Individual item permissions

I am loving the idea of 1Password for teams, except I've noticed some critical drawbacks that may prevent it from making a viable use-case in my business.

  1. I have an assistant that works for me directly independent of my business day-to-day. I wish to share pertinent information with her, but don't wish to share all of my passwords at once or any specific ones permanently.
  2. My business stores login credentials and other important secure information in order to provide the best service possible. When someone has to do work relating to a particular client, they will need access (temporary or permanent) to relevant information. In the current team organization, I'd have to create individual vaults for each client? This seems tedious and inefficient as I have 70-some active clients. That's a lot of vaults to parse when I want to access a particular one.
  3. Critical question. When 1Password shares a vault (without access to reveal passwords) and the password is copied, can it be pasted in a regular text window?

I looked at a number of solutions for managing passwords within my team. The main criteria I settled on was the ability to share access (read-only, not revealed), with the ability to revoke access at any time. These typically included individual password sharing and permissions. What are the important new features in development while the Beta of 1Password for Teams progresses?


1Password Version: 550024
Extension Version: 4.4.3.90
OS Version: OS X 10.11.1
Sync Type: Teams
Referrer: kb:dropbox-2fa, ug:ios/setting-up-one-time-passwords, ug:ios/multiple-vaults, ug:ios/setting-up-one-time-passwords, kb:dropbox-2fa

Comments

  • rdouma
    Community Member

    Apart from question 3, which I don't really follow, I have the same questions. I actually thought the whole point would be to be able to manage access control on a record level. I was expecting users, groups ideally and the ability to assign permissions to items to users (and ideally groups). I am not sure how the current approach is different than using 1Password with synced vaults over Dropbox, which we currently use. Already quite good, but the main disadvantage is that it's an "all or nothing" approach that I would love to get away from. I'd love to understand how this is better/different than sharing vaults via Dropbox?

  • Hi @W_Integrations ,

    To respond to your questions:

    1. As you are probably aware, the best way to do this is have a vault that you and your assistant have access to, and put the items there.
    2. You haven't mentioned who you are granting access to, but if they are employees, you could have a vault named "Client information" and put all of your client items in that vault. But if you need to separate access on a per-client basis, then making separate vaults for each client, though it seems cumbersome, is probably the best way to go. Items within a single vault cannot be shared differently, though I think with 70+ clients, you might find that even more cumbersome trying to coalesce each item with each client. Though we'd love to hear your thoughts on this matter on how you would like to see it work.
    3. If you do not grant reveal access, there is no copy function in the app, and it is not copied to the clipboard at all. It can only be used to fill a login page in a web browser using the 1Password extension. Note, it may be possible for a technically advanced user to access the password. Technically speaking, if you grant access to the password to send to the web browser, you can't really block an advanced user from extracting it (from memory, from the web browser, etc), but for the average user, the feature protects them from copying and pasting the password where they shouldn't.

    If you have further questions, do not hesitate to reply.

    Cheers,
    Kevin

  • Hi @rdouma ,

    Access control is at a vault level. Groups is not currently a feature, but we'll certainly add your feedback as a feature request. The difference between Teams and Dropbox syncing is as follows:
    1. With Dropbox, user permissions are limited to full read/write access to each vault you share. 1Password for Teams offers various levels of read, write, exporting, and vault management permissions.
    2. User access in 1Password for Teams is controlled via a central management console. Creating vaults, inviting users, changing access permissions is quick and easy. In Dropbox, access is controlled for each vault separately through sharing the vault file with each user.
    3. Your mileage may vary, but when sharing with many users, you'll find the performance of syncing changes with 1Password for Teams is very fast, as Dropbox is optimized for sync of entire files, not database records.

    Dropbox often meets the needs of a small number of people, and we still plan on supporting it, but we think you'll find that if your needs go beyond sharing a few vaults with full read/write access, you'll find 1Password for Teams will better fit the bill. And of course please send us any feature requests you may have.

    Regards,
    Kevin

  • rdouma
    Community Member

    Thanks for your elaborate answer @ag_kevin. I had somehow assumed that this would "of course" bring record level access control, not sure if the current approach adds a lot of value for my small team, but with lots of different accounts. Like the original poster, it somehow feels so unnatural to create tens of vaults but maybe that's just a matter of mindset.

    Curious: is the reason this approach was chosen that the entire vault is encrypted/decrypted and not individual records?

  • averyanov
    Community Member
    edited November 2015

    @ag_kevin
    Suppose I have 100 passwords to be stored in 1Password for teams. Among them:

    • 50 passwords have to be shared with 2 of my co-workers (A and B);
    • 30 passwords have to be shared with 1 co-worker (A only);
    • 20 are not shared at all.

    Regarding the fact that I cannot set sharing options for individual password in a vault, what is the best way to implement this sharing scheme?

  • Hi @averyanov ,

    In your case you would have three vaults. One vault for A and B containing 50 passwords, one vault for A containing 30 passwords, and the remaining 20 passwords would go into your personal vault.

    Regards,
    Kevin

  • averyanov
    Community Member

    @ag_kevin thanks!

  • Hi @rdouma ,

    The reason this approach was taken was a matter of manageability. Let's say you give access to some passwords in a vault to a user. How does that user see these items? Well, in the vault of course. So your other users will all have the same vault but see different items in it. That sounds ok at first, but then it becomes difficult to determine who has access to each item and can become unmanageable when you have a lot of items in the vault and a lot of users. By placing the items in separate vaults it's easy to see who has access to which items and it's easy to revoke and grant access.

    Since you mentioned groups, you could consider vaults as the way to have groups. Make a vault and name it after a group, and give access to all those in the "group". And if you need to give access to more than one group, make another vault with combined access. I realize it's not quite the same groups but it may be helpful in your case.

    I hope I've been able to explain the reasoning well enough. Feel free to reply if you have further questions. And thank you for your feedback - we consider all feedback when improving 1Password in the future.

    Cheers,
    Kevin

  • rdouma
    Community Member

    Thanks @ag_kevin. I agree that vaults can be seen as a sort of group. I'll be pondering and playing.

    Thanks again, as always when dealing with you guys it's a pleasure to see how much effort you put in communication. Thumbs up.

  • Glad to help. We'll be here if you need us!

  • averyanov
    Community Member
    edited November 2015

    @ag_kevin after a while I still don't get the idea of the best way to organize passwords to vaults.

    What you offer is to define groups of users and create a vault per group according to desired passwords visibility per each group. But when there are multiple roles in company this gets messy.

    Suppose I have managers, support, devops, network engineers, developers, lead developers and accountants teams.

    • some passwords are visible to individual roles only;
    • some to support and devops;
    • some to developers and devops;
    • ...

    As you see there can be multiple combinations of roles. In case of N roles there will be 2^N combinations of them. In my case – 2^7 = 128

    This means that I will have to use up to 128 vaults to make all permissions combinations possible (in real life there surely will be tens of them, not 128). This looks too hard to be managed effectively.

    This seems to be a result of individual items permissions management absence.

    Do I get the point? Any suggestions?

  • Hi @ag_kevin,

    I agree with you. Only solution would be if you would support folders and manage access to these folders.

  • Hi @averyanov ,

    Thinking of them as groups is a suggestion and may not work for all organizations. As you mentioned, in real life the number of combinations of member access will be much lower, so you might find it to be quite workable, or you may need to organize them differently. This is how you would do it today. However, we will certainly take your feedback and consider it when making future changes to 1Password for Teams.

    Thanks for sharing your thoughts!

    Cheers,
    Kevin
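
The vault-per-access-set scheme discussed in this thread, as an added example that is not part of any post and does not use 1Password's code or API. It groups items by the exact set of members who may read them (one vault per distinct set), which reproduces the three-vault answer above and shows the vault count tracking the combinations actually in use rather than the 2^N bound. All function names, item names and sample data are hypothetical and constructed.

```python
from collections import defaultdict

def plan_vaults(item_access):
    """Return {frozenset(members): [items]}: one vault per distinct access set."""
    vaults = defaultdict(list)
    for item, members in item_access.items():
        vaults[frozenset(members)].append(item)
    return dict(vaults)

def readable_by(member, vaults):
    """Audit view: every item a member can reach through vault membership."""
    return sorted(i for acl, items in vaults.items() if member in acl for i in items)

def revoke(member, vaults):
    """Drop a member from every vault ACL; vaults whose ACLs become equal merge."""
    merged = defaultdict(list)
    for acl, items in vaults.items():
        merged[acl - {member}].extend(items)
    return dict(merged)

def upper_bound(n_members):
    """Distinct access sets over n members, counting the owner-only (empty) set."""
    return 2 ** n_members

# Constructed sample: 50 items for A and B, 30 for A only, 20 unshared.
SCENARIO = {f"pw{i:03d}": ({"A", "B"} if i < 50 else {"A"} if i < 80 else set())
            for i in range(100)}

# Constructed sample for the seven-role case; only used combinations need a vault.
ROLES = ["managers", "support", "devops", "network",
         "developers", "leads", "accountants"]
ROLE_ITEMS = {
    "crm-admin": {"managers"},
    "helpdesk": {"support", "devops"},
    "ci-server": {"developers", "devops"},
    "deploy-key": {"developers", "devops"},
    "bank-portal": {"accountants"},
}

if __name__ == "__main__":
    v = plan_vaults(SCENARIO)
    print({tuple(sorted(acl)): len(items) for acl, items in v.items()})
    rv = plan_vaults(ROLE_ITEMS)
    print(len(rv), "vaults in use of", upper_bound(len(ROLES)), "possible")
    print(len(revoke("B", v)), "vaults after revoking B")
```
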

This discussion has been closed.