1 Item - Multiple Vaults?

13

Comments

  • ag_ana
    1Password Alumni

    @daimoonmedia:

    We don't have a timeline to share at the moment I am afraid, but thank you for letting us know that you would like this as well :)

  • Mattbeatty89
    Community Member

    Any update on this? I'm currently in trial with 1Password and a few competitors. I absolutely love everything about this product except your sharing solution through the vaults. We are a small team but it will be a hard pass if this isn't even being seriously considered.

  • ag_ana
    1Password Alumni

    @Mattbeatty89:

    Other than copying the item in multiple vaults, or putting it directly in a shared vault, I am afraid that we don't have anything else to share at the moment :(

  • Sessapine
    Community Member

    This has also been very painful for us - please move higher up your priority list, we need this functionality and not having it completely obscures the purpose of vaults in the first place.

  • ag_ana
    1Password Alumni

    Noted @Sessapine, thank you for letting us know!

  • LewG
    Community Member

    We are also very interested in this for a Teams account we're setting up. We have a variety of team members -- many of whom need access to shared interests in various vaults.

  • Hi @LewG

    Thanks for taking the time to share, and for letting us know your team could benefit from this functionality. :smile:

  • IanBurrowes
    Community Member

    Hello, I will immediately buy OnePassword Business with at least 25 seats as soon as this feature is implemented fully/correctly. We absolutely need **group** plus **individual** password access and sharing permissions for our department that has a mix of roles - IT support / developers / admin / AV / contractors. We manage hundreds of passwords, and I can see that as it stands now, to grant the correct visibility to each person / unit, I would have to create and maintain many multiple vaults and synchronise the duplicated passwords in each. That is a messy work-around that is not flexible or scalable. I have had 'OnePassword' as an approved line item in my budget for the last two years but will not purchase until this issue is resolved. I would prefer to use OnePassword versus other similar online tools based on your ownership and privacy policy. I check these forums every few months and read the same threads to see when this feature will be implemented - hoping that it will be soon! :) Hope this feedback is helpful - I can explain further offline if necessary.

  • @IanBurrowes

    I appreciate you sharing your feedback about your use case here. I also encourage you to reach out to our Go To Market team at business@1password.com, if you're not already in contact with them. They may be able to work with you and provide a solution using the current features found in 1Password.

  • ClemensG
    Community Member
    edited July 2021

    I wanted to enroll 1password to our teams as well, but lacking the feature of "linked" items is holding me off too.
    We have some hundreds of passwords to share between our teams. Some of them shared with only one other team, some of them with multiple teams. Building separate vaults for every sharing constellation makes the product quite unusable. People always have to use the "all vaults" option, which makes it hard to manage private and shared accounts within one account.
    Most users don't know who has access to a password, so can't choose the right vault to search.

    I understand that the separate encryption keys for each vault are an issue for this feature, but isn't there a way around? Thinking of some kind of an update table only holding IDs and timestamps of linked items which got updated and as soon as someone with access to both/all vaults with the linked item logs on, it gets updated. If someone uses this linked item, without having access to the vault with the updated version, you could at least give him a warning about a possibly outdated item.
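
The update table proposed in the post above, as an added Python sketch (not part of the original post and not 1Password's design or code). The vault names, users and item ID are constructed, a version counter stands in for the timestamp, and no real encryption is performed.

```python
class Vault:
    def __init__(self, name, members):
        self.name, self.members = name, set(members)
        self.items = {}                      # link_id -> (version, secret)

def edit(table, vault, user, link_id, secret):
    """Write one copy of a linked item and record its new version in the table."""
    if user not in vault.members:
        raise PermissionError(f"{user} cannot open {vault.name}")
    version = table.get(link_id, 0) + 1
    vault.items[link_id] = (version, secret)
    table[link_id] = version                 # the table holds IDs and versions only

def on_unlock(table, vaults, user):
    """Copy newer versions into older copies, using only vaults this user can open."""
    mine = [v for v in vaults if user in v.members]
    synced = []
    for link_id, latest in table.items():
        holders = [v for v in mine if link_id in v.items]
        fresh = next((v for v in holders if v.items[link_id][0] == latest), None)
        if fresh is None:
            continue                         # this user cannot read the newest copy
        for v in holders:
            if v.items[link_id][0] < latest:
                v.items[link_id] = fresh.items[link_id]
                synced.append((link_id, v.name))
    return synced

def read(table, vault, user, link_id):
    """Return (secret, stale); stale=True is the 'possibly outdated' warning."""
    if user not in vault.members:
        raise PermissionError(f"{user} cannot open {vault.name}")
    version, secret = vault.items[link_id]
    return secret, version < table.get(link_id, version)

def demo():
    """Constructed scenario: bob can open both vaults, charlie only 'bar'."""
    table = {}
    foo, bar = Vault("foo", {"alice", "bob"}), Vault("bar", {"bob", "charlie"})
    edit(table, foo, "alice", "L1", "old-password")
    bar.items["L1"] = foo.items["L1"]                  # initial linked copy
    edit(table, foo, "alice", "L1", "new-password")
    before = read(table, bar, "charlie", "L1")         # stale copy, warning set
    no_sync = on_unlock(table, [foo, bar], "charlie")  # cannot open foo
    did_sync = on_unlock(table, [foo, bar], "bob")     # can open both
    after = read(table, bar, "charlie", "L1")
    return before, no_sync, did_sync, after
```

In this sketch the table is readable without any vault key, so it discloses that a linked item exists and that it changed.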

  • Hi @ClemensG

    It is possible that there could be another solution here in the future, but for now creating separate vaults for each sharing situation is the only option. Unfortunately I suspect if there were an easy win to be had here we would've already taken it.

    Thinking of some kind of an update table only holding IDs and timestamps of linked items which got updated and as soon as someone with access to both/all vaults with the linked item logs on, it gets updated.

    It would seem this would mean having to decrypt the full details of each item in that table every time anyone with access to those items unlocks 1Password. Depending on how big the table is, that could substantially slow the process. Not saying that for sure this approach wouldn't work, but that is one potential roadblock I could foresee.

    Ben

  • cryptochrome
    Community Member

    What a wonderful discussion. While I share not just the experience but also the sentiment that something needs to change in 1P to make this easier for all of us, I would also like to throw in the perspective of a security engineer and CISO:

    Sharing passwords is bad. No matter how, no matter what.

    Even if you use a very secure system to share accounts and passwords, like 1P, it's still an accident waiting to happen. Instead of waiting for 1P to give us better sharing options, you should work towards avoiding shared accounts altogether. From a security best practice perspective, every user should have their own account to access a system. System accounts (like root, admin, etc.) should only be accessible by a very limited subset of people.

    I know this is easier said than done (and outright impossible in some scenarios), but it's certainly something everyone should work towards and try to accomplish as much as possible. At least when it comes to user accounts. I am not really talking machine to machine communication (which 1P tries to tackle with their new "Shared Secrets" product).

    Just some food for thought.

  • ag_ana
    1Password Alumni

    Thank you for sharing this perspective @cryptochrome! Indeed, finding a balance is a good challenge :)

  • tmchow
    Community Member

    What is the status on this? It's been 3 years since this thread was started and it's still not in the product. I find this limitation a rather huge one within a company where you want a single item but multiple pointers to it from separate vaults. ... basically saying what everyone has already.

    I can appreciate that this is technically complex for the 1Password team to implement but this doesn't change our need for it. While we could create more vaults and move items to those vaults, which can have different permissions, you then get into a maze of permission hell, needing to think about who has access to what. Think of this scenario:

    Vault foo (permission: Alice and Bob)

    • Item 1
    • Item 2

    Vault bar (permission: Charlie and Danny)

    • item 3

    Suppose now Item 2 needs to be shared with Charlie and Danny in addition to Alice and Bob. However, item 3 should be only for Charlie and Danny.

    So to do this, you need to create another vault, that gives permission to all 4 people and move item 2 to it:

    Vault foo (permission: Alice and Bob)

    • Item 1

    Vault bar (permission: Charlie and Danny)

    • item 3

    Vault bar (permission: Alice, Bob, Charlie and Danny)

    • item 2

    I think it's easy to see how this gets out of hand quickly. The most logical way to think about this is how everyone has requested it: be able to have item 2 in both Foo and Bar vaults:

    Vault foo (permission: Alice and Bob)

    • Item 1
    • Item 2

    Vault bar (permission: Charlie and Danny)

    • item 3
    • item 2

    Sure we could copy item 2 to Vault Bar, but that then forks it and violates a huge benefit of 1Password -- 1 source of truth for a password. So the logical thing for us to request is that Item 2 is NOT a copy, but actually the same item as what's in vault foo, just protected with different permissions/access depending on the user and vaults they have access to.

  • tmchow
    Community Member
    edited August 2021

    We are a company of about 75 people and surprised this does not exist yet as a feature despite this thread being 3 years old, and past requests being 4-5 years old.

    While I appreciate that this may be hard to do technically, this is an obvious need from my POV, and also evidenced by how many people have asked for it.

    We can certainly create new vaults for this, but not only does that seem to unnecessarily create vaults, it is more of an issue of managing the complexity of permissions to vaults.

    Consider this example:

    vault foo (access: Alice, Bob)

    • item 1
    • item 2

    vault bar (access: Charlie, Danny)

    • item 3
    • item 4

    If Charlie and Danny need access to Item 2 along with Alice and Bob, without also sharing access to item 1, the only way to do it is to create a third vault and move item 2 to it:

    vault foo (access: Alice, Bob)

    • item 1

    vault bar (access: Charlie, Danny)

    • item 3
    • item 4

    vault car (access: Alice, Bob, Charlie, Danny)

    • Item 2

    You can see how this gets unruly quite fast.
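
The vault layouts from the two posts above, as an added Python access-review sketch (not part of the original posts and not 1Password's code). It computes how many vaults an intended item-to-audience mapping forces under per-vault permissions, then audits an actual layout for over-sharing, under-sharing and forked copies; the dictionary format is an assumption made for this example.

```python
from collections import defaultdict

def required_vaults(intended):
    """With per-vault permissions, each distinct audience needs its own vault."""
    groups = defaultdict(list)
    for item, audience in intended.items():
        groups[frozenset(audience)].append(item)
    return dict(groups)          # n people allow up to 2**n - 1 distinct audiences

def audit(layout, intended):
    """Compare who can actually read each item with who is meant to."""
    readers, homes = defaultdict(set), defaultdict(list)
    for name, vault in layout.items():
        for item in vault["items"]:
            readers[item] |= set(vault["members"])
            homes[item].append(name)
    report = {"over_shared": {}, "under_shared": {}, "forked": {}}
    for item, audience in intended.items():
        extra = readers[item] - set(audience)
        missing = set(audience) - readers[item]
        if extra:
            report["over_shared"][item] = extra
        if missing:
            report["under_shared"][item] = missing
        if len(homes[item]) > 1:             # copies that must be edited separately
            report["forked"][item] = sorted(homes[item])
    return report

# Constructed data following the second post's example.
INTENDED = {
    "item 1": {"Alice", "Bob"},
    "item 2": {"Alice", "Bob", "Charlie", "Danny"},
    "item 3": {"Charlie", "Danny"},
    "item 4": {"Charlie", "Danny"},
}
# Workaround A: copy item 2 into vault bar.
COPIED = {
    "foo": {"members": {"Alice", "Bob"}, "items": ["item 1", "item 2"]},
    "bar": {"members": {"Charlie", "Danny"}, "items": ["item 3", "item 4", "item 2"]},
}
# Workaround B: add Charlie and Danny to vault foo instead.
WIDENED = {
    "foo": {"members": {"Alice", "Bob", "Charlie", "Danny"}, "items": ["item 1", "item 2"]},
    "bar": {"members": {"Charlie", "Danny"}, "items": ["item 3", "item 4"]},
}
```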

  • ag_ana
    1Password Alumni

    @tmchow:

    Thank you for the feedback as well, and for the example! I am sure our developers will find this useful, and the example you brought up is one I believe was discussed in the past :+1:

  • JamesFez
    Community Member

    Linked Items by ID please please please!

  • Thanks for adding your voice to this discussion, @JamesFez.

  • westurner
    Community Member

    It's 2021! What's the suggested flow for this? We end up having to create a new vault per person and then copy to those vaults, but the original item, if changed, will not propagate to the other vaults.

    If I'm hearing from this thread correctly, the suggested flow would be to create a vault and add users to the vault. We have a single shared vault amongst our team, but contractors and one-offs get their own Vaults so that they do not need access to the company-wide vault. Just looking for ways to streamline and secure access without it being overly obtuse.

  • @westurner

    Whenever possible, it's good practice to store credentials in a vault and share them with anybody who needs access. Using a single shared vault is a potential solution for your team members, as this will help prevent the build-up of copies across your vaults, which must be changed individually. If you cannot share the same vault with multiple users, such as the case with guests, then that leaves copying items to your separate vaults. Assigning a tag to these copied items can help you track down the copies when they need to be edited.

  • westurner
    Community Member

    Thanks @ag_max - I'll check into tags and see if that can help us.

  • ag_ana
    1Password Alumni

    Sounds good @westurner, let us know how it goes :)

  • 1PW_user2021
    Community Member

    Please add my vote to the tally. I found this thread by searching for exactly this feature. I need to share some logins/credit cards/etc. with both my work and home vaults for the same reasons other users have described above.

  • All set, @1PW_user2021, thanks for adding your voice to the request.

  • Larry Daniele
    Community Member

    I've been struggling to find a good article online about "best practices for organizing your 1Password vaults" and now I understand better why I keep coming up empty. The reason is that you can't implement any good strategy because of the issues discussed in this thread.

    When you've got various facets to organize:

    • People
    • Work Relationships
      • Employees
      • Contractors
    • Departments
      • IT
      • Marketing
      • Sales
      • Management
    • Roles
      • Managers
      • Developers
    • Clients
    • Projects
    • etc.

    there are too many combinations and overlapping cross-sections to say access security is "per vault" (at least the way vault is currently defined).

    Could we layer access security "per subset" on top of "per vault" (i.e. a "virtual vault")? Then you could dump all the items into one vault and create restricted subsets that can come and go while leaving the vault as is.

    Examples of subsets might be:

    • Employees with Role "Manager" on Project "Foo"
    • Developers on Project "Foo" OR Developers on Project "Bar"
    • Managers in Sales OR Managers in Marketing

    Items in the vault can have a subset applied to them if desired.

    Who you are (or more specifically what facets are set on your user profile) determines what subsets you see.

    I know this might be a pipe dream. Just trying to find a hybrid solution that doesn't rock the boat too much but still allows us to make progress on this.
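
The "per subset" rules from the post above, as an added Python sketch (not part of the original post and not a 1Password feature). Facet names, subset names, items and profiles are constructed; each role is kept tied to its project so that a Developer on Foo who manages Bar does not match "Manager on Foo".

```python
# A subset rule is a list of clauses (OR); each clause maps facet -> value (AND).
SUBSETS = {
    "foo-managers": [{"relationship": "Employee", "role": "Manager", "project": "Foo"}],
    "foo-or-bar-devs": [{"role": "Developer", "project": "Foo"},
                        {"role": "Developer", "project": "Bar"}],
    "sales-or-mkt-managers": [{"role": "Manager", "department": "Sales"},
                              {"role": "Manager", "department": "Marketing"}],
}

def bundles(profile):
    """One facet bundle per assignment, so a role stays tied to its project."""
    base = profile["base"]
    return [{**base, **a} for a in profile["assignments"]] or [base]

def matches(profile, rule):
    """True if any clause is fully satisfied by a single facet bundle."""
    return any(all(b.get(f) == v for f, v in clause.items())
               for clause in rule for b in bundles(profile))

def visible_items(profile, vault_items, subsets=SUBSETS):
    """Items without a subset are visible to every vault member; an item whose
    subset name is not defined is hidden (fail closed)."""
    seen = []
    for title, subset in vault_items:
        if subset is None or (subset in subsets and matches(profile, subsets[subset])):
            seen.append(title)
    return seen

# Constructed vault contents: (title, subset name or None).
VAULT = [("Office Wi-Fi", None),
         ("Foo budget portal", "foo-managers"),
         ("Staging SSH key", "foo-or-bar-devs"),
         ("CRM admin", "sales-or-mkt-managers"),
         ("Legacy FTP", "retired-subset")]      # rule no longer defined

# Dana is a Developer on Foo and a Manager on Bar.
DANA = {"base": {"relationship": "Employee", "department": "IT"},
        "assignments": [{"role": "Developer", "project": "Foo"},
                        {"role": "Manager", "project": "Bar"}]}
# Erin is a contractor in Sales who manages Foo.
ERIN = {"base": {"relationship": "Contractor", "department": "Sales"},
        "assignments": [{"role": "Manager", "project": "Foo"}]}
```

This sketch is a visibility filter only: it introduces no per-subset keys, so enforcement rests on whichever component applies the filter.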

  • ag_ana
    1Password Alumni

    @Larry Daniele:

    Could we layer access security "per subset" on top of "per vault" (i.e. a "virtual vault")? Then you could dump all the items into one vault and create restricted subsets that can come and go while leaving the vault as is.

    I think this is a nice idea. I will be happy to pass it to the developers :+1:

  • jumpinjohn
    Community Member

    I left 1Password several years ago for Dashlane because of the ability to share individual passwords to team members. There are not a ton of those, but it is much more simple to simply share individual passwords rather than creating a vault for each set of members to share the password with. However, with Dashlane eliminating their app and going exclusively web based, I have returned to 1Password and am trying to work out a good system for organizing logins across multiple vaults. It would be pretty neat if along with permission levels for users in a vault, you could also simply assign various users to see certain passwords within a vault. That way I could have a private vault and a shared vault with the shares within the vault at a more granular level.

    That's my 2 cents worth.

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @jumpinjohn! Welcome back and thanks for the perspective.

    We're considering multiple paths forward to make sharing more convenient for users. Some of what makes this more difficult is the institutional debt of choices made in the past; they are not immediately or easily alterable. Beyond that, however, is our unwavering commitment to make sure this is done correctly.

  • robert1p
    Community Member

    This discussion has been really intriguing. After giving it some thought, I'd suggest abandoning the Vault. And I ask that you hear me out.

    I'd like to propose that encryption be changed to the Item level. Where each Item has a private key, which is shared via a User's public key.

    Since decryption of many Items is not as efficient as a Vault full of Items, each User also has a secure Cache. The Cache provides instant access to prior Items and Tags; and it is immediately updated with changes based on versioning. (Any fields not stored in the Cache, would be obtained from the Item as needed; e.g. attached file or doc.)

    Sharing is done by defining "what" is shared with "whom". Each "Share" is simply a "definition", which initiates the actual sharing of the individual Items.

    In a simplistic example, the Share would be for one or more Items to be shared with one or more Users. This definition would simply create the required permutations of Keys for each User to access each Item.

    A more powerful example would have one or more Items and Tags to be shared with one or more Users and Groups. Subsequent changes to a Tag or Group would utilize the Share's definition to dynamically update the access by Users.

    I understand this would be a large change to the existing product. But it's always nice to have a vision of where the product will be in the future.

    As a migration path for existing users, all Vaults might simply be converted to Shares. Access Mgmt I leave as an exercise for the reader. LOL

  • robert1p
    Community Member
    edited February 2022

    I will admit that one of my concerns with this, is the propagation of UserItem Keys. For example, if each user has an average of 300 Items and a company has 5000 users, then that's 1.5 million keys. (But I'd hope that wouldn't be a problem, since it also means about the same number of Items, which the current system supports.)

    However, if it is an issue, a hybrid solution might be considered. Assuming the majority of Items are private, they could be internally Vaulted (without exposing this to the UI). For example, if 20% of Items are shared, this would reduce the propagation to 300 thousand keys; (plus the 5 thousand private vaults).

    Of course this comes with the added complexity of handling both the vaulted private Items and the un-vaulted public Items; e.g. searching both; moving items when shared, etc.

    Additional Notes on the original concept:

    Instead of Private and Shared Vaults, we have Private and Shared Items. For Shared Items, there are ones that I've created and ones that others have created. I would expect the UI to provide a visual difference in each. Likewise we have Private and Shared Tags.

    I'll also point out that a user can create Private Shares; i.e. they are the only user. In this manner, they can arbitrarily organize Items into their own view; (and can place both private & shared items in this view).

    I would expect the UI to support the selection of any combination of Shares:

    • (1) All my Private Items.
    • (1) All my Shared Items; i.e. Items I created.
    • (1) All Items Shared with me; i.e. Items others created.
    • (n) User defined Shares.

    The first three are read-only Shares auto-generated by the system.

    Once I've selected which Shares to view, I would then be able to filter which Items to view via tags, categories, and favorites.
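
The Share definitions and UserItem keys from the two posts above, as an added Python sketch (not part of the original posts and not 1Password's design or code). All names and data are constructed; a (user, item) pair stands for one item key wrapped to that user's public key, and no cryptography is performed.

```python
def resolve(shares, item_tags, groups, owners):
    """Expand Share definitions into the set of (user, item) key wraps needed."""
    pairs = {(owner, item) for item, owner in owners.items()}   # private access
    for share in shares:
        wanted = set(share.get("tags", ()))
        items = set(share.get("items", ()))
        items |= {i for i, tags in item_tags.items() if tags & wanted}
        users = set(share.get("users", ()))
        for group in share.get("groups", ()):
            users |= groups.get(group, set())    # unknown group grants nothing
        pairs |= {(u, i) for u in users for i in items}
    return pairs

def plan_change(before, after):
    """Diff two resolutions into the key operations a Tag or Group change implies."""
    revoked = before - after
    # A removed user may have kept the old item key, so deleting their wrapped
    # copy is not enough: the item needs a fresh key, wrapped again for everyone
    # who still has access.
    rotate = {item for _, item in revoked}
    return {
        "wrap": after - before,
        "drop": revoked,
        "rotate": rotate,
        "rewrap": {(u, i) for u, i in after if i in rotate},
    }

# Constructed data.
OWNERS = {"db-prod": "alice", "ci-token": "alice", "wifi": "carol"}
ITEM_TAGS = {"db-prod": {"prod"}, "ci-token": {"ci"}, "wifi": set()}
GROUPS = {"dev": {"alice", "bob"}}
SHARES = [
    {"tags": {"prod"}, "groups": {"dev"}},       # everything tagged prod -> dev group
    {"items": {"wifi"}, "users": {"bob"}},       # one item -> one user
]

def demo():
    """bob leaves the dev group and dana joins it."""
    before = resolve(SHARES, ITEM_TAGS, GROUPS, OWNERS)
    after = resolve(SHARES, ITEM_TAGS, {"dev": {"alice", "dana"}}, OWNERS)
    return before, plan_change(before, after)
```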

This discussion has been closed.