1 Item - Multiple Vaults?

13»

Comments

  • ag_anaag_ana 1Password Alumni

    @daimoonmedia:

    We don't have a timeline to share at the moment I am afraid, but thank you for letting us know that you would like this as well :)

  • Any update on this? I'm currently in trial with 1Password and a few competitors. I absolutely love everything about this product except your sharing solution through the vaults. We are a small team but it will be a hard pass if this isn't even being seriously considered.

  • ag_anaag_ana 1Password Alumni

    @Mattbeatty89:

    Other than copying the item in multiple vaults, or putting it directly in a shared vault, I am afraid that we don't have anything else to share at the moment :(

  • This has also been very painful for us - please move higher up your priority list, we need this functionality and not having it completely obscures the purpose of vaults in the first place.

  • ag_anaag_ana 1Password Alumni

    Noted @Sessapine, thank you for letting us know!

  • We are also very interested in this for a Teams account we're setting up, We have a variety of team members -- many of whom need access to shared interests in various vaults,

  • ag_maxag_max

    Team Member

    Hi @LewG

    Thanks for taking the time to share, and for letting us know your team could benefit from this functionality. :smile:

  • Hello, I will immediately buy OnePassword Business with at least 25 seats as soon as this feature is implemented fully/correctly. We absolutely need **group **plus **individual **password access and sharing permissions for our department that has a mix of roles - IT support / developers / admin / AV / contractors. We manage hundreds of passwords, and I can see that as it stands now, to grant the correct visibility to each person / unit, I would have to create and maintain many multiple vaults and synchronise the duplicated passwords in each. That is a messy work-around that is not flexible or scalable. I have had 'OnePassword' as an approved line item in my budget for the last two years but will not purchase until this issue is resolved. I would prefer to use OnePassword versus other similar online tools based on your ownership and privacy policy. I check these forums every few months and read the same threads to see when this feature will be implemented - hoping that it will be soon! :) Hope this feedback is helpful - I can explain further offline if necessary.

  • ag_maxag_max

    Team Member

    @IanBurrowes

    I appreciate you sharing your feedback about your use case here. I also encourage you to reach out to our Go To Market team at [email protected], if you're not already in contact with them. They may be able to work with you and provide a solution using the current features found in 1Password.

  • ClemensGClemensG
    edited July 2021

    I wanted to enroll 1password to our teams as well, but lacking the feature of "linked" items is holding me off too.
    We have some hundreds of passwords to share between our teams. Some of them shared with only one other team, some of them with multiple teams. Building separate vaults for every sharing constellation makes the product quite unusable. People always have to use the "all vaults" option, which makes it hard to manage private and shared accounts within one account.
    Most users don't know who has access to a password, so can't choose the right vault to search.

    I understand that the separate encryption keys for each vault are an issue for this feature, but isn't there a way around? Thinking of some kind of an update table only holding IDs and timestamps of linked items which got updated and as soon as someone with access to both/all vaults with the linked item logs on, it gets updated. If someone uses this linked item, without having access to the vault with the updated version, you could at least give him a warning about a possibly outdated item.

  • BenBen AWS Team

    Team Member

    Hi @ClemensG

    It is possible that there could be another solution here in the future, but for now creating separate vaults for each sharing situation is the only option. Unfortunately I suspect if there were an easy win to be had here we would've already taken it.

    Thinking of some kind of an update table only holding IDs and timestamps of linked items which got updated and as soon as someone with access to both/all vaults with the linked item logs on, it gets updated.

    It would seem this would mean having to decrypt the full details of each item in that table every time anyone with access to those items unlocks 1Password. Depending on how big the table is, that could substantially slow the process. Not saying that for sure this approach wouldn't work, but that is one potential roadblock I could foresee.

