Bug: Admin is not able to create Vaults

Today an Admin tried to create a Vault but wasn't able to. After I put him in the Recovery Group it works.

Afaik Admin Role should be enough.


Comments

  • markAG
    1Password Alumni

    Hi random_31731ec7aea.

    Thanks for reaching out, I hope you are enjoying the 1Password for Teams beta.

    You are correct, an Admin can create new vaults. A good resource for finding out permission levels is: https://support.1password.com/teams-admin-getting-started/

    In order to resolve an issue like this, we would need a little more detail around the exact issue the admin was having when they attempted to create a vault. e.g. Was the '+' symbol missing from the user's Admin Console, or the Admin Console missing altogether?

    Sometimes having the user sign out of the 1Password for Teams web site and back in will resolve an issue like this.

    We look forward to helping out further with this issue, if you are able to share some specifics.

    We welcome your feedback during this beta, as it's users like yourself that help us improve 1Password for Teams.

    Thanks & Regards,
    Mark

    ==========
    QA Wrangler,
    AgileBits, Inc.

  • random_31731ec7aea

    Hi @markaeaton,

    I read through all the documentation (incl. the white paper) in the beginning. As far as I remember, admins are allowed to create Vaults. Recovery is done by public key encryption, so there is no need for an Admin to be in Recovery to create a Vault, at least as I understood the design.

    The Admin user was able to open the dialog and put in the name of the Vault, and after he committed, an error message in red was displayed. I will try to reproduce it and will get more detail (error message / screenshot). I will send the details to the support mail address so I can also give the team name and so on.

    Re-login didn't work either. Just after I added him to Recovery too, he was able to create the Vault without login.

    Random

  • markAG
    1Password Alumni

    Hi random.

    Thanks for getting back to us, and thanks for the additional details. It's great to hear that our team's documentation is being put to good use.

    Having the exact error message, screenshots and the team name would be super helpful in getting to the bottom of this. The support email address is a good place to send this; mention me in your email so that I can follow up directly. I'd also be curious to know if the Admin user is able to create vaults after you remove them from Recovery.

    Thanks again for the feedback and for taking the time to get back to us.

    Mark

    ==========
    QA Wrangler,
    AgileBits, Inc.

  • random_31731ec7aea

    Hi @markaeaton,

    I can't reproduce the error right now.
    If it appears again I will come back to you. Maybe it was just a temporary beta bug :-D

    Random

  • markAG
    1Password Alumni

    Hi Random.

    Glad it's resolved, sorry for the inconvenience. Thanks for the update and please keep the feedback coming!

    Mark

    ==========
    QA Wrangler,
    AgileBits, Inc.

  • AGAlumB
    1Password Alumni

    @random_31731ec7aea: I'll also add that I've seen some weird issues that seemed to be related to caching, since they were solved by resetting or simply opening an Incognito window. Definitely give that a try if it happens again (after capturing any relevant information, of course)! :)

  • phindmarsh
    Community Member

    I've managed to reproduce this myself; the error message displayed is "Failed to create vault. Cannot handle request."

    I am a member of the admin and owner groups, and I've tried toggling membership to these groups to no avail. It appears that the request to get the public key for the group fails with HTTP status 434. I'll send a screenshot of the Chrome console to the support email address with a more complete trace.

    It appears the original team owner is able to create vaults with no issue, but we have no other users on our team yet, so I'm unable to tell if the issue is isolated to my account or not.

  • @phindmarsh Thanks for sending over that email. We'll keep the conversation going there for now. :)

    ref: LLN-84997-747

  • phindmarsh
    Community Member

    To follow up, a workaround is to put the user into the recovery group.

  • Good to know. :+1:

  • random_31731ec7aea

    @phindmarsh

    And you can even remove "recovery group" afterwards and then it still works. At least that works for us.

  • Thanks for following up on this, @random_31731ec7aea.

    In theory the Admin should not need to be part of the Recovery group, so we definitely have a bug there somewhere. We'll need to look into this.

    In other news, we've had a lot of discussions with users who found the distinction between the Owner, Admin, and Recovery roles hard to understand. We plan on simplifying things by having Owners and Admins automatically be part of the Recovery Group by default. This will make things much easier for the majority of users and will sidestep this bug nicely :)

    Of course, we'll still need to fix this bug at some point, however, as we'd like to make the permissions available to these roles customizable.

  • random_31731ec7aea

    @dteare

    Oh no :-( don't remove the Recovery Group :-( it is really important for segregation of duties.
    It is great that you don't give admin the full power, especially given how your recovery mechanism works.
    That's where we come to a Professional view (GUI), because it is a bad thing to lose an important feature because people don't read documentation.

  • AGAlumB
    1Password Alumni

    @random_31731ec7aea: Agreed. But it's also pretty bad to have a feature that most people don't use...and even worse when people lose access to their data as a result. If you have any suggestions, I'd love to hear them.

    Let's play a game. I know you really don't want the Recovery Group to go away, but pretend that it already has, and that Owner and Admin users are part of the de facto, but defunct, "Recovery Group" now. What obstacles do you anticipate, and how might we be able to accommodate your use?

This discussion has been closed.