Add non-users to groups during invitation


When new users get confirmed after receiving their invitation, they log in to an empty 1Password as an admin needs to log into the dashboard to assign that person vault/group access first.

Would it be possible to pre-add the users to groups and vaults during the invitation process already?


  • Jacob

    Hey @henkisdabro! Great suggestion. It would be really cool, I'll admit. It isn't possible for us to add, though, because of the way adding members works. When you invite someone, the cryptography keys don't exist until they create their account (set up their Account Key and Master Password). And you have to approve that account so you can grant them access to shared vaults, since that process happens cryptographically (using their new public key). The member's keys then work with each vault's keys in the third step (adding the member to vaults). It's simply not possible to give someone data before they're approved as a member.

    Hope that helps explain things. :) We're going to look at improving which vaults are added by default when a team member is added. That may help out with this as well.

  • 365nice
    Community Member

    I too would find this useful - but being able to specify what the default vaults on signup are would skin the cat a different but equally useful way.

  • Jacob

    Thanks for the feedback, @365nice. :)

  • zero_shane
    Community Member
    edited October 2016

    I'd like this feature - too - and understand the challenge.

    But ... I'm constantly frustrated when I create new users for my environment, I have to go through a 3 step process to onboard them to 1Password:

    1. Send Invite (wait for acceptance)
    2. Approve new user
    3. Add user to appropriate groups or vaults

    I'd like to see this process reduced to just:

    1. I sent invite / Define groups and/or Vaults - user accepts invite - and user is now fully enabled (not requiring the additional approve the accepted already invited user) - now user is entitled with appropriate permissions to vaults/groups

    Realizing the chicken-and-egg problem with the cryptographic side of things (keys not existing, etc...) Wouldn't it be possible to create a simple provider-side/server-side call-back solution?

    During invite time, allow me to "add invited member" to any group vault. Since they don't (essentially) exist ... Have a call-back in the whole user invite/accept/accept process that checks for any group or vault memberships that should be enrolled for the new user ... once that chain has been fulfilled (eg accept/approved/keys created, etc), add the user's keys to the appropriate group/vault.

    Obviously this requires that your API workflow on the back end has support for some sort of callback mechanisms, or can be easily adjusted to make an API call out to determine if any pending steps are necessary once the user has been fully added/entitled w/ keys. You'd need to store a blob of info about what groups/vaults the user was enrolled in at invite time.

  • Thanks for posting about this @zero_shane. We would like to make it simpler for folks, and we have a few ideas on doing that. Right now we're working on a few other things, but I'd be happy to let the team know you asked about this. :)

    ref: B5-1806

This discussion has been closed.
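
An added example, not part of the thread and not 1Password's code: a toy model of the ordering constraint Jacob describes and the "pending membership" idea zero_shane proposes. It assumes a simplified hashed-ElGamal key wrap and that only the approving admin's client holds vault keys; the `Team` class, its methods and the e-mail address are hypothetical.

```python
import hashlib
import secrets

# Toy hashed-ElGamal key wrap: illustration only, not secure, not 1Password's scheme.
P = 2**255 - 19
G = 2

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def _mask(shared, n):
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()[:n]

def wrap(vault_key, member_pub):
    """Encrypt a vault key (<= 32 bytes) to a member's public key."""
    eph = secrets.randbelow(P - 2) + 1
    mask = _mask(pow(member_pub, eph, P), len(vault_key))
    return pow(G, eph, P), bytes(a ^ b for a, b in zip(vault_key, mask))

def unwrap(wrapped, member_priv):
    eph_pub, ct = wrapped
    mask = _mask(pow(eph_pub, member_priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, mask))

class Team:
    def __init__(self):
        self.pending = {}  # email -> vault names chosen at invite time (no key material)
        self.pubkeys = {}  # email -> public key; exists only after signup
        self.grants = {}   # (email, vault) -> vault key wrapped to that member

    def invite(self, email, vaults):
        self.pending[email] = list(vaults)  # intent only; nothing is encrypted yet

    def signup(self, email):
        priv, pub = keygen()                # member creates keys on their own device
        self.pubkeys[email] = pub
        return priv

    def grant(self, email, vault, vault_key):
        if email not in self.pubkeys:
            raise LookupError("no public key yet: nothing to wrap the vault key to")
        self.grants[(email, vault)] = wrap(vault_key, self.pubkeys[email])

    def approve(self, email, admin_vault_keys):
        # Runs on the approving admin's client, which holds the vault keys.
        for vault in self.pending.pop(email, []):
            self.grant(email, vault, admin_vault_keys[vault])
```

In this model the invite can carry the list of vaults, but the wrap itself still waits for both the member's public key and a client that holds the vault key.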