Shared Vaults - Revoke Sharing Privileges

kscotbarr
Community Member
edited March 2014 in Mac

I've started using shared vaults with my team, which is working great. However, I'm concerned that if a team member leaves they'll have access to all the passwords in the vault. Is there a way to revoke access once a team member leaves? Would it be a matter of creating a new vault and deleting the old shared vault? It would be nice to have a way to manage permissions on shared vaults. Looking for a good solution.

Comments

  • khad
    1Password Alumni
    edited March 2014

    From "Secrets can't be unshared" in the User Guide:

    Sharing a vault with someone is like telling them a big secret (all of the secrets in the contents of the vault): you cannot untell the secret at a later date.

    There is no mechanism within 1Password itself to revoke someone’s ability to unlock a shared vault. If you share a 1Password vault, it’s shared fully: each person with whom you share it has complete control over it. Indeed, anyone you share a vault with can change the vault’s Master Password as easily as you. As a consequence, it isn’t possible within 1Password to revoke an individual’s use of a shared vault.

    Changing the Master Password for a vault will not prevent someone from unlocking a copy of a vault that they may already have. So changing a Master Password is not a reliable way to revoke someone’s ability to unlock a vault for which they previously knew the Master Password.

    It is possible to limit someone’s access to future updates of the vault by revoking their ability to synchronize data. For example, by using Dropbox’s Kick Out feature, the owner of a Dropbox shared folder can prevent further data synchronization with someone. However, this will not prevent that person from using a copy of the 1Password data they already have.
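The behaviour quoted from the User Guide above, as an added example that is not part of the original thread and is not 1Password's code or vault format: a vault sealed under a password-derived key, where a copy taken before the Master Password change still opens with the old password and still holds the old secret. The cipher is a constructed stdlib-only stand-in, and all names, passwords and the iteration count are assumptions.

```python
import hashlib, hmac, json, os

def _keys(password, salt):
    # Password-derived keys: first half encrypts, second half authenticates.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    # Constructed stand-in cipher (HMAC-SHA256 in counter mode), stdlib only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(password, items):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _keys(password, salt)
    ct = _xor_stream(enc, nonce, json.dumps(items).encode())
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(password, vault):
    enc, mac = _keys(password, vault["salt"])
    tag = hmac.new(mac, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        raise ValueError("wrong Master Password")
    return json.loads(_xor_stream(enc, vault["nonce"], vault["ct"]))

def opens(password, vault):
    try:
        unseal(password, vault)
        return True
    except ValueError:
        return False

def offboarding():
    shared = seal("old-master", {"client-db": "pw-v1"})   # constructed sample data
    leaver_copy = dict(shared)            # copy already synced to the leaver's device
    shared = seal("new-master", unseal("old-master", shared))  # Master Password changed
    items = unseal("new-master", shared)
    items["client-db"] = "pw-v2"          # credential rotated on the client system
    shared = seal("new-master", items)    # leaver no longer receives this update
    return {
        "old_password_opens_current": opens("old-master", shared),
        "old_password_opens_copy": opens("old-master", leaver_copy),
        "secret_in_copy": unseal("old-master", leaver_copy)["client-db"],
        "secret_in_current": unseal("new-master", shared)["client-db"],
    }
```

Calling `offboarding()` shows that only the rotated credential (`pw-v2`) is out of the leaver's reach; the old one remains readable from the retained copy.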

  • kscotbarr
    Community Member

    Thanks Khad. This helps as I consider a solution.

  • On behalf of Khad, you're welcome! Please let us know if you have any other questions. We're always here to help! :)

  • chivalry71
    Community Member

    I understand it's a hard problem, but a solution to this would be really helpful. I've been using 1Password as my personal credential database for quite some time, and am beginning to work with a company who keeps credentials in various places. 1Password's shared vault feature seems like a possible solution to keeping everyone up to date with the current credentials for accessing client systems.

    An obvious and understandable concern for them is the ability to easily revoke shared vault access, and your answer to this question seems like the only possible one regardless of how you build the system, but given that when a company wants to revoke shared vault access they probably also want to change passwords across the board, perhaps a feature that allows the regeneration of passwords for selected records would be a useful feature.

  • Megan
    1Password Alumni

    Hi @chivalry71

    Thanks so much for adding your thoughts here. Multiple vaults is still a relatively new feature, in the grand scheme of things, and our developers are looking into how we can improve this feature to make it even more useful for both individuals and larger groups. Your feedback here is much appreciated! :)

This discussion has been closed.