Hi Team,
I have deployed for demo / training purposes. Thank you for the 14-day trial! Works fine. I can delete, create, suspend, rename groups, and it could be quite convenient to propose to potential clients for deployment.
Some questions
I reinstalled the 1-click-app through DigitalOcean, but that only includes 2.7.0 for now.
Is there any way to update only the scm-bridge svc in the cluster?
I saw that, once automated provisioning is enabled, users synced from Google Workspace will automatically have a private vault created. Can we prevent this?
There's a difficulty in implementing this from a business point of view for companies who already implemented a hybrid model without Provisioning, where the whole company had access to create Vaults. For example, Teams who already have Vaults and whose users will now be synced from Google Workspace to 1Password... we would then need to manually assign the newly created groups to those already existing Vaults. Any possible way to handle this the best way possible?
Many thanks!
Comments
rather 2.7.2*
Also: is it normal behavior that a provisioned user who got an automatic Vault can't be managed by Team Owners? I cannot edit a Private Vault's permissions.
Team Member
Hi @itadminscimdo:
Great questions. The DigitalOcean Marketplace release of 1Password SCIM Bridge sometimes takes a bit longer to be updated, and I'll check in with the team on when we're releasing the next version.
All users in a 1Password account will always have a Private vault that is exclusive to them that can't be modified or viewed by any other user, even Owners or Admins.
Groups can be added to existing vaults by editing the vault, or vaults can be added to a group if that's easier.
Jack
hey Jack,
Thanks a lot for the explanations. How about editing permissions of a Private Vault such as: the possibility to move it, or export it? They all have full owner access rights, so my worry is that those vaults will be shared with unauthorized e-mails.
One possibility is to limit the custom domains in the permissions scheme for item sharing.
This means that all items can only be shared with the authorized domains.
What about if we want to prevent all private vault owners from sharing this vault, or from inviting people from unauthorized domains, or in general... how is it possible that I prevent export of items within their Private Vaults? If they have access to export a vault, this means that passwords can leak out in the wild in plaintext.
Team Member
Hi @itadminscimdo:
Your best bet here would be to only allow items to be shared with specific domains. It isn't possible to restrict users from using the Private vault. If you'd like to dig deeper into this, contacting us at [email protected] would likely be best.
Jack
@Jack.P_1P, thanks a lot for your valuable input!
Team Member
You're very welcome! Feel free to get in touch if there's anything else we can help you with!
Jack