Move Permissions

We have quite a lot of vaults and some of our team members need to be able to move items between vaults. We do take a zero trust approach toward permissions given to the users.
There is a permission checkbox for "Move Items", but this doesn't seem to work on its own.
After some troubleshooting I noticed you will need both the "Export Items" and "Delete Items" permissions as well. But that's something you really do not want in a multi-user environment, even with the excellent auditing in 1Password.
Is this something that will be fixed in the future?


1Password Version: 8.7.0
Extension Version: 2.3.7
OS Version: Windows 11
Browser:_ Firefox

Comments

  • gijsbertvanharn
    gijsbertvanharn
    Community Member

    As elaboration on why we rather do not enable the Export Items and Delete Items permissions:
    Export Items: we want to prevent (easy) access to export to all items to a plain text file. Items stay within 1Password when you're moving them between vaults.
    Delete Items: 30 days recovery time usually isn't enough in the real world. Somehow you will always need it after 31 days. :) Archive Items is a perfect replacement for this.

  • ScottS1P
    edited September 2022

    Hey @gijsbertvanharn,

    Thanks for bringing up the "move items" permission, along with the related "export items" and "delete items" permissions. We get a lot of questions on this, so it's my pleasure to help explain what's happening, and share your feedback with the team. Let's dig in.

    Here's how 1Password works right now: 1Password doesn't actually "move" items between vaults. It creates a new copy of the item in the destination vault, deletes the item from the existing vault. This means that the "move items" permission is just the collection of related permissions needed to make it appear like an item has been moved. If a team member can't export items, it shouldn't matter where they are going. If they can't delete items, and if another user has access to the same shared vault, but not the new destination, it's going to look a lot like the data got deleted.

    With all of that said, I do see why this is confusing and not optimal for your (and other) teams. I've shared your situation and explanation of the permissions with our team for their consideration, and while I can't promise if or when any changes may be implemented, I would like to thank you for sharing with us and contributing to 1Passwords evolution.

    Please let me know if you have any other questions or comments on your use case. The better we understand how you use 1Password, the better we can consider your situation when considering future changes.

    Thank you!

    ref: IDEA-I-353

  • gijsbertvanharn
    gijsbertvanharn
    Community Member

    Thanks for the detailed reply!
    I figured it would be something like that :)
    However, in my eyes, a move is functionally something else than an export or delete. The item doesn't leave the 1Password tenant as a plain text file and doesn't get removed from the 1Password tenant to be purge in 30 days.

    I just seems weird to have to assign 3 permissions to move an item while one of the permissions is literally called "Move Items".
    Shouldn't the move permissions invoke these underlying actions/permissions where required?

  • ScottS1P
    edited September 2022

    Hey again and thanks for following up.

    On my end, enabling the "move items" client permission automatically enables the "archive items" and "copy and share items" permissions too, but not the "export item" permission which is also needed. I overlooked that initially, and it does seem like a bug to me. I'll get this reported to our devs right away.

    Thank you,

    ref: dev/core/core#12573

  • gijsbertvanharn
    gijsbertvanharn
    Community Member

    Great to hear. Thanks!

  • My pleasure :)

  • gijsbertvanharn
    gijsbertvanharn
    Community Member

    Are there any updates regarding this question?

  • Hello @gijsbertvanharn,

    Thanks for checking in. I don't have any updates on this case at this time, but it is still on our radar.

  • kurtd
    kurtd
    Community Member

    Same issue here. I couldn't get move to work for a user until I checked the export box which was a bit frustrating to figure out. I too would rather have export and delete disabled but still allow move.

  • Hi @kurtd,

    I appreciate you reporting this on your end. Though I don't currently have any time estimate to share, I can confidently say that this issue is still on the radar to be fixed.

This discussion has been closed.