Change request: Company access to Private vault

BobW Junior Member

1Password docs suggest that users only put "private" items in their Private vaults, and all company items in a shared vault. This makes sense, except that in a business setting, everything is ultimately a company item (which Agile seems to recognize, as evidenced by the repeated suggestion that people keep non-company personal items in an attached Family account).

In the event that someone leaves a company unexpectedly, the company is likely going to want access to whatever's in the Private vault without going through complicated recovery processes with many sites/services, which isn't even possible with some third-party services. The only solution is to take over the person's e-mail account and do a 1P account recovery. This works, but it's tedious, and we have to be careful we don't accidentally remove the account before we recover it, since removing an account kills its Private vault. It also can get messy in those cases where we decide to forward the former employee's e-mail to another employee, which is a frequent occurrence.

Thus, my request: make sure the team admin can access all data in the 1P account. In the case of Private vaults, this could mean auto-sharing them, making them accessible through some admin feature, or just letting the admin disable them altogether at the team level.



Comments

  • brenty

    Team Member

    @BobW: Thanks for reaching out. I’m sorry for the confusion!

    1Password docs suggest that users only put "private" items in their Private vaults, and all company items in a shared vault. This makes sense, except that in a business setting, everything is ultimately a company item (which Agile seems to recognize, as evidenced by the repeated suggestion that people keep non-company personal items in an attached Family account).

    That isn't quite right. The documentation I am looking at here doesn't say anything like that:

    and

    But if there's some other documentation you're reading that says something more like that you're describing, please let me know so we can clarify the wording.

    Suffice to say, it's definitely not recommended to keep non-company stuff in a company account, since you could be removed and lose access to that account.

    In the event that someone leaves a company unexpectedly, the company is likely going to want access to whatever's in the Private vault without going through complicated recovery processes with many sites/services, which isn't even possible with some third-party services. The only solution is to take over the person's e-mail account and do a 1P account recovery. This works, but it's tedious, and we have to be careful we don't accidentally remove the account before we recover it, since removing an account kills its Private vault. It also can get messy in those cases where we decide to forward the former employee's e-mail to another employee, which is a frequent occurrence.

    That's a really good point. I'm not sure what the solution is, since 1Password is set up this way for good reason. But perhaps we can figure out something that might help in the future, without causing other problems.

    Thus, my request: make sure the team admin can access all data in the 1P account. In the case of Private vaults, this could mean auto-sharing them, making them accessible through some admin feature, or just letting the admin disable them altogether at the team level.

    It's not something that's possible by design in 1Password, since only the user has the keys to decrypt the data in the vault (hence the need to "take over" the account by doing a recovery in your example), but I do agree that it is a problem worth solving, if it can be done in a good way. Thank you for bringing this up!
