Everything in its Right Place | Browser Extension & API

Passbolt 5.8.0 introduces dynamic role management, allowing organizations to define additional roles that better align with internal policies, compliance requirements, and operational needs. This release also adds drag & drop user assignment to groups, simplifying day-to-day user and group management.

Warning: Ensure that all users have updated their browser extension to at least version 5.8 before assigning new roles. Otherwise, they will not be able to connect to Passbolt.

Dynamic role management

As was already the case with the default User role, Passbolt allows administrators to restrict what users can do by limiting access to specific capabilities. With version 5.8, this model is extended beyond the default Admin and User roles, making it possible to create additional roles and assign them to users for more granular control.

Dynamic roles also enable the delegation of administrative responsibilities. Rather than granting full administrative access, administrators can now assign selected capabilities to custom roles and distribute operational tasks across multiple users. Initial support covers group creation, as well as handling account recovery requests in Passbolt Pro.

At this stage, dynamic role management comes with a defined scope and set of constraints.

• The default Admin and User roles keep fixed names and cannot be renamed or deleted. 
• As before, the User role can be restricted, but it cannot be assigned delegated administrative responsibilities. 
• The Admin role, by contrast, always retains access to all capabilities and cannot be restricted. 
• Custom roles are currently limited to two per instance and support a first set of administrative capabilities. 

This scope will be expanded progressively as additional needs and use cases are identified by the community.

Drag & drop users to groups

Managing group membership often requires repetitive actions when working with large teams or frequently changing group structures. With Passbolt 5.8, administrators can now add users to a group by dragging them directly onto it from the Users & Groups workspace. This removes the need to open and edit each group individually and makes day-to-day group management faster and more fluid.

Miscellaneous improvements

As usual, this release includes fixes and smaller improvements intended to improve the overall experience. For the full list of changes, please refer to the changelog.

Many thanks to everyone who provided feedback and helped refine these features. 

API

Added

• PB-46972 As an administrator I can create a new custom role
• PB-46973 As an administrator I can update a custom role
• PB-46968 As an administrator I can soft delete custom roles
• PB-46971 As an administrator I can list roles including deleted ones via filter
• PB-47169 As a user I receive an email notification when my role is changed
• PB-47345 As an administrator I receive an email notification when a role is created or updated
• PB-46975 As an administrator I can list RBACs including Actions
• PB-46976 As an administrator I can update RBACs for Actions
• PB-47006 As a logged-in user my role is fetched on every request to reflect role changes immediately
• PB-47083 As a user with appropriate RBAC permissions I can create groups
• PB-47171 As a user with appropriate RBAC permissions I can manage account recovery requests (PRO)
• PB-47338 As a user with account recovery view permissions I can see pending requests in users.json (PRO)
• PB-47196 As an administrator I can run the healthcheck command in POSIX mode
• PB-47274 As an administrator I can run a command to populate created_by and modified_by fields in secrets
• PB-47275 As an administrator I can run a command to populate secret revisions for existing secrets

Fixed

• PB-46374 As first admin I should not receive emails regarding encrypted metadata enablement during the first setup
• PB-46613 Fix web installer not working in HTTP when not in secure context
• PB-46640 Fix warnings in mfa_user_settings_reset_self.php email template
• PB-46645 Optimize action logs purge command dry run query
• PB-46913 Fix MfaUserSettingsDisableCommand to support case sensitive username comparison
• PB-46935 Fix 500 error on /metadata/session-keys/{uuid}.json endpoint when the request is sent twice
•  PB-47236 Reduce the PHP memory load of the V570PopulateSecretRevisionsForExistingSecrets migration

Security

• PB-46890 Upgrade js-yaml dependency (Medium severity)

Maintenance

• PB-45979 Add CACHE_CAKETRANSLATIONS_CLASSNAME environment variable for _cake_translations_ cache config
• PB-46388 Fix PHPUnit 11 deprecations

