Best practice for user terminations?
Hi 1Password Community! Long-time lurker, first-time poster here. We've been using 1Password Business at our company for a little under 3 years and love it.
Our team has been debating on how best to handle user terminations in the scope of 1Password. Currently all users are manually managed (we're not using SSO with AD or anything).
Two goals for user terminations:
- Goal 1: restrict access so the terminated user cannot access their company 1Password data
- Goal 2: no loss of any shared 1Password data
So far we've simply been disabling users' 1Password accounts when they leave the company, achieving Goal 1, and leaving their 1Password data intact to set the potential stage for Goal 2. We're thinking we might have to just spend some time setting up dummy accounts and learning/testing behaviors, but I thought I'd try to shortcut that process and ask you good folks of the community :)
The questions we have are:
- If the user created a shared vault, how can we reappropriate ownership of that vault and its items to someone else? We don't want to lose the information/passwords in the shared vault.
- If the user was a member of a shared vault and submitted items to it, are those items "owned" by the vault, or are they still tied to the user? (More specifically, if we delete a user's account, will all their submissions to a shared vault also be deleted?)
- If the user didn't follow training and was saving data to their "Employee" vault instead of a correct vault location, what is the best way to access their account to get at this data? We do have access to the user's email and company phone after termination, so impersonation comes to mind, but we're not convinced that's the best option to use.
- Are there any other things we should be considering when terminating a user from our environment?
Thanks for reading :)
