Like any good admin (cough), I am making my way through the 1Password for Teams documentation and pushing the buttons as I go. There appears to be a worrying number of discrepancies between what is said in the manual and what the application actually does. Would other users and/or AgileBits gurus care to comment on the following?
▸ The manual repeatedly states that the Shared vault (sometimes also called the Everyone vault) cannot be altered. This appears to be incorrect, as it is possible to remove all users and all groups (all but Owners, that is) from the vault, essentially making it disappear from everybody's apps, including the administrator's. Is this known and expected behaviour? Personal vaults use a custom view in the Web App, one that makes it clear no permission changes can take place, but the Shared vault displays the same settings as any ordinary vault. Allowing it to be completely hidden from everyone, including administrators, while forbidding its deletion seems a bit strange.
▸ The notion of Groups appears to be fuzzy. It is currently possible to remove all groups but Owners from a Vault and to set the Owners to "Manage Only" so that, from the perspective of Groups, nobody has read or write access to the vault. Yet, it is then possible to add users to that vault, so that a user belonging to group X has access to a vault even if group X is forbidden from accessing it. Is this expected? If so, what is the point of Groups in the first place?
▸ The manual states that removing a user from a vault results in their being "unable to access any passwords that you change in that vault or any new data that you add to it." This implies that users retain access to a frozen version of the vault they have been removed from. However, in my experience, as soon as a user is removed from a vault, the vault disappears from the client applications. Poof! What is the expected behaviour of this feature?
▸ The manual makes no mention of web sessions that I could find, and yet I see multiple instances of the same browser listed in my "Authorised Devices." For example, I have three static icons for the same Chrome browser right now, alongside my OS X and iOS apps. How does one destroy old web sessions, and how come they accumulate?
▸ Conversely, I find I am sometimes logged out of the 1Password for Teams web app for no reason. Some sessions last a few minutes, others a matter of a few seconds, even with sustained activity. In this instance, things break horribly: instead of being cleanly taken back to the login page, I notice that buttons stop working or vault icons are no longer displayed. Only a clear-cache-force-reload dance brings proper functionality back.
▸ The manual implies that all members of the Recovery Group can recover any other account. For example, user X with access to no vaults whatsoever (except their own Personal vault) would be able to help an account owner or account administrator regain access to their account, including its full contents and management features. In effect, account recovery ignores all access rights and any team member can help any other team member regardless of their respective position on the access rights hierarchy. Is this actually the case, or am I mis-reading the docs? For example, I see no way to add the Recovery group to any particular vault, so I assume it always has access to all vaults (as far as being able to recover them, that is).
▸ Worryingly, the manual states that a member of the Recovery Group should be able to initiate account recovery from their Admin Console. Yet, my non-Admin user who belongs to the Recovery Group has no such access. So how can this user initiate account recoveries without access to the Admin Console?