Recovery Group: Where do we stand?

edited July 2016 in Business and Teams

As an early-ish ßeta user, I added two ordinary Team Members to the Recovery group, so that members of our small team could recover each other's accounts, should the worst happen. Our team is not large enough to justify having multiple owners or administrators, and this setup seemed to work well on paper.

Unfortunately, there was much subsequent discussion about the workings of the Recovery group, including talk of restricting its use by non-Administrators or non-Owners, merging it with one of these groups (so that all privileged users could perform recoveries, without extra steps being required at setup), etc.

I still live in fear of our Recovery setup being somehow ineffective or insufficient and, given the difficulty of performing dry-runs in this particular context without unsettling users to a great extent, it is nearly impossible to conduct regular tests…

Comments

  • Jacob

    Team Member

    Hi @francoisjoseph! I really appreciate you checking in on this, because it does seem to have gone to the back burner from the outside. Remember the custom groups and roles @rob talked about in the other thread? Those are now available :)

    For your use case, I would recommend creating a custom group (you can call it Recovery or anything you'd like) and giving that group the recovery permission. Then add all the users you want to have recovery to that group and you should be set. Please let me know if that's what you're looking for, and if not, what would make the experience better so we can improve it.

    > I still live in fear of our Recovery setup being somehow ineffective or insufficient and, given the difficulty of performing dry-runs in this particular context without unsettling users to a great extent, it is nearly impossible to conduct regular tests…

    I'm really sorry to hear that. What kind of tests are you trying to perform? If you want to play around with recovery, feel free to add an extra member to test things out. With Gmail addresses, you can add +something before the @ and replace the something with anything you want to use the same email address for something else. You can invite a guest or team member with this and test things out for yourself. Let us know what you think. :)

  • Hello, @penderworth! What a pleasure to hear from you again! :)

    I do indeed seem to latch onto topics nobody else cares about… Whether this is a blessing or a curse remains, of course, to be seen. :glasses:

    The custom group does sound like what I am looking for! Would I be right in thinking that assigning users to this new custom group requires no changing of keys or passwords and that 1Password will take care of all the magic behind the scenes?

    As an aside, I see we are all still members of the old Recovery group. Would having both the old and the new group in place create any conflicts? And can we expect the old Recovery group to disappear at some point? (The message you link to hints at its removal from the UI but, so far, it appears not to have moved an iota.)

    The ideal test, of course, would be to go through a full recovery cycle with a test account, as you very rightly point out, but that implies an extra expense that would take some explaining at the end of the year!

    I appreciate your kind reply and look forward to hearing from you!

  • edited July 2016

    Hmm… At the risk of sounding obtuse, I cannot see anything resembling the Permissions menu you screen-shotted above. I do see a big blue button to create a group, and I can create one easily, but nowhere am I permitted to add such a permission as Recovery… Is there a document somewhere that would point the way, @penderworth? :dizzy:

    Edit — I do see how to access them now, through a ßeta toggle… It is somewhat scary that, once again, something as crucial as Recovery is in flux so late in the game… One follow-up question, if I may: does the Custom Group need to have permissions to access the Vaults or does it simply need the Recover Accounts permission with no direct Vault access? (I assume the latter, but better safe than sorry.)

  • Jacob

    Team Member

    @francoisjoseph And a pleasure to hear back from you too. :) Custom groups do take care of things behind the scenes — no strange magic is required on your end. Having people in the old Recovery group and the new one you manually create shouldn't conflict. If it does, let us know so we can look into it.

    > Edit — I do see how to access them now, through a ßeta toggle… It is somewhat scary that, once again, something as crucial as Recovery is in flux so late in the game… One follow-up question, if I may: does the Custom Group need to have permissions to access the Vaults or does it simply need the Recover Accounts permission with no direct Vault access? (I assume the latter, but better safe than sorry.)

    Sorry for the confusion there. I forgot to mention the toggle. Custom group permissions are pretty stable at this point. If you do find any issues with it, please let us know. I've been using it for a few weeks and it's been fine in my testing. I'd like to hear how it goes for you too. :)

  • Thank you, @penderworth! :) Can you confirm which access privileges the custom recovery group must have? Does it need access to the individuals' vaults or is it enough to check Recover Accounts?

  • Jacob

    Team Member

    @francoisjoseph You're welcome! They should only need the Recover Accounts permission. There's no need for vault access or anything like that. :)

This discussion has been closed.