Browser extension

Added

• PB-46646 Reduce accidental destructive actions by moving Delete user and Disable MFA into a More menu in Users and groups
• PB-28298 Add users to groups by dragging and dropping
• PB-47198 Add exception to allow users to autofill workbench.cisecurity.org
• PB-46997 DR - WP1.1 Update RbacsCollection to EntityV2Collection and add new methods
• PB-46999 DR - WP1.2 Update RoleEntity schema and add new methods
• PB-47000 DR - WP1.3 Update RolesCollection to EntityV2Collection and add new methods
• PB-47002 DR - WP2.1 Update of RoleService to a RoleApiService
• PB-47003 DR - WP2.2 Update of RoleModel to a RoleService
• PB-47003 DR - WP2.3 Update of RbacService to a RbacApiService
• PB-47014 DR - WP2.4 Update of RbacModel to a RbacService
• PB-47015 DR - WP3.1 Create the FindAllRolesController and update the event
• PB-47015 DR - WP3.1 Create the FindAllRolesController and update the event
• PB-47017 DR - WP3.2 Update the FindMeController into a FindMeRbacController
• PB-47088 DR - WP3.3 Create the FindAndUpdateRolesLocalStorageController
• PB-47018 DR - WP4.1 Create RoleServiceWorkerService to get the roles
• PB-47019 DR - WP4.2 Create RbacServiceWorkerService to get the RBAC permissions of a signed-in user
• PB-47021 DR - WP4.3 Add the method canRoleUseAction in CanUseService
• PB-47089 DR - WP4.4 Add a method to find and update roles in local storage
• PB-47022 DR - WP5.1 Add the method canIUseAction in RbacContext
• PB-47023 DR - WP5.2 Verify the signed-in user's RBAC privileges before allowing access to the FilterUsersByGroup functionality
• PB-47024 DR - WP5.3 Verify the signed-in user's RBAC privileges before allowing access to the DisplayUserWorkspaceMainActions functionality
• PB-47023 DR - WP5.4 Verify the signed-in user's RBAC privileges before allowing access to the DisplayUserWorkspaceActions functionality
• PB-47036 DR - WP5.5 Verify the signed-in user's RBAC privileges before allowing access to the DisplayUsersWorkspaceFilterBar functionality
• PB-47037 DR - WP5.6 Verify the signed-in user's RBAC privileges before allowing access to the DisplayUsers functionality
• PB-47039 DR - WP5.7 Update CreateUser to select role in a dropdown component
• PB-47042 DR - WP5.8 Update EditUser to select role in a dropdown component
• PB-47027 DR - WP5.9 Create the component CreateRoleDialog
• PB-47028 DR - WP5.10 Create the component EditRoleDialog
• PB-47029 DR - WP5.11 Create the component DeleteRoleDialog
• PB-47030 DR - WP5.12 Update the style of DisplayRbacAdministration to match current design
• PB-47031 DR - WP5.13 Add create role in DisplayRbacAdministration
• PB-47032 DR - WP5.14 Display all roles in DisplayRbacAdministration
• PB-47033 DR - WP5.15 Add menu item to update the name of new role
• PB-47016 DR - WP5.16 Add menu item to delete new role
• PB-47090 DR - WP5.17 Update ManageAccountRecoveryUserSettings to use roles from context
• PB-47091 DR - WP5.18 Update ReviewAccountRecoveryRequest to use roles from context 
• PB-47092 DR - WP5.19 Update DisplayScimSettingsAdministration to use roles from context
• PB-47093 DR - WP5.20 Update DisplayUserDetailsInformation to use roles from context
• PB-47094 DR - WP5.21 Update DisplayAccountRecoveryUserSettings to use roles from context
• PB-47095 DR - WP5.22 Update UserWorkspaceContext to use roles from context
• PB-47096 DR - WP5.23 Create the RoleContextProvider and add it on ExtAppContext
• PB-47214 DR - WP5.24 Update the RoleEntity to avoid name bypass
• PB-47215 DR - WP5.25 Update RolesCollection to filter out Guest role
• PB-47216 DR - WP5.26 Update FindRolesService to filter out guest role
• PB-47231 DR - WP5.27 Create component DeleteRoleNotAllowed

Fixed

• PB-46180 Incorrect folder name encoding in sharing progress dialog
• PB-46612 Add missing border radius to secret history selected revision
• PB-45978 Resize bar continues dragging after mouse release
• PB-46905 Display the "Remove from group" action button to group managers
• PB-46627 Fix missing space in the “Advanced settings” of the password generator tabs between the last component and the CTA
• PB-46930 Secret history review should display an unknown user when creator does not exists
• PB-47298 KDBX not set expiry if never is set

Maintenance

• PB-46636 Remove eslint v8 compatibility
• PB-46890 Small upgrade for js-yaml (Medium)
• PB-46831 Increase coverage of passbolt-styleguide DisplayUserTheme to 100%, and verify no change occurs when the user selects the already-selected theme
• PB-29338 React 18: upgrade changes with Legacy DOM renderer
• PB-47057 React 18: Remove unused dev dependency jest-dom 
• PB-47069 DisplayResourceDetailsInformation Test Cases for Expired Passwords
• PB-46831 Increase coverage of passbolt-styleguide DisplayUserTheme to 100%
• PB-47069 DisplayResourceDetailsInformation Test Cases for Expired Passwords
• PB-47311 Major upgrade for serialize-javascript (Medium)
• PB-46832 Increase coverage of ThemeEntity
• PB-46833 Increase coverage of AccountSettingsService 
• PB-46834 Increase coverage of ThemeModel
• PB-47011 ESLINT - WP1.1 Install phantom dependencies