Can I operate the user's private vault with the CLI?
I am an administrator.
I want to create a user using the CLI and register a password in the user's private vault.
Can I operate the user's private vault with the CLI?
I want to know how.
Is there a way to get the user's private vault's uuid using the CLI?
Comments
-
@choi_mixi - an Administrator of a 1Password account has fairly broad permissions, but one permission they don't have is the ability to see/manage the contents of any other user's Private vault. Those are private by design and by default, and cannot be changed. Instructions for suspending or removing a user can be found here for the web-based Admin console, and here for the CLI.
0 -
@Lars - Thank you for your reply.
I know your explanation.
However, the first time a user is created using the CLI, the admin can have the ability to see/manage the contents of the user's private vault (only before the user confirms). Maybe this is the correct design for 1Password.
0 -
However, the first time a user is created using the CLI, the admin can have the ability to see/manage the contents of the user's private vault (only before the user confirms).
I am not sure I understood. Can you please give us the steps you are following so we can test this here too?
0 -
1. Create user command (by Admin)
$ op create user xxxx@xxx.com first_name last_name
2. After the 1st step, 1Password's invite mail is sent to user xxxx@xxx.com
At this time, the user has not clicked the [Join your team] button
3-1. Admin can see the user's private vault in the Web Application.
3-2. Admin can see the user's private vault uuid using the CLI command
$ op list vaults
… {"uuid":xxxxxxxxxxx,"name":"first_name last_name's Private Vault"}]
0 -
@choi_mixi - that's exactly right; this is the correct design for 1Password.
You are only able to view and access a user's vault prior to the user accepting their invitation (and you confirming them). This condition exists so managers/IT staff can pre-populate a user's vault (say, a new employee) with credentials they'll need (access to company email, other resources, etc). You can use
op list vaults
(or just use the 1Password web app, frankly), find the vault in question, and then create as many items as you like within that vault. It's provisioning. But, as soon as the user accepts the invitation and you confirm them, you lose the ability to see/manage their private vault.
0 -
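An added example, not code from 1Password or from anyone in this thread: a Python helper that picks the private vault's uuid out of `op list vaults` output and refuses to guess when the name is missing or ambiguous, so pre-populated credentials cannot land in the wrong vault. It assumes the JSON array shape and the "first_name last_name's Private Vault" naming shown in the post above; the function name and sample data are constructed.

```python
import json
import subprocess
import sys


def private_vault_uuid(vaults_json: str, first_name: str, last_name: str) -> str:
    """Return the uuid of the single vault named "<first> <last>'s Private Vault"."""
    wanted = f"{first_name} {last_name}'s Private Vault"
    vaults = json.loads(vaults_json)
    # Normalise a typographic apostrophe so the comparison is on the name itself.
    matches = [v["uuid"] for v in vaults
               if v.get("name", "").replace("\u2019", "'") == wanted]
    if not matches:
        # Per the thread, the vault is only visible to the admin before the
        # user accepts the invitation and is confirmed.
        raise LookupError(f"no vault named {wanted!r} is visible to this account")
    if len(matches) > 1:
        # Two invited users can share a display name; never pick one silently.
        raise LookupError(f"{len(matches)} vaults named {wanted!r}; choose the uuid by hand")
    return matches[0]


# Constructed sample in the shape quoted in the post (uuids are placeholders).
SAMPLE = json.dumps([
    {"uuid": "constructed-uuid-0001", "name": "Shared"},
    {"uuid": "constructed-uuid-0002", "name": "Alice Example's Private Vault"},
    {"uuid": "constructed-uuid-0003", "name": "Bob Sample's Private Vault"},
    {"uuid": "constructed-uuid-0004", "name": "Bob Sample's Private Vault"},
])

if __name__ == "__main__":
    # Usage: python find_vault.py <first_name> <last_name>
    # Assumes an already signed-in `op` session; `op list vaults` is the
    # command used in the thread.
    out = subprocess.run(["op", "list", "vaults"], capture_output=True,
                         text=True, check=True).stdout
    print(private_vault_uuid(out, sys.argv[1], sys.argv[2]))
```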
@choi_mixi - ah, thanks for clarifying your question. The reasoning has to do with different use-cases for the two ways of interacting with users' data. The CLI is used mostly by IT professionals when provisioning larger groups of users (or having to do so with smaller numbers of users on a near-constant basis, as is often the case in larger companies). If you want to be able to create users instead of inviting them, and deposit credentials into those users' vaults so they're available immediately when the user creates his/her Master Password, then the CLI is for you. If you're just managing people and prefer a more visual approach, then the 1password.com web app with its usage reports and GUI is probably better-suited.
0 -
@choi_mixi Thanks for the feedback! That's not likely something we'll be adding in the future, but I'll forward your request to the team for consideration. :)
0