Team Group Permissions

I'd like to give certain employees the ability to invite new people to 1password and to use vaults that they create/manage within their own group. It looks like because Invite/Remove team members is combined into the same role, they can delete my user account. Is there a way to prevent this? Or will you consider separating those permissions out?



Comments

  • Hi @blakedotme,

    Good questions. Have you considered using the invite URL instead of inviting specific people? They would still need to be confirmed by an admin before they could become part of the team, but that might help a bit.

    I think this is the first request I've seen to have us split apart the Invite & Remove permissions into two permissions. Technically I'm pretty certain that that could be done. It's something we'll have to consider.

    I assume that the overarching issue here is that your team is starting to be relatively large and you'd like to start delegating some responsibilities to smaller groups? This is a problem that we're actively working on trying to make better.

    I would love to hear your thoughts on what you've got in mind beyond the invite issue if you've got other use cases in mind.

    Rick

  • blakedotme
    Community Member

    Hi @rickfillion,

    The invite URL is an option, but waiting for an Admin for approval will slow things down as they're busy running the business. Imagine the Agilebits CEO having to approve every new user who joins your 1password team :)

    Our long-term goal would be to be able to create groups around certain projects with an admin (scoped to the group) who can manage vaults and invite users to our team and add/remove them from the group. Removing their ability to remove owners would be sufficient enough for our purposes.

    Some users will be external partners/vendors who won't share our domain so the invite URL method would need manual intervention from an Admin adding a domain to the whitelist each time. At this point, it would be easier to have the admin send out the invite which brings us back to square one.

    I guess one option would be for us to create a new 1password team and make certain team members Admins there, but then we have to deal with managing multiple teams.

    I have about a dozen users in my org who could be using this service, but I don't have the bandwidth to send out invites and chase people down to accept them before they expire, then confirm them. Hence my need to delegate this task to someone else.

    Thanks!

  • Thanks for elaborating on that. In our case it's not the CEO that does the confirming/approving of new users, but our sysadmin. I get where you're coming from, though. :)

    This is definitely something that we're trying to figure out how to make better. I'm going to share this feedback with the rest of the team, and hopefully we can find ways to make this easier for you one day.

    Rick

  • blakedotme
    Community Member
    edited June 2017

    You're spot on, we're trying to delegate to a sysadmin, but in our mind they shouldn't be able to remove the CEO's account. And they definitely shouldn't be able to access the administrative vaults which have credentials to ADP (payroll), banking, etc.

    I appreciate you guys taking a look into this!

  • Yeah, I get that. Though you should be able to set up vault permissions such that the sysadmin can't get into the administrative vaults. If you're having trouble with that we can help you out.

    Rick

This discussion has been closed.