How to manage 100+ customer credentials with a team of 15 on a "need to know" basis ?

We're a digital consulting company that builds and maintains web apps, mobile apps, servers, and websites for our clients. We typically work on 10-20 projects at a time, with a very large backlog of past projects in "maintenance mode" that we also need to support.

We'd like to follow the "need to know" style of security and only give specific employees access to projects they directly work on. So maybe 2-3 employees on a given project out of the total 15 of us.

I'm struggling to figure out how to accomplish this with 1Password Teams or Business...

It seems like the only way to control permissions is at the VAULT level, does that mean we would need to create separate vaults for all 100+ (and growing) of our clients? And then assign the 2-3 people to each vault? Each client really only needs 1 or 2 entires (usually a "server" and a "login" or two) so each vault would be quite sparse doing it this way, but I can't see another way to do it?

Summary:
1. Lots of customers/clients (100+ and growing)
2. Each customer/client normally has 1-3 entries in 1Password (a server, and a few logins to their website, sendgrid, etc)
3. We'd like to only give access permission to the 2-3 people that "need to know" (directly working on the project for that customer/client)
4. We'd like to not go insane managing all of this, although it might be too late for that ;)

Do you guys have any recommendations on how to accomplish our goals inside 1Password?

Thanks!


1Password Version: 6.8.8
Extension Version: Not Provided
OS Version: OSX 10.12.6
Sync Type: Dropbox

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ksouthworth: Indeed, you'd need to create a vault for each client. I know that sounds daunting, but it doesn't take long to do that and it only needs to be done once for each client. And, perhaps more importantly, that ensures that things are truly kept on a "need-to-know basis" cryptographically. This is not enforced merely by permissions. People who are not granted access to a vault simply will not have the keys to it at all, and, by extension, it won't even show up in their account. They won't know it exists unless they have access to it. For example, there are untold numbers of company vaults here at AgileBits that I've never even heard of!

    But as far as the "not go insane managing" part, maybe SCIM can help. The best thing to do would be to reach out to our business team at business@1password.com so they can work with you to find the best solution for your company. :)

  • Bjdavis22
    Bjdavis22
    Community Member

    Fourth place this has been requested. This work around is rough. Essentially, you are saying that a new vault has to be made for each shared login, right?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Bjdavis22: Please see my reply to you here, and let's continue the conversation in a single place to avoid confusion, and slowing down response times for everyone else.

This discussion has been closed.