
amj729
New Contributor
2 days ago

Issue: Account Owner Permissions & Vaults

Firstly, I want to share that this issue/concern was raised by my company's infrastructure leaders and cybersecurity/information security leaders while discussing rolling out 1Password for our global IT teams.

Issue/Concern: 1Password account "Owners" have full permission to manage ANY vault and their vault access cannot be restricted. Therefore, they can add and remove themselves or anyone in the organization to any vault, at any time, without any guardrails.

Why is this a problem?
Like many organizations, we have a broad IT department broken out between application teams, security, cloud and on-premise infrastructure teams as well as deskside and helpdesk support. Our IT teams have a separation of duties for operations and security reasons. Therefore, whoever is a 1Password "Owner" should not be able to see highly sensitive passwords, API keys, etc. of another team. So if our cybersecurity/infosec team does not have access to make administrative changes to our server infrastructure but they are supposed to manage the access at the highest level for our 1Password account, should they be owners? What if one owner assigns themself to a vault with sensitive passwords that should only be accessible to our server team?

What we found

  • 1Password does not provide native email alerts to notify all 1Password Owners/Administrators when an employee is added or removed from a vault. This would be a great feature at least for 1Password Enterprise accounts.
  • There is no ability to remove the "Owners" group from a vault if the "Manage Vault" permission is granted to a different group (e.g., a group with only the server team managers and/or director).
    • But if an "Owner" can't manage every vault, then what if the non-owner group member(s) lose access to 1Password or leave the organization? Answer: An Owner or other authorized 1Password Administrator recovers their account or the vault is lost permanently with the only option for it to be deleted by an "Owner". -- Yes, an enterprise will need to accept this risk but they should be offered this level of granularity for certain password/credential security use cases!
  • Shared vault credentials and other data are not secure enough for use within our IT teams with the current and only available way of structuring shared vault permissions with "Owners".
  • Shared vaults are useful for non-IT teams for internal team account sharing. (e.g. Marketing, sales and social media teams)

Conclusion
We do not feel comfortable using 1Password as our exclusive password management solution due to the lack of available permissions that essentially allow the Owner(s) to elevate their shared vault permissions with no available native 1Password platform warnings, alerts or options to implement guardrails. I hope this drives a strong discussion and would be happy to speak to 1Password leadership on this topic in a private meeting, as the only available solution is what is outlined in the link below, which was also the only recommendation by a 1Password solutions architect. Due to this lack of permission granularity, our IT teams do not feel comfortable using shared vaults.

https://www.1password.community/kb/1password-launch-kit/setting-up-1password-for-large-organizations/687
