Can I operate the user's private vault with the CLI?

I am an administrator.
I want to create a user using the CLI and regist password in the user's private vault.
Can I operate the user's private vault with the CLI?
I want to know how.
Is there a way to get the user's private vault's uuid using the CLI?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • LarsLars Junior Member

    Team Member

    @choi_mixi - an Administrator of a 1Password account has fairly broad permissions, but one permission they don't have is the ability to see/manage the contents of any other user's Private vault. Those are private by design and by default, and cannot be changed. Instructions for suspending or removing a user can be found here for the web-based Admin console, and here for the CLI.

  • choi_mixichoi_mixi
    edited December 2019

    @Lars - Thank you for your reply.
    I know your explanation.
    However,The first time creating a user using the CLI, the admin can have ability to see/manage the contents of user's private vault. (Only before user's confirm) Maybe this is the correct design for 1password.

  • ag_anaag_ana

    Team Member

    @choi_mixi:

    However,The first time creating a user using the CLI, the admin can have ability to see/manage the contents of user's private vault. (Only before user's confirm)

    I am not sure I understood. Can you please give us the steps you are following so we can test this here too?

  • choi_mixichoi_mixi
    edited December 2019

    ag_ana

    1.create user command(by Admin)
    $ op create user [email protected] first_name last_name

    2.After 1st step,1Password's invite mail is sent to user [email protected]
    At this time,User do not click [Join your team] button

    3-1.Admin can see user's private vault in Web Application.

    3-2.Admin can see user's private vault uuid use CLI command
    $ op list vaults
    … {"uuid":xxxxxxxxxxx,"name":"first_name last_name's Private Vault"}]

  • LarsLars Junior Member

    Team Member
    edited December 2019

    @choi_mixi - that's exactly right; this is the correct design for 1Password.

    You are only able to view and access a user's vault prior to the user accepting their invitation (and you confirming them). This condition exists so managers/IT staff can pre-populate a user's vault (say, a new employee) with credentials they'll need (access to company email, other resources, etc). You can use op list vaults (or just use the 1Password web app, frankly), find the vault in question, and then create as many items as you like within that vault. It's provisioning. But, as soon as the user accepts the invitation and you confirm them, you lose the ability to see/manage their private vault.

  • @Lars - Thank you for your reply.
    I want to know why CLI design is different from Web application design.
    If I create a user in the CLI, I can access the user's private vault.
    However, if I create a user in the web application, I cannot access the user's private vault.

  • LarsLars Junior Member

    Team Member

    @choi_mixi - ah, thanks for clarifying your question. The reasoning has to do with different use-cases for the two ways of interacting with users' data. The CLI is used mostly by IT professionals for when provisioning larger groups of users (or having to do so with smaller numbers of users on a near-constant basis, as is often the case in larger companies). If you want to be able to create users instead of inviting them, and deposit credentials into those user's vault so they're available immediately when the user creates his/her Master Password, then the CLI is for you. If you're just managing people and prefer a more visual approach, then the 1password.com web app with its usage reports and GUI is probably better-suited.

  • choi_mixichoi_mixi
    edited December 2019

    @Lars - Thank you for your reply.
    I suggest that the Web App can select the same operation as CLI. (When creating a user using Web App, Admin can choose whether or not to access the user's private vault)

  • JacobJacob

    Team Member

    @choi_mixi Thanks for the feedback! That's not likely something we'll be adding in the future, but I'll forward your request to the team for consideration. :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file