Is it possible to restrict the access to the trash for a shared Vault?

kevindelord

Hello there,

We have a vault shared throughout our organisation which contains sensitive items.
Those items get duplicated when exported/migrated into a more secure vault (i.e. just for administrators). One version is in the new vault, another is in the trash of the old one.

I'm not sure if this behaviour is normal but if it is, an easy solution for us would be to remove the access to the trash for the members.

Members already do not have permissions to empty the trash nor to move items into it (admin restricted).

Could this be done? What other solution could you suggest?

PS: Emptying the trash is not really an option.

Thanks,

Kevin

---

1Password Version: 7.1.2
Extension Version: Not Provided
OS Version: OS X 10.13.6
Sync Type: Cloud
Referrer: forum-search:access trash

khad

Hi @kevindelord,

I wonder if it would help if I understood your workflow a little bit better. For example:

• Is there a reason you don’t put the items in the vault that only administrators have access to from the start?
• Is there a reason you can’t empty the Trash?

Apart from that, I’m concerned that removing access to the items in the Trash may give a false sense of security. If someone ever had access to an item, they could have written down the password on a piece of paper. If you don’t change the password when you move the item to a vault that they can’t access, they will still have access to that password – even if they can’t access it in the Trash. But if you do change the password after you move the item to the more restricted vault, then it won’t matter what’s in the Trash of the old vault.

So the best practice would be to never give them access to the item(s) in the first place, or to change the passwords after you move the items.

kevindelord

Hello @khad,

Giving access to wrong credentials was obviously a mistake.
This is not our workflow to first give everything to everyone and then revoke access.

Someone in our team moved an item to the wrong vault and than moved it back to the previous/another more secure vault.
The problem now is that this item is in the trash of the wrong vault, even if it was there just for few minutes.

So your solution would be to update the password within the new vault?

Emptying the trash is not option (in case of unforeseen issues or mistakes).

khad

@kevindelord,

Yeah, changing the password after access has been revoked is the only way to guarantee they no longer have access. (This is true regardless of whether the item is in the Trash or not.)

kevindelord

@khad,

Not the solution I was looking for but will do I guess...

Thanks

Ben

Understood. It is important to us to not build features that have a high chance of misleading people about the security of their data.

Ben

ref: apple-3016