Can we add organizational sub-folders or sub-vaults under a vault?

ronharris

Created a vault for clients. I would like to be able to create a sub-folder or sub-vault for each client where we can store the passwords to specific systems for each client. Is that possible today or something on the roadmap for the future?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 7
Sync Type: Not Provided
Referrer: forum-search:Is there a way to create sub-folders within a vault?

Jacob

Hey @ronharris! I'd suggest creating a vault for each client rather than one for all of them. That will give you quite a bit more control over who can access things. You can also create as many vaults as you'd like. :) As for organizing things, you can use tags and apply as many as you feel are related to each item. That's more a bit of info for you than something that will help out with what you mentioned here.

ronharris

Can we hide vaults that are no longer active?

If we have a password record in a vault are we able to share that record or are we only able to share a vault?

Could we have tags for clients such as "sony or ibm or bank of America" and then pull up all the items tagged with a client name?

Jacob

@ronharris You can delete them if you'd like, but not hide them. Are you looking for an archive feature?

If we have a password record in a vault are we able to share that record or are we only able to share a vault?

Individual items can't currently be shared, but we're looking into possibilities for adding this in the future. It'd be more like a one-time sending of the item between team members. Right now, we recommend the vault approach because it has a lot of flexibility.

Could we have tags for clients such as "sony or ibm or bank of America" and then pull up all the items tagged with a client name?

Yep, but only within that vault. Again, I wouldn't recommend this approach because giving someone access to the vault means they'll see everything in that vault, not just their data. I'd recommend creating specific vaults for each client. :)

ronharris

We have about 100 clients and the average number of password records would be about 1.8 per client. Most are 1 password, some are two, and a few have 3 or 4 password records. Setting up 100 vaults doesn't seem to make sense. We'll stick to a single clients vault and use tags or naming convention to make it easy to locate the records. We were hoping to be able to share some of the records with certain parties who need access to certain clients. Perhaps that's something Agilebits can consider in the future. Thanks.

roustem

@ronharris You can hide the vaults from the list by changing access permissions to "Manage" only. You will still be able to see the vaults in the Admin Console but they won't appear on your client devices.

ronharris

@roustem - Would I also need to remove all the team members from the vault before setting to Manage only?

roustem

@ronharris If you give yourself "Manage" only permissions to a vault then you won't see this vault in your list. It won't affect any other team members unless you change their permissions as well.

I wonder if we need a "vault archiving" feature for an easy to hide vaults from everyone?

ronharris

@roustem - I can't see us using the vault metaphor for the "clients" solution. It's not elegant at all. When you have folders under a vault for organization and you can share folders or items within a folder, that's when we can use 1Password to manage passwords for client systems. For now, we'll have all the items in the client folder for all clients and only our team will have access to the folder.

Vault archiving sounds good, especially if you can return the vault to an active status. Managers of archived vaults should be able to see the archived vaults when managing "vaults".

julie-tx

@ronharris -

It sounds like this may partially be an organizational structure for the data issue. By that I mean if you view the structure of a "team" in the same way you might view a filesystem, our vault structure is very "flat" - our "directories" (vaults) can't have "subdirectories" (folders).

Would that be helpful? Access to a "directory" implies access to a "subdirectory", and so on? You have access at the top level and clients have access below that, and if there are still more subdirectories - say, operations items within a client "subdirectory" - those can be further limited?

ronharris

@julie-tx - I don't know that I can answer your question. It seems to me that the most elegant way of meeting my requirement is to use a single vault for clients and be able to use sub folders for each client. Otherwise, managing the vault permissions becomes a nightmare.

I need my internal team technical team to have access to anything in the vault so I would want security to be assigned at the vault level and cascade down to each folder.

We have an external team of developers who need access to certain information within a client folder. They don't need access to all client folders.

I want to be able to add the external developers to one or more client folders with a default set of permissions for the group. Within each folder, I would like to be able to limit access to individual items. For example, I have 3 different password records for 3 different systems. The external team only needs access to 1 of those passwords (the system they are working on).

1PW for Teams is new to me, although I have used 1PW for years. Our account only has 3 vaults in it right now, the two default and one new one called Accounting. I have installed the Windows 10 app on my Surface. I have not invited a guest to join a vault, so I don't know how that process works yet.

I hope I have answered your question.

roustem

@ronharris Thank you for the details!

The access in 1Password for Teams is based on vault encryption keys. When you give someone access to a vault, this person receives their own copy of the encryption keys and along with the list of permissions (can write, can print, etc). Because of that, the person will have access to the contents of the entire vault.

We believe this approach both simple and powerful enough to cover most of the use cases — when you think about access, you can always think in terms of vaults, not individual items.

However, I can see that vault-based access might not handle everything. In some cases, there is just a single item that needs to be shared and it will be an overkill to have a new vault just for that.

We plan to add individual item sharing and that might help in your case. The items could be shared (copied) between several vaults and the system will keep track of that. With item sharing, you would be able to set up a vault for external developers and copy the individual items there. If the shared item changes, the system will prompt to resend the changes to other vaults.

ronharris

@roustem - The sharing item in different vaults would work for us. We would copy from our main client vault, the items (password records), to the external developer vault. Maybe an item setting to keep items in sync or prompt before syncing changes could be applied to the items. Thanks.

dteare

That's great to hear, @ronharris. I'm happy to hear that Roustem's proposed item sharing would work for your use case. It would be really helpful for me personally as well so I'll help you remind @roustem to add it as soon as possible :)

Take care,

++dave;

vipconsult

We are on the same road.

From what I understand you will implement a new option to link individual items between different vaults so changes to one will affect all others right ?

vipconsult

Our case study is the following.

teams TE and VI both support company PA -
VI supports the servers
TE develops websites which are deployed on the servers

VI team
senior technician
junior technician

PA team
ceo
accounting

TE team
senior web dev
junior web dev

vault
sshLogin
ftpLogin
monitoringLogin
websiteLogin
hostingCompany

How would you suggest to organise it to achieve the following.

VI team
senior technician - access to all items
junior technician - access to - ftpLogin , monitoringLogin , websiteLogin
PA team
ceo - all items
accounting - hostingCompany
TE team
senior web dev - ftpLogin, monitoringLogin, websiteLogin
junior web dev - ftpLogin,websiteLogin

TE team would be guests

I am a new user so your help would be greatly appreciated

rob

Hi, @vipconsult.

Roustem would like to implement item linking between vaults eventually, yes, but it's not likely to happen very soon.

Guests can only have one vault, so you would have to duplicate items for your TE team like this:

Junior Dev Vault -- accessed by junior web dev (guest)

• ftpLogin
• websiteLogin

Dev Vault -- accessed by senior web dev (guest), junior technician, senior technician, CEO

• ftpLogin
• monitoringLogin
• websiteLogin

Accounting Vault -- accessed by accounting, CEO, senior technician

• hostingCompany

Admin Vault -- accessed by CEO, senior technician

• sshLogin

Then you would just have to keep ftpLogin and websiteLogin in sync between the Dev vault and Junior Dev vault.

In general, item-level access isn't well supported at this time. Rather, access is managed by vault. There is definitely a good use case for item-level access as you've described, but it's not something we can do right now.