    Ben

  • cryptochromecryptochrome Junior Member

    What a wonderful discussion. While I share not just the experience but also the sentiment that something needs to change in 1P to make this easier for all of us, I would also like to throw in the perspective of a security engineer and CISO:

    Sharing passwords is bad. Not matter how, no matter what.

    Even if you use a very secure system to share accounts and passwords, like 1P, it's still an accident waiting to happen. Instead of waiting for 1P to give us better sharing options, you should work towards avoiding shared accounts altogether. From a security best practice perspective, every user should have their own account to access a system. System accounts (like root, admin, etc.) should only be accessible by a very limited subset of people.

    I know this is easier said than done (and outright impossible in some scenarios), but it's certainly something everyone should work towards and try to accomplish as much as possible. At least when it comes to user accounts. I am not really talking machine to machine communication (which 1P tries to tackle with their new "Shared Secrets" product).

    Just some food for thought.

  • ag_anaag_ana 1Password Alumni

    Thank you for sharing this perspective @cryptochrome! Indeed, finding a balance is a good challenge :)

  • What is the status on this? It's been 3 years since this thread was started and it's still not in the product. I find this limitation a rather huge one within a company where you want a single item but multiple pointers to it from separate vaults. ... basically saying what everyone has already.

    I can appreciate that this is technically complex for the 1Password team to implement but this doesn't change our need for it. While we could create more vaults and move items to those vaults which can have different permissions but then you get into a maze of permission hell, needing to think about who has access to what. Think of this scenario:

    Vault foo (permission: Alice and Bob)

    • Item 1
    • Item 2

    Vault bar (permission: Charlie and Danny)

    • item 3

    Suppose now Item 2 needs to be shared with Charlie and Danny in addition to Alice and Bob. However, item 3 should be only for Charlie and Danny.

    So to do this, you need to create another vault, that gives permission to all 4 people and move item 2 to it:

    Vault foo (permission: Alice and Bob)

    • Item 1

    Vault bar (permission: Charlie and Danny)

    • item 3

    Vault bar (permission: Alice, Bob, Charlie and Danny)

    • item 2

    I think it's easy to see how this gets out of hand quickly. The most logical way to think about this is how everyone has requested it: be able to have item 2 in both Foo and Bar vaults:

    Vault foo (permission: Alice and Bob)

    • Item 1
    • Item 2

    Vault bar (permission: Charlie and Danny)

    • item 3
    • item 2

    Sure we could copy item 2 to Vault Bar, but that then forks it and violates a huge benefit of 1Password -- 1 source of truth for a password. So the logical to thing for us to request is that Item 2 is NOT a copy, but actually the same item as what's in vault foo just protected with different permissions/access depending on the user and vaults they have access to

  • tmchowtmchow
    edited August 2021

    We are a company of about 75 people and surprised this does not exist yet as a feature despite this thread being 3 years old, and past requests being 4-5 years old.

    While I appreciate that this may be hard to do technically, this is an obvious need from my POV, and also evidenced by how many people have asked for it.

    We can certainly create new vaults for this but not only does that seem to unnecessarily create vaults it is more of an issue of managing the complexity of permissions to vaults.

    Consider this example:

    vault foo (access: Alice, Bob)

    • item 1
    • iem 2

    vault bar (access: Charlie, Danny)

    • item 3
    • item 4

    If Charlie and Danny need access to Item 2 along with Alice and Bob, without also sharing access to item 1, the only way to do it is to create a third vault and move item 2 to it:

    vault foo (access: Alice, Bob)

    • item 1

    vault bar (access: Charlie, Danny)

    • item 3
    • item 4

    vault car (access: Alice, Bob, Charlie, Danny)

    • Item 2

    You can see how this gets unruly quite fast.

  • ag_anaag_ana 1Password Alumni

    @tmchow:

    Thank you for the feedback as well, and for the example! I am sure our developers will find this useful, and the example you brought up is one I believe was discussed in the past :+1:

  • Linked Items by ID please please please!

