Family members clarification needed

Basjoe
Basjoe
Community Member
edited January 2023 in Families

I'm evaluating 1P. I've created a Families system. I am the administrator. I've imported my approx 500 records. I've created 2 vaults, one for me and one for my wife. I've MOVEd the records to one or the other of these vaults (by the way this is an onerous task hampered by a disappointingly poor UI design). I have created a family member id for my wife, and given her the rights to use her vault plus the shared vault. Now I want to make myself a member, so that when I operate as myself (rather than as the system administrator) I will work only with my own vault plus the shared vault. But 1P will not allow me to do this, because I have the same email address as the system administrator. Obviously somebody somewhere has solved this and hidden it together with the appropriate help pages at the bottom of the filing cabinet drawer marked "beware of the leopard".


1Password Version: couldn't find it, despite referring to help page
Extension Version: couldn't find it, despite referring to help page
OS Version: Windows 10
Browser:_ Chrome

Comments

  • Basjoe
    Basjoe
    Community Member

    When, as a newcomer to 1P Families, you are invited to manage your new system, you are given a web address https://my.1password.com/signin . I assumed that this web-based management software would be the functionality that would allow me to make progress. I have since searched your website and found that you offer standalone software with much more sophistication. Using that software would have saved me about three days onerous work. VERY angry.

    I'm getting the impression that the technical crypto behind your system is excellent, but the surrounding administration and design has a long way to go. Anyway, my original question still stands.

  • Basjoe
    Basjoe
    Community Member

    Crikey, it's worse than that. When you invoke the browser extension, you are not given a choice of which identity to log in as. HELP !

  • Hi @Basjoe

    I see we've discussed the discoverability of the desktop/mobile apps in another thread. To your question about multiple accounts for yourself... that is not how 1Password Families was designed to work. Each account within a membership requires a unique email address. With 1Password Families each account gets their own Personal/Private vault, which only they can see the contents of. It isn't necessary to create a separate vault for each person beyond that, and doing so may lead to further confusion. For example, in the setup you've described, your wife now likely has 3 vaults: the built-in Personal/Private vault, the built-in Shared vault, and also the vault you created for her.

    We typically recommend that multiple trusted individuals within the family be given Family Organizer roles, so that if any one person forgets/loses their 1Password credentials, the whole family isn't in hot water. We have a guide available on this subject here:

    About family organizers in 1Password Families

    Regarding the difficulty in getting started in general, have you reviewed our getting started guides? I feel they could've saved a lot of frustration here. Getting the 1Password apps is step 4 in the guide:

    Get started with 1Password

    I hope that helps!

    Ben

  • Basjoe
    Basjoe
    Community Member

    Hi Ben,
    Well, in the words of Clint Eastwood (in Where Eagles Dare) "I'm just about as confused now as I ever hope to be". You are saying that the administrator cannot see the contents of Personal/Private vaults of family members. In that case I don't see the point of Families at all. You may as well just get an individual account for everybody. Anyway, I think what you are saying is that I will now have to move all my wife's records to her Personal/Private vault somehow and delete the vault I created for her. (** see below) You can imagine how frustrated I'm getting. I've not even started testing basic functionality yet - it's all admin, and already halfway through the trial period. I will read through the guide you've linked to, thanks.

    ** You see, when I get the software up to show the vaults it show Personal, Her Vault, My Vault, and Shared. So is that Personal Vault being shown - her personal vault, my personal vault, or the system administrator's personal vault ? Or something else ?

  • Basjoe
    Basjoe
    Community Member

    Ben I'm reading through the "About Family Organizers" link you gave me, and the section "Use vaults to share" seems to completely contradict what you said. I'm not trying to pick a fight here or be difficult. Back when I was a somewhat younger working man I designed and built large computer systems for multinational companies (including working in crypto with guys from Canada-based Entrust). I say this to reassure you that I am not an idiot. But I just can't seem to grasp the underlying principles of the Families design. Perhaps some of the definition of terms like "Account" or "Family member" or even "Personal" have led me down the wrong track. Myself and wife are trying to draw up a system diagram to understand it, but it's not going too well right now.

  • Tertius3
    Tertius3
    Community Member
    edited January 2023

    @Basjoe In your role as family account creator and family organizer, you're nothing more than the first member of your family account, with the additional permissions to organize the account (inviting more members). But you are a member yourself, with personal vault and all. If you give another person the family organizer role, its account has the same organizing permission as yourself, and if you remove yourself from the organizer role, you're just a member as any other member you formerly invited.

    So there is no need to separate your account into some "administrator" and some "user" role - your account is both.

    If it comes to managing your items and move items around between vaults, you should definitely get the desktop app. It has features to move and generally handle items in bulk. The website is ok for account management, but not good for item management.

    The idea behind the family account is that everyone has its own private space with the personal vault nobody else can look into, and additionally one or more shared vault everyone or someone else has also access to.

