Audit trail for Teams?

Does 1Password for Teams include an audit trail of who is accessing what password? Just an audit trail.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • john_m
    john_m
    1Password Alumni

    Hi @suchitagarwal! Welcome to our forums :chuffed:

    1Password Teams Pro accounts come with an Activity Log feature, which lets accounts owners and administrators see a list of various account activities - you can learn more about it here: https://support.1password.com/activity-log/

    I hope that helps! :+1:

  • suchitagarwal
    suchitagarwal
    Community Member

    Hi John,
    Thanks for your reply. Can I also see which user is accessing/using which password in shared vaults? Just to keep an audit log of who logged in to which shared service at what time?

  • Lars
    Lars
    1Password Alumni

    Hey @suchitagarwal - no, because the users are typically accessing passwords from within native 1Password applications, which rely upon their local cache of the data. You can't see what they access on their own device(s).

  • Nonylus
    Nonylus
    Community Member

    "no, because the users are typically accessing passwords from within native 1Password applications" Couldn't those apps report what passwords have been accessed by each user though? That would be an incredible upgrade. (In a 1Password Team environment)

  • Lars
    Lars
    1Password Alumni

    Thanks for the suggestion @Nonylus! We tend to find that the only things we truly CAN'T do concern cryptography (just like everyone else, we can't bypass the math). So we likely could do this...but it would require an entirely new set of administrative-related code that doesn't currently exist in the native apps. That's not to say you won't see such a thing, just that no mechanism for it exists as of now, and creating it isn't as simple as it might appear at first glance. I'll pass along your suggestion, though - thanks again for your interest in this! :)

  • cjcampbell
    cjcampbell
    Community Member

    I'm curious about this as well. The situation I have in mind is maintaining a "break glass" vault for business continuity scenarios. The component that may differentiate this from the original request is that I'd prefer to keep this vault stored outside the native apps (something akin to travel mode) until an authorized user "breaks the glass" to access the vault. A similar use case is maintaining a vault of credentials that are shared in the event I die or am incapacitated. Again, I don't really want to share the credentials until a specific set of criteria are met. And in both cases, I want to set off a few alarms to reduce the harm of inappropriate access.

    FYI, I have an alternative implementation strategy in mind as well in the event that you introduce an API to manage application features that are not explicitly bound to cryptography and user-based master passwords. The API feature I'd need is the ability to unlock/lock a pre-created vault (and ability to register web-hooks for audit events). From there, I could build out a custom solution to give key people just-in-time access to privileged passwords.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah, that makes sense. Thanks for taking the time to illustrate what you're looking for! :)

  • cloudycol
    cloudycol
    Community Member

    on this - currently looking to move away from Secret Server Online as it is being depricated in its current format, the ability to see what passwords have been accessed by whom and when would be a big miss.

  • Lars
    Lars
    1Password Alumni

    @cloudycol - Not quite sure I understand what you're saying here; you'd like to be able to see which users have accessed which passwords? Or you think that would be a bad idea?

  • cloudycol
    cloudycol
    Community Member

    @Lars - we would like to be able to see who has accessed which password, yes. We currently have this feature available to us within Secret Server.

  • Lars
    Lars
    1Password Alumni

    @cloudycol - thanks for the clarification, and for adding your voice to this request.

    I have to be honest, I don't know that we'll add this feature, since we're of the mind in general that once a set of passwords has been shared with a user, if they leave, the best practice is to change ALL passwords that user had access to, rather than relying on an internal mechanism to tell you which passwords the system thinks that user accessed. But I'll certainly add your voice to the group of admins who'd like to see this. :)

This discussion has been closed.