Help with process for sharing only certain items from a vault with team members.

Hello,
We recently migrated from LastPass to 1Password. And we noticed that 1Password doesn't allow you to share only certain items from a vault. We have big vaults with **hundreds** of credentials and many different teams in our company. We can't share the whole vault with our team members for **security** and **privacy** reasons. So, instead, we want **only** to share the items the team requires. This is something that we used to be able to do with LastPass.

I reached out to Support a few weeks ago about this, and I was told that this wasn't possible to do with 1Password. It was suggested that I duplicate the entries that I wanted to share with each user vault, which is ridiculous, and it's becoming a nightmare when it comes to updating our 1Password entries. Instead of only updating 1 single entry, now I'll need to update all the entries I have duplicated.

Is there any alternative that I could use with my company? -- As I mentioned, what we want to do is to be able to share only certain items from our vaults with our team members instead of sharing the complete vault.

I appreciate any help on this matter.
Thanks!


1Password Version: 8.10.4
Extension Version: 2.8.1
OS Version: Windows 10
Browser: Chrome
Referrer: forum-search:sharing items

Comments

  • Hello @NestorIbarra,

    I'm sorry to hear you're having trouble sharing items in 1Password.

    1Password works a bit differently when it comes to sharing and organizing items, but our team would be happy to help you determine the best way to accomplish your goals. Please send an email to business@1password.com and include a link to this community page so we can discuss your questions in more depth.

    Thank you,

  • NestorIbarra
    Community Member

    Thanks, I just sent the email.

  • Thanks for letting me know, @NestorIbarra.

    We're nearing the end of day here, but someone should be in touch with you on Monday at the latest.

    Have a wonderful weekend.

  • sgng
    Community Member

    This is something we'd need, too. Please publish the solution here!

  • Hello @sgng,

    Can you elaborate on your organization's use case for 1Password and the trouble you are having? Once I better understand your goals, I'll be able to share more information or connect you with the relevant experts inside of 1Password.

    Thank you,

  • sgng
    Community Member

    Let's say we have a vault called "Marketing". In this vault there's all kinds of stuff belonging to the marketing department, like Google Ads, MailChimp, social media accounts, etc.

    One of these entries (let's call it XYZ) is like 1Password (teams) and doesn't let the owner give the possibility to look at invoices to someone else than himself or admins. For most of the entries in the vault the credentials are the only ones we have, so they have owner privileges that allow the user to do every kind of dumb stuff.

    To download invoices for bookkeeping purposes, finance department needs access to the entry XYZ in the Marketing vault. Now marketing doesn't want to give finance access to all the entries, but just to the one it needs to. Finance should not be able to even accidentally cause a mess like deleting something.

    So the solution you suggest is to make a copy of the entry XYZ and copy it to "Finance" vault. Now we have XYZ1 in marketing and XYZ2 in finance. But this means if something changes for XYZ1 it's doubling the maintenance work, because XYZ2 needs to be updated, too. But marketing department now doesn't have access to the "Finance" vault and vice versa. So it needs at least one person from each department or someone with higher privileges (access to both vaults, like an admin or the owner) to achieve this.

    Management summary: I'm suggesting two features here. Being able to share single entries in a vault with other users, without copying and having more maintenance work. And being able to give some users privileges to at least see and download bookkeeping stuff like invoices. Perhaps the latter is possible in 1Password Business, but we have the Teams version.

  • Hi @sgng,

    As you mentioned the Finance department would only need select items from the Marketing vault, a solution might be to create a new vault (for example: Marketing & Finance). The few items that need to be shared with both departments could be moved to the new vault. This vault could be shared with specific users (and custom groups, if using 1Password Business) from both departments. Those from the Marketing department could maintain full permissions to edit items, while the Finance users could be granted fewer permissions to prevent unwanted data loss.

    I do realize managing another vault may not be your preference, though this would ensure no duplicates need to be maintained across your many vaults.

    > And being able to give some users privileges to at least see and download bookkeeping stuff like invoices. Perhaps the latter is possible in 1Password Business, but we have the Teams version.

