Your Vault/Uploading vaults

I'm still confused about a few things about the Team setup. I only just got access to the Team part of 1Password so I might need more time to investigate that and actually play with it, but I couldn't find an easy way to use some of the Vaults I already have on my Mac and use them for the Team.
I would have thought that it would be easy to select a Vault and make it available to other members of the Team. Similarly, I should have been given the option to use my mail Vault as the "Your Vault".
Am I missing something obvious?
The only way to populate the Team Vaults now is to copy/move items from Vault to Vault?

Corentin


1Password Version: 5.5b17
Extension Version: Not Provided
OS Version: 10.11.1
Sync Type: Dropbox

Comments

  • Team vaults are created in the Admin Console of the 1Password for Teams web application. These are kept separate from any personal vaults that you create through the 1Password for Mac app itself.

    You are correct that, if you have items in a personal vault that you would like to share with a team vault, you would have to copy/move those items into that team vault. We have a KB article here that shows how to do that.

    The "Your Vault" is your individual vault that is not shared with anyone else in the team. It is, however, still a part of that team account and kept separate from any personal vaults. If you had two separate team accounts (say a work and a family account) then you would have a "Your Vault" for each account.

    I hope this helps :)
    -Jeff

  • cortig
    Community Member

    Thanks for the details Jeff. I knew how to copy and move items, but I was hoping to be able to copy/move an entire vault…
    I'm still not sure what I would ever use the Your Vault for then… Why not simply use my own personal Vault that's not part of the team?

    Corentin

  • MrC
    Volunteer Moderator
    edited November 2015

    @cortig,

    Consider that you might have 100 work server systems that you log into, that only you access (others on your team do not have, or need, access). Your Vault might be a good choice for placing these logins rather than your personal primary or secondary vaults, esp. if you cannot access these from home or want them to clutter your personal vaults.

  • cortig
    Community Member

    I guess… Though using a secondary Vault sounds like a pretty good solution to me (and I access all my vaults from home through syncing anyway).

  • MrC
    Volunteer Moderator

    @cortig,

    However, company policy may prohibit that.

    I suppose it's just another feature some will use, some won't.

  • cortig
    Community Member

    Oh, I see what you mean then. But will there be a possibility to prevent copying the items to a personal Vault then?

    Corentin

  • MrC
    Volunteer Moderator

    @cortig,

    AgileBits will have to speak to your question.

    But consider that the Copy/Paste functionality available in a GUI is simply a user convenience feature. Nothing prevents a user from manually transferring data (against company policy), just as nothing prevents an employee from stealing the office stapler (also against company policy, I'd presume).

  • ferthalangur
    Community Member

    Hi @MrC and @cortig:

    Here is my take on how you'd use those vaults in a work environment. It would be left as an exercise to the reader to do the policy-writing and training so that people actually do things correctly. :)

    Your Vault is for your own login passwords for work-related systems, work-related access to third party systems, etc. This is not the place to put your personal passwords. When someone is separated from the Team, these will go away, so team members should create a separate 1Password vault for that. See this Thread.

    Everyone is for shared secrets that are fairly trivial, like, a company-wide subscription to Consumer Reports that uses one username and password, or the wireless password, which is plastered everywhere. Nothing very sensitive goes here.

    Everything else goes into Vaults defined by the group that needs access to them, and the amount of sensitivity/trust involved in them.

    For example, all the production server admin passwords that have to be shared should go into a Sysadmin vault. When you add people to the vault you can decide whether to allow them to "Reveal passwords" or "Export" them. Yes, it is better if everyone logs in as themselves and uses sudo instead of anybody logging in as root, but not all systems are implemented with that level of privilege separation.

    It seems like the admin interface for the vaults has enough granularity to control all but the most determined workplace hackers from compromising your security controls.

    You still need to have adequate security control procedures in place. Using segregated vaults with careful selection of access parameters is not a substitute for deleting their accounts and changing the shared passwords after someone leaves the Team. Especially the shared passwords. However, having segregated vaults will make it a lot easier to keep track of which passwords need to be changed and which ones have been changed and also sharing the changed passwords with the remaining Team members.

    _rob_

  • Hi @cortig,

    ferthalangur has excellent advice there. Your teams account still belongs to the owner, so anything that is personal to you and not work related should go in a different vault. Regarding preventing of copying, there are permissions to prevent exporting of items, and that includes copying and moving items to another vault.

    Keep in mind, as MrC said, the user can still use the password or other sensitive information, so if they really wanted it, they could write it down on paper and enter it elsewhere. 1Password for Teams can limit what the user can do via permissions, but like anything else, if someone can see the password, they can transfer that knowledge elsewhere if they're determined.

    Regards,
    Kevin

This discussion has been closed.