Organization across many vaults.
Hello,
I work in IT for a company with hundreds of employees, and we currently have rather poor password policies. We have created a 1Password account for our IT team, and are considering expanding it to cover more of our employees. We would want each employee to have a vault for their passwords that was still accessible by IT, so that we can manage company accounts. Currently, we store employee passwords in vaults by office, with tagging to link all of an employee's items and all accounts of a certain type.
There are two problems I have with this setup.
The first is that there seems to be no ability to organize vaults, so creating hundreds of vaults that IT would all have access to would make it more difficult to find vaults, because they're all displayed when I go to select a vault.
The second is that the web portal and the Mac app each have one feature the other lacks when it comes to using tags. The web app allows me to click on a tag and be taken to a list of items that have that tag, while the Mac app just selects the tag as if it were any other text. Meanwhile, the Mac app displays tags as a nested structure, rather than listing every single subtag in the sidebar. This allows me to see just the collection of tags I'm searching through, instead of scrolling through hundreds of tags.
Are there any solutions for these issues?
Thank you.
Comments
-
Hi @sstudios
Thanks for taking the time to write in with this concern.
> We would want each employee to have a vault for their passwords that was still accessible by IT, so that we can manage company accounts.
I'd start by saying that this isn't the typical sort of setup that we see. That's not to say that it is impossible, or even inadvisable, but it isn't something we've really accounted for in the design of 1Password. Generally most organizations have their team members use their 'Private' vault to store any credentials that are unique to them, e.g. their company email account, the account they use for scheduling/time cards, etc. Then any items that others within your team need to access would be stored in various shared vaults. How the shared vaults are created / broken down varies greatly, but the most typical situation is a vault per department, perhaps with a second vault per department for the management of that department.
> Currently, we store employee passwords in vaults by office, with tagging to link all of an employee's items and all accounts of a certain type.
Just to be sure I understand... does this not mean that everyone in a given office will have access to each other's accounts?
> The first is that there seems to be no ability to organize vaults, so creating hundreds of vaults that IT would all have access to would make it more difficult to find vaults, because they're all displayed when I go to select a vault.
Yes, indeed. With the current UI having hundreds of vaults is not very scalable. You can limit the impact of this a bit through the use of the All Vaults preferences, but that won't prevent vaults from showing up in the vault listing:
Use All Vaults to see all your items at once
How would you manage the items in these vaults if the vaults were hidden entirely from the UI? Do you have any thoughts on how we might improve this for your use case?
> The second is that the web portal and the Mac app each have one feature the other lacks when it comes to using tags. The web app allows me to click on a tag and be taken to a list of items that have that tag, while the Mac app just selects the tag as if it were any other text. Meanwhile, the Mac app displays tags as a nested structure, rather than listing every single subtag in the sidebar. This allows me to see just the collection of tags I'm searching through, instead of scrolling through hundreds of tags.
I'm not sure I follow. When I click on a tag in the sidebar of 1Password for Mac I'm shown all of the items that have that tag applied:
Is that not the experience you're having? As for support of nested tags in the web UI... that is something we have an issue filed for, and we hope to address in the future.
Thanks!
Ben
ref: dev/b5/b5#7041
0 -
Hi Ben,
Thank you for your response. Our issue is that we have a number of accounts that IT needs access to for troubleshooting and updates. So, these accounts would need to be in vaults that are accessible to both the user and IT. At the moment, only IT has 1Password, and users have to remember their own passwords, but this is far from ideal. Users will use their private vault for the accounts that IT doesn't need to access, but we do require some items to be shared.
> Just to be sure I understand... does this not mean that everyone in a given office will have access to each other's accounts?
That's what I'm hoping to avoid. We want all our IT admins to have access, but each user should only see their own items.
> How would you manage the items in these vaults if the vaults were hidden entirely from the UI? Do you have any thoughts on how we might improve this for your use case?
What would be great is some form of folder structure for vaults. If these user vaults could be placed in folders by office, with the ability to display only the items in each office, that would be great. The dashboard would then only display around a dozen items, which is quite manageable.
> I'm not sure I follow. When I click on a tag in the sidebar of 1Password for Mac I'm shown all of the items that have that tag applied:
This works fine, it's that when I click on the tag where you have it highlighted on the right, in the item, it doesn't take me to the list of items with that tag, which can be nice to navigate nested tags with. The web portal does support this, and I find it useful there.
Thank you.
0 -
Thanks for the extra details @sstudios! From what you've described, letting folks use their Private vaults for items that only apply to them is likely still the best way to go here, and use custom vaults for items that need to be shared amongst several people. For items that only need to be shared with one specific person and IT, perhaps letting the person store that in their Private vault, and having them work with IT whenever IT needs access might be the best compromise. Doing things this way will also reduce the chance of your members exposing items to an unintended audience. You would want to ensure you have handling of Private vaults added to your employee off-boarding process, to ensure continuity when folks leave your organisation.
> What would be great is some form of folder structure for vaults. If these user vaults could be placed in folders by office, with the ability to display only the items in each office, that would be great. The dashboard would then only display around a dozen items, which is quite manageable.
I'll pass your feedback about this on to our engineering team for their future consideration.
> This works fine, it's that when I click on the tag where you have it highlighted on the right, in the item, it doesn't take me to the list of items with that tag, which can be nice to navigate nested tags with. The web portal does support this, and I find it useful there.
Ah, perhaps you're misinterpreting Ben's screenshot; in the screenshot, Ben has clicked the highlighted tag on the left of the screenshot; the middle column of the app has updated to list only those items that include the selected tag (in this case, there are 5 items with that tag included).
Cheers,
John
0