Feature request: State your business
Hi!
For starters: I'm a big fan of 1Password and the way I can integrate it using secrets automation. For example: I don't ever actually have to lay eyes on some secrets because they are generated, stored and passed to my infrastructure automatically.
However, there's always the need for a "break glass" protocol. For that, it would be great if 1Password would offer a "state your business" feature. This would require anyone that wishes to read a certain password/secret to state why they need it. This then should be logged as part of the Activity Log. Same could go for giving access (or requesting access?) to a certain vault.
Right now I've got to write down these reasons somewhere separate for auditing purposes. This makes the auditing process more complicated and leaves room for errors.
Any thoughts?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @timzwanenberg! 👋
Thanks for the feedback! I'd love to learn more about your need for such a feature. Right now, when you grant someone access to a vault you're able to control whether they can view, export, or copy passwords in that vault using controls included with 1Password Business:
Would you mind sharing an example of a scenario where you'd feel that this sort of feature would be useful to you and your organization? I can forward your use case and feedback to the team.
-Dave
Hi @Dave_1P,
Thanks for your response.
This would be useful in situations where an employee shouldn't have access to certain passwords/secrets by default, but only in case of an emergency. For example: An employee should never have access to one of our clients' production databases. But in case of an incident where the integrity of data might be affected, sometimes it's necessary in order to investigate the incident. If this happens, the reason for the employee getting temporary access should be logged for auditing purposes. If this could be part of the Activity Log, I would have all relevant audit data in one place instead of scattered over 1Password and a manual log someplace else. Also, during an incident it's easy to forget to update the manual log.
And if you take things one step further: A next step would be to make a break-glass protocol where certain user groups don't have access to vaults/items by default, except when triggering the break-glass protocol. When there's no 1Password administrator available to temporarily assign a vault's viewing permissions to a certain employee, the employee could temporarily assign it themselves by "stating their business". At a later time the stated reason can then be reviewed by an authorised employee and if it turns out the protocol was misused, actions can be taken. The break-glass protocol could be a separate vault permission just like 'view', 'create', 'manage', etc.
So I understand these are actually two feature requests. The first making auditing easier and more foolproof. The second making a break-glass protocol possible, improving the continuity of our business during incidents. Searching the community I see the break-glass protocol has been requested before. But the first one is new I think.
Feel free to challenge the need for these features. Maybe there are better ways.
Let me know!
Best regards,
Tim
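The two requests in the post above (a mandatory stated reason on every sensitive read, and a self-granted, time-boxed break-glass permission whose reason is queued for later review) are simple enough to model. The following is an added example written for this thread, not 1Password's own code or a description of any shipped 1Password feature; the permission names `view` and `break_glass`, the `MIN_REASON_LENGTH` threshold, the one-hour default TTL and the vault and user names in `demo()` are all constructed for illustration.

```python
"""Break-glass access with a mandatory stated reason and one unified audit log.

Added example (not 1Password's feature or code). Default-deny broker: a user
either holds a standing 'view' grant, or a 'break_glass' grant that can be
exercised only by stating a reason, is time-boxed, and is flagged for review.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_REASON_LENGTH = 10   # assumption for this example: a bare "needed it" is not auditable


@dataclass
class AuditEntry:
    """One line of the activity log: who, which vault, what, why, and review state."""
    seq: int
    when: datetime
    actor: str
    vault: str
    action: str                       # "view", "break_glass", "denied" or "review"
    reason: str
    expires: Optional[datetime] = None
    needs_review: bool = False
    reviewed_by: Optional[str] = None
    outcome: Optional[str] = None     # "ok" or "misuse", set by the reviewer


class AccessBroker:
    def __init__(self, grants: dict, ttl: timedelta = timedelta(hours=1)):
        self.grants = grants          # (user, vault) -> set of permission names
        self.ttl = ttl
        self.log: list[AuditEntry] = []

    def _has(self, user: str, vault: str, perm: str) -> bool:
        return perm in self.grants.get((user, vault), set())

    def _record(self, now: datetime, **fields) -> AuditEntry:
        entry = AuditEntry(seq=len(self.log) + 1, when=now, **fields)
        self.log.append(entry)
        return entry

    def request_access(self, user: str, vault: str, reason: str,
                       now: Optional[datetime] = None) -> AuditEntry:
        """Decide a request and log the decision together with its stated reason."""
        now = now or datetime.now(timezone.utc)
        reason = reason.strip()
        # Request 1: even standing access records *why*, so the log is the single audit source.
        if self._has(user, vault, "view"):
            return self._record(now, actor=user, vault=vault, action="view", reason=reason)
        # Request 2: break-glass is self-granted, time-boxed, and queued for review.
        if self._has(user, vault, "break_glass"):
            if len(reason) < MIN_REASON_LENGTH:
                return self._record(now, actor=user, vault=vault, action="denied",
                                    reason=f"break-glass refused: reason too short ({reason!r})")
            return self._record(now, actor=user, vault=vault, action="break_glass",
                                reason=reason, expires=now + self.ttl, needs_review=True)
        return self._record(now, actor=user, vault=vault, action="denied",
                            reason=f"no permission ({reason!r})")

    def access_is_live(self, entry: AuditEntry, now: Optional[datetime] = None) -> bool:
        """'view' grants stand; a break-glass grant is valid only until it expires."""
        now = now or datetime.now(timezone.utc)
        if entry.action == "view":
            return True
        return entry.action == "break_glass" and now < entry.expires

    def pending_reviews(self) -> list[AuditEntry]:
        return [e for e in self.log if e.needs_review and e.reviewed_by is None]

    def review(self, seq: int, reviewer: str, outcome: str,
               now: Optional[datetime] = None) -> AuditEntry:
        """An authorised reviewer closes a break-glass entry; the review is itself logged."""
        if outcome not in ("ok", "misuse"):
            raise ValueError("outcome must be 'ok' or 'misuse'")
        entry = next(e for e in self.log if e.seq == seq)
        if not entry.needs_review:
            raise ValueError(f"entry {seq} is not a break-glass access")
        entry.reviewed_by, entry.outcome = reviewer, outcome
        return self._record(now or datetime.now(timezone.utc), actor=reviewer,
                            vault=entry.vault, action="review", reason=f"entry {seq}: {outcome}")


def demo() -> AccessBroker:
    """Constructed scenario from the thread: an on-call engineer with no standing
    access to a client's production database vault opens it during an incident."""
    grants = {
        ("dba", "client-prod-db"): {"view"},
        ("oncall-eng", "client-prod-db"): {"break_glass"},
    }
    broker = AccessBroker(grants, ttl=timedelta(hours=2))
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker.request_access("dba", "client-prod-db", "routine maintenance", now=t0)
    broker.request_access("oncall-eng", "client-prod-db", "pls", now=t0)      # refused: no real reason
    broker.request_access("intern", "client-prod-db", "curious", now=t0)      # denied: no permission
    broker.request_access("oncall-eng", "client-prod-db",
                          "INC-123: verifying row counts after suspected data tampering", now=t0)
    return broker
```

The point of the design is that the reason is not optional metadata: without it the break-glass path is refused and that refusal is logged too, so the activity log alone answers both "who read this" and "why", and `pending_reviews()` gives the authorised reviewer the queue the post asks for.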
Thank you for the thoughtful and detailed reply! I can see how a temporary access feature could be useful along with greater controls for auditing such a feature. While I can't make any promises, I've filed a feature request on your behalf.
Our product team will consider the request for the future. 🙂
-Dave
ref: PB-44367019