    So if you imported 500 entries, there are perhaps 200 of your own, 200 of your wife and 100 shared between you both. To sort these, you can do this, for example:

    • create one temporary shared vault and move all your imported items into this vault
    • identify and move every item that belongs to you into your personal vault (use the app for this)
    • identify and move every item that is to be shared between you and your wife into the preexisting default "shared" vault
    • create another temporary shared vault for items belonging to your wife
    • identify and move every item that belongs to your wife into her temporary shared vault you just created
    • instruct your wife to move her items from her temporary shared vault into her personal vault (with the app)
    • Now you probably have a few items left in the temporary import vault. Handle these and make the vault empty. Remove that vault.
    • And the temporary shared vault for your wife should now be empty, as soon as she moved her items into her personal vault. Remove it, as soon as it is empty

    As result, you have your own entries in your own personal vault, your wife has her items in her personal vault, and both of you have some items in the default "Shared" vault of the family account. No other vaults exist.

    You don't need more shared vaults at the moment. Should you invite more members to your family, for example children, there may arise the need to share some items between some of the members, but not to all members. For this, you can create additional shared vaults and set access controls so only people have access who want/should have access. The primary purpose of additional vaults is different access between family members.

  • @Basjoe

    Perhaps some of the definition of terms like "Account" or "Family member" or even "Personal" have led me down the wrong track.

    Let's start by clarifying that there is no such concept as a separate "system administrator" with 1Password Families. You, the person who signed up for the 1Password Families membership, are by default the Family Organizer. You can also promote other people to this role, and we recommend doing so, for the purpose of recovery:

    Recover accounts for family or team members

    As for defining account vs membership vs member: The membership is the container for accounts (members) and vaults. Generally, you would only need one membership. Each person would have their own account within that membership.

    Each account will have a vault accessible to them called Personal. This is a system created vault, and it is unique in that it is the only vault that nobody else can ever access. This is the vault most folks will store their non-shared information in. There is also a built-in Shared vault, which everyone in the family has access to. Additional vaults can be created by any member. Member created vaults can (optionally) be shared with other family members. By design, any Family Organizer can add access for themselves to any member created vault.

    You are saying that the administrator cannot see the contents of Personal/Private vaults of family members.

    Correct. Family Organizers cannot see any Personal vaults other than their own.

    In that case I don't see the point of Families at all. You may as well just get an individual account for everybody.

    There are three primary advantages of 1Password Families over separate individual memberships:

    1. With 1Password Families vaults can be shared. Changes to items within shared vaults made by anyone with access will be reflected in near real-time so long as everyone is connected to the internet. With separate individual memberships vaults cannot be shared. Copies of individual items can be sent between individual memberships (more info), but changes made by either party will not be reflected on the other party's copy. Once shared they are separate and distinct items.
    2. Recovery is only possible within the context of 1Password Families or 1Password Business. Individual memberships cannot be recovered. If the individual forgets or loses their credentials, there is no recovery path. This is because we (AgileBits) do not have the keys to your data. Only a Family Organizer has the keys necessary to recover a family member's account.
    3. Cost savings is another factor. 1Password Families is a less expensive solution for up to five included family members than even two separate individual memberships.

    Anyway, I think what you are saying is that I will now have to move all my wife's records to her Personal/Private vault somehow and delete the vault I created for her. (** see below)

    That would be my recommendation, if her intention is to have some items that are inaccessibly by you, yes.

    You can imagine how frustrated I'm getting. I've not even started testing basic functionality yet - it's all admin, and already halfway through the trial period. I will read through the guide you've linked to, thanks.

    I do think the guide will help immensely, as it covers many of these basics.

    ** You see, when I get the software up to show the vaults it show Personal, Her Vault, My Vault, and Shared. So is that Personal Vault being shown - her personal vault, my personal vault, or the system administrator's personal vault ? Or something else ?

    Each account has its own unique Personal vault which only it can see. If you log in as any other user, you will see a Personal vault, but it will be distinct from any other account's Personal vault. No one ever even sees that anyone else's Personal vault exists.

    I'm reading through the "About Family Organizers" link you gave me, and the section "Use vaults to share" seems to completely contradict what you said.

    Could you please highlight the language in the guide that you feel is contradictory? I'd like to explore if there are any corrections needed, or if I can further clarify what I've said.

    Thank you for sticking it out with me here. Hopefully we're getting closer. 😊 I'm happy to help with any follow-up questions you or your wife may have.

    Ben

  • Basjoe
    Basjoe
    Community Member

    Ben, I really want to thank you for this. It's clear we had superimposed our system design experience onto a comparatively simple model, making it far too complex. I'm sorry you had to put in so much effort to clarify it all, but it is nevertheless much appreciated. We're still working our way through it, so that we can make the right organisational decisions and get the best out of it for our needs, and I thank you for the suggestions.

  • You're very welcome! I'm happy to have helped.

    It's clear we had superimposed our system design experience onto a comparatively simple model, making it far too complex.

    😁 Indeed. Our family offering is intended to be fairly simple and approachable. There are more advanced features (such as varying levels of administrator access) available with 1Password Business. That is likely overkill for home use, but I figured I'd put it out there if that is indeed the level of flexibility you're looking for.

    We're still working our way through it, so that we can make the right organisational decisions and get the best out of it for our needs, and I thank you for the suggestions.

    For sure. Please feel free to loop back if there is anything further I can provide.

    Ben

This discussion has been closed.