Change request: Company access to Private vault

BobW
BobW
Community Member

1Password docs suggest that users only put "private" items in their Private vaults, and all company items in a shared vault. This makes sense, except that in a business setting, everything is ultimately a company item (which Agile seems to recognize, as evidenced by the repeated suggestion that people keep non-company personal items in an attached Family account).

In the event that someone leaves a company unexpectedly, the company is likely going to want access to whatever's in the Private vault without going through complicated recovery processes with many sites/services, which isn't even possible with some third-party services. The only solution is to take over the person's e-mail account and do a 1P account recovery. This works, but it's tedious, and we have to be careful we don't accidentally remove the account before we recover it, since removing an account kills its Private vault. It also can get messy in those cases where we decide to forward the former employee's e-mail to another employee, which is a frequent occurrence.

Thus, my request: make sure the team admin can access all data in the 1P account. In the case of Private vaults, this could mean auto-sharing them, making them accessible through some admin feature, or just letting the admin disable them altogether at the team level.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @BobW: Thanks for reaching out. I’m sorry for the confusion!

    1Password docs suggest that users only put "private" items in their Private vaults, and all company items in a shared vault. This makes sense, except that in a business setting, everything is ultimately a company item (which Agile seems to recognize, as evidenced by the repeated suggestion that people keep non-company personal items in an attached Family account).

    That isn't quite right. The documentation I am looking at here doesn't say anything like that:

    and

    But if there's some other documentation you're reading that says something more like that you're describing, please let me know so we can clarify the wording.

    Suffice to say, it's definitely not recommended to keep non-company stuff in a company account, since you could be removed and lose access to that account.

    In the event that someone leaves a company unexpectedly, the company is likely going to want access to whatever's in the Private vault without going through complicated recovery processes with many sites/services, which isn't even possible with some third-party services. The only solution is to take over the person's e-mail account and do a 1P account recovery. This works, but it's tedious, and we have to be careful we don't accidentally remove the account before we recover it, since removing an account kills its Private vault. It also can get messy in those cases where we decide to forward the former employee's e-mail to another employee, which is a frequent occurrence.

    That's a really good point. I'm not sure what the solution is, since 1Password is setup this way for good reason. But perhaps we can figure out something that might help in the future, without causing other problems.

    Thus, my request: make sure the team admin can access all data in the 1P account. In the case of Private vaults, this could mean auto-sharing them, making them accessible through some admin feature, or just letting the admin disable them altogether at the team level.

    It's not something that's possible by design in 1Password, since only the user has the keys to decrypt the data in the vault (hence the need to "take over" the account by doing a recovery in your example), but I do agree that it is a problem worth solving, if it can be done in a good way. Thank you for bringing this up!

  • adamjb
    adamjb
    Community Member
    edited January 2020

    As a business owner trialing 1Password for Business, this is an issue for me as well.

    I need access to an employee's Private vault if I fire them, or some way of forcing all logins to be saved in a shared vault.

    There shouldn't be any privacy concerns, as my employees understand that the 1Password Business plan is for business logins only. They can use the included 1Password Family plan to store personal items.

  • Hi @adamjb

    In the case of employee termination, if you'll be taking over the employee's company email address, there may be a workaround. Please reach out to business@1password.com for further details. Thanks!

    Ben

This discussion has been closed.