Creating Custom Groups
Currently the groups available are much too broad. For example, we have a user who I would want to give "create" access to vaults and "assign" access to vaults they are allowed to administer, but I don't want them to be able to see every vault and definitely don't want them to be able to allow them to view every vault.
As it stands now, in order to allow them to create a vault, I must also give them access to every vault.
What I would prefer is something similar to the prompt when adding someone to a vault except relating to vaults when creating a group.
- Create a Vault
- Assign users to any vault
- Delete any vault
- View any Vault
- Create new Users
- Delete Users
etc, you get the idea.
Then I can have granular control over the ability my groups of users have and you don't have to play the game of catch up trying to decide which are the "correct" default groups to have which will benefit the most users. Users can decide for themselves.
Comments
-
Hi @jfelchner,
Love seeing new threads with your name next to it. :) Thanks for the detailed feedback as always. Groups are going to get better. 1Password for Teams had group support from day 1, but we disabled them at the UI level a couple months before release because we weren't happy with them and the complexity they brought versus the value. We're slowly reviving them and trying hard to solve the complexity issues that we were encountering.
Hopefully we can get groups to become as powerful as you'd like them to be.
Rick
0 -
@rickfillion :) Awesome news. Thank you.
0 -
You're welcome.
Rick
0 -
Please note that "Add users to a vault" permission is already available. Any user with "Manage" vault permission can add users to this vault.
It won't be possible to implement the global "Assign users to ANY vault" permission. Before someone could add another person to a vault, they must first have access (the vault encryption keys) themselves. Same is true for "View any Vault" permission. Both of them are controlled not just through a policy but also with crypto.
0 -
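The constraint described in the reply above (someone can add a person to a vault only if they already hold that vault's encryption keys), as an added sketch that is not part of the thread and is not 1Password's code. The `Vault` type, the function names, the constructed members and the use of RSA-OAEP for key wrapping are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrNoKey = errors.New("granter holds no copy of the vault key")

// Vault (hypothetical model): member name -> vault key wrapped to that member.
type Vault map[string][]byte

func NewVault(owner string, pub *rsa.PublicKey) (Vault, error) {
	key := make([]byte, 32) // random vault key, wrapped for the owner only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Vault{owner: ct}, err
}

// Grant re-wraps the vault key; the granter must open their own copy first.
func (v Vault) Grant(granter string, priv *rsa.PrivateKey, invitee string, pub *rsa.PublicKey) error {
	ct, ok := v[granter]
	if !ok {
		return ErrNoKey
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return err
	}
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err == nil {
		v[invitee] = ct
	}
	return err
}

func Demo() (selfAdd, ownerGrant error) { // constructed members
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	admin, _ := rsa.GenerateKey(rand.Reader, 2048)
	v, _ := NewVault("alice", &alice.PublicKey)
	selfAdd = v.Grant("admin", admin, "admin", &admin.PublicKey)
	ownerGrant = v.Grant("alice", alice, "admin", &admin.PublicKey)
	return
}

func main() { fmt.Println(Demo()) }
```

The first call fails because the admin was never given a wrapped copy of the key, whatever role they hold; the second succeeds because the vault's owner can decrypt their own copy and re-encrypt it for the admin.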
@jfelchner Admin is able to assign any user to any vault that admin has access to. It is unusual but possible to create vaults without giving access to them to the Admins group (there is a checkbox that can be unchecked when the vault is created).
We are still tweaking how groups work and hope to publish new changes soon. Currently we have hard-coded groups and permissions. At some point we would like to allow users to tweak the permissions for each group.
Here is the list of permissions we got so far:
```
PermissionRecover            = 0x000001
PermissionViewAdminConsole   = 0x000002 // Show the admin console on the client
PermissionViewPeople         = 0x000010 // Show the people list in the admin console
PermissionAddPerson          = 0x000020
PermissionChangePersonName   = 0x000040
PermissionSuspendPerson      = 0x000080
PermissionDeletePerson       = 0x000100
PermissionViewVaults         = 0x000200 // Show the vault list in the admin console
PermissionUsePersonalVault   = 0x000400 // Allow users to see and use their personal/private vaults
PermissionAddVault           = 0x000800
PermissionDeleteVault        = 0x001000
PermissionViewGroups         = 0x004000 // Show the group list in the admin console
PermissionManageGroups       = 0x008000
PermissionViewTeamSettings   = 0x010000 // Show the settings tab in admin console
PermissionChangeTeamSettings = 0x020000
PermissionChangeTeamAttrs    = 0x040000
PermissionChangeTeamDomain   = 0x080000
PermissionSuspendTeam        = 0x100000
PermissionDeleteTeam         = 0x200000
PermissionViewBilling        = 0x400000 // Show the billing tab in the admin console
PermissionManageBilling      = 0x800000
```
0 -
@roustem ahhhhhhhh I did not know that's how it worked (obviously ;)) Thank you so much for clearing that up!!
So if I create a vault and do not check the admin checkbox, not even admins can see it. That works much better for my situation currently (so that's awesome), but is also quite a dilemma because one would assume (or at least I would hahaha) that an admin would have superuser powers and have access to everything in the account.
0 -
@jfelchner We got the Owners group for that.
We didn't make that change yet, hope to make it soon -- the members of the Owners group will always be added to every team vault with "Manage Only" permissions. That would allow Owners to manage the vaults but not see them on their Home screen.
0 -
Glad you're excited, @jfelchner! I'm pretty excited to get these changes implemented, too. I think it will solve a lot of problems. :)
0 -
Is there any update on this? I'd love to be able to simply manage a group to give members of it access to a set of vaults rather than adding users to each of those vaults individually.
0 -
@kylev @penderworth this would be my primary use case for custom groups as well. I'd like to be able to create groups for departments within my company, and for members of groups to automatically receive access to multiple vaults in bulk. Without this functionality, allocating vault access in 1Password for Teams on a user-by-user basis could become tedious and error-prone as my company grows.
0 -
@lucascantor That does seem to be the main use case. I can see the interest, too. At the moment, I'd recommend using separate vaults for each department. I know that doesn't work across the board, but we're planning on adding custom groups in the future as I mentioned before. :) We did make allocating access a bit easier in each vault in that all you need to do is click the user to select them and add them to that vault. We're getting there.
0