Password Manager App Overview
Store personal credentials, share team passwords with group-based access control, generate strong passwords, track every view and copy in a full audit trail, and manage expiration reminders, all from a vault built into MangoApps Workforce.
What is Password Manager?
Password Manager is the centralized credential vault inside MangoApps Workforce. It gives every employee a private space to store personal logins (Slack, GitHub, Jira) while letting admins and authorized team members share credentials (Wi-Fi, API keys, vendor portals) with fine-grained group-based access control. Passwords and notes are encrypted at rest with Rails ActiveRecord Encryption (Rails 7+), every view and copy is written to an append-only audit trail, and expiration dates drive proactive rotation reminders.
The app integrates with the Ask AI module through a dedicated Password Agent that lets users retrieve, list, create, and manage passwords via natural language commands, all within the same access-control and audit boundaries as the web interface.
Core Value Proposition:
- Encrypted Vault: Passwords and notes are encrypted at rest with Rails ActiveRecord Encryption and are never stored in plaintext
- Team Sharing: Share credentials with groups, teams, or the entire organization using public or restricted access levels
- Full Audit Trail: Every view, copy, create, update, archive, and delete is logged with the acting user and timestamp; views and copies also record IP address and user agent
- AI-Powered Retrieval: Ask AI Password Agent for natural language password lookups and management
At a Glance
| Personal Vault | Team Sharing | Smart Search | Expiry Management |
|---|---|---|---|
| Private passwords only you can see | Group-based or public access | Text + semantic vector search | Rotation reminders, auto-expire |

| Audit Logging | Categories | Password Generator | AI Agent |
|---|---|---|---|
| Views, copies, changes, IP tracking | Wi-Fi, Software, API Keys, Banking | Cryptographically secure 16-char | Natural language via Ask AI |
Perfect For:
- Employees: Store personal logins, search for team passwords, copy credentials with one click, mark favorites
- Managers: Share team credentials with controlled group access, view who accessed shared passwords
- HR / Admin: Configure security policies, manage categories, review analytics and audit logs, enable the AI agent
How It Works
Password Lifecycle
```text
PASSWORD ENTRY LIFECYCLE

  CREATE Entry --> ACTIVE & In Use --> EXPIRING Soon --> EXPIRED (rotate)
                         |
                         v
                     ARCHIVED (can be restored)

  Every action logged: created -> viewed -> copied -> updated -> archived
```
Access Control Model
```text
ACCESS CONTROL MODEL

  PERSONAL PASSWORDS              SHARED PASSWORDS
  Owner ONLY:                     Access level determines who can view:
    - View                          PUBLIC     -> all app users
    - Edit                          RESTRICTED -> specific:
    - Delete                                      - groups (allowed_group_ids)
    - Audit                                       - explicit user grants
                                                  - admins (always)

  PERMISSION HIERARCHY
    Super Admin -> full access to all shared passwords
    Admin       -> full access to all shared passwords
    Manager     -> access if in allowed group or granted
    Employee    -> access if in allowed group or granted
```
Personal Passwords (My Passwords)
Every employee gets a private vault for storing personal credentials that only they can access.
Creating a Personal Password
- Click New Password from the dashboard or sidebar
- Fill in the entry details:
  - Title (required): a descriptive name like "Slack" or "AWS Console"
  - Username / Email: the login credential
  - Password (required): type manually or click Generate for a cryptographically secure 16-character password
  - Website URL: direct link to the login page
  - Notes: additional instructions or context (encrypted at rest)
- Select My Password for visibility
- Choose a Category (Software Licenses, Personal, etc.)
- Optionally set an Expiration Date for rotation reminders
- Click Create Password
Password Generator
The built-in generator uses `crypto.getRandomValues()`, the browser's cryptographically secure random source, to produce 16-character passwords drawn from:
- Uppercase and lowercase letters
- Numbers
- Special characters (`!@#$%^&*()_+-=[]{}|;:,.<>?`)
The password strength indicator evaluates entries in real time and rates them as Weak, Fair, Good, or Strong based on length and character diversity.
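As an added example (this is not MangoApps' own generator, which runs in the browser on `crypto.getRandomValues()`), the same design in server-side Ruby with `SecureRandom`: characters are picked by index from the CSPRNG so there is no modulo bias, one character from each class is seeded first so a 16-character output can never lack a digit or symbol, and strength is rated from length and class diversity. The function names and the rating thresholds are assumptions for illustration.

```ruby
# Added example, not MangoApps' own generator (which runs in the browser on
# crypto.getRandomValues()): the same design server-side with Ruby's CSPRNG.
# Function names and strength thresholds are assumptions for illustration.
require "securerandom"

UPPER   = ("A".."Z").to_a.freeze
LOWER   = ("a".."z").to_a.freeze
DIGITS  = ("0".."9").to_a.freeze
SPECIAL = '!@#$%^&*()_+-=[]{}|;:,.<>?'.chars.freeze   # the set the page lists
ALL     = (UPPER + LOWER + DIGITS + SPECIAL).freeze   # 88 symbols

# SecureRandom.random_number(n) rejects out-of-range draws, so indexing with it
# is uniform; `random_byte % set.size` would bias toward the first characters.
def pick(set)
  set[SecureRandom.random_number(set.size)]
end

# Fisher-Yates driven by the CSPRNG (Array#shuffle(random: SecureRandom) would
# also do; writing it out shows that the shuffle must not use Kernel#rand).
def secure_shuffle(chars)
  (chars.size - 1).downto(1) do |i|
    j = SecureRandom.random_number(i + 1)
    chars[i], chars[j] = chars[j], chars[i]
  end
  chars
end

def generate_password(length = 16)
  raise ArgumentError, "length must be at least 4" if length < 4
  # One character from each class first, so "no digit" can never happen by chance.
  chars = [pick(UPPER), pick(LOWER), pick(DIGITS), pick(SPECIAL)]
  chars << pick(ALL) while chars.size < length
  secure_shuffle(chars).join
end

# Weak / Fair / Good / Strong from class diversity and length.
def password_strength(password)
  classes = [UPPER, LOWER, DIGITS, SPECIAL].count do |set|
    password.each_char.any? { |c| set.include?(c) }
  end
  score = classes
  score += 1 if password.length >= 12
  score += 1 if password.length >= 16
  case score
  when 0..2 then "Weak"
  when 3..4 then "Fair"
  when 5    then "Good"
  else           "Strong"
  end
end

puts generate_password if $PROGRAM_NAME == __FILE__
```

The shuffle matters as much as the draw: without it the first four positions would always be upper, lower, digit, special in that order, which leaks structure to anyone who knows the generator.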
Managing Personal Passwords
- Favorites: Star entries for quick access from the Favorites view
- Search: Find passwords by title or username with text search
- Copy: One-click copy to clipboard (logged in the audit trail)
- Archive / Restore: Soft-delete entries without permanent removal
- Tags: Add custom tags for additional organization
Team Passwords (Shared)
Shared passwords let teams securely distribute credentials like Wi-Fi passwords, vendor portal logins, API keys, and shared service accounts.
Access Levels
| Access Level | Who Can View | Use Case |
|---|---|---|
| Public | All users with Password Manager access | Office Wi-Fi, guest network passwords |
| Restricted | Only members of selected groups + admins | API keys, production credentials, vendor portals |
Creating a Shared Password
- Click New Password and select Team Password for visibility
- Choose an Access Level:
  - Public: visible to everyone with the app
  - Restricted: visible only to members of selected groups
- For restricted passwords, select one or more Allowed Groups from the organization's notification recipient groups
- Fill in credentials and click Create Password
Who Can Create Shared Passwords
Admins control which groups are authorized to create team passwords through the Settings > Permissions panel. By default, only managers and admins can create shared entries. This is configurable per group through the `who_can_create_shared_group_ids` setting.
Explicit Access Grants
Beyond group-based access, the system supports explicit per-user and per-group access grants through `PmEntryAccess` records:
- View access: can see the password entry and copy the credential
- Edit access: can modify the entry (implies view access)
- Each grant tracks who granted access and can have an optional expiration date
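The access rules above (personal entries, public and restricted shared entries, group membership, explicit grants with expiry, admin override, and tenant scoping), plus the Require 2FA to View gate described under Security Architecture, written out as an added plain-Ruby example. This is not the product's code: `User`, `Entry`, `Grant` and their fields are stand-ins for the real models such as `PmEntryAccess`, and the page does not say whether the creator of a shared entry keeps edit rights, so the example deliberately does not assume it.

```ruby
# Added example, not the product's code: the access rules from this page as
# plain Ruby. User, Entry, Grant and their fields are assumptions standing in
# for the real models (e.g. PmEntryAccess).
require "date"

User  = Struct.new(:id, :business_id, :role, :group_ids, :two_factor_enabled, keyword_init: true)
Grant = Struct.new(:user_id, :group_id, :access, :expires_at, keyword_init: true) # access: :view or :edit
Entry = Struct.new(:id, :business_id, :owner_id, :visibility, :access_level,
                   :allowed_group_ids, :grants, keyword_init: true)

ADMIN_ROLES = %i[super_admin admin].freeze

def admin?(user)
  ADMIN_ROLES.include?(user.role)
end

# Explicit grants that apply to this user (by user id or group) and have not expired.
def live_grants(entry, user, today: Date.today)
  entry.grants.select do |g|
    (g.expires_at.nil? || g.expires_at >= today) &&
      (g.user_id == user.id || user.group_ids.include?(g.group_id))
  end
end

def can_view?(entry, user, today: Date.today)
  return false unless entry.business_id == user.business_id   # tenant isolation comes first
  case entry.visibility
  when :personal
    entry.owner_id == user.id                                  # owner only; admins get no exception
  when :shared
    return true if admin?(user)                                # admins always see shared entries
    return true if entry.access_level == :public
    (entry.allowed_group_ids & user.group_ids).any? || live_grants(entry, user, today: today).any?
  else
    false
  end
end

# Edit needs view plus either ownership of a personal entry, admin rights, or an
# explicit :edit grant. (The page does not say whether a shared entry's creator
# keeps edit rights, so that is deliberately not assumed here.)
def can_edit?(entry, user, today: Date.today)
  return false unless can_view?(entry, user, today: today)
  return true if entry.visibility == :personal
  return true if admin?(user)
  live_grants(entry, user, today: today).any? { |g| g.access == :edit }
end

# "Require 2FA to View" sits on top of entitlement: being allowed to see the
# entry does not release the secret to a user without two-factor enabled.
def reveal_secret(entry, user, require_2fa:, today: Date.today)
  return [:denied, "not authorized"] unless can_view?(entry, user, today: today)
  if require_2fa && !user.two_factor_enabled
    return [:denied, "enable two-factor authentication to view passwords"]
  end
  [:ok, entry.id]
end
```

Two points worth checking in any real implementation: the tenant check runs before any role logic, so a super admin of another business is treated like any stranger, and an expired grant is simply ignored rather than raising, so a user whose grant lapsed falls back to whatever group membership gives them.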
Categories
Categories organize passwords into logical groups with color-coded badges and icons throughout the interface.
Default System Categories
| Category | Color | Description |
|---|---|---|
| Wi-Fi Networks | Blue | Office and guest Wi-Fi passwords |
| Software Licenses | Purple | Software and SaaS account credentials |
| Team Accounts | Green | Shared team email and service accounts |
| API Keys | Amber | API keys and developer tokens |
| Vendor Portals | Indigo | Vendor and supplier portal logins |
| Social Media | Pink | Company social media accounts |
| Banking & Finance | Teal | Financial and banking credentials |
| Personal | Gray | Personal passwords (default category) |
Custom Categories (Admin)
Admins can create additional categories from the Categories tab:
- Set a custom name, icon (FontAwesome), color, and description
- Categories are ordered by `sort_order` and then alphabetically
- System categories cannot be deleted; custom categories can only be deleted when they have no entries
Search & Discovery
Text Search
Search passwords by title or username using the search bar available on the dashboard and dedicated Search tab. Results are filtered to only include passwords the current user is authorized to access.
Semantic Vector Search
Password Manager includes AI-powered semantic search using pgvector embeddings:
- Entries are automatically embedded when created or when the title changes
- Search queries like "wireless credentials" can match entries titled "Guest WiFi"
- Smart Search is a hybrid: it tries vector search first and falls back to text matching when the vector search returns nothing
- Embeddings are generated via the `UnifiedEmbeddingService`
Because re-embedding is triggered by title changes, it is the title that is vectorized; the encrypted password field is not part of the search index, and results are still filtered by the same access rules as text search.
Filtering
The entry list supports combined filters:
- Category dropdown: filter by any active category
- Text search: substring matching on title and username
- Favorites only: toggle to show only starred entries
- Filters can be combined and cleared with a single click
Audit Trail & Compliance
Every interaction with a password entry is recorded in an immutable audit log.
Tracked Actions
| Action | Description | Logged Data |
|---|---|---|
| `viewed` | User opened the password detail page | User, timestamp, IP, user agent |
| `copied` | User copied the password to clipboard | User, timestamp, IP, user agent |
| `created` | New password entry was created | Title, visibility |
| `updated` | Entry fields were modified | List of changed fields |
| `deleted` | Entry was permanently deleted | Title |
| `archived` | Entry was soft-archived | User who archived |
| `restored` | Archived entry was restored | User who restored |
| `expired` | Entry auto-expired past its date | Expiration timestamp |
| `access_granted` | Access was granted to a user or group | Target name, access type |
| `access_revoked` | Access was removed from a user or group | Target name, access type |
Audit History View
Each password entry has a dedicated Access History panel showing recent events and a Full Audit History page with paginated records. Each audit record displays:
- Action icon and color badge
- User who performed the action
- Relative timestamp ("3 hours ago")
Access Statistics
The entry detail page shows aggregate access stats:
- Total Views: how many times the entry was viewed
- Total Copies: how many times the password was copied
- Unique Users: distinct users who accessed the entry
- Last Accessed: timestamp of the most recent access
Audit Reports (Admin)
Admins can generate audit reports filtered by:
- Specific password entry
- Specific user
- Date range
Audit records are kept for a configurable retention period (default: 365 days, minimum: 30 days); records older than the retention period are no longer retained and so no longer appear in reports.
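An added plain-Ruby example, not the product's code, of the three pieces this section describes: an append-only log that accepts only the action vocabulary from the table above (and refuses a `viewed` or `copied` event that lacks IP and user agent), the Total Views / Total Copies / Unique Users / Last Accessed statistics from the detail page, and a retention purge that clamps any setting below 30 days up to the floor. Class and method names, and the sample events in the test, are constructed for illustration.

```ruby
# Added example, not the product's code: an append-only audit log with the
# action vocabulary from the table above, the per-entry statistics shown on the
# detail page, and a retention purge with the 30-day floor. Names are assumed.
AUDIT_ACTIONS = %i[viewed copied created updated deleted archived restored
                   expired access_granted access_revoked].freeze
ACCESS_EVENTS = %i[viewed copied].freeze          # the two that carry IP + user agent
MIN_RETENTION_DAYS = 30

AuditEvent = Struct.new(:entry_id, :action, :user_id, :at, :ip, :user_agent, :details,
                        keyword_init: true)

class AuditLog
  def initialize
    @events = []
  end

  # Records are appended and frozen; nothing in this class edits one afterwards.
  def record(entry_id:, action:, user_id:, at: Time.now.utc, ip: nil, user_agent: nil, details: {})
    raise ArgumentError, "unknown audit action #{action}" unless AUDIT_ACTIONS.include?(action)
    if ACCESS_EVENTS.include?(action) && (ip.nil? || user_agent.nil?)
      raise ArgumentError, "#{action} events must carry ip and user agent"
    end
    @events << AuditEvent.new(entry_id: entry_id, action: action, user_id: user_id, at: at,
                              ip: ip, user_agent: user_agent, details: details).freeze
    self
  end

  # Filtered report: by entry, optionally narrowed to a user and/or a date range.
  def events_for(entry_id:, user_id: nil, from: nil, to: nil)
    @events.select do |e|
      e.entry_id == entry_id &&
        (user_id.nil? || e.user_id == user_id) &&
        (from.nil? || e.at >= from) &&
        (to.nil? || e.at <= to)
    end
  end

  # Total Views / Total Copies / Unique Users / Last Accessed, as on the detail page.
  def stats(entry_id)
    access = @events.select { |e| e.entry_id == entry_id && ACCESS_EVENTS.include?(e.action) }
    {
      total_views:   access.count { |e| e.action == :viewed },
      total_copies:  access.count { |e| e.action == :copied },
      unique_users:  access.map(&:user_id).uniq.size,
      last_accessed: access.map(&:at).max
    }
  end

  # Drops whole records older than the retention window; a setting below the
  # floor is clamped up to MIN_RETENTION_DAYS rather than honoured.
  def purge_older_than(days, now: Time.now.utc)
    cutoff = now - [days, MIN_RETENTION_DAYS].max * 86_400
    @events.reject! { |e| e.at < cutoff }
    @events.size
  end

  def size
    @events.size
  end
end
```

The statistics are derived from the same records a report would show, so the two can never disagree; that is the property to preserve if the real implementation caches counters on the entry row.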
Analytics Dashboard (Admin)
The Analytics page provides organization-wide password usage insights:
Key Metrics
- Total Entries: count of all password entries across the organization, with the active count
- Personal vs. Team: breakdown of personal and shared password entries
- Monthly Accesses: total view and copy events in the last 30 days
- Expiring Soon: count of passwords expiring within the next 30 days
Most Accessed Team Passwords
A ranked table showing the most frequently accessed shared passwords with:
- Password title and category badge
- Total access count
- Last accessed timestamp
Expiration & Rotation
How Expiration Works
- Default Expiry: Admins set a default expiry period (e.g., 90 days) that pre-fills for new entries
- Custom Expiry: Users can override with any future date or leave blank for no expiration
- Expiring Soon Warning: Entries expiring within 30 days appear in:
  - The dashboard "Expiring Soon" card
  - The dedicated "Expiring" view in the sidebar
  - Warning badges on list and detail views
- Auto-Expire: When the expiration date passes, the entry status changes to `expired`
Expiration States
```text
PASSWORD EXPIRATION STATES

  ACTIVE --(30 days before expiry)--> EXPIRING SOON --(past due)--> EXPIRED
    ^                                                                  |
    |                         rotate password                          |
    +------------------------------------------------------------------+
```
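The state computation behind the diagram, as an added Ruby example rather than the product's own code: a blank date means the entry never expires, a date within 30 days puts it in the Expiring Soon card (nearest first), a date that has passed marks it expired, the admin's Default Password Expiry of 0 pre-fills no date, and rotating the secret returns the entry to active with a fresh clock. The page only says "when the expiration date passes", so treating the expiry day itself as expiring-soon and the day after as expired is an assumption; the function names and the sample entries are constructed for illustration.

```ruby
# Added example, not the product's code: the state computation behind the
# diagram. The boundary choices (the expiry day itself counts as "expiring
# soon", the day after as "expired") are assumptions; the page only says
# "when the expiration date passes".
require "date"

EXPIRING_SOON_WINDOW_DAYS = 30

def days_until_expiry(expires_on, today: Date.today)
  expires_on.nil? ? nil : (expires_on - today).to_i
end

def expiration_state(expires_on, today: Date.today)
  days = days_until_expiry(expires_on, today: today)
  return :active if days.nil?                      # blank date: never expires
  return :expired if days.negative?                # past due: rotate
  return :expiring_soon if days <= EXPIRING_SOON_WINDOW_DAYS
  :active
end

# Pre-fill for a new entry from the admin's Default Password Expiry; 0 = never.
def default_expires_on(default_expiry_days, today: Date.today)
  return nil if default_expiry_days.nil? || default_expiry_days <= 0
  today + default_expiry_days
end

# Dashboard "Expiring Soon" card: entries inside the window, nearest first.
# Entries are plain hashes here (title:, expires_on:, ...) for illustration.
def expiring_soon(entries, today: Date.today)
  entries.select { |e| expiration_state(e[:expires_on], today: today) == :expiring_soon }
         .sort_by { |e| days_until_expiry(e[:expires_on], today: today) }
end

# Rotation: a new secret returns the entry to :active and restarts the clock.
def rotate(entry, new_password, default_expiry_days, today: Date.today)
  entry.merge(password: new_password,
              expires_on: default_expires_on(default_expiry_days, today: today),
              status: :active)
end
```

Note that an expired entry is still readable, matching the FAQ: expiry changes the badge and the reminder, not the entitlement.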
Password Agent (AI Integration)
The Password Agent connects Password Manager to the Ask AI module, enabling natural language credential management.
Capabilities
When enabled by an admin, the Password Agent can:
- Retrieve passwords by service name (e.g., "password for Slack")
- List passwords (e.g., "list my passwords", "show team passwords")
- Create passwords via conversational prompts
- Update and delete passwords via natural language commands
Security Guarantees
- All AI-initiated access follows the same access control rules as the web interface
- Every AI retrieval is logged in the audit trail
- Users can only access passwords they are authorized to view
- The agent can be enabled or disabled globally from Settings
Enabling the Agent
- Navigate to Settings in the Password Manager sidebar
- Toggle the Password Agent switch at the top of the page
- Click Save Settings
Settings & Configuration (Admin)
Admins configure Password Manager from the Settings tab. All settings are stored as flat key-value pairs in the business marketplace app configuration.
General Settings
| Setting | Description | Default |
|---|---|---|
| Allow My Passwords | Employees can store personal passwords | Enabled |
| Allow Team Passwords | Teams can share passwords with access control | Enabled |
| Show Password Strength | Display strength indicator on create/edit | Enabled |
| Mask Usernames | Hide usernames in list view by default | Disabled |
Security Settings
| Setting | Description | Default |
|---|---|---|
| Default Password Expiry | Days before new passwords expire (0 = never) | 90 days |
| Require 2FA to View | Only users with 2FA enabled can view passwords | Disabled |
| Audit Log Retention | How long audit records are kept (min: 30 days) | 365 days |
Permissions
| Setting | Description | Default |
|---|---|---|
| Who Can Create Team Passwords | Groups authorized to create shared entries | Managers, Admins |
| Max Personal Entries Per User | Limit on personal password count (0 = unlimited) | 100 |
Sample Data
Admins can load sample password entries for testing by clicking Load Sample Passwords in Settings. This creates example entries across categories (Slack, GitHub, Office WiFi, etc.) without affecting existing data.
Navigation & Sidebar
The Password Manager sidebar provides role-aware navigation:
All Users
| Tab | Description |
|---|---|
| Dashboard | Overview with stats, recent entries, expiring alerts, and quick search |
| All Passwords | Combined view of personal and accessible shared entries |
| My Passwords | Personal vault β only entries you own |
| Team Passwords | Shared entries you have access to |
| Search | Dedicated search page with results table |
Admin-Only Tabs
| Tab | Description |
|---|---|
| Categories | Manage password categories (create, edit, delete) |
| Analytics | Organization-wide usage statistics and top accessed entries |
| Settings | Configure security, permissions, limits, and AI agent |
Security Architecture
Encryption
- Passwords: Encrypted at rest using `encrypts :password_encrypted` (Rails ActiveRecord Encryption, non-deterministic)
- Notes: Encrypted at rest using `encrypts :notes_encrypted` (Rails ActiveRecord Encryption, non-deterministic)
- Transport: All data transmitted over HTTPS
Non-deterministic encryption means the same secret stored twice yields different ciphertext, so the encrypted columns cannot be matched by equality; search therefore runs over title and username, never over the secret itself.
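What "non-deterministic" buys, shown as an added plain-Ruby example rather than the product's or Rails' own code: AES-256-GCM with a fresh random IV on every call (Rails ActiveRecord Encryption also uses AES-256-GCM, though its stored envelope format differs from the JSON used here). Identical plaintexts produce different ciphertexts, and because GCM is authenticated, a ciphertext edited in the database fails to decrypt instead of yielding a corrupted password. `KEY` is a throwaway generated at load time; in Rails the key comes from credentials, not from the database.

```ruby
# Added example, not the product's code: AES-256-GCM with a fresh random IV per
# call, which is what "non-deterministic" means for Rails ActiveRecord Encryption
# (Rails also uses AES-256-GCM; its on-disk envelope format differs from the
# JSON used here). KEY is a throwaway; in Rails the key comes from credentials.
require "openssl"
require "securerandom"
require "json"

KEY = SecureRandom.random_bytes(32)   # 256-bit throwaway key for the example

def encrypt_field(plaintext, key = KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv                       # 12 random bytes; never reused with this key
  ciphertext = (plaintext.empty? ? "" : cipher.update(plaintext)) + cipher.final
  # IV and authentication tag travel with the ciphertext; none of them is secret.
  JSON.generate("p"   => [ciphertext].pack("m0"),
                "iv"  => [iv].pack("m0"),
                "tag" => [cipher.auth_tag].pack("m0"))
end

def decrypt_field(envelope, key = KEY)
  h = JSON.parse(envelope)
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = key
  decipher.iv = h["iv"].unpack1("m0")
  decipher.auth_tag = h["tag"].unpack1("m0")  # must be set before update/final
  ciphertext = h["p"].unpack1("m0")
  plain = (ciphertext.empty? ? "" : decipher.update(ciphertext)) + decipher.final
  plain.force_encoding(Encoding::UTF_8)       # final raises CipherError if the tag fails
end

# True only if the envelope decrypts and its tag verifies under this key.
def decrypts_cleanly?(envelope, key = KEY)
  decrypt_field(envelope, key)
  true
rescue OpenSSL::Cipher::CipherError
  false
end
```

The test flips one ciphertext byte and tries a second key; both must be rejected by the tag check, which is the property that turns "encrypted at rest" into "encrypted and tamper-evident at rest".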
Business Isolation
- All queries scoped to `current_business`; no cross-tenant data access
- Database-level constraints enforce `business_id` on every table
- PostgreSQL CHECK constraints enforce valid enum values for `visibility`, `status`, and `access_level`
Two-Factor Authentication
When the Require 2FA to View setting is enabled:
- Users without 2FA enabled on their account are blocked from viewing password details
- Users without 2FA are blocked from copying passwords via the API
- A clear error message directs users to enable 2FA in their security settings
Database Constraints
| Constraint | Enforces |
|---|---|
| `pm_entries_visibility_check` | Visibility must be `personal` or `shared` |
| `pm_entries_status_check` | Status must be `active`, `archived`, or `expired` |
| `pm_entries_access_level_check` | Access level must be `public` or `restricted` |
| Foreign keys with `ON DELETE CASCADE` | Cleanup on business or user deletion |
Dashboard Overview
The dashboard is the default landing page and provides a consolidated view of the user's password landscape:
Stats Cards
Four summary cards at the top:
- My Passwords: count of personal entries, with a link to the full list
- Team Passwords: count of accessible shared entries, with a link to the full list
- Expiring Soon: count of entries expiring within 30 days, with a warning indicator
- Favorites: count of starred entries, with a link to the favorites view
Recently Accessed
A table of the 5 most recently accessed entries showing:
- Title (with favorite star indicator)
- Username
- Category badge
- Type (My / Team)
- Last accessed timestamp
- One-click copy button
Expiring Soon Alert
When entries are nearing expiration, a warning card appears below the recent entries table showing each expiring entry with its category and countdown.
Frequently Asked Questions
Q: Can I see other employees' personal passwords?
No. Personal passwords are visible only to the owner. Not even admins can view personal password entries belonging to other users.
Q: Who can see shared passwords?
It depends on the access level. Public shared passwords are visible to all users with Password Manager access. Restricted shared passwords are only visible to members of the allowed groups, users with explicit access grants, and admins.
Q: Are passwords stored in plaintext?
No. Both password and notes fields are encrypted at rest using Rails ActiveRecord Encryption with non-deterministic mode, meaning even identical passwords produce different ciphertext.
Q: What happens when a password expires?
The entry status changes to "expired" and it displays a red "Expired" badge. The password remains accessible but serves as a reminder to rotate the credential and update the entry.
Q: Can I recover a deleted password?
Archived passwords can be restored. Permanently deleted passwords cannot be recovered, but the audit trail retains a record of the deletion including the entry title.
Q: How does the Password Agent work?
When enabled, the Password Agent integrates with Ask AI to allow natural language commands like "password for Slack" or "list my passwords". All access through the agent follows the same permission rules and is logged in the audit trail.
Q: Is there a limit to how many passwords I can store?
Admins can set a maximum number of personal entries per user (default: 100, 0 = unlimited). There is no separate limit on shared passwords.