Activity Log: <Name> gave a group access to their vault Private

Options
BlexToGo
BlexToGo
Community Member
edited June 2022 in Business and Teams

Hey there!

The title basically says it all as this is a sentence that shouldn't be possible.
I'm an 1Password administrator in an organization and when I looked at the Activity Log view on the the 1Password website (my-organization.1password.eu/activity-log) to look for an action of a different user, I saw that the 5th entry ever was:

gave a group access to a vault

And because I know that, as an administrator, I can see all vaults expect their private vault, I realized the "vault" can only be their private vault.
I verified this by looking and my own Activity Log because I obviously have rights to my own private vault and as expected I saw:

gave a group access to their vault Private

With the word "Private" being linked to the URL of my private vault.

This seems to be generated by an automated action during account initialization, as it's logged in the same second and directly after the

gave themselves access to their vault Private
joined the account

activity logs.

But what is happening here? What group can this be and why is this logged? Giving group access to my own private vault is a contradiction in itself and is a sentence that shouldn't be written anywhere. In the best case is this activity log very misleading, in the worst case is this a security breach to the private vault.

Best regards

BlexToGo

1Password Version: 1264
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • ag_max
    ag_max
    edited June 2022
    Options

    Hi @BlexToGo,

    The Private vault that every team member in your 1Password account receives when they join the team cannot be shared with anyone by normal means.

    It is worth nothing that if your team is provisioning through the 1Password SCIM Bridge, anyone with the "Provision Manager" group will be able to temporarily see the Private vaults of users who have not yet joined your 1Password account while the invitation is pending. However, provision managers cannot see Private vaults of users once they are fully created.

    As for the "gave a group access to a vault" mention, this is actually for the hidden Recovery group. This ensures users are able to regain access to their vaults after recovery is completed for a user.

    You also mentioned you saw an entry with pointing to your own Private vault in the Activity Log. As it belongs to you, and as you have the appropriate permissions to view the Activity Log, only you can see the link there. For other team members it will be appear as "gave themselves access to a vault.

    I'll also be happy to pass on your feedback to our team, as I understand those log descriptions can be unhelpful or misleading.

This discussion has been closed.