Sharing and permission of single item in vault

NEO_
NEO_
Community Member
edited April 2019 in Business and Teams

Hello

I tried out LP for our team of 15-20 people but I didn't like it so ran over here to 1P instead. I do like what I see but I find the sharing a bit confusing.

I can share a vault and have permissions on that and those permissions are inherited down to the children in the vault. But I cannot set permissions of single items in a vault that overrides/complements inherited permission?

I'm thinking that I want a vault of all our systems and servers on the internal network. I want to set specific user permissions on individual servers and workstations so that only certain people can access certain machines. In my mind this feels like basic management but it doesn't seem like it's possible, or?

It looks like I have to make copies of items and pass along amongst the team members. Meaning that it'll eventually will be a mess with items in team members vaults with outdated login credentials, and not only that... I cannot revoke access to an item. I guess there's some logic there since once something is shared it's more or less compromised and I should change the password at source if member leaves the company. But in a year or two after passing items around I no longer have an idea of whom that has what? I cannot filter on persons to see what have been shared with them so that I easily can change passwords at affected systems?

What am I missing here? Isn't the whole idea of sharing items that one admin can update them centrally and the update is instantly available amongst the team members? And also easily see what member that have, or at any given time have had, access to an item?

So is it correct that the smalest entity that can be shared and that I have control of permissions over is a vault? I cannot have vaults/groups in vaults with other permissions?

Cheers and thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @NEO_: Thanks for getting in touch, and for checking out 1Password in the first place! :)

    I can share a vault and have permissions on that and those permissions are inherited down to the children in the vault. But I cannot set permissions of single items in a vault that overrides/complements inherited permission?

    That is correct. Since 1Password's security is enforced using encryption, each vault is encrypted using unique keys. In order to give someone access to an item in the vault, they would need to have that vault's encryption keys. We could have "permissions" enforce them only accessing a specific item in our client, but that would be "security theater", as they would have the keys to decrypt anything in the vault anyway, and could do that outside of our app if they wanted.

    I'm thinking that I want a vault of all our systems and servers on the internal network. I want to set specific user permissions on individual servers and workstations so that only certain people can access certain machines. In my mind this feels like basic management but it doesn't seem like it's possible, or?

    You're not wrong, but I doubt that all (or, perhaps, any) of that is enforced cryptographically, but rather by the server simply by saying "no" to requests if someone isn't on the "guest list". And just like party crashers can find a way to sneak in when they're not invited, it is often possible for people to get access to things they should not if security is enforced only by policy and not by math. So 1Password is fundamentally different in that sense.

    It looks like I have to make copies of items and pass along amongst the team members. Meaning that it'll eventually will be a mess with items in team members vaults with outdated login credentials, and not only that... I cannot revoke access to an item. I guess there's some logic there since once something is shared it's more or less compromised and I should change the password at source if member leaves the company. But in a year or two after passing items around I no longer have an idea of whom that has what? I cannot filter on persons to see what have been shared with them so that I easily can change passwords at affected systems?
    What am I missing here? Isn't the whole idea of sharing items that one admin can update them centrally and the update is instantly available amongst the team members? And also easily see what member that have, or at any given time have had, access to an item?

    You make good points. The reality is that there is no way to undo someone knowing a secret you've entrusted them with, so you will really need to change a password for an account you've shared with someone anyway, regardless of whether or not you can "revoke" the method you originally used to share it with them. You should assume that they know it, or at the very least they could have made a copy of it themselves elsewhere. That's why sharing a vault is best, because you'll have a record of what was shared there, who accessed them and when, and even changes that were made over time:

    Create reports in 1Password Business

    Then an admin can remove someone from the vault and go through and change the passwords for accounts as needed, so that person will not have access to those accounts going forward.

    So is it correct that the smalest entity that can be shared and that I have control of permissions over is a vault? I cannot have vaults/groups in vaults with other permissions?

    That's correct. I guess the question is, how do you think it would help you to be able to set permissions over individual items in a vault conceptually? How would that be easier than setting permissions for different vaults? Either way, you'd need to manage that, and management is the hard part, so I don't think it would save you any work, even in theory. On the other hand, setting up a vault to share with someone has the following benefits in 1Password today:

    • Cryptographically secure: no one without the vault keys can access anything in it.
    • One time setup for the manager: if you're sharing Vault X with Person Y, even "for a single item" initially, you don't need to worry about setting up anything else to share additional items with them -- you just save more in that same vault.
    • Zero setup for the recipient: the shared vault automatically shows up in their account on all their devices.

    I went into a bit more detail in the discussion here, including information on the beta "Send a copy" feature in 1Password Business:

    Share single passwords

    The "Send a copy" feature is best for admins to send user-specific login credentials -- say, a company email account for the person being onboarded. Sharing vaults is best for things that are not specific to an individual, for the reasons I mentioned above.

    I hope this helps. If you have any other questions specific to using 1Password within a company, please reach out to business@1password.com so we can assist. :)

  • NEO_
    NEO_
    Community Member

    Hello

    I do understand what you say, and I do appreciate the answer. Thanks. But, have patience with me... I'm not yet fully on board here. =)

    What's the reason not every item is cryptographically secure? I mean, with the app I login with one password and see everything I have access to. So for the user it wouldn't be noticeable? Is there something on the server side prohibiting it?

