Feature request: 1Password Teams app that disables export feature

DariusR
Community Member
edited November 2017 in Business and Teams

We have administrators and then we have a LOT of entry level staff.

It would be amazing if we could offer entry level staff access to the 1Password desktop app without giving them the ability to Export/Copy every password/vault we share with them, particularly because we will have no record that they have done so.

If this isn't easy to implement, maybe the solution is rolling out some kind of tracking of what's done in the desktop apps? If an employee exports everything in the desktop app, we should really be able to see that it happened in the logs.

Our current fix is to give people web only access, but we discovered the problem with that a few weeks ago when your website was dropping on and offline.

Thank you

(Please let me know if Feature Requests should be getting posted somewhere else)


1Password Version: all versions
Extension Version: all versions
OS Version: Windows and OSX
Sync Type: Not Provided

Comments

  • @dariusR,

    You should be able to do this already using the current apps and the "export" permission for the vaults you've given your team members access to. This is configurable in the 1Password.com interface.

    Rudy

  • Rudy's right, but it's worth mentioning that this feature requires the Pro plan of 1Password Teams. This may be why you're not seeing it in the list of permissions. The Pro plan includes more fine-grained access control.

    Rick

  • DariusR
    Community Member

    Thanks for pointing this out. I didn't make the connection.

  • DariusR
    Community Member

    @rickfillion @rudy

    The feature request in this case would instead be:

    Add a trigger event that logs exports from an app by users.
    This is not currently tracked in the Activity Log nor is it a 'sort by' option in 'Filter by type'.

  • @DariusR: I assume what you're really trying to get a feel for here is "what passwords should I consider updating after person X leaves." If the real intention is to just stop them from being able to export, we can do that. So then it becomes "if they take the contents of the vault and export it, what damage could they do?" Export is definitely the easiest way to walk out with the contents of the vault. But it's not the only way. Once you've given someone access to the vault, they can do all sorts of things. Maybe you've removed their access to export the vault, but they may still be able to simply copy the password. And so they could literally copy each password out.

    When we look at it this way, we see that the important part is simply that the user can be considered as having that password. Regardless of how they got to it.

    There's a beta feature in the Pro plan of 1Password Teams that allows for creating a report on a user. Part of this report is item usage, where we define usage as "having seen or made use of the password." And so if a user exported a whole vault, there would be an item usage record for each item in the vault. When reporting on the user, it would tell you that all of those items have had their password "seen" by the user. If the user was to leave the company, you should rotate all of those passwords.

    There are a lot more reports that we want to bring. This is the first in what will hopefully be a long list of them.

    Rick

  • DariusR
    Community Member

    @rickfillion that fills in all of the blanks for me. Thank you for this explanation! I'm excited to try this reporting out.

    Ultimately with employees we have implied trust, not implicit, so knowing if they make the attempt carries huge significance in doing audits and risk assessments. It forms how and to what to respond.

    What you just described makes this possible.

    Is that beta feature for item reports only available to Owners by chance? I set up this account with the company owners as global admins and me as an administrator and I can't seem to find it.

  • @DariusR: did you enable the beta features under Settings? If so it should be available to anyone who has the ability to see a Person Details page and has the "View Admin Console" permission, as a button available under the person's name.

    Rick

  • DariusR
    Community Member

    Found it under "Manage" button finally. Not the most intuitive spot. It didn't even occur to me until recently that I simply wasn't finding this beta feature. I figured all of the 'features' were in the obvious and easy to find spots, as most stuff is in this platform. I would have assumed that this report would be somewhere under the 'Activity Log' admin console menu.

    This is a great feature! Excited to see how it develops :)

    Question: Does this show Team Member activities in ALL vaults or only vaults that I've delegated? It appears to not show usage of Private vaults.

    This tangentially makes me wonder: If a Team Member makes a Vault that they don't share access to, or share access but not management of, what happens when that user is deleted? Is the vault inherited or does it disappear forever?

