Is it possible to restrict the access to the trash for a shared Vault?

Hello there,

We have a vault shared throughout our organisation which contains sensitive items.
Those items get duplicated when exported/migrated into a more secure vault (i.e. just for administrators). One version is in the new vault, another is in the trash of the old one.

I'm not sure if this behaviour is normal but if it is, an easy solution for us would be to remove the access to the trash for the members.

Members already do not have permissions to empty the trash nor to move items into it (admin restricted).

Could this be done? What other solution could you suggest?

PS: Emptying the trash is not really an option.

Thanks,

Kevin


1Password Version: 7.1.2
Extension Version: Not Provided
OS Version: OS X 10.13.6
Sync Type: Cloud
Referrer: forum-search:access trash

Comments

  • khad
    khad
    1Password Alumni

    Hi @kevindelord,

    I wonder if it would help if I understood your workflow a little bit better. For example:

    • Is there a reason you don’t put the items in the vault that only administrators have access to from the start?
    • Is there a reason you can’t empty the Trash?

    Apart from that, I’m concerned that removing access to the items in the Trash may give a false sense of security. If someone ever had access to an item, they could have written down the password on a piece of paper. If you don’t change the password when you move the item to a vault that they can’t access, they will still have access to that password – even if they can’t access it in the Trash. But if you do change the password after you move the item to the more restricted vault, then it won’t matter what’s in the Trash of the old vault.

    So the best practice would be to never give them access to the item(s) in the first place, or to change the passwords after you move the items.

  • kevindelord
    kevindelord
    Community Member

    Hello @khad,

    Giving access to wrong credentials was obviously a mistake.
    This is not our workflow to first give everything to everyone and then revoke access.

    Someone in our team moved an item to the wrong vault and than moved it back to the previous/another more secure vault.
    The problem now is that this item is in the trash of the wrong vault, even if it was there just for few minutes.

    So your solution would be to update the password within the new vault?

    Emptying the trash is not option (in case of unforeseen issues or mistakes).

  • khad
    khad
    1Password Alumni

    @kevindelord,

    Yeah, changing the password after access has been revoked is the only way to guarantee they no longer have access. (This is true regardless of whether the item is in the Trash or not.)

  • kevindelord
    kevindelord
    Community Member
    edited January 2019

    @khad,

    Not the solution I was looking for but will do I guess...

    Thanks

  • Ben
    Ben
    edited February 2019

    Understood. It is important to us to not build features that have a high chance of misleading people about the security of their data.

    Ben

    ref: apple-3016

This discussion has been closed.