FEATURE SUGGESTION: Allow me to assign vault access to pending users

hesspaul Junior Member

Once I invite users to a team, I would like to be able to go into individual vaults and groups and assign their access. For one thing it gets something off my todo list. For another, it helps me give the user a good first impression because they will quickly see any project vaults they are supposed to be involved with.

It "feels" like there might be something insecure about this request (giving people access who aren't yet users) but I can't think of any actual major new risks from this that I am not already taking.

  • This would be very helpful. I've had more than one instance of a new user being very confused after accepting the invite and only seeing the personal vault.

  • Jacob

    Team Member

    Hey @hesspaul! That's a very good suggestion, and I would love to see it too. The thing is, the security architecture of 1Password Teams doesn't make this possible. Similar to the issue I mentioned in another thread about adding pending users to groups, the user has to be confirmed before you can add them to a vault. Thanks for the suggestion, but it's just not something we can do at this point. We do send you an email to confirm new users, and once you do you can add them from their profile page in the Admin Console. :) If you have some ideas for improving this feel free to let us know.

  • michaelglass Junior Member

    Sorry, to be clear: I'm a fan of assigning future vault access to pending users. E.g., after confirmed, the pending user will have access to these vaults. Is that also impossible?

  • Jacob

    Team Member

    @michaelglass That's not possible either, I'm afraid. The post I linked to in my last reply explains why. I would be happy to go into a bit more detail if you'd like, but that's the simple version of it.

  • I can't say enough how much I'd love to see this as an administrator of a 24/7 support team.

    Far too often I get requests to add someone to the database late Friday when my weekend has begun and to be able to just go in and confirm the user and the system sets up all the permissions needed in one shot would be a huge time saver.

    It seems like a simple thing to add. If security is a concern, why not add a confirmation to the user AND the vaults/groups that were originally set up for confirmation at the same time? This seems like an easy ask.

    As an administrator, there are many things to do in a day. If you were on our side of the fence where you were being emailed, slacked and called to get someone set up in vaults/groups because they weren't available until you were done your shift, you may understand a bit more.

    I'll give this suggestion a +5

  • rickfillion Junior Member

    Team Member

    Let me see if I can provide a little bit more insight into why this isn't possible right now.

    Currently, a pending user isn't really a user. A real user has public/private key pairs, and providing access to a vault is a matter of re-encrypting the vault's keys with the user's public key. This requires that both the user have a public key to use for encryption, and that the admin (or person performing the action) have access to the vault's encryption keys. Which means that it can't be automated by our server because we don't have access to the vault encryption keys.

    All of that being said... we hear you. And we've been working on something that will hopefully open the door to being able to do something like this in the future. We aren't quite there yet, but making it possible to add a pending user (a user account that hasn't been acknowledged by its owner yet) to a vault or group is definitely a goal.
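
The key-wrapping model described in the reply above, as an added example that is not part of the original thread and is not 1Password's code. It assumes RSA-OAEP as the wrapping primitive and uses hypothetical function names; it shows why a grant needs both the recipient's public key and someone who can already unwrap the vault key.

```javascript
// Added illustration, not 1Password's code. RSA-OAEP (SHA-256) and all
// function names here are assumptions chosen for the sketch.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// A confirmed user has generated a key pair on their own device.
function newConfirmedUser(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// A pending user is only an invitation record: no key pair exists yet.
function newPendingUser(name) {
  return { name, publicKey: null, privateKey: null };
}

// Wrap (encrypt) the vault key to one user's public key.
function wrapVaultKey(vault, vaultKey, user) {
  if (!user.publicKey) {
    throw new Error(`${user.name} is pending: no public key to encrypt the vault key to`);
  }
  vault.wrappedKeys.set(user.name, crypto.publicEncrypt({ key: user.publicKey, ...OAEP }, vaultKey));
}

// Only the holder of the matching private key can recover the vault key.
function unwrapVaultKey(vault, user) {
  const wrapped = vault.wrappedKeys.get(user.name);
  if (!wrapped) throw new Error(`${user.name} has no access to this vault`);
  return crypto.privateDecrypt({ key: user.privateKey, ...OAEP }, wrapped);
}

// The server stores only wrappedKeys (ciphertext), never the vault key itself.
function createVault(owner) {
  const vault = { wrappedKeys: new Map() };
  wrapVaultKey(vault, crypto.randomBytes(32), owner);
  return vault;
}

// Sharing happens on the admin's client: unwrap with the admin's private key,
// then re-encrypt the same vault key to the recipient's public key.
function shareVault(vault, admin, recipient) {
  wrapVaultKey(vault, unwrapVaultKey(vault, admin), recipient);
}
```

A server holding only `vault.wrappedKeys` and users' public keys cannot perform `shareVault` on its own, because it has no private key with which to recover the vault key.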


