Can't add myself to a Team vault
Our Team has multiple Vaults and many Admin users.
If I'm not added to a Vault, I can see it, and I can add other users, but I don't show up in the list to add myself.
Probably a use-case you didn't think of yet, but we want to give people access to many Vaults, but only when they need it. For example, we start an internal project that only 2 people are on. Later I want to join the project and add myself, but I currently cannot.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:vault
Comments
-
Hey @danielmorrison! Sorry for the confusion. We just introduced a few new concepts in Groups, and they need a bit of explanation. So here it goes.
When you're managing a team member's access to a group, you can make them either a Member or Manager of that group. If they're a Member, they have access to any vaults that the group has access to as a whole. If they're a Manager, they can change who is in the group, and they are also a member of the group. A Manager in the administrators group is able to add and remove users from the Team, create and archive vaults, and edit the permissions of other team members. That last one includes yourself, so you'd be able to effectively add or remove yourself from a vault.
If I'm not added to a Vault, I can see it, and I can add other users, but I don't show up in the list to add myself.
I just tested this, and I wasn't able to reproduce that exact result. I may be doing things a bit differently, though. If I am, just let me know what you'd like me to test. So, I found that if I created a vault and had the "Let administrators manage this vault" box checked, they would be added to it automatically as managers (it shows up in the Vaults tab of the Admin Console) but it wouldn't show up in their list of vaults. That's probably what you're looking for.
I then switched to my other user who was an admin and added myself to the vault by clicking the Manage Access button under the People section of the vault's page in the Admin Console.
So my question is, are you creating the vault, or is someone else? And are you checking that "Let administrators manage this vault" box during creation? That'll give us a better idea of what's happening. :) Thanks so much!
0 -
@penderworth, I have the same question as Daniel. Your steps describing what you did are the same thing I am seeing, but I think what both Daniel and I are wondering about is this aspect you mention:
I then switched to my other user who was an admin and added myself to the vault by clicking the Manage Access button under the People section of the vault's page in the Admin Console.
Why did you need to switch users? If I'm an administrator of a vault through my group membership, why can't I add myself directly to the vault? Another administrator can add me (as you illustrate), and I can add other users to the vault, but I can't add myself.
0 -
@scottsb As I mentioned in my post, we're not sure why that would be, but we can investigate:
So my question is, are you creating the vault, or is someone else? And are you checking that "Let administrators manage this vault" box during creation? That'll give us a better idea of what's happening.
If you could let me know those details in your case, I'll look into what's going on. :)
0 -
@penderworth: The situation only arises when somebody else has created the vault. If I create the vault, I'm added automatically.
We first experienced this with some vaults we created before the checkbox you mention was added to the interface. However, in testing yesterday, we continued to have the issue when vaults were created with that checkbox checked.
0 -
@scottsb Thanks for clarifying. To answer your question about why I needed to switch users, it was because I wanted to see if other admins on the account were automatically added to the vault as I expected them to be. They were indeed. That box specifically means that administrators given the capability to add themselves to the vault (they gain access to it), but not that it will display for them automatically. They actually need to go in and add themselves, or the person who creates the vault needs to do that in the People section as I mentioned. We could probably do better with the wording on that checkbox. Let me know if that's what's a bit confusing for you as well.
0 -
@penderworth: but this isn't possible:
They actually need to go in and add themselves.
When I'm logged in and looking at a vault that I didn't create, my own name is not in the list. I can add any other user, and other users with management rights can add me, but I can't add myself.
The real world situation is that the company leadership (who are members of the "owners" and "admins" groups) needs to be able to grant themselves access to any team vaults that are created. Right now any leader can add any other leader, but he/she can't add his/herself since his/her own name isn't an option in the "people" menu on the vault.
Hypothetical example:
- The account has two admin users Amy & Andy and one regular user Roger.
- Amy creates a vault FooBar (checking the "let admins manage this vault" box).
- Amy is automatically added to the vault as an individual user.
- If Amy opens the people menu, she can only see Andy & Roger as options.
- If Andy opens the people menu, he can only see Amy & Roger as options. Because Andy's own name doesn't appear, he can't add himself to the vault. If Amy weren't available to add him, there would be no way to add himself †.
† Technically, he could grant "view" rights to the full admin group to access the contents, but that may not be desirable and shouldn't be needed, as he should be able to add just himself with view rights.
0 -
Hi @scottsb,
You are right. At the moment, the person cannot manage their own access to a vault.
When we designed this we wanted to prevent an Admin from easily gaining access to all shared vaults in the team. The idea was that the Admins should be able to manage the access for other people but it does not mean that they should have unlimited access themselves. The Admins already have a lot of power we tried to add a (small) barrier to prevent the abuse of it. We also had a team that wanted to have a vault with financial information that is not accessible to Admins and Owners.
Now, it would be possible for Admins with manage-only permissions to work around this restriction. They could do that by changing the group permissions or by creating a new Admin user. This change will be recorded in the activity log and can be audited later but there is not much we can do about it.
At this point, we are still in beta and we could take the implementation in either direction. We could either relax the restrictions and allow every Admin quick access to any vault or we could tighten it up further and make it more difficult for individual Admins to grant themselves access.
0 -
Thanks for the feedback. I would argue pretty strongly that the current situation is the worst possible state: since there are trivial workarounds for an admin to get access to a vault without any one else's involvement, it is only security theater (and a usability barrier) that they can't grant themselves access directly. One of the things I appreciate about 1PW is that you guys avoid security theater in general, so I definitely hope you move away from the current implementation.
Between the two alternatives you mention for a final release, it seems that if you have admin rights to a vault, by definition you should be able to administer it fully. If you grant yourself access to the vault, that can be recorded to the audit log. In the case where a vault is so sensitive that admins shouldn't have access, you already have the interface in place: the vault creator would just not grant admins any rights to the vault when creating by leaving the checkbox unchecked.
0 -
I wanted to second the need for this. If the original owner of the vault leaves your company, you have to jump through hoops to give yourself access. It doesn't make sense that as an admin i can grant access to every person at my company except myself. I can still gain access, but i have to now create an admin only account, grant access to it from my account, then go into the admin account to give my account access. It's an unnecessary and painful step to have to do.
0 -
Thanks to everyone who added clarification to this. I came back to check because I was trying to add myself to a team vault and couldn't.
Since am an Administrator and have Manage permissions on the Vault, it doesn't make sense that I can't add myself.
Hope you can add a fix for this, as it is very confusing.
0 -
@danielmorrison Thanks! We'll do our best to improve this. :)
ref: B5-974
0
