Company Vault Structures?

I'm looking for examples on a vault architecture structure for a whole company where you have departments and various levels of staff that need different access to shared passwords. For example, an Operations team might have a shared vault, but managers would have a need to access different shared passwords than a casual labour worker.

The only way I can see this working is having separate Operations Managers, Operations Staff, and Operations Casual vaults, which would obviously become difficult to manage and maintain across a large company. Any suggestions here?



Comments

  • Hello @joelmarc,

    If your company needs to share passwords based on employee roles or access levels, you can create groups that match those roles and give the whole group access to a vault: https://support.1password.com/create-share-vaults-teams/#manage-access

    Here's a simple example of how that would look:

    Company has 3 roles. Customer Service, Sales, and Management. You create three groups with the appropriate people in them.

    Managers will have access to all vaults. Customer Service will have access to a CS shared vault. Sales will have access to a Sales shared vault.

                 CS Team Shared Vault    Sales Shared Vault
    Managers     X                       X
    CS           X
    Sales                                X

    When you create these shared vaults you will give the Managers group full permission on both vaults. The CS team will get view, create, and edit on their shared vault. The Sales team will get view, create, and edit on theirs as well.

    Now all you need to do to maintain this is keep the groups up to date (which can be automated if you are using OKTA through our SCIM bridge: https://support.1password.com/scim-okta/).

    Hopefully that example answers some of the questions you had. Please let us know if you need any more information or if we can help in any way.

  • joelmarc
    Community Member
    edited October 2018

    Thanks @jin_dhaliwal. That is helpful, but I was looking for more granular permissions. Using your example, if only certain CS team members needed access to the full CS Vault, and other CS members only needed access to specific passwords in the CS Vault, everyone in CS would see everything. The only way I can see restricting shared passwords to individuals within a team is to create separate vaults for the CS team, which isn't ideal but will work.

  • Ah, I see what you mean. Any set of passwords you want to restrict to a group needs its own vault. One thing you can do is have tiered sets of passwords with ever-increasing access restrictions:

    Ex: You have three vaults like this
    CS managers, CS team leads, CS team member

    CS managers would have access to all three vaults and all passwords
    CS team leads would have access to team leads vault and team members vault
    CS team members would only have their vault

    It would need to be broken into subgroups, but this way you don't have to have duplicate passwords in vaults!
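
The tiered layout from the last reply, as an added example that is not part of the original thread and not 1Password code: it derives which vaults each group should hold from the tier order and audits a current state against that model. All group, vault and user names, and the shape of the exported grant data, are assumptions constructed for illustration.

```python
# Constructed sample data mirroring the thread's CS example; all names are hypothetical.
# Tiers are ordered from most to least privileged: (group, vault).
TIERS = [
    ("CS managers", "CS managers vault"),
    ("CS team leads", "CS team leads vault"),
    ("CS team members", "CS team members vault"),
]

def expected_grants(tiers):
    """Each group gets its own vault plus the vault of every lower tier."""
    vaults = [vault for _, vault in tiers]
    return {group: set(vaults[i:]) for i, (group, _) in enumerate(tiers)}

def effective_vaults(user, memberships, grants):
    """Union of vaults reachable through all of a user's groups."""
    reachable = set()
    for group in memberships.get(user, ()):
        reachable |= grants.get(group, set())
    return reachable

def audit(tiers, actual_grants, memberships):
    """Return (kind, subject, detail) findings where reality drifts from the model."""
    findings = []
    expected = expected_grants(tiers)
    for group in sorted(set(expected) | set(actual_grants)):
        want, have = expected.get(group, set()), actual_grants.get(group, set())
        findings += [("excess", group, v) for v in sorted(have - want)]
        findings += [("missing", group, v) for v in sorted(want - have)]
    order = [group for group, _ in tiers]
    for user, groups in sorted(memberships.items()):
        held = [g for g in order if g in groups]
        if len(held) > 1:  # lower-tier membership is redundant and hides the real tier
            findings.append(("multi-tier", user, held[0]))
    return findings

# Constructed "current state", as it might be copied from an admin console export.
ACTUAL = {
    "CS managers": {"CS managers vault", "CS team leads vault", "CS team members vault"},
    "CS team leads": {"CS team leads vault", "CS team members vault"},
    "CS team members": {"CS team members vault", "CS team leads vault"},  # drift
}
MEMBERS = {"alice": {"CS managers"}, "bob": {"CS team leads", "CS team members"},
           "carol": {"CS team members"}}

if __name__ == "__main__":
    for finding in audit(TIERS, ACTUAL, MEMBERS):
        print(finding)
    print("carol can open:", sorted(effective_vaults("carol", MEMBERS, ACTUAL)))
```

Because each password lives in exactly one vault, a single excess grant on a lower-tier group exposes every item in the higher-tier vault, which is why the audit compares whole grant sets rather than individual items.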

This discussion has been closed.