Vault Sharing, read-only access? [resolved]
I've created a vault to share and have shared it. I want to use this vault to share logins with family members so they can have access to my 'stuff' in case of an emergency. I've verified that subsequent modifications to the vault are correctly shared, provided I remember to share them. But I don't want the recipient to be able to change fields in this shared vault. I want the recipient to have 'read' and 'execute' access to each item only. But my testing indicates to me that the recipient can change anything in the shared vault.
Here is my question: Is it possible for the creator of a shared vault to set the recipients' access to a shared vault as 'read' and 'execute'? If it is, please let me know; if it isn't, but you have a suggestion how I can accomplish this, please let me know that.
Thanks
Comments
-
I too would like to know the answer to these questions.
0 -
AFAIK no you cannot make a keychain read only. Once its shared all people in the share have read/write access.
0 -
I just wanted to confirm what @thightower has said: There is no read-only keychain - all users will have full access to read and write. I will let our developers know though that you think this would be a useful feature to add!
0 -
I also want to be able to provide my kids with access to certain sites, services, and/or network resources, but I want to keep control of the passwords (in part so I'm not locked out). This is particularly important for sites such as iTunes, where we have a family account. Similarly, because my spouse and I share a number of logins and usernames (such as for commercial websites like Amazon), I want her to be able to access those sites without having to memorize or write down the corresponding password. Yet again, I am the family's password manager, so I don't want my family members overwriting passwords. Thus, the need for read and execute capability, but without write capability. I imagine others have additional use cases they can describe, which might help the developers better understand and design for the nuances of our various needs.
0 -
Thanks, all, for your comments. I'm glad to know that I'm not the only one who would REALLY appreciate having this feature added and I think it's great that the gurus will pass this request on to the developers. My purpose in sharing the vault with family(on the other side of the country) is for them to be able to get to this critical information in an emergency. And it is therefore important, in this case, that the shared vault be an up-to-date copy of data in my primary vault. I realize that there may be other shared vaults even for me, where this is not so critical. And thanks, again, for passing this request along to the developers.
0 -
Hi @jther,
Thanks so much for adding your thoughts and your use case here :) I think it is important to note here that if you share a vault with your wife, she will not have to memorize or write down any passwords - that is the beauty of shared vaults! Additionally, if she changes a website's password, all she has to do is update the 1Password entry as well and you will both then have access to the new password.
In any case, we will certainly keep this in mind!
0 -
Hi Megan,
I believe your response of 3Dec was meant to be written to @jther, instead of to @Griz. I'm @jther and I see now that that note was not clear.
Instead of saying that the 'shared vault be an up-to-date copy.....' I should've said that it's important to me that 'it should be possible to share a vault in such a way that the particular data items be a copy of the corresponding primary vault's data items'.My purpose in sharing vaults is so that our son, who lives on the other side of the country, can get to my logins in case of a dire emergency. (I, too, manage the passwords and such in our house but only on this side of the country). Our lawyer told me, explicitly, that our designated representative needs to have access to all pertinent critical information in case of an emergency to both me and my husband. But that does not mean that I want that representative to be able to change login info, or other pieces of info, until that situation arises.
I wonder, would it be possible to have the option of removing the 'edit' capability from a shared vault when that vault is created? I'd welcome that introduction, even though a user would have to decide about the purpose of the shared vault when adding it.
0 -
Hi, @jther.
I've readdressed @Megan's reply to you instead of @Griz; thanks for catching that. :)
While a 1P4 database containing one or more vaults can't be directly restricted to read-only access, the last paragraph of the article about revoking vault access says:
It is possible to limit someone’s access to future updates of the vault by revoking their ability to synchronize data. For example, by using Dropbox’s Kick Out feature, the owner of a Dropbox shared folder can prevent further data synchronization with someone. However, this will not prevent that person from using a copy of the 1Password data they already have.
The implication is it that you already have the ability to uni-directionally share a vault, limiting it from being updated by severing access to syncing with it, e.g.:
- Configure Dropbox Sync with desired vault to 1P keychain.
- Disable Dropbox Sync but retain the keychain.
- Share the now un-synced keychain through Dropbox.
- Anyone who can unlock that keychain essentially only has read-only access to the vault data in it unless you decide to reenable syncing with it.
- And simply removing the keychain avoids any updated data in it being accidentally synced with the "master copy" in your 1P4 vault.
Here's your intended purpose:
My purpose in sharing vaults is so that our son, who lives on the other side of the country, can get to my logins in case of a dire emergency. … But that does not mean that I want that representative to be able to change login info, or other pieces of info, until that situation arises.
And from your previous reply:
My purpose in sharing the vault with family(on the other side of the country) is for them to be able to get to this critical information in an emergency. And it is therefore important, in this case, that the shared vault be an up-to-date copy of data in my primary vault.
Then your update:
Instead of saying that the 'shared vault be an up-to-date copy.....' I should've said that it's important to me that 'it should be possible to share a vault in such a way that the particular data items be a copy of the corresponding primary vault's data items'.
To clarify, do you mean you'd want all (or just a specific subset) of items in a vault you've shared to be part of another primary vault that could also contain other items that aren't in the shared vault? Or am I unnecessarily complicating this?
For now let's just take the uni-directionally vault sharing example. While not an auto-updating one-time setup it does provide a way to share critical information from 1Password with your family without them being able to modify it. I don't know how frequently that information changes for you personally but often it's infrequent enough that manual resharing, on a regular and/or as-needed basis, is feasible.
Could something like that serve your purposes until more suitable 1P data sharing/syncing options are available?
0 -
WOW!! You guys are absolutely fantastic in your support!. @sjk, thanks so very much responding in such detail and with such clarity. I'm printing out your reply and will study it. I believe that what you detailed in the first part of your note, and summarized at the end ("For now, let's just take the uni-directionally vault sharing example....), is EXACTLY what I want to be able to do: share data via a vault but then disallow updating of that particular vault by others, while knowing that the responsibility of keeping that shared vault in synch rests with me. "Uni-directionally sharing a vault", as you say.
Now I see that I missed the significance of your reference to 1P's link to Dropbox's Kick Out feature when I was first reading your documentation about vault sharing a while ago. What your documentation describes is, again, EXACTLY (I believe) what I want to do: to be able to "limit someone's access to future updates of the vault by revoking their ability to synchronize data." Yet, I do not want to "prevent that person from using a copy of the 1Password data they already have" This sounds like what I want And, if so, I'll add a "WHOOPEE"!
0
