Few questions about Teams

Hi
I have a few questions:

  • Right now the passwords are stored on your servers and I read somewhere you are HIPAA compliant, still I was wondering if there will be a version that allows me to keep everything internally. We're a hosting company in Europe and can't store data in the US. Preferably we would want to run a 1Password Server in our own datacenter.
  • Do I understand correctly that there are three types of passwords? The ones you share with everyone in the team, the ones that are only for a team member but still work related and the ones that are private to the team member for personal use. Number 1 and 2 can be recovered by the Team admin, number three can never be recovered by anyone else then the user.
  • Are all three passwords in different vaults in different locations?
  • Can a team member "easily" copy / export all passwords from the "everyone" vault to his private vault? How can I prevent this? (I do understand that I can't prevent copy/pasting every item).
  • When the user leaves the company, can I lock access to the "everyone" vault and the "user" vault? Can there be a time limit on these vaults that make the user have to check in every x days, to prevent the vaults from locking? Is the user still able to export his "private" vault to his own 1Password? How long before his own 1Password app stops working because of licensing?
  • Is there an audit log to see who accessed which passwords?
  • Is there a way to approve passwords by an admin? In our current tool we often have passwords that aren't complete. For example customer domain name is missing, IP address of device is missing, etc. I would like to have team members store passwords in an "inbox" to make sure they at least got written down, then have an admin approve the password for correctness.

Well, that was more than a few questions :-)

Gabrie


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Gabrie,

    I can try to answer these for you...

    Right now the passwords are stored on your servers and I read somewhere you are HIPAA compliant, still I was wondering if there will be a version that allows me to keep everything internally. We're a hosting company in Europe and can't store data in the US. Preferably we would want to run a 1Password Server in our own datacenter.

    I don't know the specifics about HIPAA, so I can't say whether or not we're compliant. We haven't closed the door to the idea of self-hosted versions of the Teams server. During the beta phase that won't be available as we want to have the flexibility to do changes quickly without having to worry about who's all running what versions. Once we're out of beta this will be something we'll be able to look into more seriously.

    Do I understand correctly that there are three types of passwords? The ones you share with everyone in the team, the ones that are only for a team member but still work related and the ones that are private to the team member for personal use. Number 1 and 2 can be recovered by the Team admin, number three can never be recovered by anyone else then the user.

    Not quite. Everyone should consider any data they put into Teams as belonging to the company/team that owns the account. Admins/Owners can recover the contents of any vault on Teams. I don't put my personal twitter account in any of our Agilebits Teams vaults for example. The "Your Vault" vaults in Teams can only be recovered if the company can also take over your email account, but that's something just about every company can do.

    If someone is looking to store data in 1Password in such a way that the Team admins can't get access to it, then we recommend that they either create their own Team so that they're their own admin, or that they enable "Personal Vaults", which are not tied to Teams at all. "Personal Vaults" are what we're calling vaults as 1Password users have known for years : decentralized, sync it if/how you want.

    Are all three passwords in different vaults in different locations?

    I'm not sure what you mean by this, given the answer to the previous question.

    Can a team member "easily" copy / export all passwords from the "everyone" vault to his private vault? How can I prevent this? (I do understand that I can't prevent copy/pasting every item).

    The "Everyone" vault is a bit of a free for all vault. Everyone has read/write access to it, and we don't allow changing the access controls for it. If you're looking to limit this, then you should create a new Vault, and in that vault you can limit users' access to the "Export"/"Send" options. This would stop them from being able to copy that item to another vault or do any kind of bulk export operations. We use that option a lot here to make sure someone doesn't copy items over to another vault.

    When the user leaves the company, can I lock access to the "everyone" vault and the "user" vault? Can there be a time limit on these vaults that make the user have to check in every x days, to prevent the vaults from locking? Is the user still able to export his "private" vault to his own 1Password? How long before his own 1Password app stops working because of licensing?

    When a user leaves the company, you should start by Suspending the user account right away. The next time his devices are online they'll lock the user out of the vaults associated with your Team. You can then Delete the user account, and the client apps will delete all data associated with your Team as soon as they get the notification.

    Until you've suspended or deleted the user, they'll still have access to their vaults, and will be able to export data (assuming they have that access) to other vaults. Once suspended or deleted, the user will lose access to that data.

    There's currently no mechanism that forces users to check in every x days. It's something we'd like to have implemented though. It'd be defined at a Team level so that an admin could say "devices need to check in every X days." If a device hasn't checked in and X days elapses, then the device would treat it as a suspended account and stop the user from accessing any of the data (but not actually delete it).

    Once a user is no longer a Teams user, they'll need a standard 1Password license. As it's currently implemented, they'd likely immediately fall into the "Trial Expired" mode which would stop the user from adding or editing data, but will not stop the user from viewing or exporting their non-Teams data. The data is theirs, and we don't want to lock them out of it. I specifically mentioned "As it's currently implemented" because I'd like us to do better here and offer a proper trial after the Teams account is removed. It's on my very long todo list.

    Is there an audit log to see who accessed which passwords?

    1Password for Teams keeps audit information about who added/edited items, vaults, changed access controls etc... This audit information isn't yet accessible via the Admin console, but should be eventually. The 1Password apps themselves keep track of when passwords were last accessed. We don't yet sync this information back up to the server, but that's something we'd like to add.

    Is there a way to approve passwords by an admin? In our current tool we often have passwords that aren't complete. For example customer domain name is missing, IP address of device is missing, etc. I would like to have team members store passwords in an "inbox" to make sure they at least got written down, then have an admin approve the password for correctness.

    That's interesting. You could create an "Inbox" vault where anyone could create/edit items, then have a "Company Passwords" vault where nobody but admins had Create access. This way team members would only be able to create or move items into the Inbox vault. Then an admin could make sure it's complete and move it into the "Company Passwords" vault. Would that do the trick?

    I hope this answers your questions. Let me know if you have any others.

    Rick

  • Gabrie
    Gabrie
    Community Member

    Thank you for the excellent answers !!!

  • :+1:

    I enjoyed Rick's answers, too :)

This discussion has been closed.