    If you're referring to the invoices related to your 1Password account subscription, with 1Password Business, you can create a custom group (e.g., called "Role: Billing Access" or similar), and grant that custom group the account permission Manage Billing. Any users you add to that group will then have access to the "Billing" option in the web interface's sidebar, and can view and manage all of the account's billing settings, including invoices related to your 1Password subscription. For 1Password Teams this functionality isn't available, so only those in the Owners group can manage your subscription.

    Use custom groups in 1Password Business

    Finally, both 1Password Business & Teams can assign users to receive invoices via email:

    1. Have an owner member open their web browser, and sign into the account's web interface: https://start.1password.com
    2. In the sidebar on the right, they click "Billing" (by default, this option is only visible to account owners)
    3. On the billing page, they click "Billing Settings"
    4. In the settings pop-up, they'll see the "Invoice Recipients" setting; it's a comma-separated list of email addresses that should receive future automated invoice emails. They should update the list to reflect the addresses they want future emails to go to
    5. They click "Save Settings" to save their changes

  • limesalt
    Community Member

    I hope 1Password figures this out someday. I am yet another LastPass refugee and was looking for my next move. I signed up for the trial, recreated all of my LastPass folders as vaults, and got fully invested in using 1Password until I realized that the few one-off items that I needed to share with disparate teams required a completely impractical and non-scalable shuffling of credentials and creating new vaults.

    It pains me to say, I'm signing up with Bitwarden because their access control granularity/flexibility is unmatched. To be clear: that's the ONLY thing I like about Bitwarden, but in our case it is a business necessity; we work with overseas contractors, US contractors, employees, business partners, and clients, all with dynamic varying levels of access, and trying to make our situations work the 1Password way would just be a nightmare. Everything else about 1Password was awesome, and I would give you guys my money in a heartbeat if you figure out how to make flexible sharing on par with Bitwarden work with your encryption architecture.

  • sgng
    Community Member

    > As you mentioned the Finance department would only need select items from the Marketing vault, a solution might be to create a new vault (for example: Marketing & Finance). The few items that need to be shared with both departments could be moved to the new vault. This vault could be shared with specific users (and custom groups, if using 1Password Business) from both departments. Those from the Marketing department could maintain full permissions to edit items, while the Finance users could be granted fewer permissions to prevent unwanted data loss.
    >
    > I do realize managing another vault may not be your preference, though this would ensure no duplicates need to be maintained across your many vaults.

    So now let's have an external contractor ("social media consultant" or similar) be in need of this entry (and others in the Marketing vault). He's a guest member with access to only exactly one vault by design. Now we have two vaults.

    > If you're referring to the invoices related to your 1Password account subscription, with 1Password Business, you can create a custom group (e.g., called "Role: Billing Access" or similar), and grant that custom group the account permission Manage Billing. Any users you add to that group will then have access to the "Billing" option in the web interface's sidebar, and can view and manage all of the account's billing settings, including invoices related to your 1Password subscription. For 1Password Teams this functionality isn't available, so only those in the Owners group can manage your subscription.

    This sounds like we'd like to have the business plan, but we'd need to get the CEO to approve the higher cost. Let's see.

  • @sgng,

    > So now let's have an external contractor ("social media consultant" or similar) be in need of this entry (and others in the Marketing vault). He's a guest member with access to only exactly one vault by design. Now we have two vaults.

    Guests can certainly complicate things, as they would need to have their access to their vault removed before being assigned to the new vault. If you're not able to cancel their access to the original vault, the only other option is to copy an item to the guest's vault.

    > This sounds like we'd like to have the business plan, but we'd need to get the CEO to approve the higher cost. Let's see.

    That's correct that custom groups are exclusive to 1Password Business. With 1Password Teams it will be necessary to rely on the built-in Owners group or invoice recipients.

  • @limesalt,

    I'm sorry to hear about the trouble getting your vaults organized after the move from LastPass. If you'd like to stick with 1Password, I would highly encourage you to contact our Go To Market team via email, as they may be able to lend a hand and work with you to find a solution specific to your situation. You can send an email to business@1password.com to get in contact.

    So that we can 'connect the dots,' feel free to include a link to this thread with your email message: https://1password.community/discussion/comment/682208/#Comment_682208

This discussion has been closed.