    My problem with the current approach is that it goes from user centric to "item" centric, or rather "group of items centric". I will continue to use item as the name of an entity in a vault, not sure what the proper nomenclature is in 1P. As it is now I have to micro manage groups of people and departments with vaults and I need to make duplicates of some items and put in multiple vaults. It feels like it gets unnecessary messy and complicated and I don't really have a birds view where I easily see who that have access to what.

    If I instead could freely share any item with any user I could;
    1. Use vaults as a first method of grouping and organising with the permissions on it

    1. Possibly use sub-vaults/groups as second line of organising.

    2. As a third line share an item in a vault/sub-vault with a user that doesn't have permissions to any of the parents.

    3. See a report for users in some sort of spreadsheet with all the items he/she have access to, with breadcrumb to the items location. And this with checkboxes/trashcans so I easily could disable stuffs for a user.

    4. See a report for an item anywhere in the system and see who that have access to it, with similar control as in point

    Typical usercase would be that I have a group for Tech people where 2-3 people should have access to all systems/passwords, this is set on vault level. But then there's one junior that should have access to only two of the computers in that vault. If I just could share those with the juniors, without duplicating them it would get less messy and more organised.

    I'm honestly not really sure how to share our stuffs within the team right now. Feels like there will be a TON of vaults and loads of duplicates. Will have to poke around more and see what I can come up with.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @NEO_: Likewise, thanks for your reply. I guess my point is that if we just changed the term "vault" to "item", 1Password already works the way you seem to be suggesting with regard to sharing: you'd still need to setup sharing for any item; that's how it works now with vaults, but with the added benefit of not needing to setup sharing again to give someone access to something new in most cases, since it can just be saved to the vault which is already shared with them. :)

    I'm not suggesting that items are not cryptographically secure; rather, they are, but 1Password works with vaults as the unit for encrypting data. Certainly we could have it use different keys for each item, but that has scaling issues, not only technically but also with regard to UI and human beings.

    So again, if you simply read "item" when I say "vault", nothing actually changes for you with regard to sharing and you get to think about "items" instead of "vaults", but you get the added benefit of not needing to setup sharing anew each and every time, because 1Password uses vaults for sharing instead of single items).

    It would be much more difficult to manage if ever single item needed to have its permissions and/or cryptographic keys managed separately for whomever you intend to share it with. Certainly you may need to share a vault to give someone access to a single item sometimes, but the rest of the time sharing the vault cuts down on work you'd need to do to share others.

    Also, you can view reports for people and vaults in 1Password Business, as I mentioned above. This feature would be much more difficult to work with if each individual item had its own permissions, etc. :)

    As for your example,

    Typical usercase would be that I have a group for Tech people where 2-3 people should have access to all systems/passwords, this is set on vault level. But then there's one junior that should have access to only two of the computers in that vault. If I just could share those with the juniors, without duplicating them it would get less messy and more organised.

    It sounds like you want to be able to only make two "sharing" actions here:

    1. Grant a "tech" group access to some data
    2. Grant "junior tech" access to a subset of that data

    I really think we're getting unnecessarily hung up on "item" and "vault" semantics here, and I'm sorry about that, as what you're trying to do is already possible, just not using the terms you might have chosen yourself. Using vaults as the sharing mechanism today, you can accomplish your goal in two steps:

    1. Share a "Tech 1" vault with your tier one IT staff -- groups are great for this
    2. Share a "Tech 2" (or similar) vault with both tier one and less senior IT staff

    I think groups is probably the way to go if you have a structure in place, but otherwise you could simply grant individual staff access to vaults as appropriate. Whether we call it "vault sharing", "item sharing", or just "sharing" the result is the same. :)

  • NEO_
    NEO_
    Community Member

    Hello

    Thanks. Yes, I got that approach suggested by the business support or sales too. Think that will work.

    Thanks! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    Ah excellent! Glad to hear it. If there's anything else we can help with, just let us know. Have a great weekend! :chuffed:

  • komale
    komale
    Community Member

    Hi Brenty,

    i don´t think this really helps.

    "Share a "Tech 1" vault with your tier one IT staff -- groups are great for this
    Share a "Tech 2" (or similar) vault with both tier one and less senior IT staff
    I think groups is probably the way to go if you have a structure in place, but otherwise you could simply grant individual staff access to vaults as appropriate. Whether we call it "vault sharing", "item sharing", or just "sharing" the result is the same. :)"

    This helps only when you have to share 2 or 3 items. When you share more items you need "item sharing"!

    ex.
    Vault 1 (500 items)- Developer Team
    Vault 2 (200 Items) - IT-Team

    Now we have to share 20 Items from VAULT 2 with Developer Team, IT- Team and maybe with 3 other Teams.
    Also we need to share 5 Items from VAULT1 with 4 other Teams.

    How you can do this? Only item sharing right?

    Best
    Patryk

  • @komale,

    No, in that case we'd recommend splitting those items out into separate vaults, and sharing those vaults with the appropriate groups. E.g. perhaps instead of having the 20 items from VAULT2 in the "IT-Team" vault they should be in a separate "IT-Team Shared" vault which is then shared with Developer Team, IT-Team, etc.

    Ben

  • komale
    komale
    Community Member

    Sorry but this doesn´t work in real world. We have already 50 Vaults and a lot of Groups. Sometimes you need to share only 1 or 2 Items from 1 Vault. with different Groups. You cant create everytime new Vaults. Sorry.

  • That's just our recommendation, @komale. Of course you are welcome to set it up however works best for you.

    Ben

This discussion has been closed.