    I would throw in a couple feature requests for this:
    - Let us generate a report on ourselves. I was a bit sad to see the menu option missing when I clicked my name.
    - Have this report give some indication, without unnecessary disclosure, how and if the Team Member is using their private vault. IE: Are entries being saved in it, updated, used. How many entries are stored, etc.
    - Add something to indicate the number of passwords that are not very secure, are repeating themselves across entries, etc. in their personal vault. This would help us coach individual users on how to more effectively train individual users that aren't using 1Password Teams to its full potential.

    Thank you
    Darius

  • AGAlumB
    1Password Alumni
    edited November 2017

    Found it under "Manage" button finally. Not the most intuitive spot. It didn't even occur to me until recently that I simply wasn't finding this beta feature. I figured all of the 'features' were in the obvious and easy to find spots, as most stuff is in this platform. I would have assumed that this report would be somewhere under the 'Activity Log' admin console menu.

    @DariusR: Sorry about that! We do try to bury some things that are more advanced to avoid "oops" moments. :)

    Question: Does this show Team Member activities in ALL vaults or only vaults that I've delegated? It appears to not show usage of Private vaults.

    It's only going to work for shared vaults. Private vaults are truly private; you won't have access to anyone's but your own. So, similarly, since you can't share a Private vault with someone, logging access to data doesn't make sense anyway.

    This tangentially makes me wonder: If a Team Member makes a Vault that they don't share access to, or share access but not management of, what happens when that user is deleted? Is the vault inherited or does it disappear forever?

    Their Private vault is deleted with their account, but any user vaults could be reassigned by an admin.

    I would throw in a couple feature requests for this:
    - Let us generate a report on ourselves. I was a bit sad to see the menu option missing when I clicked my name.
    - Have this report give some indication, without unnecessary disclosure, how and if the Team Member is using their private vault. IE: Are entries being saved in it, updated, used. How many entries are stored, etc.
    - Add something to indicate the number of passwords that are not very secure, are repeating themselves across entries, etc. in their personal vault. This would help us coach individual users on how to more effectively train individual users that aren't using 1Password Teams to its full potential.

    I'm not sure all of that is feasible, but they're interesting ideas. Thanks for the suggestions! :)

    ref: b5-3490

  • This tangentially makes me wonder: If a Team Member makes a Vault that they don't share access to, or share access but not management of, what happens when that user is deleted? Is the vault inherited or does it disappear forever?

    It's impossible for a Team Member to create a vault without giving the Owners group Manage access to that vault. And so the vault will never be marooned. The user can be deleted and if the Owners want to give someone else access to that vault, they can do so.

    Let us generate a report on ourselves. I was a bit sad to see the menu option missing when I clicked my name.

    I didn't realize that we didn't allow this until this week. I want to see this fixed too.

    Have this report give some indication, without unnecessary disclosure, how and if the Team Member is using their private vault. IE: Are entries being saved in it, updated, used. How many entries are stored, etc.

    Our first implementation of this feature had this kind of information, but we removed it. We want to provide owners and admins the ability to see that kind of information somehow.

    Add something to indicate the number of passwords that are not very secure, are repeating themselves across entries, etc. in their personal vault. This would help us coach individual users on how to more effectively train individual users that aren't using 1Password Teams to its full potential.

    This one is trickier. It's something we'd love to do though. :)

    Rick

  • DariusR
    Community Member

    It's impossible for a Team Member to create a vault without giving the Owners group Manage access to that vault. And so the vault will never be marooned. The user can be deleted and if the Owners want to give someone else access to that vault, they can do so.

    Amazing. This is much more simple and effective than I understood it to be.

    I didn't realize that we didn't allow this until this week. I want to see this fixed too.

    Glad I finally found that hidden menu entry so I could offer the feedback ;)

    Our first implementation of this feature had this kind of information, but we removed it. We want to provide owners and admins the ability to see that kind of information somehow.

    Happy just knowing it's already been a consideration and is in the pipeline somewhere. Thank you.

    This one is trickier. It's something we'd love to do though. :)

    Again, only a feature that's potentially relevant to Teams. I can imagine some of the hurdles and risks given that the necessary focus of the platform is encryption and security over excessive functionality.

  • Awesome. Thanks. :)

    Rick

This discussion has been closed.