Team member able to add items to vault but not see the password
Hi,
We are evaluating 1Password Team and I was wondering if it possible to have the permission set in a way that team members can:
- Add (copy/move/create) items to the vault
- But not be able to see the password of the items
I thought setting the permission like this (screenshot) would work but it doesn't it requires the "Reveal passwords" permission for someone to share an item from their Personal, Primary, etc vault to this vault.
Am I doing something wrong?
Cheers,
S
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:add to vault without read permissions
Comments
-
Hi S.,
Thank you for taking the time to write in. :)
Unfortunately, even if someone has read-only access to passwords, and even if they don't have the “reveal passwords” permission enabled, they'll be able to view the passwords if they're determined. For instance, a user may still obtain the password by examining a web page using the developers’ tools for their web browser. So the read-only permission may be used to prevent accidental disclosure and may help reduce the risk of ”shoulder surfing” and other social engineering attacks, but it will not stop anyone who has any determination.
So you aren't doing anything wrong. That's just the limitation we face with that particular control.
–Max
0 -
that's fine if they pop up the dev console & co to access the password. The main reason why I don't want them to easily access the password if that I don't want them to copy/paste passwords in chat and other documents. I'll rather have people use the share features in 1password for example.
I still don't understand why they can't add an item to the vault if they don't have the "reveal passwords" read permission. Makes no sense when you have write to vault permissions.
0 -
that's fine if they pop up the dev console & co to access the password. The main reason why I don't want them to easily access the password if that I don't want them to copy/paste passwords in chat and other documents. I'll rather have people use the share features in 1password for example.
That makes sense, and I understand where you're coming from! I certainly wouldn't want my employees to send passwords in an unsafe way if I'm paying for them to have access to a secure alternative ;)
I still don't understand why they can't add an item to the vault if they don't have the "reveal passwords" read permission. Makes no sense when you have write to vault permissions.
I tested this out a bit with a variety of vault permissions -- including one configuration that matches the one from your screenshot -- and was able to move items to the vault without being able to reveal any passwords. (I was also, at one point, able to move an item to a vault that I couldn't see at all because I had given myself "Write" permissions but not "Read" permissions.) Can you try this again to see if it's working now? There's a chance that this was changed at some point between your original message and my attempt to test it out.
If you're still unable to do this I'll let our development team know to see if we can change the way this works or if there's a reason why it isn't doable. 8-)
0