Can I share a login with only SOME team members?

I'm evaluating 1Password Teams, and a feature of the previous password tool I used doesn't seem to exist - or at least I can't figure out how to do it. I'd like to share a login with only SOME team members, e.g. 2 out of 3.

The context is that I work with a load of contractors, and often need to share access to a certain login with just some of them - not all of them.

I can see how to add logins to a Shared vault that all the members in the team can see. And it doesn't seem possible to share a login separately with individuals, as each instance then becomes disconnected, and a password update (for example) isn't noted across all the shared logins.

If I wanted to achieve this somehow in 1Password Teams, how would I go about it?

Comments

  • tomas_pionect
    Community Member

    We've made multiple vaults for this purpose.
    A vault can be shared with one or more groups and/or one or more individuals.
    We just didn't share any vault with the team members group (that would be everyone), every vault is manually configured.

  • Roman
    1Password Alumni

    Hi @zanthony - Pretty much what @tomas_pionect said: The best way to do this is to create a special vault for your purpose and just share it with the people who need access to it.

  • pminne
    Community Member

    I'd like to chime in with this.
    We have our credentials nicely stored in different vaults that more or less map to teams and subteams. In an ideal world, this would be all we need.
    In reality however, there are dozens of scenarios where you need to share one login with one/two other people that are not a member of the vault. E.g. a backend engineer that helps out the devops team on a specific project. We don't want to share the entire devops vault in that case, but only that set of credentials that is required for the job.
    Copying the credentials to his/her personal vault means you lose control over it. Setting up a separate vault would result in dozens of 'specific use case' vaults, which is not manageable.

    My suggestion would be that the admin of a vault can share a login with an individual that is not a vault member. That login would then appear in the Personal vault of that person (for technical reasons you might have to create a 2nd personal vault that is manageable by the organization, but in that case the UI could simply present both vaults as one I guess).
    The receiving user would see the login in the Personal vault (readable and/or writeable), with an indication that it is owned by the organization.
    The vault the login originates from would show which credentials have been shared externally and with whom.

    Bonus: set an expiration date on the sharing with individuals.
    2nd bonus: vault admin gets notified of expiring shares so (s)he is triggered to reset the password if necessary.

    I can't emphasize enough how much such a feature would mean to us (and I assume many other companies). We love 1Password, but it's so frustrating we don't have an elegant solution for those non-standard scenarios, something we had in our previous password manager.

    Thx for listening.
    Meanwhile we cross our fingers :)

  • Hi @pminne - Thank you for reaching out to us. It's a great idea and I will definitely make sure to share this with the team. I appreciate you taking the time to send us some feedback on a feature that is important to you. I love the detailed explanation on how this would work :-) If you come across any additional features or have any questions, please feel free to contact us. We're always happy to help out and listen. Have a fantastic day!

  • robelkin
    Community Member

    Absolute +1 for this one, the example that pminne has given is the main reason I haven't moved away from LastPass and on to 1Password for our company password sharing. The assumption that to share a password with one person means that they need to have access to everything in a vault that they shouldn't see is a security flaw in my opinion.

  • @robelkin It is now possible to send an item to members of your team. You can use this feature by enabling betas on your Team Settings page. To send an item, click the share icon and choose "Send a copy".

    Let us know what you think! :)

  • robelkin
    Community Member

    @Jacob does that sending create a copy then? And is that copy in their personal vault? Thinking through the cases of "we change the password" and "they leave the organisation"...

  • @robelkin:

    It creates a copy into their personal vault (it'll show up once they log in to the webapp, we're still working on accepting sent items from the native apps). If you change the original item, the change won't get automatically propagated to those people you sent a copy to. You would need to re-send the item if you'd like it to propagate.

    Rick

  • robelkin
    Community Member

    Thanks Rick, that's what I thought and unfortunately breaks the security model for me. If someone leaves the company then they would still have access to logins that they should not have, forcing us to remember to change the logins for everything that a leaver had access to, and re-share with everyone again (which would be challenging even with a list of people that I had sent a copy to).

  • Hi @robelkin - I'm glad @rickfillion was able to help out. Sorry for not having a better solution available at the moment but we're working on it. We appreciate your feedback and thank you for letting us know this is an important feature for you and the team.

    Have a fantastic day :-)

  • Hi @robelkin,

    Hrmmm... I wonder if maybe wires got crossed here. The item will show up in the person's Personal vault that belongs to the Teams account. If you were to remove that user, then the app will delete the Personal vault from all of their devices automatically, so that the person does not retain access to that login information.

    At the end of the day though... there's no perfect system for this. A shared secret cannot be unshared. The only secure solution is to change the passwords for accounts when something like that happens, regardless of how the share happened.

    Rick

  • robelkin
    Community Member

    @rickfillion Does indeed sound like we got our wires crossed, that's a bit better and I didn't realise about the different personal vaults. I do agree that once something has been shared it can't be unshared, this is a good point. However a possible solution to this would be some way to prevent the recipient from seeing/reading the shared password, and it can only be used via the apps/browser extensions so it is always autofilled and never shown to the user. That's a model I'd quite like, and something LastPass supports (that and sharing are possibly the only things I like about their product and use it mostly for these features, but everything else about it is not good!)

  • @robelkin,

    It sounds like what you'd want in this case is to create another vault where people can be added to this vault without the "Reveal Password" permission. This permission is similar to the one you mentioned in that we do our best to not reveal the actual password to the user. They can use the item via the browser extension to login, but the apps should stop them from doing things that would let them see the actual value.

