Best practice for user who needs limited access to a vault

We are on 1Password Teams.

We generally have vaults organized by functional area: operations, marketing, HR, etc.

We do employ some contractors who need limited access to some of the credentials. For example, a marketing contractor might need access only to passwords 1, 4, and 10 out of the 30 passwords that are stored in the marketing vault. Another contractor might need access to passwords 1, 7, 8, and 10 out of the 30 passwords in that vault.

What's the best practice here?

Ideally I would create a vault just for that contractor ... but then I only have the choice to copy a credential into the vault. This runs the risk that the credentials between the vaults get out of sync.

Alternatively, ideally, I could select individual credentials to grant access to users in a vault. Perhaps for guest users. But this does not appear to be a feature.

Alternatively, I give the contractor access to the entire vault but then they have way more access than they should.

What are other people doing? What is the best practice here?

Thank you


Comments

  • @richardsgf

    You could create a vault specific to the need and place the credential(s) there. Invite the user as a guest. As a guest they get access to a single vault.

    Correct, in the above situation you would either copy or move the item(s) into the vault. Copy would be a duplicate that may get out of sync just as you mentioned. You could help to alleviate this by removing the user when the project is finished and then deleting the items.

    In this specific situation the copy option may be best as it leaves the originals in the team vault. The contractor would likely not be changing credentials in this situation. So there would be little or no possibility of a problem in duplicating the login.

    Ideally, to further control access, individual credentials would be used by the contractor. Then you can invalidate those credentials when the contractor leaves. That may or may not be possible given how some site logins/access work(s).