Allowing 1Password administration while keeping some vaults off-limits

pminne

I believe we have a rather common use case here where our IT Support team takes care of several administrative tasks in 1Password. Most important tasks: inviting/suspending users as part of on/offboarding, and granting people access to certain vaults through group membership.
Now while for many of the vaults it's ok for them to have access to the credentials stored within, there's also a limited number of vaults where we can't allow that.

This means we can't give the IT Support team members an 'Administrator' role. In fact, they simply can't have the "Manage All Groups" permission since that implies they could give themselves access to all credentials.
A custom group without the "Manage All Groups" permission was something we considered but doesn't work either since it's all or nothing. If we take away that permission, they can no longer create new groups when needed, and managing existing groups would require us to add each support engineer to most of the groups as a group manager.

So bottom line is, we'd like to have a way for our support team to do their day-to-day work taking care of 1Password administrative tasks while making sure some of our vaults cannot be accessed.

An idea that came to mind is to somehow be able to restrict management of certain groups to Administrators and Group Managers, if that makes sense. We could then create a custom group for our Support team, with group management permissions, but some groups would be off-limits, meaning they also can't add themselves to those groups and associated vaults.

Any suggestions would be much appreciated.



Comments

  • Hi @pminne,

    We've been looking into ways to bring administration powers to different groups of people within an organization. We have some ideas for how to make this better but we haven't gotten around to implementing them yet.

    In your case, I think we might be able to do something better with what exists already. Could you create a new group called "IT Support" which has "View Admin Console" but not "Manage All Groups"? Then you would add your IT Support staff into that group. You would then be able to add this "IT Support" group to each shared vault that you want them to be able to manage. Give the group "Manage" access to the vault. This would then allow the IT Support group to manage who has access to a vault without giving them the keys to the kingdom.

    Is that something that would work? I can imagine some use cases where that wouldn't be sufficient but it may be in your case.

    Rick

  • pminne

    Hi Rick,

    Great to hear it's something you're looking into.

    As for your suggestion, that's something we've tried actually. The thing is, we don't assign people to a vault directly (as an individual), but through groups. For several good reasons we prefer to keep it that way (group permissions are easier to manage, simpler vault access management, groups map to departments/roles while vaults may not, etc.).

    That means that Support staff needs to manage group membership rather than individual vault membership, for which they need the "Manage all groups" permission. Alternatively we could add all Support staff individually to each of the many groups, with a manager role. That feels kind of dirty though, and also doesn't allow support staff to create/rename groups. Groups are less static than we'd like them to be, unfortunately, so ideally Support staff can still do those actions.
    If that would be the only way forward for now we can probably make it work, but it would be great if some more elegant solution would become available in the future.

  • Ben

    Understood, yes. That makes a lot of sense. Thanks for taking the time to explain your use case. It seems what you’ve described is going to be the best solution within the requirements you’ve defined for now, but certainly we’ll continue to evaluate what is available and hopefully we can make improvements in this area.

    Thanks again. :+1:

    Ben
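
The reasoning in this thread (whoever can manage a group can add themselves to it, so "Manage All Groups" reaches every vault) can be checked mechanically against a group-to-vault mapping before a role is handed out. The following is an added example, not code from 1Password or from the posters: the `Group` model, the users `sam` and `fay`, and the vault names are constructed, and it assumes a group manager can add any member, themselves included.

```python
# Added illustration: a simplified model, not 1Password's API or export format.
# Assumption: whoever can manage a group can add any member, themselves included.
from dataclasses import dataclass, field

MANAGE_ALL = "Manage All Groups"

@dataclass
class Group:
    members: set = field(default_factory=set)
    managers: set = field(default_factory=set)
    permissions: set = field(default_factory=set)  # account permissions the group carries
    vaults: set = field(default_factory=set)       # vaults the group can access

def joinable_groups(user, groups):
    """Fixpoint: groups the user is in, or could add themselves to."""
    joined = {n for n, g in groups.items() if user in g.members}
    changed = True
    while changed:
        changed = False
        # Membership in any group carrying MANAGE_ALL unlocks every group.
        manage_all = any(MANAGE_ALL in groups[n].permissions for n in joined)
        for name, g in groups.items():
            if name not in joined and (manage_all or user in g.managers):
                joined.add(name)
                changed = True
    return joined

def restricted_exposure(user, groups, restricted):
    """Map each restricted vault the user could reach to the groups granting it."""
    exposure = {}
    for name in sorted(joinable_groups(user, groups)):
        for vault in sorted(groups[name].vaults & restricted):
            exposure.setdefault(vault, []).append(name)
    return exposure

RESTRICTED = {"Payroll"}  # constructed: the off-limits vault

def sample(support_perms, finance_managers=()):
    """Constructed account: sam is IT Support staff, fay works in Finance."""
    return {
        "IT Support": Group(members={"sam"}, permissions=set(support_perms)),
        "Engineering": Group(managers={"sam"}, vaults={"Build Secrets"}),
        "Finance": Group(members={"fay"}, managers=set(finance_managers),
                         vaults={"Payroll"}),
    }

if __name__ == "__main__":
    for perms in ({MANAGE_ALL}, {"View Admin Console"}):
        print(sorted(perms), restricted_exposure("sam", sample(perms), RESTRICTED))
```

The fixpoint matters because the path can be indirect: managing one group that itself carries "Manage All Groups" is enough to reach every vault.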

This discussion has been closed.