  • ag_maxag_max

    Team Member

    Thanks for adding your voice to this discussion, @JamesFez.

  • It's 2021! What's the suggested flow for this? We end up having to create a new vault per person and then copy to those vaults, but the original item, if changed, will not propagate to the other vaults.

    If I'm hearing from this thread correctly, the suggested flow would be to create a vault and add users to the vault. We have a single shared vault amongst our team, but contractors and one-offs get their own Vaults so that they do not need access to the company-wide vault. Just looking for ways to streamline and secure access without it being overly obtuse.

  • ag_maxag_max

    Team Member

    @westurner

    Whenever possible, it's good practice to store credentials in a vault and share them with anybody who needs access. Using a single shared vault is a potential solution for your team members, as this will help prevent the build-up of copies across your vaults, which must be changed individually. If you cannot share the same vault with multiple users, such as the case with guests, then that leaves copying items to your separate vaults. Assigning a tag to these copied items can help you track down the copies when they need to be edited.

  • Thanks @ag_max - I'll check into tags and see if that can help us.

  • ag_anaag_ana 1Password Alumni

    Sounds good @westurner, let us know how it goes :)

  • Please add my vote to the tally. I found this thread by searching for exactly this feature. I need to share some logins/credit cards/etc. with both my work and home vaults for the same reasons other users have described above.

  • ag_maxag_max

    Team Member

    All set, @1PW_user2021, thanks for adding your voice to the request.

  • I've been struggling to find a good article online about "best practices for organizing your 1Password vaults" and now I understand better why I keep coming up empty. The reason is that you can't implement any good strategy because of the issues discussed in this thread.

    When you've got various facets to organize:

    • People
    • Work Relationships
      • Employees
      • Contractors
    • Departments
      • IT
      • Marketing
      • Sales
      • Management
    • Roles
      • Managers
      • Developers
    • Clients
    • Projects
    • etc.
      there are too many combinations and overlapping cross-sections to say access security is "per vault" (at least the way vault is currently defined).

    Could we layer access security "per subset" on top of "per vault" (i.e. a "virtual vault")? Then you could dump all the items into one vault and create restricted subsets that can come and go while leaving the vault as is.

    Examples of subsets might be:

    • Employees with Role "Manager" on Project "Foo"
    • Developers on Project "Foo" OR Developers on Project "Bar"
    • Managers in Sales OR Managers in Marketing

    Items in the vault can have a subset applied to them if desired.

    Who you are (or more specifically what facets are set on your user profile) determine what subsets you see.

    I know this might be a pipe dream. Just trying to find a hybrid solution that doesn't rock the boat too much but still allows us to make progress on this.

  • ag_anaag_ana 1Password Alumni

    @Larry Daniele:

    Could we layer access security "per subset" on top of "per vault" (i.e. a "virtual vault")? Then you could dump all the items into one vault and create restricted subsets that can come and go while leaving the vault as is.

    I think this is a nice idea. I will be happy to pass it to the developers :+1:

  • I left 1Password several years ago for Dashlane because of the ability to share individual passwords to team members. There are not a ton of those, but it is much more simple to simply share individual passwords rather than creating a vault for each set of members to share the password with. However, with Dashlane eliminating their app and going exclusively web based, I have returned to 1Password and am trying to work out a good system for organizing logins across multiple vaults. It would be pretty neat if along with permission levels for users in a vault, you could also simply assign various users to be see certain passwords within a vault. That way I could have a private vault and a shared vault with the shares within the vault a more granular level.

    That's my 2 cents worth.

  • LarsLars Junior Member

    Team Member

    Welcome to the 1Password Support Community, @jumpinjohn! Welcome back and thanks for the perspective.

    We're considering multiple paths forward to make sharing more convenient for users. Some of what makes this more difficult is the institutional debt of choices made in the past; they are not immediately or easily alterable. Beyond that, however, is our unwavering commitment to make sure this is done correctly.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file