Disallow owners from re-joining a group or vault

wilrnh
Community Member
edited October 2016 in Business and Teams

Right now it seems that an admin of a Teams/Family account has access to every shared password. The admin can remove the "admins" group from a vault, but they can also add it to any shared vault. I'm not sure if this is by design, or a bug.

If this is correct, is it possible to configure Teams and Family to disallow admins from adding the "admins" groups to vaults which they do not manage? E.g., they removed themselves as managers, or they created vaults without adding themselves as manager. This would grant group owners some privacy from the "admins".

I currently admin our company's Teams account, but I'd like to ensure that I, and any other "admin", cannot and will never be able to view vaults shared among specific teams, leaving vault maintenance entirely up to the group managers.

Thanks for any feedback on this!
-Will



Comments

  • Hi @wilrnh! Thanks for posting about this. If an admin is not a manager of a vault, and the admin group doesn't have management permission on that vault, they won't be able to manage it. You have to give them or one of the groups they are in the manage permission for them to add and remove people from the vault. Those members won't even see the vaults in the Admin Console since they can't manage them. Hope that helps. :)

  • wilrnh
    Community Member

    Hi @Jacob you are very correct. It seems the issue is with Owners not Administrators. It seems Owners are exempt from all these rules. And the console seems to actively disallow unchecking the "manage" permission of the Owners group on the vaults.

    If this is correct, is it possible to disallow Owners from adding the "owners" group to vaults which they do not manage? I'd like to isolate shared vaults for only specific groups and users. Just because a user is an Owner or Admin shouldn't allow them to bypass this isolation.

    Lemme know if this makes sense or I'm doing something entirely illogical. Also, if you could update the title of this post to reflect "owners" not "admins" that would help other users to find this documentation. If not I can open another post nbd just lemme know.

    Thanks so much for your help,
    -Will

  • @wilrnh Yes, that's true. Owners are just that: Owners. I would recommend using Admins or custom groups to manage things in a more specific way. Then there can only be one Owner of the account, and the others can do what they need to as well (manage billing, etc.). Learn more about using groups and custom ones:

    Use groups in 1Password Teams

    Hope that helps! Let us know if you have some questions.

  • wilrnh
    Community Member

    Thanks for clarifying @Jacob. I think this is exactly what I'm trying to avoid. If I understand correctly, all shared passwords in 1Password are visible to the account Owner, regardless of whether the password was shared directly with them, and there's no way to change that.

    I'm not sure how this can work in a company setting, where a "security" team would likely own such an account, but they really should not be able to view "social media account passwords" for example, which may be shared across a "community" team. If you have any suggestions around such a use case please do "share" :)

    -Will

  • @wilrnh That is correct. Personal vaults aren't available to owners though — those are only for that member. I'd recommend using groups to manage things. They should work for your scenario. You can create a security and community group if you need. Otherwise, you can stick with the default groups and create vaults to organize your company. This is simpler and better if you want to put things in one place and people across the teams in your company don't need access to multiple vaults.

    Only one person needs to be the owner of the account. Others can be administrators or custom group members and manage the account in those ways. Hope that helps.

This discussion has been closed.