@rsberlo: Thanks for chiming in. Can you clarify what you imagine would be easier about (hypothetically) sharing a single item versus (actually) sharing a vault? Also, can you give a specific example where you "create a zillion vaults for individual passwords"? Even within fairly large companies, the odds of never sharing data with the same person twice don't seem to be high, so I'm curious.
Maybe this is more relevant in mid-sized companies where people are wearing many hats. We are at about 200 employees.
Today, for example, Team A wanted to share edit access to our company wiki with someone from Team B. We don't want to give Team B access to all the passwords in the Team A vault, obviously. And we don't want to duplicate the item into the Team B vault, which will then be out of sync for future password updates. So I ended up creating a vault specific to that one item and shared it with the people team + 1.
Another example would be sharing a password between two individuals, where we have to create a "John/Susie" vault. This happens all the time, and to be frank, it's likely affecting our compliance as people are much more likely to bypass this process in favor of what's easy.
In some ways it's just the way people think. In the past (and probably still) people would send each other credentials in plain text via Slack, which we are obviously working hard to discourage. It seems there should be a secure replacement for this use case.
Hope this helps!
@rsberlo: I really appreciate it! Those are great examples.
I guess the question I have is then why doesn't sharing a vault work? It sounds like it's just a usability issue, honestly, and that making it easier to share vaults -- or create a shared vault automatically when the user tries to share (an) item(s) -- is really what is needed, not "item sharing".
If we can continue to use vaults for sharing, we keep the security and usability benefits of that. That last bit may sound absurd to you in your present situation, but hear me out:
Each vault is encrypted with unique "keys", which is how people in the team do not have access to things they shouldn't. I don't think there's any argument that that is a good thing. But the usability benefit is that it's really easy to tell who has access to a vault as a result. For example, let's say you're sharing a vault with Team A and Team B. By contrast, imagine if you had to keep track of who had access to individual items within that same vault instead. Suddenly it becomes more like trying to figure out inherited Unix permissions in nested directories, and, to be honest, that makes my eyes cross. I can't imagine that this is going to be easy for everyone on your team either, and just thinking about how to present that visually gives me a rash. In the "item sharing" future, are we going to have to view a vault's contents and scroll through long lists, sort by "person", etc. to figure this stuff out? It doesn't really scale, in a lot of ways, and it seems to me we'd just be trading one usability problem for another. So we need to consider the non-security ramifications of doing something like that as well. But it's a problem worth solving, and we'll keep brainstorming.
I love the idea of auto-creating a vault on sharing a single item! It could be an option in the sharing dropdown (share via 1Password).
The only issue here is that if the item is already in a shared vault, a solution is needed for this use case. Maybe the item is moved to a new vault that includes all individuals/groups with access to the former vault, with the new people added.
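The auto-vault proposal above (and the rule for an item that already lives in a shared vault) can be modelled in a few lines. The following is an added toy model, not 1Password's code or anything the forum participants posted: vault keys are stand-in random bytes, the vault and person names are constructed, and the `Store`, `Vault`, `share_item` and `who_can_access` names are assumptions for illustration. It shows the two properties the thread cares about: the newly added person gets only the moved item, not the rest of the old vault, and "who can access item X" is always just the membership of one vault.

```python
"""Toy model of vault-based sharing (added example, not 1Password's code).

Each vault has its own key and member set, an item lives in exactly one
vault, and sharing a single item with new people moves it into an
auto-created vault whose members are the old vault's members plus the
new people, as proposed in the thread."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Vault:
    name: str
    members: set = field(default_factory=set)     # who holds this vault's key
    # constructed stand-in for a real per-vault encryption key
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    items: set = field(default_factory=set)


class Store:
    def __init__(self):
        self.vaults = {}       # vault name -> Vault
        self.item_vault = {}   # item name -> vault name (no duplicated items)

    def create_vault(self, name, members):
        if name in self.vaults:
            raise ValueError(f"vault {name!r} already exists")
        self.vaults[name] = Vault(name, set(members))
        return self.vaults[name]

    def add_item(self, item, vault_name):
        # Refuse duplicates: a copy in a second vault would drift out of sync.
        if item in self.item_vault:
            raise ValueError(f"item {item!r} is already stored in "
                             f"{self.item_vault[item]!r}")
        self.vaults[vault_name].items.add(item)
        self.item_vault[item] = vault_name

    def who_can_access(self, item):
        """Access to an item is exactly the membership of its vault."""
        return set(self.vaults[self.item_vault[item]].members)

    def share_item(self, item, new_people):
        """Share one item with extra people by moving it to an auto-created vault.

        The new vault's members are the old vault's members plus new_people,
        so existing holders keep access and the new people see nothing else
        from the old vault. Returns the name of the vault now holding the item.
        """
        old = self.vaults[self.item_vault[item]]
        new_people = set(new_people) - old.members
        if not new_people:
            return old.name                      # everyone already has access
        base = f"{old.name} + {', '.join(sorted(new_people))}"
        new_name, n = base, 2
        while new_name in self.vaults:           # keep auto-generated names unique
            new_name, n = f"{base} ({n})", n + 1
        new = self.create_vault(new_name, old.members | new_people)
        old.items.remove(item)                   # move, never copy
        new.items.add(item)
        self.item_vault[item] = new_name
        return new_name


if __name__ == "__main__":
    # Constructed scenario mirroring the wiki example in the thread.
    s = Store()
    s.create_vault("Team A", {"alice", "bob"})
    s.add_item("company wiki", "Team A")
    s.add_item("payroll portal", "Team A")
    v = s.share_item("company wiki", {"carol"})   # carol is on Team B
    print(v, "->", sorted(s.who_can_access("company wiki")))
    print("payroll portal ->", sorted(s.who_can_access("payroll portal")))
```

Because every share creates a distinct key, the audit question stays a one-vault lookup; the cost, as noted in the thread, is vault sprawl, which this model makes visible in the growing `vaults` dictionary.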