudo zypper install insserv-compat

If you decide not to install LSB or it is not available for your system, you still can register the starting script manually. We always create it in /etc/init.d/

We don’t support other JVMs than Oracle or Temurin Java. You can install Oracle/Temurin JVM manually, locate and use existing installation or choose private Temurin JVM installation. Tested and approved OpenJDK distribution from Adoptium – Eclipse Temurin JVM is always a part of the installation package. Optionally you can also select custom preinstalled Java runtime.

The default installation path is /opt/tdp/secureanybox, but you can choose whatever path/device you need.

The installation script then asks for the IP address and port. This can be changed later, but you have to choose an address:port combination that does not conflict with other services running on the box, so we recommend starting with the default port. Once you enter the management console, you can change it or add more interfaces on different address:port combinations. If a conflict is detected, the system reverts to the last "good" configuration, which allows you to continue.

It is highly recommended to switch to SSL (https) as soon as possible. You can use the built-in function for generating a self-signed certificate, or you can import your existing certificate with its private key (usually available in PKCS12 format). Keep in mind that interfaces are virtualized: it is necessary to set both the IP address and the URL, otherwise the system is not able to accept a request.

Please note: when using a custom JVM installation (such as Oracle), encryption policies may be restricted by default. You can download and apply unlimited encryption policies if that is legal in your country (please refer to www.oracle.com for detailed information). You cannot use a password longer than 7 characters without applying the unlimited policies.

When upgrading SecureAnyBox, the same installation script is used. Confirm the same installation path as before and choose the default option NOT to overwrite the configuration file.

Upgrade on Linux

SecureAnyBox5 upgrade is provided by the installation script which is a part of the new release package downloaded from the website. Download the .bin package from the Downloads section at www.secureanybox5.com. Then start the installation by ./inst_secureanybox…

Upgrade on Linux - step 1

If your installation is standard with the embedded Oracle Java (recommended), answer No.

Upgrade on Linux - step 2

Then the script gets the path used for the previous installation and offers it as default. Confirm this path because this is an upgrade and the goal is to upgrade the existing installation – running instance.

Upgrade on Linux - step 3

The configuration.properties file must be preserved to upgrade the running system.
Confirm the default answer N (do not overwrite).

Upgrade on Linux - step 4

Now you are ready to start the newly installed release; it will stop SecureAnyBox5 and run it again. Once the new release is running, it converts the database (if an alteration is part of the upgrade) seamlessly.
Do not forget to authenticate to the system console and enter the configuration password, if one is applied; otherwise, Agent support will not work.

Upgrade on Linux - step 5

Validate that the HTTPS certificate is successfully imported on the station

To verify that the HTTPS keystore certificate is trusted on your Linux station, run this command in the terminal:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If validation is successful, the first row of the response is code 200.

If validation fails, an error is displayed.

urllib2.URLError:

If urllib2 is not found

python --version

Urllib2 is a built-in package of Python 2.x.x. To be able to run urllib2, it is necessary to have Python 2.x.x (recommended 2.7.18) installed properly. Some Linux distributions may not have a full version of Python 2.7.x installed. Try reinstalling it.

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Installation steps of SecureAnyBox5 Agent

To install SecureAnyBox5 Agent, download the Agent Configuration file from the Downloads page in the SecureAnyBox section of the web interface. Click the configuration name to download. If the required configuration is missing, check that it includes settings for your platform.

Download Agent Configuration
MS Windows

To install the SecureAnyBox5 Agent on your Windows machine, first download the agent and the corresponding Agent Configuration file. After running the installer, double-click the secureanybox-agent.reg file to import the configuration into the Windows registry.

The agent automatically checks the configuration and connects with the server to update the password every 10 minutes. If the workstation is not yet registered, this process will register it. A successful registration is required to get the workstation password.

If you make any changes to the agent’s configuration on the server or rename the workstation, you must re-import the configuration file into the Windows registry. The agent will then register the workstation with the new values. This will happen during the next password change attempt, but you can force it by restarting the agent service. If re-registration fails, try deleting the original workstation registration. Workstations can also be registered manually.

To troubleshoot any issues, you can use the SecureAnyBox Agent Monitor, which is available on the SecureAnyBox/Downloads page. This utility displays a clear log of agent activities from the Windows Event Viewer.

macOS

Before installation, download the SecureAnyBox5 Agent and the macOS configuration file. Install the agent on your workstation. Once the installation is complete, run the configuration utility (sab-config), select the configuration file you downloaded, and apply it.

Linux

Before installation, download the SecureAnyBox5 Agent installation package for your Linux distribution, along with the Linux platform configuration file. After installing the agent, copy the configuration file (secureanybox-agent.properties) to the /etc/secureanybox folder, which was created during installation. This requires root permissions.

The new configuration will be applied automatically after 10 minutes. To apply it immediately, restart the agent by running /etc/init.d/secureanybox-agent restart in the terminal.

Requirements

For the agent to install and run successfully on Linux, your system must meet these requirements:

  • LSB (Linux Standard Base): Must be installed before the SecureAnyBox5 Agent.
  • Python 2.7: Version 2.7.18 is recommended. It must include the urllib2 package for the workstation to register successfully.
Installation of LSB

Linux Standard Base (lsb) must be installed. Linux Standard Base is available through various online repositories.

The installation procedure depends on your distribution. It can be, for example, sudo yum install redhat-lsb-core for SUSE/RedHat/CentOS Linux (rpm based) or sudo apt-get install lsb-core for Ubuntu Linux and Debian (deb package-based distributions).

For the SUSE Linux Enterprise Server 15 SP4 distribution and the OES 2023 distribution of Linux, you can use:
wget https://rpmfind.net/linux/opensuse/distribution/leap/15.2/repo/oss/x86_64/lsb-4.0-lp152.4.4.x86_64.rpm
and after the package is downloaded, install it by running the command:
rpm -ihv lsb-4.0-lp152.4.4.x86_64.rpm --nodeps

On some Linux distributions (e.g. openSUSE), it is also necessary to install the insserv-compat package to enable init scripts and start SecureAnyBox5 Agent automatically. The insserv-compat package can be installed manually by running the command:
sudo zypper install insserv-compat

Troubleshooting

In the case of problems with SecureAnyBox5 Agent, refer to the log. On the Linux and macOS platforms, SecureAnyBox5 Agent logs automatically to the file /var/log/secureanybox-agent.log. On Linux, you can also enable detailed debug logging in /etc/secureanybox/settings by renaming (or copying) the "settings.example" file to "settings" and uncommenting the "export SECUREANYBOX_AGENT_DEBUG = true" line.

On macOS, the log file can be viewed in the Console. On MS Windows, the log can be viewed using the SecureAnyBox5 Monitor utility (download in SecureAnyBox/Downloads) or in the Windows Event Viewer.

Station that was previously registered fails to re-register
If the station was previously registered but cannot be registered after changes to the station, first check that the station has the correct Agent Configuration uploaded. If the Agent Configuration on the station is correct, go to the Station page in the SecureAnyBox part and remove the original registration of the station. The station should re-register automatically within 10 minutes. Alternatively, you can re-register the station manually.
Station that was previously registered fails to re-register after its station name was changed
If the station was previously registered but cannot be registered after its station name was changed, go to the Station page in the SecureAnyBox part and remove the original registration of the station. The station should re-register automatically within 10 minutes. Alternatively, you can re-register the station manually.
Station will not connect even though it has access to the server

If the station is not registered even though it has access to the server, the most likely reason is an incorrect Agent configuration (e.g. the configuration has been changed on the server but not on the station) or a problem with HTTPS certificate verification. The HTTPS certificate must be imported as trusted on the Agent station. On Linux, it must be located in the certificate store that Python uses for certificate verification. This can be checked in the terminal using the command:

python -c 'import urllib2; import sys; resp = urllib2.urlopen("https://your.secureanyboxserveraddress.com"); rcode = resp.getcode(); body = resp.read(); print rcode; print ""; print body;'

If certificate validation is successful, the first row of the response is code 200.

When the certificate validation fails, an error is displayed:

urllib2.URLError:

If urllib2 is not found

  • Check which version of python is installed:

python --version

or

python -V

Urllib2 is a built-in package of Python 2.x.x. To be able to run urllib2, it is necessary to have Python 2.x.x (recommended 2.7.18) installed properly. Some Linux distributions may not have a full version of Python 2.7.x installed. Try reinstalling it.

wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz

sudo tar xzf Python-2.7.18.tgz

cd Python-2.7.18/

sudo ./configure

sudo make altinstall

Installation of SecureAnyBox5 Agent on macOS

To install SecureAnyBox5 Agent on macOS, run the installer (secureanybox-agent-1.x.pkg).
After running the installer, follow the steps. In step two, select the target disk for installation.

At the third step of the installation, you can change the install location by clicking the appropriate button (1). To proceed with the installation, click the Install button (2).

SecureAnyBox5 Agent installer

After clicking Install, enter your password to allow installation.

Enter the password to allow the installation

After installation, you will see a success message for SecureAnyBox5 Agent.

Installation successful

After closing the installer, go to the Applications list to find sab-config.

sab-config application

Launch the app by double-clicking its icon. Select the downloaded agent configuration file by clicking Select Configuration File. Then click Apply Configuration.

Select and apply the configuration

To apply the configuration, enter your user password.

Enter your password to apply the configuration

After uploading the configuration, a success message appears, and the Agent is fully installed.

Configuration updated

After the installation is complete, the SecureAnyBox5 Agent verifies that the uploaded agent configuration matches the configuration on the SecureAnyBox5 server. If so, it will automatically register the station.
If the SecureAnyBox5 Agent does not have access to the server, it is possible to register the station manually in the SecureAnyBox5 interface. In order for the agent to register the station, the SecureAnyBox5 server’s SSL certificate for macOS must be trusted. If the certificate is not issued by a CA that is already considered trusted in macOS, an error will occur when attempting to register:

2023-06-20 09:54:51 [ERROR] station registration failed – HTTP status = -1
2023-06-20 10:54:51 [ERROR] Error Code: -1202, Description: The certificate for
this server is invalid. You might be connecting to a server that is pretending
to be “172.22.78.78” which could put your confidential information at risk.

(See the log in the Console app – secureanybox.log, or in /var/log/secureanybox.log)

log in Console application

If needed, export the relevant certificate from the SecureAnyBox5 server interface, either from Administrative interface > Configuration > General/Web interface, or from SecureAnyBox > Agent configuration > General if you have a separate registration interface for agents.

Export certificate from Configuration
Export certificate from Agent Configuration

Import the downloaded certificate into macOS Keychain – System section (by tapping or dragging) and set it as trusted. Then restart the agent from the terminal using the command:

launchctl stop com.tdp.secureanybox-agent


For the agent to set the password of an account or group, those accounts must not have a Secure Token on macOS. A Secure Token is granted automatically to the account created by Apple's Setup Assistant and to accounts created by that account in Users & Groups in System Preferences. If the account to be managed has a Secure Token, the agent fails to set the password:

2023-06-20 08:54:46 [ERROR] err4001 0x7fe9cc70a210
2023-06-20 08:54:46 [ERROR] Failed to change password for ‘sab5′ (Uknown)!

To check whether an account has a Secure Token, use this command in Terminal (<username> is the account to check):

sysadminctl -secureTokenStatus <username>

You can turn the Secure Token off with the command:

sudo sysadminctl -secureTokenOff <username> -password <user password> -adminUser <admin username> -adminPassword <admin password>

Pass - instead of a password to be prompted for it, so that the passwords do not end up in the shell history. Bear in mind that an account without a Secure Token can no longer unlock a FileVault-encrypted disk, so keep the Secure Token on the administrator account that unlocks the Mac and remove it only from the accounts the agent is to manage.

Then restart the agent with the command:

launchctl stop com.tdp.secureanybox-agent

Terminal window
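The two failures above (an untrusted server certificate and a Secure Token on the managed account) both surface only in secureanybox.log. The following script is an added example, not code from SecureAnyBox5 or this guide: it reads the agent log, picks out the two error signatures quoted above and prints the remediation the guide gives for each, and it can optionally perform a live TLS trust check against the server. The log line format and the error strings come from the excerpts above; the signature names, the function names and the sample log are constructed here.

```python
import re
import socket
import ssl
from dataclasses import dataclass

# Agent log line format as seen in /var/log/secureanybox.log:
#   2023-06-20 09:54:51 [ERROR] station registration failed - HTTP status = -1
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)

# Failure signatures taken from the log excerpts in this guide, paired with the
# remediation the guide gives for each. The signature names are ours.
SIGNATURES = (
    ("untrusted_server_cert",
     re.compile(r"station registration failed|Error Code: -1202"),
     "macOS does not trust the server certificate: export it from the SecureAnyBox5 "
     "interface, import it into the System keychain as trusted, then restart the agent."),
    ("secure_token_account",
     re.compile(r"\berr4001\b|Failed to change password for"),
     "the managed account has a Secure Token: check it with "
     "'sysadminctl -secureTokenStatus <user>' and turn it off before the agent can set the password."),
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    kind: str
    message: str
    remediation: str


def triage(log_text: str) -> list:
    """Return one Finding per ERROR line that matches a known signature.
    Lines without a timestamp (the wrapped remainder of the -1202 description)
    are continuation lines and are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if m is None or m["level"] != "ERROR":
            continue
        for kind, pattern, fix in SIGNATURES:
            if pattern.search(m["msg"]):
                findings.append(Finding(m["ts"], kind, m["msg"], fix))
                break
    return findings


def problems(log_text: str) -> dict:
    """Collapse the findings to one remediation per problem kind."""
    return {f.kind: f.remediation for f in triage(log_text)}


def server_cert_trusted(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (needs network): can this machine verify the server's TLS chain?
    Caveat: ssl.create_default_context() uses the trust store of the OpenSSL that
    Python was built against, which on macOS is not necessarily the System keychain
    the agent uses, so treat a failure here as a hint rather than proof."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "certificate chain verified"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.reason}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


# Constructed sample modelled on the excerpts in this guide (not a real log).
SAMPLE_LOG = """\
2023-06-20 08:54:46 [ERROR] err4001 0x7fe9cc70a210
2023-06-20 08:54:46 [ERROR] Failed to change password for 'sab5' (Unknown)!
2023-06-20 09:54:51 [ERROR] station registration failed - HTTP status = -1
2023-06-20 10:54:51 [ERROR] Error Code: -1202, Description: The certificate for
this server is invalid. You might be connecting to a server that is pretending
to be "172.22.78.78" which could put your confidential information at risk.
2023-06-20 10:55:02 [INFO] station registered
"""

if __name__ == "__main__":
    for kind, fix in problems(SAMPLE_LOG).items():
        print(f"{kind}: {fix}")
```

On a real station run it as `python3 triage.py` after replacing SAMPLE_LOG with the contents of /var/log/secureanybox.log; if server_cert_trusted("172.22.78.78", 443) reports an untrusted certificate, the Keychain import described above is the fix (from Terminal, the equivalent of the Keychain Access steps is sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <certificate file>).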

Initialization of admin

After installation, SecureAnyBox5 starts, and the initialization page appears. To log in to the web interface, you must set the admin password first.

Init Admin

The Security Code field contains a unique code for your installation.
If not pre-filled, find it in the inst.id file in the SecureAnyBox5 server directory.
While entering the password, you can see its length, number of lowercase, uppercase, numbers, symbols, and its strength.
Click OK to confirm. After confirmation, the login page appears.

First login


How to set automatic login of default user by SecureAnyBox5 Agent

Automatic login by the SecureAnyBox5 Agent can be set only for the station's default user; other users must log in manually. This is useful for stations shared by several users but used mostly by a user with the lowest permissions: that user can be set as the default user and is logged in automatically.

To set up automatic login for SecureAnyBox5 Agent on stations, follow these steps:

Create an Agent Configuration containing the settings for every station platform on which you want to install the SecureAnyBox5 Agent.

On the Downloads page (in the SecureAnyBox section of the web interface), select the appropriate Agent Configuration and download the SecureAnyBox5 Agent and its configuration.

Download Agent Configuration

Install SecureAnyBox5 Agent on a station.


If the Agent Configuration is set to change the password of a group, a local user group must exist that contains all users who are allowed to obtain the password from SecureAnyBox5. The default user must be one of its members.

To create a local group of users in MS Windows, please follow these steps:

1. On the desktop, right-click My Computer (This PC), and then click Manage.

2. In the Computer Management window, under System Tools, expand Local Users and Groups.

3. Right-click Groups, and then click New Group.

4. In the New Group dialog box, fill in the following:

   Group name: Type the name of the group that you want to create.
   Description: Optionally, type a description for this group account.
   Add: Click Add to select the members to add to the group. Add all the user accounts that you want in the group.

5. Click Create.

6. Repeat steps 4 and 5 for any other required groups.

7. Click Close.

8. Click the Groups folder and verify that the groups you created are in the list.

Set the default user on your station.

If you want the SecureAnyBox5 Agent to update the default user's password, a default user must be set. The default user is logged into Windows automatically without entering a password.

To set the default user for your station, enter "netplwiz" into the Windows search field and click the program in the search results.

Windows search: netplwiz

The User Accounts dialog opens. In the list of Users for this computer, click the user to be set as default (1), uncheck Users must enter a user name and password to use this computer (2) and confirm by clicking OK (3).

Default user

After the station restarts, the first automatic login should succeed: the SecureAnyBox5 Agent sets the user's password and updates it in the registry keys where the automatic logon is stored. Because Windows keeps the automatic-logon credential in the Winlogon registry key, only trusted administrators should be able to read it, and the default user should hold the lowest permissions you can give it. The password of the default user can be obtained in SecureAnyBox on the Get Password page like that of any other user.

Updating a password for default user in the Active Directory domain

If the same default user is set on multiple stations, it is useful to have the default user's password changed in Active Directory. When this is set up, after the LDAP user's password changes the SecureAnyBox5 LDAP Agent goes through all registered stations and changes the password of the default user on those stations.

To update a password for the default user in Active Directory, follow these steps:

Set Agent Configuration for stations. In Agent Configuration for LDAP platform set field Change password of to value default users in domain.

Default user in domain

If App URL is not set in the general configuration of SecureAnyBox, it must be set in the Agent Configuration. The App URL has to be reachable from the stations, including from the internet (outside the local network). Without App URL set, the SecureAnyBox5 Agent can have problems connecting to the SecureAnyBox5 server.

Configure LDAP Agent. In LDAP Agent select Active Directory as Directory service and prepare Active Directory server.

Active Directory value in LDAP Agent form

Into LDAP Agent select the Agent Configuration, which you created in the first step.

Into the Default user domain field, enter the Active Directory domain name to which the default user belongs and, if necessary, modify the User id attribute. Configure the other required values in the LDAP Agent form and create the LDAP Agent by clicking OK. To apply the LDAP Agent, restart SecureAnyBox5.

On the Downloads page, select the Agent Configuration created in the first step and download the SecureAnyBox5 Agent and its configuration.

Set the default user on your station with netplwiz exactly as described in the previous section (How to set automatic login of default user by SecureAnyBox5 Agent): select the user, uncheck Users must enter a user name and password to use this computer, and confirm with OK.

Install SecureAnyBox5 Agent on a station.


After successful installation of SecureAnyBox5 Agent, a station should automatically register in the SecureAnyBox5. Please check at the Stations page, that registration of the station ran successfully.

Registered station

When registering, SecureAnyBox5 Agent (for Windows) sends default user info, including the domain if it’s a domain user. If the default user is a domain user, the Agent does not set the password (it lacks permission). In that case, the LDAP Agent sets the password.

The LDAP Agent scans all registered stations and finds default users whose domain matches the one in the LDAP Agent Configuration. It generates and sets new passwords for these users. That happens at server start, every hour, and after clicking Execute.

Automatic authentication to KeyShield SSO

Depending on your configuration, users can authenticate via KeyShield SSO. For automatic authentication, install the KeyShield SSO client on the station.
Instructions for unattended installation are at KeyShield_server/static/kshield_msi.page. For manual installation/configuration, follow the screenshots:

KeyShield SSO Installation 1 KeyShield SSO Installation 2 KeyShield SSO Installation 3

Integration with the OES Client for Windows works like the former ClientTrust for BorderManager: the KeyShield server creates a token and stores it as an attribute of the user's object. The KeyShield client reads the value through the OES Client for Windows API, uses it as a challenge, generates a response and sends it to the KeyShield server. The server validates the request and, if it is correct, accepts the authentication and sends a confirmation. The client icon turns green to show that authentication is complete. The related setting is in the eDirectory connector of the KeyShield server (you can use multiple eDirectory trees, AD forests, etc.).

KeyShield SSO Installation 4

This is a custom setup, but not required. The best practice is to let KeyShield configure the eDirectory connector automatically.
First, enter the Connector ID and provide the LDAP server IP and port.

KeyShield SSO Installation 5

Then click "Create KeyShield SSO objects".

KeyShield SSO Installation 6

KeyShield SSO creates its own mgr account (proxy for eDirectory), extends the schema by an auxiliary class (removable) for tokens, and assigns minimum access rights.
After setup, automatic authentication with the OES client for Windows should work. If not, check the Diagnostic log.

Import certificate on MS Windows

Importing the certificate is necessary for the automatic registration of the station in SecureAnyBox5 over HTTPS.
To import the certificate, please follow these steps:

Click Start and into Windows search field please enter "mmc" (1) and click on the program in the search results (2).
Start Menu after searching for "mmc"

In the Console window, please click the File (1) → Add/Remove Snap-in(2).
"Microsoft Management Console window"

Select Certificates (1) in the left panel and click Add (2) to move a selection into the right panel. Then click the OK button (3).
Add or Remove Snap-Ins window

In the Certificates snap-in window, select Computer account option (1) and click Next button (2). At the next window click the Finish button (3).
Settings of Certificate Snap-In

In the Add or Remove Snap-ins window click OK button (1).
Add or Remove Snap-Ins window after certificate added

In the Console window, expand Certificates, right-click Trusted Root Certification Authorities and choose All Tasks → Import.
Import Certificate

In the Certificate Import Wizard window click Next (1), and on the next screen select the certificate to import (2). With the certificate selected, click Next (3).
CertificateImportWizard

If the file is password-protected, enter the certificate password (1), click Next (2), then Next (3) and Finish (4). A password-protected .pfx/.p12 file usually also contains the private key; only the server's certificate (the public part) belongs in the Trusted Root store of a station, so export or extract the certificate alone rather than distributing the keystore file.
CertificateImportWizard
CertificateImportWizard

After the import, the station should register in SecureAnyBox5 automatically (this may take up to 10 minutes). For immediate registration, restart the SecureAnyBox5 Agent service.

Import certificate on macOS

To install a certificate on a Mac, download it and follow these steps:

To open Keychain Access, click Go in the Finder menu, then select Utilities.

In Utilities, click Keychain Access.

Note: Alternatively, you can open the Keychain Access by typing “Keychain Access” in the Spotlight search field at the top.

In Keychains, select System.

In the menu, select File > Import Items.

Browse to the .p12 or .pfx file (or the exported certificate file) and open it.

Enter your admin password to authorize and click Modify Keychain.

If you chose a .p12 or .pfx file, enter the password you used when creating it. Such a file normally contains the private key as well; stations need only the certificate itself, so prefer distributing the certificate alone.

Double-click the imported certificate in the System keychain, expand Trust and set it to Always Trust.

The SSL certificate is now installed and trusted, and the station should register automatically.

Import Keyshield SSO certificate to Java Keystore

Download the KeyShield SSO certificate from the Certificate section of the KeyShield SSO server.

On the server where SecureAnyBox5 is installed, import the certificate into the trust store of the Java runtime that SecureAnyBox5 uses:
<JAVA_HOME>/bin/keytool -importcert -alias keyshield -file <certificate file> -keystore <JAVA_HOME>/jre/lib/security/cacerts
where:
<JAVA_HOME> is the Java location used by SecureAnyBox5 (e.g., /opt/tdp/secureanybox/jdk8/)
<certificate file> is the location of the downloaded certificate (if you run the command from the folder containing the certificate, just enter the file name); the alias name is arbitrary.
keytool asks for the keystore password (the default password of the Java cacerts store is changeit) and shows the certificate's fingerprint before asking you to confirm the trust; compare it with the fingerprint of the certificate on the KeyShield SSO server before answering yes. Note that upgrading or replacing the Java runtime replaces this cacerts file, so the import has to be repeated afterwards.

After importing the certificate, you can connect to the KeyShield SSO server and save the SecureAnyBox5 configuration.

Installing browser extension using GPO

Google Chrome

At first, install Chrome policy templates.

Group policy editor

Run GPEDIT (gpedit.msc).

In GPEDIT, go to Computer Configuration > Administrative templates > Google Chrome > Extensions > Configure the list of force-installed apps and extensions.
(Extensions in the list are installed silently, without user interaction, and cannot be uninstalled or disabled by the user.)

Add the SecureAnyBox5 Extension to the list in this format:
jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx
Where jmjiclmedngjhklhcafhkmbhmdiecgif is the extension ID. You can verify the ID from the Chrome store address.

Windows registry

Instead of GPEDIT, you can write settings directly to the Windows registry.
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, enter:
"1"="jmjiclmedngjhklhcafhkmbhmdiecgif;https://clients2.google.com/service/update2/crx"

Mozilla Firefox

At first, install Firefox policy templates.

Group policy editor

Run GPEDIT (gpedit.msc).

In GPEDIT, go to Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Extensions to install.
(Extensions in the list are installed automatically.)

Add the path to the SecureAnyBox5 Extension file in one of these formats:

In GPEDIT, go to Computer Configuration > Administrative templates > Mozilla > Firefox > Extensions > Prevent extensions from being disabled or removed.
(Extensions in the list cannot be uninstalled or disabled by the user.)

Add the SecureAnyBox5 Extension ID: [email protected]

Windows registry

Instead of GPEDIT, you can write the settings directly to the Windows registry.
In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install, enter:
"1"="http:///swb/down/secureanybox-1.1.14-fx.xpi"
And in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked, enter:
"1"="[email protected]"
Serve the .xpi over HTTPS from your SecureAnyBox5 server rather than plain HTTP, so that a station on an untrusted network cannot be handed a substituted extension on the way.

Recover SecureAnyBox5 data from backup


The restored database includes all synchronized LDAP/Azure AD user accounts. A user who has previously logged into SecureAnyBox5 can access SecureAnyBox5 without a connection to the LDAP/Azure AD server.

To restore SecureAnyBox5 data from backup, follow these steps:

Stop SecureAnyBox5 server

If you want to restore data from a backup to a new installation of SecureAnyBox5, do not start the server after installation, do not configure anything and stop the server if necessary.

If you need to change the IP address in the configuration (e.g., after moving to another server), use the changeaddress utility in the SecureAnyBox5 server folder.
After starting the utility, confirm the note by pressing Enter.

introductory note

Set the new IP address and ports for HTTP and HTTPS, then save (use Tab to move in the utility).

change address

After saving, you will be informed that the changes have been saved.

configuration changed

Select the backup zip file from which the data is to be restored.

Select the backup zip file from which the data is to be restored

Extract the files from the backup zip file to the SecureAnyBox5 server folder

Extract the files from the backup zip file to the SecureAnyBox5 server folder

Files can also be extracted using the command line (e.g. on a Linux server):

$ unzip <backup zip file> -d <SecureAnyBox5 server folder>

The user account under which SecureAnyBox5 runs must have sufficient permissions on the extracted files; extract them as that account or fix the ownership afterwards.

Start SecureAnyBox5 server

When restoring data to a new SecureAnyBox5 server installation, you must also upload the license file.

Windows 11 Encrypting File System (EFS) troubleshooting

If you have problems encrypting on Windows 11 while working with external files, check that:

You have the latest version of Windows 11.
- In particular, the initial release of Windows 11 is the most likely to be affected.

You are not using Windows Home edition.
- Encrypting File System (EFS) is not available in the Windows Home edition. To be able to encrypt files, upgrade Windows to the Education, Enterprise, or Pro edition.

The system drive is formatted as NTFS, not FAT32.
- If your system disk is formatted as FAT32, convert it to NTFS to be able to use EFS.

Enable EFS through Windows Registry

Open the Registry Editor
(Press Windows + R to open Run dialog box, type regedit and click OK.)

Once the Registry Editor window opens, go to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Find NtfsDisableEncryption, double-click it and set the value to 0 (a value of 1 disables EFS). Click OK.

Enable EFS through Command Line

Start the Command Line as Administrator.
(Press Windows, type cmd (into the search bar) and click the Run as administrator option.)

When the Command Prompt window appears, enter fsutil behavior query disableEncryption to show the current state (disableEncryption = 1 means that EFS is disabled).
To turn encryption on, enter fsutil behavior set disableencryption 0.

To apply the new setting, reboot the station.

Additional information

CIDR format of subnet masks

SecureAnyBox5 stores subnets in CIDR notation.
The CIDR number is the count of 1’s in the subnet mask in binary. Use the table to find the CIDR equivalent of your subnet mask.

CIDR notation format Dotted decimal format Binary format
32 255.255.255.255 1111 1111 1111 1111 1111 1111 1111 1111
31 255.255.255.254 1111 1111 1111 1111 1111 1111 1111 1110
30 255.255.255.252 1111 1111 1111 1111 1111 1111 1111 1100
29 255.255.255.248 1111 1111 1111 1111 1111 1111 1111 1000
28 255.255.255.240 1111 1111 1111 1111 1111 1111 1111 0000
27 255.255.255.224 1111 1111 1111 1111 1111 1111 1110 0000
26 255.255.255.192 1111 1111 1111 1111 1111 1111 1100 0000
25 255.255.255.128 1111 1111 1111 1111 1111 1111 1000 0000
24 255.255.255.0 1111 1111 1111 1111 1111 1111 0000 0000
23 255.255.254.0 1111 1111 1111 1111 1111 1110 0000 0000
22 255.255.252.0 1111 1111 1111 1111 1111 1100 0000 0000
21 255.255.248.0 1111 1111 1111 1111 1111 1000 0000 0000
20 255.255.240.0 1111 1111 1111 1111 1111 0000 0000 0000
19 255.255.224.0 1111 1111 1111 1111 1110 0000 0000 0000
18 255.255.192.0 1111 1111 1111 1111 1100 0000 0000 0000
17 255.255.128.0 1111 1111 1111 1111 1000 0000 0000 0000
16 255.255.0.0 1111 1111 1111 1111 0000 0000 0000 0000
15 255.254.0.0 1111 1111 1111 1110 0000 0000 0000 0000
14 255.252.0.0 1111 1111 1111 1100 0000 0000 0000 0000
13 255.248.0.0 1111 1111 1111 1000 0000 0000 0000 0000
12 255.240.0.0 1111 1111 1111 0000 0000 0000 0000 0000
11 255.224.0.0 1111 1111 1110 0000 0000 0000 0000 0000
10 255.192.0.0 1111 1111 1100 0000 0000 0000 0000 0000
9 255.128.0.0 1111 1111 1000 0000 0000 0000 0000 0000
8 255.0.0.0 1111 1111 0000 0000 0000 0000 0000 0000
7 254.0.0.0 1111 1110 0000 0000 0000 0000 0000 0000
6 252.0.0.0 1111 1100 0000 0000 0000 0000 0000 0000
5 248.0.0.0 1111 1000 0000 0000 0000 0000 0000 0000
4 240.0.0.0 1111 0000 0000 0000 0000 0000 0000 0000
3 224.0.0.0 1110 0000 0000 0000 0000 0000 0000 0000
2 192.0.0.0 1100 0000 0000 0000 0000 0000 0000 0000
1 128.0.0.0 1000 0000 0000 0000 0000 0000 0000 0000
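The conversion in the table is a bit count, but only a mask whose binary form is a run of 1 bits followed by 0 bits is a valid netmask, and a typo such as 255.255.228.0 should be rejected rather than rounded. The following script is an added example (not code from SecureAnyBox5) that converts in both directions, validates contiguity, renders the binary column of the table and builds the CIDR form in which SecureAnyBox5 stores subnets; it uses only the Python standard library, and the function names are ours.

```python
import ipaddress


def prefix_from_mask(mask: str) -> int:
    """Return the CIDR prefix length of a dotted-decimal IPv4 netmask.
    A netmask must be a run of 1 bits followed only by 0 bits; anything else
    (255.255.228.0, for instance) is rejected instead of being silently rounded."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {mask!r}")
        value = (value << 8) | n
    bits = f"{value:032b}"
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask, not a valid netmask: {mask!r}")
    return ones


def mask_from_prefix(prefix: int) -> str:
    """Inverse of prefix_from_mask: 19 -> 255.255.224.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_format(mask: str) -> str:
    """Render a mask as 32 bits in groups of four, as in the table above."""
    bits = f"{int(ipaddress.IPv4Address(mask)):032b}"
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def subnet_cidr(address: str, mask: str) -> str:
    """Combine a host address and its mask into the subnet in CIDR notation,
    the form in which SecureAnyBox5 stores subnets (host bits are cleared)."""
    network = ipaddress.ip_network(f"{address}/{prefix_from_mask(mask)}", strict=False)
    return str(network)


if __name__ == "__main__":
    # Regenerate the table above from the prefix lengths.
    for prefix in range(32, 0, -1):
        mask = mask_from_prefix(prefix)
        print(f"{prefix:2} {mask:15} {binary_format(mask)}")
    print(subnet_cidr("172.22.78.78", "255.255.0.0"))  # 172.22.0.0/16
```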

Dereference aliases

An alias is an entry that points to another object in the namespace by containing its DN. Following an alias to the entry it points to is known as dereferencing the alias.
There are four modes of dereferencing aliases (the names in brackets are those used by the LDAP protocol):

Never (neverDerefAliases): aliases are not dereferenced at all.
Dereference while finding the base object (derefFindingBaseObj): only an alias given as the search base is dereferenced; aliases found within the search scope are not.
Dereference while retrieving objects according to search scope (derefInSearching): aliases found within the search scope are dereferenced, but an alias given as the search base is not.
Always (derefAlways): both the search base and the aliases within the scope are dereferenced.

Example

In the directory, two aliases have been set up:

"ou=Employees", an alias of "ou=People"
"cn=Newbie, ou=People", an alias of "cn=James Black, ou=NewHires"

In the container "ou=People" there are two other (non-alias) entries:

"cn=Marie Smith, ou=People"
"cn=Robert Norman, ou=People"

The following table summarizes the results of searching "ou=Employees" in the different modes.

Dereference mode | Results
Never | no entries (the "ou=Employees" alias is never dereferenced)
Dereference while retrieving objects according to search scope | no entries (the "ou=Employees" alias used as the search base is not dereferenced)
Dereference while finding the base object | two entries: "cn=Marie Smith, ou=People" and "cn=Robert Norman, ou=People" (the "cn=Newbie, ou=People" alias is not dereferenced)
Always | three entries: "cn=Marie Smith, ou=People", "cn=Robert Norman, ou=People" and "cn=James Black, ou=NewHires"
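To make the four modes concrete, the following script is an added example (not code from SecureAnyBox5 or an LDAP library) that models the example directory above in memory and runs a one-level search from "ou=Employees" in each mode, reproducing the table. It treats alias entries that are not dereferenced as absent from the result, which is what a filter such as (objectClass=person) does, since alias entries do not match it; it also refuses alias loops, which a real server must guard against too. The DN parsing is simplified (no escaped commas) and all names are ours.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Deref(Enum):
    """The four alias dereferencing modes (LDAP protocol names)."""
    NEVER = "neverDerefAliases"
    SEARCHING = "derefInSearching"     # aliases found within the search scope
    FINDING = "derefFindingBaseObj"    # the alias used as the search base
    ALWAYS = "derefAlways"


@dataclass(frozen=True)
class Entry:
    dn: str
    alias_of: Optional[str] = None    # target DN if this entry is an alias


# The example directory from this guide, modelled in memory.
DIRECTORY = {e.dn: e for e in (
    Entry("ou=People"),
    Entry("ou=NewHires"),
    Entry("ou=Employees", alias_of="ou=People"),
    Entry("cn=Marie Smith,ou=People"),
    Entry("cn=Robert Norman,ou=People"),
    Entry("cn=Newbie,ou=People", alias_of="cn=James Black,ou=NewHires"),
    Entry("cn=James Black,ou=NewHires"),
)}


def parent_dn(dn: str) -> str:
    # Simplified: the sample DNs contain no escaped commas.
    return dn.split(",", 1)[1] if "," in dn else ""


def dereference(tree, dn, limit=8):
    """Follow an alias chain to a real entry; refuse loops and dangling aliases."""
    seen = set()
    while tree[dn].alias_of is not None:
        if dn in seen or len(seen) >= limit:
            raise ValueError(f"alias loop or chain too long at {dn}")
        seen.add(dn)
        dn = tree[dn].alias_of
        if dn not in tree:
            raise LookupError(f"dangling alias target {dn}")
    return dn


def search_onelevel(tree, base, mode):
    """One-level search returning the DNs of the real entries found, as in the table."""
    if base not in tree:
        return []
    if tree[base].alias_of is not None:
        if mode in (Deref.FINDING, Deref.ALWAYS):
            base = dereference(tree, base)
        else:
            return []   # an alias entry has no subordinates of its own
    results = []
    for dn, entry in tree.items():
        if parent_dn(dn) != base:
            continue
        if entry.alias_of is None:
            results.append(dn)
        elif mode in (Deref.SEARCHING, Deref.ALWAYS):
            results.append(dereference(tree, dn))
    return results


def results_table(tree=DIRECTORY, base="ou=Employees"):
    return {mode: search_onelevel(tree, base, mode) for mode in Deref}


if __name__ == "__main__":
    for mode, hits in results_table().items():
        print(f"{mode.value:22} {len(hits)} entries: {', '.join(hits) or '-'}")
```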

Password Pattern Examples

Password pattern Entropy* Generated passwords (examples)
17 characters
CvddcVcAzduldAAvl 74.01 zi02gIfKT5Ah7frys Qo60histH3Pd4OQez hi82xOpGQ7Ft1Lzef
ZuAcVdAddcVlduldA 72.65 YLjvU9c67tol3Lc0P ETGgO0B66zek9Xi3M AIivE7q60kUr7Rt5y
uzVcsAnVdACCvdAnC 76.45 NCur]g6o5Ygru3Y[t CMul#F.A6mMfi8D(c BMEx/y_A9SFTy4S5X
dCVAAAAAdscVnuAnV 76.70 7siJIsnK0/ce$Cy*E 4WyKKsnr7$ky&Fu6A 4koceFZL7;wo
CvdscVcAznuldAAvl 77.13 Cy7)zYnVL5Vd4CYuo Za0&tEmAW4Qc7Lbon li7$rejUN*Og6Ixon
15 characters
vddcVcAZduldAvl 64.19 o56xYtWU6He9Sal a93vucrO8Gj5Oap u58xYnAI5Be5uic
AcdVAAVlCuldAdl 66.02 rz0ogHefmIf5A3w Eh1aSfegCYt7t5w pb1oPLYtPRg7P3n
uZcdVCVCZuAVcdA 65.94 ZIn7eMawIHDYk5W KAz9OCYgILLaz0t GYx0YCyfYWpiv2c
ZnAcVdnlAundCAV 66.65 A-LzI3:cPD;7SMy U$Xby2:ecG45nlU O4bpY6]wrQ71pMA
dCVAccAdcVduAdV 64.62 2gufrgC5by1Mm8u 3ZeFtbv7pa2NY9A 2Mavcqg2fO7Fa4u
12 characters
CulllduCldVz 53.25 rHevf4DXy1EZ bBuud7YKz2UM cCbtg8Zsy5IB
VAn*dAcVdlsu 53.50 Aj;O3mcy9b.H Ex2<7gmE8i-O UA2S8wry4y(W
ZVdAsCVndldA 52.34 UA2p/SU58k7b EO0C%HO@4s7r OI5c:Se*8e2r
uCldVdAsCVVA 52.56 Yxo8i3K>rUEF ZNs3U6g/BuAX Qwb6u6n&luYK
AcVdlsCuldAd 52.10 lty8i%JHy6F5 Cqu6t@xZk9m7 Ymu9i$XRh9t0
Easier to remember (alternating consonants and vowels)
cVcZdCvcddC 46.32 rumE9Zes04L kurA7jas53d tUlE8xiz14V
cvVcdVddzZzV 50.18 hyoh6Y78DUPO weyp8u59TYFA viyr8u33PIQI
cvcsdddcvcs 45.35 qab/141qor/ cyh/582wut@ guv$451vof@
CvcVsdcVcvd 46.45 GohI>5zini7 juny/7xYdi3 HamY&7dyqa4
zZzVdsdzZzV 47.03 PELa4[7TOQY GIKo1@5KAKU XAHa6#4NULa

* Password pattern entropy is counted as an average entropy of a hundred passwords that were generated based on the password pattern.

Password entropy

Password entropy measures how unpredictable a password is; higher values are better.
SecureAnyBox5 recognizes four security levels based on entropy:

Password security | Indicator | Min. | Max. | Description
really bad | error | 0 | 20 | password should be changed immediately
unsatisfactory | warning | 20 | 35 | password does not meet security standards and should be changed
satisfactory | (none) | 35 | 50 | password meets security standards, but it can be better
really good | success | 50 | (no upper limit) | password is really secure

Examples of the use of Pattern Characters

To specify a set of characters to use when generating a password, enter them without separators (e.g., 'abc'). The password will use only those characters.
To omit characters, start with ^ (e.g., '^0123'). The password will use all allowed characters except those specified.

In Agent Configuration, you can use up to 3 different Pattern Characters settings. Each character in the password can use only one setting.

Recommended steps:

Characters used in generated passwords

lowercase vowels aeiouy
mixed case vowels AEIOUYaeiouy
uppercase vowels AEIOUY
lowercase consonants bcdfghjklmnpqrstvwxz
uppercase consonants BCDFGHJKLMNPQRSTVWXZ
mixed case consonants bcdfghjklmnpqrstvwxzBCDFGHJKLMNPQRSTVWXZ
lowercase alphabet characters abcdefghijklmnopqrstuvwxyz
uppercase alphabet characters ABCDEFGHIJKLMNOPQRSTUVWXYZ
mixed alphabet characters abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
digits 0123456789
special characters .@&*()<>_][%$#/\?;-:
Examples

To generate user-friendly passwords without easily interchangeable characters (like 0 and O, or I, l and 1):
Enter ^0O1Il in Pattern Characters 1 and as many 1's in Password Pattern as the password length.

Example of password Pattern setting for a password without interchangeable characters

This setting will generate passwords such as: vZ\Z7q@hoqiPK, C_6wsK((AujbG, K(_H-T*C]c%fq

If you also want to omit all special characters, add all special characters to the text in the Pattern Characters 1 field.

Example of password Pattern setting for a password without interchangeable and special characters

This setting will generate passwords such as: 2a5CMpdGUXytD, Zs7aPYqSUV8ps, AxnXkr5KZhFYw

To generate easily readable passwords (with alternating consonants and vowels):

For passwords with alternating characters, two Pattern Characters settings are needed. Enter all consonants into the first one and all vowels into the second one. The Password Pattern field is then set to alternating 1 and 2; the number of 1's and 2's is the length of the new password.

Example of password pattern setting for easily readable passwords

This setting will generate passwords such as: fABOqucimac, minITafeJAl, NidedYvOKAt


To generate passwords that meet requirements (e.g., at least two capitals, one number, or a special character):

For passwords that conform to such requirements, set all characters that may be used in the generated passwords as Pattern Characters 1, upper case characters as Pattern Characters 2, and digits and special characters as Pattern Characters 3, so that the Password Pattern can place 2 in at least two positions and 3 in at least one.

Example of password pattern setting that conforms to the password requirements

As you can see in the image, in some cases it can be simpler to specify the characters to omit. The text '^.&()<>_][%$#\?;:' has the same effect as the text 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@-*/'.

Example of password pattern setting that conforms to the password requirements

This setting will generate passwords such as: vaDB3/smCVR, oFhV62MQEvI, RWXZl2HiGth
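The following script is an added example, not the SecureAnyBox5 generator: it implements the Pattern Characters semantics described above (a plain list of characters, or ^ followed by the characters to leave out of the allowed set from the table) together with the Password Pattern that names a set per position, builds the three settings from the examples above, and attaches an entropy figure and the security level from the Password entropy table. The character classes come from the table above; the entropy formula (sum of log2 of the set size per position, i.e. uniform choice) is our assumption and not the guide's stated method, and the function names are ours.

```python
import math
import secrets

# Character classes from the table above.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SPECIAL = ".@&*()<>_][%$#/\\?;-:"
ALL_ALLOWED = LOWER + UPPER + DIGITS + SPECIAL
CONSONANTS = "bcdfghjklmnpqrstvwxzBCDFGHJKLMNPQRSTVWXZ"
VOWELS = "aeiouyAEIOUY"


def resolve_charset(spec, allowed=ALL_ALLOWED):
    """Pattern Characters field: 'abc' means use only a, b, c; '^0123' means use every
    allowed character except 0, 1, 2, 3. Returns the characters in a fixed order."""
    if spec.startswith("^"):
        excluded = set(spec[1:])
        chars = [c for c in allowed if c not in excluded]
    else:
        chars = list(dict.fromkeys(spec))      # de-duplicate, keep order
    if not chars:
        raise ValueError("Pattern Characters resolves to an empty set")
    return "".join(chars)


def generate(pattern, sets, rng=secrets):
    """Password Pattern: one digit per position naming the Pattern Characters set
    (1, 2 or 3) that position is drawn from. rng needs a choice() method."""
    password = []
    for slot in pattern:
        if slot not in sets:
            raise ValueError(f"Password Pattern uses undefined Pattern Characters {slot}")
        password.append(rng.choice(sets[slot]))
    return "".join(password)


def entropy_bits(pattern, sets):
    """Assumption, not the guide's formula: each position is chosen uniformly from
    its set, so the entropy is the sum of log2(set size) over all positions."""
    return sum(math.log2(len(sets[slot])) for slot in pattern)


def security_level(bits):
    """The four levels from the Password entropy table."""
    if bits < 20:
        return "really bad"
    if bits < 35:
        return "unsatisfactory"
    if bits < 50:
        return "satisfactory"
    return "really good"


# The three settings described in the examples above.
def no_lookalikes(length=13):
    return "1" * length, {"1": resolve_charset("^0O1Il")}


def alternating(length=11):
    return "".join("12"[i % 2] for i in range(length)), {"1": CONSONANTS, "2": VOWELS}


def with_requirements(length=11):
    # at least two upper-case letters (set 2) and one digit or special (set 3)
    pattern = "2" * 2 + "3" + "1" * (length - 3)
    sets = {"1": resolve_charset("^.&()<>_][%$#\\?;:"), "2": UPPER, "3": DIGITS + SPECIAL}
    return pattern, sets


if __name__ == "__main__":
    for name, (pattern, sets) in (("no look-alikes", no_lookalikes()),
                                  ("alternating", alternating()),
                                  ("requirements", with_requirements())):
        bits = entropy_bits(pattern, sets)
        print(f"{name:14} {pattern} {generate(pattern, sets)} "
              f"{bits:.2f} bits -> {security_level(bits)}")
```

A fixed Password Pattern also fixes which positions hold which class (the two capitals always come first in with_requirements, for example); the per-position entropy figure already reflects that, which is why the readable and requirement-driven patterns score lower than the plain 13-character one.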