How can I share a login between vaults?

I've got a password that two groups/vaults need to have. There doesn't seem to be a way to assign a login to multiple vaults that I'm in. My IT people need this password just as much as my Creative people.


1Password Version: 6.0.1
Extension Version: 4.5.2
OS Version: 10.11.2
Sync Type: iCloud
Referrer: kb:teams-admin-access-control, kb-search:shared, kb:is-sharing-secure

Comments

  • Hi, @TylerTheHanson, and welcome to the forum! :)

    You're correct that you can't assign a single item to multiple vaults, though you can copy an item between vaults. Before I get to the second part, though, I'm curious if this item is just a one-off thing or if there are other items like this that more than one group of people need to access. Ideally, you'd have a vault containing this item (and others) that both creatives and IT people would have access to; that way you don't have to worry about keeping things in sync.

    However, if it's just this one item, and you're not too concerned with the trouble, it is possible to copy an item between vaults. In 1Password for Mac, just select the item, click the share button at the top (next to the Favorites star icon), then select the vault you'd like to copy it to, and click Copy. In 1Password for iOS, it goes the other way: at the bottom of the item, click "Move and copy...", then "Copy", then choose the vault.

    Note that copying an item to another vault creates a new item in that vault, so updates to one will not update the other. That's why the ideal situation is to have just one copy in a vault that both groups share.

    I hope that makes sense! :)

  • TylerTheHanson
    Community Member

    Aw, shucks! Yeah - I know I can copy these passwords (it happens multiple times), but it still would be a great feature request to have - I wonder if other users of 1Password for Teams would benefit from logins shared across multiple departments/vaults.

  • @TylerTheHanson, unfortunately the same cryptography behind 1Password for Teams that ensures people without access to a vault cannot read its contents also prohibits the feature you describe.

    Let's say you have a Creative vault and an IT vault. Each vault has its own key that it uses to encrypt its contents. Without that key, no one can read data in the vault or add data to the vault. The only people with the key to the Creative vault are those who've been granted access to the vault.

    So if an IT person changes this special item in the IT vault, there is no way for them or us to update a corresponding item in the Creative vault because they cannot access that vault or its key (nor can we). The only people who could do that would be those who have access to both vaults. So the only way the feature you request would be possible is if the only person making changes is someone who has access to both vaults. Otherwise the items would inevitably get out of sync.

    As you can see, it's not a feature we can feasibly implement with the current architecture since it would require a particular kind of user to keep the items in sync, and we can't rely on something like that for a solution that is supposed to be automatic. I hope that helps.

    Now, theoretically, we could implement something like this if we used more keys that were shared among vaults in clever ways, but in reality it would basically be the same as creating a third vault that both groups of people could access, just without showing it as another vault to the user. At this point, that's a level of complexity we're not comfortable attempting unless and until there is a strong demand for it.
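
A toy model of the per-vault keys described in the reply above, added here as an illustration; it is not part of the thread and not 1Password's code. The `Vault` class, the wrapping of each vault key under a member's key, and the SHA-256/HMAC stand-in cipher are all assumptions made for the example.

```python
# Added illustration, a toy model of per-vault keys; NOT 1Password's code or design.
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; stands in for a real AEAD cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key")
    return _xor_stream(key, nonce, ct)

class Vault:
    def __init__(self, name):
        self.name, self._key = name, os.urandom(32)
        self.wrapped, self.items = {}, {}      # per-member wrapped key; encrypted items

    def grant(self, user, user_key):
        # Assumption: access is granted by wrapping the vault key under a member's key.
        # (_key stays on the object only so this toy can grant access later.)
        self.wrapped[user] = seal(user_key, self._key)

    def _vault_key(self, user, user_key):
        if user not in self.wrapped:
            raise PermissionError(f"{user} holds no key for vault {self.name}")
        return unseal(user_key, self.wrapped[user])

    def write(self, user, user_key, title, secret):
        self.items[title] = seal(self._vault_key(user, user_key), secret.encode())

    def read(self, user, user_key, title):
        return unseal(self._vault_key(user, user_key), self.items[title]).decode()

def copy_item(user, user_key, src, dst, title):
    # Decrypt with the source vault key, re-encrypt under the destination vault key:
    # the caller needs both keys, and the copy is an independent item from then on.
    dst.write(user, user_key, title, src.read(user, user_key, title))
```

With a member of both vaults, `copy_item` succeeds, but a later `write` to the IT vault by an IT-only member leaves the Creative copy unchanged, and that member's attempt to `write` to the Creative vault raises `PermissionError`. Granting both groups access to one shared `Vault` removes the drift.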

  • TylerTheHanson
    Community Member

    Thank you for your response, Rob. I really appreciate the transparency. I will just attempt to make copies that are up-to-date in the meantime. Perhaps in the future, there will be shared vault passwords, though I do (somewhat) understand the complexity of programming such an undertaking.

    Thank you so much!!

  • Happy to help, @TylerTheHanson! I understand the frustration of a workflow like that, and as you said, maybe we'll be able to solve this problem more elegantly in the future. :)

    Let us know if we can help with anything else!

This discussion has been closed.