    I recommend that you give that a try and see if it works out for you.

    Rick

  • robelkin
    Community Member

    @rickfillion ah, cool. Yeah, that is useful to know. Brings us full circle to the original "That person shouldn't have the logins for the whole vault" issue though! Combine those two features and we would be on to a winner! Otherwise rolling it out to non-technical staff is going to be too confusing to them because they will just share and not add to a specific vault, so I need to prevent the worst case scenario from someone who just doesn't understand the security principles.

  • @robelkin : yup. We'll have to think some more about that problem.

    Rick

  • pminne
    Community Member

    Checking in on this. Any chance we might expect something along the lines of what was suggested?
    We're currently forced to set up 'occasional' vaults, and duplicate certain credentials and cross reference them in the notes. It's a pretty poor and dirty workaround which will get out of hand at some point.

  • Ben

    > Any chance we might expect something along the lines of what was suggested?

    It is still definitely something we'd like to be able to do, but no promises. It will be a fairly large undertaking to make happen.

    > We're currently forced to set up 'occasional' vaults, and duplicate certain credentials and cross reference them in the notes. It's a pretty poor and dirty workaround which will get out of hand at some point.

    Understood. It is something we'd like for our own team as well.

    Ben

  • ShaunG
    Community Member

    Is there any chance on the "send a copy" feature coming to Families? Or will that remain a Teams feature?

  • Ben

    Features in beta are only available to 1Password Teams customers, but once tested it is possible this may come to 1Password Families as well.

    Ben

  • I'm running into the same limitation, trying to create a schema that works for a few hundred people using Vaults just isn't working.

    We're down to creating vaults which contain one or two credentials, leaving us with hundreds of vaults to properly describe the expected access pattern of being able to give specific people access.

    In the past we've used Meldium, where access was applied to specific credentials either by user or group.

    So, Team A or Individual Bob has X access to credentials foo and bar.
    This is very simple and quite easy to organize.

    If I need to provide temporary access to a credential, I can just grant it and remove it at a later date.

    Vaults don't seem to be a good organizational choice for a business environment.

    Are you guys working on some other approach to allow us to organize and describe access to our credentials? This may become a big enough problem for us that we'll have to migrate to another solution (which is a damn shame as we are quite happy with 1password in most every other way)

  • Frank
    edited August 2017

    Hi a_blue_ball_of_yarn - Thank you for taking the time to write in. I appreciate the detailed feedback you sent over. We'll be happy to help out. Let's continue the discussion via email so we can get a better understanding of your use case. We look forward to hearing back from you soon. Have a great day!

    ref: o/690

  • anserman
    Community Member

    Actually, as an outsider and someone who is evaluating both 1Password and the other, I would appreciate it if you kept this "discussion" on here! I quite LIKE the examples that have been outlined because it helps to understand what implementing a password manager for a team will be like.

  • Frank

    Hi @anserman - I'm happy to hear the forum and discussions have been helpful. When we're discussing account specific related questions, we have to move the conversation over to email so we don't run into sharing anything private here. We take your privacy and security seriously. I try my best to keep the conversation in the forum but if I feel we might run into sharing account information I have to continue the conversation via email. Sorry about that. I hope you continue to find the forum helpful and please feel free to reach out to us if you have a question or feedback. I'll be happy to assist :smile: Have a great day!

  • myoffe
    Community Member

    I have a similar use case. I need to have credit card details sent to me. I need to use the details, and then erase the card details. So a sharing feature, that's controllable by the sharing party is a must in my opinion. LastPass (which I switched from) has this feature. In LP there's also control over who can reveal passwords, by the way.

    Bonus points for automatic un-sharing after a set period of time :)

  • AGAlumB
    1Password Alumni
    edited November 2017

    @myoffe: That's kind of nonsense unfortunately. Not that you asking for that is nonsense, but rather that information that is shared cannot be unshared, strictly speaking: "the cat's out of the bag", as they say. 1Password Teams has the ability to restrict "reveal" permissions, and share single items, but there's nothing stopping the recipient — you or someone else — from copying the credit card information and saving it somewhere else, or using login credentials (without revealing them, mind you) and simply changing the password to one they know. So it's a practical/social problem rather than a technical one. We're introducing auditing features in 1Password Teams as well that can help administrators determine what information has been accessed, but we have to be realistic about the limitations here. Someone malicious can do a lot of damage when you give them sensitive information, and since you cannot remove it from their brains — organic or electronic — after the fact, it's important to be circumspect about what you share with whom.

  • myoffe
    Community Member

    That's all true. However, there's a bigger chance of this information sticking around forever in my private vault or a piece of paper, rather than in an admin-controlled shared item, that's removed once its purpose has been fulfilled.

  • AGAlumB
    1Password Alumni

    Agreed. But the paper is not encrypted; everything in your 1Password vault is. We've designed 1Password with the assumption that the encrypted data will fall into the wrong hands, so we're relying on encryption and not permissions alone to control access to data. So it's important to keep in mind that once you've shared something with someone (which requires they have both access to the encrypted data and the keys to decrypt it), that can be snapshotted in a backup inadvertently. We just can't turn back time to unshare what has been shared, so it's important to change login credentials after revoking access to them since we should assume that they may still have the ones given to them in the first place. :blush:

This discussion has been closed.