Share single passwords

We're testing Teams out, and can't figure out how to share a password with one or two users rather than to an entire vault. How do we do that?



Comments

  • Frank

    Team Member
    edited March 2017

    Hi @mike_22 - Congrats on the Teams account :-) Great question and I have two answers here -

    You have the ability to create as many vaults as you need. You can add the item you wish to share in a new vault then just add the specific member of the team to that vault so they can access the data.

    Do you have the beta features enabled? If not, log into the Teams account, click on the Teams account name in the upper right hand side > Select "team settings" from the drop down menu > Click on the beta tab then enable.

    Once the beta features have been activated, select the item you wish to share, then click on the share icon (arrow pointing up) > Select "send a copy" and choose the team member from the list.

    I hope this helped and let us know if you have any additional questions. Enjoy the rest of your day!

  • Hi Frank, the vault option isn't feasible, but the second option looks better. But the "copy" part of the second option is worrisome. If I share a password that way, and then change/update it, will the person I shared it with get the updated version?

    An example of why vaults aren't feasible: let's say we have a working group of 10 software developers. Rarely, if ever, will we have passwords that need to be shared with all 10 people in that group. Much more commonly I have a password and need to share it with 1 other person in the group; another password I need to share with 3 other people; another that I need to share with 2 other people, etc. Each of us in the group would end up with a ridiculous amount of vaults for each combination of people we need to share different passwords with, which would make password management a nightmare for us.

  • Frank

    Team Member
    edited March 2017

    Hi @mike_22 - I completely understand and thank you for sharing your use case with me :+1: I would then recommend giving the "send a copy" option a try. You're correct, it's only a copy of the item and any changes will not sync over to the original item. This would be hard for us to implement due to the potential for sync conflicts if an item is moved across to multiple vaults. At this time, it's only a copy of the original item. I appreciate the constructive feedback and for letting us know this is something you would like to see in the future. Sorry for not having a better answer at the moment and let us know if you have any additional questions.

  • That's too bad, we really liked our initial look at 1password. The ability to share passwords to different individuals is a basic feature we definitely need, and all other password managers we've tried (including the one we use now) have it. With 100+ people in the company, our VPs would go nuts if I told them they couldn't share passwords in this manner. We'll check back in the future, I hope this feature is on your roadmap.

  • Frank

    Team Member

    Hi @mike_22 - I appreciate the quick reply back. If it's ok with you, I'm going to have one of my colleagues on our Sales Team reach out to you to discuss this further. We look forward to speaking with you soon :-)

  • We are in a similar boat. Looking for something better than LastPass (can't wait for them to get good UI). Sharing an item while maintaining the ability to centrally edit it and yank it back, no matter where that item lives, is a requirement for us.

    RE: "This would be hard for us to implement due to the potential for sync conflicts if an item is moved across to multiple vaults."

    The crypto stuff is hard. Items are just rows in the database. I know I'm simplifying it, but symbolic linking items (to use Un*x parlance) is done by Keeper Security and I'm sure others, and I don't think they are smarter than you.

  • ssoroka 1Password Alumni

    Hey @quickdraw6906,

    Unfortunately, it's not quite that simple. Having a reference to the database row is only part of the answer, you also need to have the right keys to decrypt the data, otherwise it's useless. We don't have any of the keys to hand out (and we don't want them; our security is based on this idea), so we need to make sure you know how to decrypt the items you're given access to. Normally decryption is managed per-vault, and not per-item, so we've got some things to solve before this can be a thing. Regardless, we're aware of this use case and it's something we're working on solving for you.

    Hope this helps shed some light on the situation.

    Cheers,
    Steven
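The point in the reply above (a row reference is useless without the key, and keys are managed per vault) can be seen in a small model. This is an added example, not 1Password's code or design: the toy cipher, the symmetric per-user keys standing in for public-key pairs, and all names are assumptions.

```python
import hashlib, hmac, secrets

# Toy authenticated cipher (stdlib only) standing in for a real AEAD; illustration only.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key: row is unreadable")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Server:
    """Holds ciphertext rows and wrapped vault keys only, never a usable key."""
    def __init__(self):
        self.rows = {}     # (vault, item) -> item sealed under the vault key
        self.wrapped = {}  # (vault, user) -> vault key sealed under the user's key

def vault_key(srv, vault, user, user_key):
    if (vault, user) not in srv.wrapped:
        raise PermissionError(f"{user} has no wrapped key for {vault}")
    return unseal(user_key, srv.wrapped[(vault, user)])

def create_vault(srv, vault, owner, owner_key):
    srv.wrapped[(vault, owner)] = seal(owner_key, secrets.token_bytes(32))

def put(srv, vault, item, user, user_key, secret):
    srv.rows[(vault, item)] = seal(vault_key(srv, vault, user, user_key), secret)

def read(srv, vault, item, user, user_key):
    return unseal(vault_key(srv, vault, user, user_key), srv.rows[(vault, item)])

def grant(srv, vault, member, member_key, new_user, new_key):
    # Only a member can re-wrap the vault key (new_key stands in for a public key).
    vk = vault_key(srv, vault, member, member_key)
    srv.wrapped[(vault, new_user)] = seal(new_key, vk)

def demo():
    srv, out = Server(), {}
    alice, bob = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    create_vault(srv, "Team B", "alice", alice)
    put(srv, "Team B", "pass4", "alice", alice, b"v1")
    put(srv, "Team B", "pass5", "alice", alice, b"other")
    try:  # 1. Bob can reference the row but has no key for its vault.
        read(srv, "Team B", "pass4", "bob", bob)
    except PermissionError:
        out["reference_only"] = "denied"
    # 2. "Send a copy": re-sealed into Bob's own vault, detached from the original.
    create_vault(srv, "Bob private", "bob", bob)
    put(srv, "Bob private", "pass4", "bob", bob, read(srv, "Team B", "pass4", "alice", alice))
    # 3. Sharing pass4 in place means wrapping the vault key, which opens pass5 too.
    grant(srv, "Team B", "alice", alice, "bob", bob)
    out["after_grant"] = read(srv, "Team B", "pass5", "bob", bob)
    put(srv, "Team B", "pass4", "alice", alice, b"v2")  # Alice rotates the password
    out["shared"] = read(srv, "Team B", "pass4", "bob", bob)
    out["copy"] = read(srv, "Bob private", "pass4", "bob", bob)
    return out
```

In this model the only in-place way to give Bob `pass4` also hands him `pass5`, while the copy stays at `v1` after the original moves to `v2`.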

  • I enabled Beta features to give this a shot and don't see the options you showed in your screen capture, @Frank. The only option is "duplicate" and I'd like the "Send a copy" option. I can see on the screen where I enabled Beta features that sending a copy is listed. What else do I need to do? Thanks!

  • I've not got a Teams trial yet but intend to do so and this is something that I would also like to see be available at a more granular level.

    I get that it's likely not trivial to implement.

    Thing is it's exactly the kind of thing that will put some businesses off, just whether it's enough to justify changing it I guess :)

  • brenty

    Team Member

    I enabled Beta features to give this a shot and don't see the options you showed in your screen capture, @Frank. The only option is "duplicate" and I'd like the "Send a copy" option. I can see on the screen where I enabled Beta features that sending a copy is listed. What else do I need to do? Thanks!

    @fastspotstacy: You'll only have that "Send Copy" option if you have the appropriate permissions to do so, specifically "Send".

    I've not got a Teams trial yet but intend to do so and this is something that I would also like to see be available at a more granular level. I get that it's likely not trivial to implement. Thing is it's exactly the kind of thing that will put some businesses off, just whether it's enough to justify changing it I guess :)

    @musicwallaby: What do you mean? Change what?

  • @brenty I was able to get my permissions upgraded to Owner shortly after posting this. Voila! The option is there :) Thanks!

  • @brenty sorry, meant whether the number of people for whom it's a big deal has enough financial impact to get it changed :)

    Customer says "We'll have 100k seats if you can do this" and maybe it gets done kind of thing..

  • brenty

    Team Member

    @brenty sorry, meant whether the number of people for whom it's a big deal has enough financial impact to get it changed :) Customer says "We'll have 100k seats if you can do this" and maybe it gets done kind of thing..

    @musicwallaby: Ah, gotcha. We're happy to listen to all of our customers, but certainly the more a change can benefit the more we're likely to consider it. :)

  • brenty

    Team Member

    @brenty I was able to get my permissions upgraded to Owner shortly after posting this. Voila! The option is there :) Thanks!

    @fastspotstacy: Awesome! Thanks for letting me know! Sounds like you should be all set, but we're here if you need us. :chuffed:

  • @brenty can you keep me posted if the per-item sharing feature ever becomes a thing?

  • brenty

    Team Member

    @tonyx: As mentioned previously, this is a beta feature in 1Password Teams. There's no guarantee that it will see a final release, or apply to all account types.

  • @brenty are you talking about "send as a copy" or something else? I do have 1Password for Teams - how do I get access to this feature?

  • brenty

    Team Member

    @tonyx: Beta features have to be enabled by the administrator:

    https://start.1password.com/settings/beta

    Cheers! :)

  • Just wanted to add my voice here, since my team is running into this exact same issue now and it seems like there's no good solution. Having good security practices isn't very useful if the only way we can give one person access to client data is to give everyone in their group access. The point is to give access on a need-to-know basis. The vault system doesn't seem to quite support that, which is really disappointing. I think we'll have to close our 1Password team account since there's no good solution. :(

  • brenty

    Team Member

    @noah_cplx: I'm not sure I understand your comments in the context of this discussion. For example, 1Password Business (and Teams) has had custom groups and per-user sharing for a long while. Can you tell me what you're trying to do exactly, and what hasn't worked for you? Perhaps we can find a solution. :)

  • @brenty Sure, I'd be thrilled if there was a solution I was unaware of.

    Basically the use case is this: we have a store of private customer information. This is 100+ items, so making a vault for each would be quite cumbersome. However, we do not want to give all employees access to all private customer data (add them all to the vault). We only want the employee assigned to that client's account to have access to their private data. In the past (and with other software), we've simply granted access to the individual item (private data), to the individual employee who needs access to it.

    From what I can tell, the only way to accomplish this with 1Password is to create either A). A vault for every single employee, which would make things incredibly disorganized, or B). Make a vault for each individual client. Both of those solutions would be tedious to implement and not very well organized at all.

    An ideal organization system would be:
    All Employees Vault - Shared with everyone
    Executive Employees Vault - Share with C-level team
    Private Customer Data Vault - Shared with the security officer by default, and then items shared individually with the account manager on a need-to-know basis.

  • brenty

    Team Member

    @noah_cplx: Not as tedious as you might think. ;) Definitely check out what we're doing with the beta CLI app, and reach out to the team at [email protected] to learn more about what we're doing with SCIM and automation. :)

  • @brenty I'm sorry, what is SCIM?

    I appreciate the response, but I'm not sure I understand you. Your suggestion is to create separate vaults for every user and then use CLI tools to make sharing passwords to each user less awkward?

    That feels like abusing the current architecture a bit. I'd prefer to use a tool whose architecture supports this use-case natively, rather than learning a CLI toolset to work around the issue. I'm sure that'd be valuable for people who can't switch away from 1Password though.

    Or maybe I'm misunderstanding your suggestions?

  • rickfillion Junior Member

    Team Member

    Whether SCIM or CLI automation is a fit for your problem really depends on how your organization is structured. If for example you have a directory service like Azure ActiveDirectory and in that directory you're already representing those 100 customers and who has the right to interact with each customer, then it might actually be a great fit to replicate that structure to 1Password.

    If you don't already have that structure, then the replication is probably going to be a lot of work.

    We'd love to work with you to figure out how best to integrate 1Password into your workflow. Our business team is quite good at figuring out how best to accomplish things. I recommend giving them a shout by emailing [email protected] and giving an overview of what you'd like to achieve.

    Rick

  • also running into issues with this.

    I love 1password personally.

    I really want to start using it at my company.

    However, given our use case (which appears very similar to noah_cplx) all of the potential solutions here are woeful.

    CLI tools - I don't want to have to ask anyone in our organisation to learn how to use the command line, or require someone to setup services on their laptop/computer so that they don't have to. Indeed, this is one of the major advantages of cloud services. They can be deployed to a user's machine by simply saying "go here, download/login, et voila! you're done".

    Reading the comments from the 1password team, I don't understand the insistence that the product already achieves a certain outcome, in the face of customers (and potential customers) telling them that it doesn't. If we really want to get technical, if a user doesn't think a product does something, it doesn't, and it is up to the product to address that. This is part of what separates good, and bad, products (and product design) (though, I will acknowledge that sometimes you do have to "teach" your users, but from reading these comments, it really doesn't look like that is required here).

    rantover (I'm sorry, I just really love 1password, and am super disappointed that I can't use it with our team because of its limitations here).

    For clarity, our use case:
    1. Be able to share individual passwords on a need-to-know basis, that when changed by an authorised user, these changes are propagated to all users that the password has been shared with.
    2. An easy interface to view all passwords/user access (one interpretation of this would be a list of users that can be drilled-into that then displays passwords that they have access to, and allows easy revoking/granting access).

    To summarise the above, we are looking for a tool that facilitates central management of passwords.

    Again, for clarity, I am not looking to "shard" password management by vault. By definition this requires everyone in that vault to have the same access requirements. For us, this basically never happens, even on the same team.

    To be really clear, even if we said "all our Engineering Leads require the same access to deploy etc", there are some Engineering Leads that also require access to web analytics tools and data analysis tools (but they are not full-blown data science team members, and thus don't require access to the "data-science vault"). Creating a special vault for these exceptions, leads to a proliferation of vaults that becomes terribly complex.

    For example:
    Vault 1 Team A
    pass1
    pass2
    pass3

    Vault 2 Team B
    pass4
    pass5
    pass6

    Now, let's get someone from Team A access to pass4. We could reorganise everything to ensure future password changes were synced by using the following structure:

    Vault 1 Team A
    pass1
    pass2
    pass3

    Vault 2 Team B
    pass5
    pass6

    Vault 3 Team A2 + Team B
    pass4

    Thus, every time someone needs access to a password, it requires us to restructure things. If we simply copied pass4 to a new vault, then any changes made would need to be manually propagated across vaults. This sucks. Because humans are fallible. And someone will eventually forget to do so, and this will lead to wasted time rectifying the issue, that shouldn't have even been an issue in the first place.

    Of course, please, if I have misunderstood anything, please please please let me know, I'd absolutely love to find a way to use 1password for my company.
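The vault-proliferation argument in the post above can be worked through from an access matrix: with vault-level sharing, every distinct set of readers needs its own vault. This is an added example, not part of the original post or any 1Password tooling; the member names and function names are hypothetical.

```python
from collections import defaultdict

def vault_layout(acl):
    """One vault per distinct reader set: {frozenset(readers): {items}}."""
    vaults = defaultdict(set)
    for item, readers in acl.items():
        vaults[frozenset(readers)].add(item)
    return dict(vaults)

def grant_item(acl, item, user):
    """Return the new matrix and the items that must move to a different vault."""
    new_acl = {i: set(r) for i, r in acl.items()}
    new_acl[item].add(user)
    moved = sorted(i for i in acl if set(acl[i]) != new_acl[i])
    return new_acl, moved

def readable_by(acl, user):
    """Audit view: every item a given user can read under the layout."""
    return sorted(i for i, readers in acl.items() if user in readers)

def max_vaults(n_users):
    """Upper bound on distinct non-empty reader sets for n users."""
    return 2 ** n_users - 1

# Constructed sample: the Team A / Team B layout from the post, with made-up members.
TEAM_A, TEAM_B = {"ann", "al"}, {"bo", "bea"}
ACL = {"pass1": TEAM_A, "pass2": TEAM_A, "pass3": TEAM_A,
       "pass4": TEAM_B, "pass5": TEAM_B, "pass6": TEAM_B}

def demo():
    before = vault_layout(ACL)
    new_acl, moved = grant_item(ACL, "pass4", "ann")
    after = vault_layout(new_acl)
    return len(before), len(after), moved, readable_by(new_acl, "ann")

if __name__ == "__main__":
    print(demo())
```

Granting one Team A member access to `pass4` turns two vaults into three and forces `pass4` to move, matching the "Vault 3 Team A2 + Team B" restructuring described in the post.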

  • brenty

    Team Member

    @seanbarry: Thanks for sharing your thoughts and experience. I get where you're coming from with regard to the CLI app. I rather like it, but I am not a command line guru myself. But honestly, most of the feedback we've gotten in this area is from people who want to automate this stuff, so that's not only part of the mindset we're coming from with our comments here, but also a big part of why the CLI app exists in the first place. So it's really interesting and illuminating to get a different perspective. The difficulty that you pointed to with your comments regarding "the product already achieves a certain outcome" is that it's true people; it's just that not everyone wants to take the same path to accomplish the same goal. So I apologize where we're kind of talking past each other at times. I guess there's some unconscious assumption of context based on our conversations with many others.

    I agree with you wholeheartedly that it would be great to have a solution to the problem(s) you present here. It's not simple though. That's fine, as we rather like solving these kinds of problems. But in spite of the time and effort that necessarily has to go into building something like that, the real challenge is making the result something that seems simple and intuitive to users. It really helps to get a clear sense of what different people are looking for though, and examples like you gave in the context of a team workflow. I'm sorry we don't have something that will fill this need for you now, but if and when we do I think we're all better off if it's something we can all be happy with. And I think it's worth taking the time needed to achieve that. I hope we'll have better news for you and others in this area in the future.

  • I’m coming from LastPass. They do this. So, this is a much needed feature. What about having a tag system and just sharing by tag or allow an item to live in multiple vaults?

  • brenty

    Team Member

    As I understand it, that's because data is not kept in separate vaults, only different "folders". 1Password vaults are each individually encrypted so that they can be shared only with specific people, being enforced cryptographically rather than using only permissions. You can absolutely share a single item, and there are two ways to do this, just not in the sense you're suggesting:

    a. Share an item on an ongoing basis, by putting it in a vault which the other person has access to (can be done with any group 1Password.com account: 1Password Families, 1Password Teams, 1Password Business).

    b. Share an item on a one-time basis, by using the Share option in the item's details on 1Password.com, which places a copy of it in the target user's Personal/Private vault (can be done only with a 1Password Teams/Business account which has this beta feature enabled).

    We'd definitely like to offer more flexibility in the future though, provided it can be done in a way that is both secure and user-friendly. Thanks for the feedback! :)

  • Yes, I understand that there are some technical challenges. However, this is probably the most important thing to address going forward because creating multiple vaults is not only tedious and time consuming, but creates an organizational problem for keeping track of who has access to which items and why.

  • rickfillion Junior Member

    Team Member

    However, this is probably the most important thing to address going forward because creating multiple vaults is not only tedious and time consuming, but creates an organizational problem for keeping track of who has access to which items and why.

    We agree that this is an important thing for us to be able to do. It's not that we think this is a terrible idea, it's that a good solution to this problem doesn't fit within the bounds of how 1Password is currently designed. We have some really interesting ideas for how to solve this, but no clear path on how to go from where we are today. It's a super fun problem though, and one that many of us here would love to see solved.

    I want to touch on the currently available "solutions" though...

    There's the option of creating a vault, putting the item(s) in said vault, then sharing that vault with people or groups. And then there's the option of "Send a copy" which is in beta and only available in our webapp.

    They serve different purposes, and I use both for different reasons. And think that there's room for the in-between of sharing an item, but I disagree that it'd make keeping track of who has access to what any easier. With vaults, you get to name them and give them a purpose. If there's a vault called "1Password.com Development", then it's really easy to look at who has access and decide if they should still be there. And in doing so, I'm making the decision about all items within that vault. I would really hate to have to audit each item individually to make sure that they aren't shared with people they shouldn't be. It's possible that for some people they'd prefer that, but I sure wouldn't.

    Rick
