This SQL snippet provides a simple way to manage Passbolt user permissions directly from the MySQL database. It can be used by system administrators who need to adjust resource access (passwords, folders, or shared secrets) without using the web interface, for example when a user has left the organization or needs elevated privileges on multiple entries.
With these queries you can identify a user's internal Passbolt UUID (id) from their email address, bulk update their access level (type) in the permissions table, convert all "update" permissions (editable) to "owner" permissions (full control), or apply any combination you require.
This method is especially useful for large instances where manual adjustments via the UI would be too time-consuming.
The permission constants used by Passbolt are:
READ = 1
UPDATE = 7
OWNER = 15
Use with caution: modifying permissions directly in the database bypasses the application's validation layer. Always back up your Passbolt database before running updates.
-- Permission types in Passbolt
-- READ = 1
-- UPDATE = 7
-- OWNER = 15
-- 1. Get the user ID
SELECT id, username
FROM users
WHERE username = 'user@example.com'; -- placeholder: the user's email address
-- 2. Copy the retrieved user ID
-- 3. Update their permissions from UPDATE to OWNER
UPDATE permissions
SET type = 15
WHERE aro_foreign_key = 'UUID_USER'
AND type = 7
AND aco = 'Resource';
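Because the update bypasses the application's validation layer, it helps to snapshot the affected rows and run the change in a transaction so the row count can be checked before committing. The following is an added example, not part of the original snippet; it assumes the permissions table uses InnoDB and has a primary key column named id, and permissions_backup_example is a hypothetical table name.

```sql
-- Added example: same UPDATE as above, with a snapshot and a row-count check.
-- 'UUID_USER' is the placeholder used above; replace it with the id from step 1.

-- 1. Snapshot the rows that are about to change.
--    CREATE TABLE causes an implicit commit in MySQL, so do it before the transaction.
CREATE TABLE permissions_backup_example AS
SELECT *
FROM permissions
WHERE aro_foreign_key = 'UUID_USER'
  AND type = 7
  AND aco = 'Resource';

-- 2. Note how many rows are expected to change.
SELECT COUNT(*) AS rows_expected
FROM permissions_backup_example;

-- 3. Apply the change inside a transaction (assumes InnoDB).
START TRANSACTION;

UPDATE permissions
SET type = 15
WHERE aro_foreign_key = 'UUID_USER'
  AND type = 7
  AND aco = 'Resource';

-- ROW_COUNT() must be read immediately after the UPDATE.
SELECT ROW_COUNT() AS rows_changed;

-- 4. Review the user's resource permissions by type before committing.
--    No rows with type = 7 should remain.
SELECT type, COUNT(*) AS n
FROM permissions
WHERE aro_foreign_key = 'UUID_USER'
  AND aco = 'Resource'
GROUP BY type;

-- 5. Commit only if rows_changed equals rows_expected; otherwise run ROLLBACK.
COMMIT;
-- ROLLBACK;

-- To revert after a commit (assumes a primary key column named id):
-- UPDATE permissions p
-- JOIN permissions_backup_example b ON b.id = p.id
-- SET p.type = b.type;
```

Drop permissions_backup_example once the change has been verified in the Passbolt web interface.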