Best practice: Teams, overlapping interests and duplicate passwords


What is the best practice for organizing vaults among different departments?

Let's say we run one vault for IT and one for PR. Now it turns out both need access to a mailing tool like mailchimp.
IT had it first, so we would duplicate it for the PR vault. But once IT changes the password, PR has an outdated one.
We kinda work around this by naming one "copy of" and tagging its source, so users know whom to ask for an update. But that is a crutch. It does feel crutch-y.

In theory, we could run vaults for every login we have. But the sysadmins are already slightly crazy and that might push them over the edge.

We could try to structure the vaults around smaller topics (like "mails") or roles (like "sending mails"), but that is a very distracting and time consuming exercise in the topology of our business.

So: Any hints or recommendations? Any use of groups or tags that we might have missed?

Or maybe you are already working on separating logins from vaults? So one login can be in several vaults and gets updated on all of them?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • Lars
    1Password Alumni

    Welcome to the forum, @tobias_prinz! Great question. A lot of what will work best for a particular team depends on how the team itself is structured, so there's no ultimate "right" answer to a question like this.

    For example, if you have everyone in the company all on the same team, then you would do this one way, whereas if IT and PR are actually two different teams with their own sign-in addresses at, that's a different matter. I'm going to assume here that everyone is part of the same overall 1Password Teams account.

    If you have different departments, the most flexible and powerful (not to mention easiest) way to handle something like this would be through the use of Groups in the Pro plan of 1Password Teams. If you create a group for each department, you can define for the entire group what resources the group's members have access to. So you can give the group access to certain vaults but not others, and do this only once, then add people to the group and they will inherit the privileges of that group by virtue of their membership in that group (department).

    If your team is not on the Pro plan or you prefer not to use Groups to delineate departments for whatever reason, you can accomplish the same thing by adding individual members of a department to a particular vault. But that doesn't eliminate the vault-based nature of 1Password Teams currently, and using groups or not, you would still need to spend some time figuring out which logins need to be shared amongst different departments within your overall team, and put those in a vault that you can then invite only the proper groups or individuals into.

    We've been aware for some time that this is sometimes an issue for teams, and we're kicking around some ideas for how we might accomplish allowing an individual Login (or other) item to live in multiple vaults in a manner that syncs between the vaults instead of requiring a copy that doesn't update when one version changes. I wish I could tell you that we had something to report on that score, but with the upcoming 1Password 7 occupying our primary focus currently, I just don't. Part of this issue is the complexity of allowing such cross-vault updating in a way that meets our (and our customers') security standards. So until we've got a solution that reliably meets that standard, we'll have to leave that one in the "not right now" category, much as we'd like that to be different. Thanks for the suggestion/request, however - this gives us one more reason to continue work on this as soon as possible.

This discussion has been closed.