Workflow for Teams...

SevenTwist
Community Member

I used 1Password for my personal use and love it. I want to get this for my work as we have so many passwords to remember. However, I don't think the concept of "sharing" credentials the way you all do it is a workable solution for us. But I may not understand how it works, so I don't want to say fully it won't work for us.

  1. Do I need to create separate vaults per user? What's the concept of a vault?
  2. If I share a vault, what kind of access does that give the user?
  3. Is the master password basically kept by me, and sharing the vaults only shares that info, but the users can't do anything to those vaults, or can they change info in a shared vault?
  4. Is dropbox still the best way to access vaults from different systems?
  5. We have a mixed environment of Macs and PCs; are there any issues with that?
  6. How does a shared vault work? Say I share a vault with 3 users, do they have their own master logins, or some kind of login? And do they see all the info in the shared vault, or just certain info? I think you have a private setting, right? Would that see stuff marked private?
  7. What workflow do most teams use? Do they have various vaults depending on the level of user? And if I do multiple vaults and say I have 3 or 4 levels of vaults:
    Level 1 - Base level (access to common apps)
    Level 2 - Intermediate level (access to higher level apps)
    Level 3 - High level (access to the high level apps)
    Level 4 - Admin (access to all apps)

How would that work? Would I have to share 4 vaults and from the end-user standpoint, would they need a password for each vault?

Personally, and again, I don't want to say your system won't work right... But, to me, it seems like the best way to do this is to have Users and give permissions to users to do things. Maybe I want a user to have access to copy and paste a username and password, but not actually see the password. And if I want to change that password and decommission that user's rights, then I should be able to do that. I didn't like the "it's like sharing a big secret, once shared, it's out there."

We would probably require 6+ Mac seats and 4+ PC seats, so this can get pricey, especially since you do major upgrades probably once a year or so. I would need to make sure this works flawlessly in our environment before making the decision to buy the app.

-Seven


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • littlebobbytables
    1Password Alumni

    Hi @SevenTwist,

    Personally I don't think 1Password in its current form is going to suit you. At the moment we don't have granular permissions or the concept of users. There simply exists a vault and a password to decrypt the vault's contents. Depending on how complex your groups are (e.g. department X needs access to everything in vault Y with the exception of items A, B & C for individuals J & K), the simple concept of vaults will get complicated very quickly. I'll try and answer some of your questions now.

    1. A vault is simply a way of storing multiple items which anybody can access with the password for that vault. A vault can be per user, per group, it's whoever you share the sync data and password with.
    2. The password gives the person total access. They can add, delete and modify items and, assuming you are syncing, the changes made by any single person will be synchronised to everybody else.
    3. In 1Password for Mac and iOS your primary vault is considered special compared to your secondary vaults. The idea is the password for your primary vault is your Master Password; it will unlock not just your primary vault but any secondary vaults you've also created or added to this copy of 1Password. Each vault still has its own password but we store the encryption keys (not the password) so that once your primary is unlocked the rest are accessible. For this reason we recommend you create separate secondary vaults for sharing with different passwords and keep your primary Master Password secret. As you can see from my answer to question 2, access to a secondary vault is complete access.
    4. Dropbox is currently your best option for syncing between Apple and Windows machines.
    5. 1Password for Windows is different from 1Password for Mac but it's a conceptual difference rather than a blocking issue. 1Password for Windows doesn't handle vaults in the same way; instead you can open a single vault at a time and so you must remember the passwords for all of the secondary vaults (if a person has access to multiple ones).
    6. This very much depends on how you set up 1Password for Mac. You can ensure each person has their own primary vault with their own unique Master Password and then attach one or more secondary vaults. That person could only access this arrangement of vaults on this copy of 1Password with that Master Password. In contrast, say you set up two copies of 1Password with a non-sensitive secondary vault. They would both access it with the same password. Now if you were to then add a vault with sensitive data to one copy, that vault is only accessible on that machine, but if the other person can access the machine then the password they use would gain them access to everything. I may need to rewrite that depending on how clear you find the description.
    7. It's pretty much whatever you can imagine. Some might do a vault per department, some might do levels of sensitivity as you suggest - both are a layer of meaning that we're attaching on top of the vault concept and it's all about who has the password to unlock it. As I said at the start of this response, the more complex your requirements the faster the vault concept will break down. Imagine Venn diagrams for complex organisational frameworks.

    For the Macs, if you had four levels of sensitivity then the easiest route forward is a unique primary vault for each person and then you would attach between 1-4 secondary vaults as their requirements dictated. They wouldn't need to remember the passwords for the secondary vaults on the Mac as the Master Password for their unique primary vault is sufficient. For people on Windows they would need up to four passwords as you access them one at a time.

    As you can see, this along with your permissions means it's probably likely we're not a fit right now. 1Password is aimed more at the consumer market and while it can fit certain businesses and fit well, you seem to require what I'd deem enterprise level functionality.

    Just a word of note, completely independent from everything written above. I'd be sceptical of any solution claiming they can allow a user access to but not to view a password. If the password needs to be entered into a web page then all it takes is a small amount of knowledge to retrieve it as web pages are not secure. I actually keep a small JavaScript snippet for testing purposes; it allows me to check if filling is working with passwords when users say they're having troubles with a certain site. It's that easy. No matter what solution you end up deciding on, I would strongly suggest ensuring all website passwords are renewed in the event of a user having access withdrawn.

    You may have a number of follow up questions so please do ask and we'll do our best to answer them.

  • SevenTwist
    Community Member

    Here is our team's makeup:

    6 macs, 4 PCs
    8 - 10 team members
    I could see as few as 2 security levels or as many as 4. But just for the sake of argument, let's say 3.

    All computers are common use... meaning, we have edit suites and portable computers. No computer is assigned to anyone specifically, so does that complicate things? I'm sort of confused by the Primary Vault versus the Secondary Vaults.

    But let's see if I follow or if I'm missing some logic/info:

    I have each person create their own primary vault and set passwords... I create for myself as the main ADMIN a Primary Vault and 2 Secondary Vaults.
    1. Primary Vault for ADMIN
    2. Secondary Vault 1 for Power Users
    3. Secondary Vault 2 for Limited Users

    Now do I move items (logins etc.) from the primary to the secondaries in which I wish them to reside? And once they are in the secondaries, from what you said, the people who have access will have FULL ACCESS. So say I have 40 log-ins:
    1. Primary Vault: (12 super secure logins)
    2. Secondary Vault 1 for Power Users (20 logins)
    3. Secondary Vault 2 for Limited Users (8 logins)

    So with this setup... the people who I have shared Secondary Vault 2 with, only have access to the 8 logins in that bottom vault. And I would give access to the power users to both Secondary Vault 1 and 2, so they have access to 28 of the logins. And I would have control and access to all 30 being that I have the rest.

    Is my logic on point, or is there some hiccup that I'm missing?

    Okay, last thing... (for now), how does the PC aspect of this affect things? If I'm understanding you, let's say I set up the vaults like this:
    1. Primary Vault for ADMIN - Password: "allbits"
    2. Secondary Vault 1 for Power Users - Password: "somebits"
    3. Secondary Vault 2 for Limited Users - Password: "limitedbits"

    So on the PC, to access any of these vaults, I would need to know my master password for the primary vault, as well as the two secondary vault passwords. Is that correct?

    If this is the setup, I guess it would work. Though changing passwords for sites/apps when people leave may be tough. But this may be workable.

  • littlebobbytables
    1Password Alumni

    Hi @SevenTwist,

    We'll address everything else momentarily but it sounds like it would be prudent to discuss your computer setup a little more first.

    When you say no computer is assigned to anybody specifically are we talking remote profiles using something like Active Domain or are things like email via the browser and so one generic user profile is used by everybody?

    We assume an OS X user account is in use by a single person and so we store a local copy of the vaults in the account's Library folder. If the desire is the ability for multiple individuals to access a specific combination of vaults just for them but only from a single OS X user account, the complexity for the user ramps up considerably. I can talk about one way you could work it if that's the case but just to clarify, this isn't a scenario we had originally envisaged.

    Once we know that piece of information I feel I can answer your questions above in a much clearer manner without accidentally causing any misinformation.

  • SevenTwist
    Community Member

    Yes, all the computers we use only have one single user profile.

  • littlebobbytables
    1Password Alumni

    Hi @SevenTwist,

    Okay, that does make it more complicated.

    Nothing changes in 1Password for Windows. Each vault is separate and you would first open the vault (as in access the file) and access would only be to those that know the Master Password for that vault. Using your example from above, you could have all three vaults syncing via the likes of Dropbox and a power user can open and unlock the limited and power user ones because they know both passwords. You could unlock the admin one because you know that password too.

    The Macs are more tricky. You would have to set up each in the exact same manner. You would use your admin vault as the primary, and then the other two as secondary vaults. Your admin password would unlock all three vaults for you and that fits with your requirements.

    Anybody else trying to use this Mac though would first need to switch to another vault on the lock screen and they could then unlock just that one, like they could in 1Password for Windows. It would be imperative that your admin vault was always the primary, though, as if you mixed them up and had the limited vault as the primary one, anybody (which is actually everybody at a guess) could then access all three vaults - definitely not good. You would have to keep your power users and limited users as secondary vaults only for this to work.

    You would probably want to avoid having individual vaults too as each individual vault would have to be another secondary vault on every Mac. That would be 3 vaults (admin, power & limited) + 10 more for a total of 13 vaults on every Mac - probably not what you're looking for.

    All of this is because we assume each individual has their own OS X user account and the ability to unlock a single secondary vault was never envisaged to allow what you need it to on this scale. It will work, but if it seems inelegant that's why.

    So 1Password could allow you to have three, even four layers (if needed).

    Now both 1Password for Windows and 1Password for Mac can be downloaded from our AgileBits Download page with a 30 day trial. Given you have Windows machines involved iCloud Sync isn't an option so the need for 1Password for Mac (Mac App Store) isn't a deal breaker. This way you could download both and try it out. You could create your three vaults with a couple of test items and see what you think. We'll do our best to answer any questions you have but I wonder if actually seeing it in action will make things a lot clearer.

    Let us know what you think :smile: Apologies for the delay, I was on my days off but I will be properly back tomorrow if you have more questions as well as the rest of the team :smile:
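    The vault arrangement discussed in this thread, modelled as an added example (this is not 1Password's code; the vault names, item counts and people are constructed). It works out who can reach which logins under the Windows rule (one vault per password) and the Mac rule (the primary's Master Password also opens every attached secondary), and flags the misconfiguration from the last reply where the limited vault is made the primary:

```python
# Access model for classic 1Password vaults as described in the thread.
# Constructed data: three shared vaults and three people who know some passwords.
VAULTS = {
    "admin":   {f"admin-login-{i}" for i in range(12)},
    "power":   {f"power-login-{i}" for i in range(20)},
    "limited": {f"limited-login-{i}" for i in range(8)},
}
KNOWS = {                       # who knows which vault password (constructed)
    "seven": {"admin", "power", "limited"},   # admin
    "pat":   {"power", "limited"},            # power user
    "jo":    {"limited"},                     # limited user
}

def windows_access(person):
    """Windows: each vault is opened on its own, so you reach exactly
    the vaults whose password you know."""
    items = set()
    for vault in KNOWS[person]:
        items |= VAULTS[vault]
    return items

def mac_access(person, primary, secondaries):
    """Mac: unlocking the primary with its Master Password opens the primary
    and every attached secondary; unlocking a secondary from the lock
    screen opens only that one."""
    items = set()
    if primary in KNOWS[person]:
        for vault in [primary, *secondaries]:
            items |= VAULTS[vault]
    for vault in secondaries:
        if vault in KNOWS[person]:
            items |= VAULTS[vault]
    return items

def audit_mac_setup(primary, secondaries):
    """Return {person: vaults reached without knowing their password}
    for a shared Mac set up with the given primary/secondary layout."""
    leaks = {}
    for person in KNOWS:
        reached = mac_access(person, primary, secondaries)
        vaults = {v for v, items in VAULTS.items() if items <= reached}
        extra = vaults - KNOWS[person]
        if extra:
            leaks[person] = extra
    return leaks

if __name__ == "__main__":
    print("correct layout:", audit_mac_setup("admin", ["power", "limited"]))
    print("limited as primary:", audit_mac_setup("limited", ["admin", "power"]))
```

    With the admin vault as primary the audit is empty; with the limited vault as primary, the limited user reaches the admin and power vaults too.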
