Basic Audit Logs for Teams (not Business)
We've just started evaluating 1Password Teams in our organization, as many employees already happily use 1Password with individual subscriptions or stand-alone licenses. However, we've run into one issue: there seems to be no logging or other accountability (e.g. notifications) for Admins and Owners in Teams without buying the (rather expensive) Business package.
Specifically, we need a way to know when changes are made (by a member of the Admin/Owner groups) to a shared vault. For example, if an Admin (temporarily) adds themselves or someone else to a shared vault, grabs all the passwords, then removes the person again, nobody will ever know. We're a fairly small organization, but we still need to be able to limit who has access to certain passwords.
We'd also like reliable logging for account recovery; however, this is less critical, as we still have the added security (from how I understand the process) of the recovered account needing to access their email, as well as notifications to all admins/owners about the pending recovery.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @tinydragon,
It'd be nice if we made some of the more basic stuff available to 1Password Teams so that you could do those things. For the time being you're right that to know those things you would need 1Password Business.
We'd also like reliable logging for account recovery; however, this is less critical, as we still have the added security (from how I understand the process) of the recovered account needing to access their email, as well as notifications to all admins/owners about the pending recovery.
You're right... there are email notifications that go out. You'll also get a live feed of the events if you enable the Slack app, if that's your cup of tea. The Slack app gives you more information than you would otherwise get because it actually tells you who confirmed the recovered user.
Rick
-
You're right... there are email notifications that go out. You'll also get a live feed of the events if you enable the Slack app, if that's your cup of tea. The Slack app gives you more information than you would otherwise get because it actually tells you who confirmed the recovered user.
Yep, being able to use that would be awesome. Unfortunately, we can't post employees' PII into Slack, so it's not an option. Just being able to officially use 1Password Teams at all took a long time to get approved :'(
Anyway, thanks for your response; it would be great if you'd consider making some kind of logging available to everyone on 1Password Teams. I would argue that every organization, even the smallest, urgently needs this functionality, particularly for those actions that have huge security implications but may go undiscovered, such as temporarily granting someone access to a shared vault:
- Imagine the two part time sysadmins in a small organization using a shared vault for important IT infrastructure passwords. You'll definitely want someone else as an additional Owner, just in case the two sysadmins happen to be abducted by aliens on their way to lunch. But now that additional Owner can also grab all shared IT passwords without anyone noticing.
- You might not even want any overlap between IT staff and Admins/Owners at all because you don't want the people with email server admin access to be the same people being able to recover accounts. However, that means IT can no longer use shared vaults for critical passwords because additional Admin/Owners can temporarily give themselves access.
- Or a small web development shop where three people need to use passwords to access a client's infrastructure. They are contractually obliged to safeguard those passwords, and no other staff may access the passwords. So they put them into 1Password Teams and use a shared vault, because the customer forces them to rotate the passwords every few weeks. Unfortunately, all the Admin/Owner group members now technically have access to that shared vault, so they can no longer fulfil their contractual obligations to their client.
The issue isn't so much preventing any of the above from happening (through fancy custom permissions etc.), but knowing when it did happen, and being able to take appropriate action like rotating passwords.
-
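As an added example (not code from this thread or from 1Password), here is what the check tinydragon is asking for could look like once such a log exists. It runs over a constructed, hypothetical audit-event format: 1Password Teams exposes no such log, and the field layout (timestamp, actor, action, vault, target) is an assumption chosen to show the minimum a log would need to carry. It flags the two patterns described above: an Admin/Owner granting themselves access to a shared vault, and any grant that is revoked again within a short window.

```python
"""Detector for "temporary vault grant" patterns over a hypothetical audit log.

Added example, not 1Password code. The event schema below is an assumption:
one event per line, whitespace-separated as
    <ISO-8601 UTC timestamp> <actor> <action> <vault> <target>
where action is grant_access or revoke_access.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log (hypothetical format, not real 1Password output).
SAMPLE_LOG = """\
2019-03-04T09:00:12Z alice grant_access  it-infra    alice
2019-03-04T09:01:40Z alice revoke_access it-infra    alice
2019-03-04T10:15:00Z bob   grant_access  client-acme carol
2019-03-05T08:30:00Z alice grant_access  it-infra    dave
2019-03-06T11:00:00Z bob   revoke_access client-acme carol
"""

# A grant that lives shorter than this is treated as a "grab and revoke".
SHORT_WINDOW = timedelta(hours=1)


class Event(NamedTuple):
    ts: datetime
    actor: str
    action: str
    vault: str
    target: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed line format into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, vault, target = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            actor, action, vault, target))
    return events


def find_suspicious_grants(events: List[Event],
                           window: timedelta = SHORT_WINDOW) -> List[Tuple]:
    """Return findings as tuples, in chronological order of detection.

    ("self_grant", actor, vault, ts)            actor added themselves to vault
    ("short_lived_grant", target, vault, age)   grant revoked again within `window`
    """
    findings: List[Tuple] = []
    open_grants = {}  # (vault, target) -> the grant event still in effect
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.vault, ev.target)
        if ev.action == "grant_access":
            if ev.actor == ev.target:
                findings.append(("self_grant", ev.actor, ev.vault, ev.ts))
            open_grants[key] = ev
        elif ev.action == "revoke_access":
            grant = open_grants.pop(key, None)
            if grant is not None and ev.ts - grant.ts <= window:
                findings.append(("short_lived_grant", ev.target, ev.vault, ev.ts - grant.ts))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_grants(parse_events(SAMPLE_LOG)):
        print(*finding)
```

On the sample above, alice's self-grant to `it-infra` produces both findings (a self-grant, then a grant that lived 88 seconds), carol's two-day access to `client-acme` produces none, and dave's grant is simply left open. Whatever form an eventual Teams log takes, the point of the check is the same as in the post: not to block the grant, but to make it visible so passwords can be rotated.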
I think you’ve made some excellent points, @tinydragon. Certainly gives us a number of things to think about. :)
Ben
-
Any news on that? We're still not feeling too comfortable without knowing who was (temporarily) granted access to a shared vault. A basic audit log and/or notification to team owners/admins (and perhaps vault members with "manage" permissions) would help a lot.
-
I’m not aware of any definite plans at this point, but I would strongly recommend reaching out to our business team to discuss your needs with them (business@1password.com). They may have a better idea.
Ben