"Invite & Remove People" Permission

scottsb
scottsb
Community Member

Does the "Invite & Remove People" permission for custom groups allow a non-owner, non-administrator to remove an owner or administrator account?

Either way, but especially if so, please consider this a feature request for a stand-alone permission for inviting users that does not also grant removal permission. It's odd that there's a dedicated "Suspend People" permission (which is the least dangerous), yet anybody who can invite users can also remove users.

Even better would be there to be a permission that's specific to inviting guest users only, but I imagine you don't want to multiply the options too much, and I can see that is more useful for us than it would be for many.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    Does the "Invite & Remove People" permission for custom groups allow a non-owner, non-administrator to remove an owner or administrator account?

    @scottsb: Yes.

    Either way, but especially if so, please consider this a feature request for a stand-alone permission for inviting users that does not also grant removal permission. It's odd that there's a dedicated "Suspend People" permission (which is the least dangerous), yet anybody who can invite users can also remove users.

    That's a good point. From our own experience and working with others, it seems like generally the person who invites is going to be the same as the one who removes, but we'll continue to evaluate this.

    Even better would be there to be a permission that's specific to inviting guest users only, but I imagine you don't want to multiply the options too much, and I can see that is more useful for us than it would be for many.

    That does sound like it has the potential to cause more confusion, but it's in interesting idea. Thanks for the suggestions! :)

  • scottsb
    scottsb
    Community Member

    Our use case is that we use guest vaults to transfer credentials securely between us and our clients (we're an agency). For ease of onboarding, we'd like to allow account management to invite clients as guest users to access their specific vault. The most ideal scenario would be if they could remove these guest users they create as well, but it's an uncomfortable level of risk to allow account management to delete any user in the entire system, particularly including owners and administrators.

    Really our need could be met in a number of ways. In rough order of "idealness" here are a few examples:
    1. Combined invite & remove permission (specific to guest users)
    2. Separate invite & remove permissions (removal allowed for all users)
    3. Combined invite & remove permission (removal limited to non-admin/owner users)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for sharing more details! That makes sense. I'm not sure what the best solution is, but we'll continue to listen to feedback and see what we can do to help in the future. Cheers! :)

This discussion has been closed.