Forum Discussion

questbahlin
New Contributor
3 months ago

Best practice for user terminations?

Hi 1Password Community! Long-time lurker, first-time poster here. We've been using 1Password Business at our company for a little under 3 years and love it.

Our team has been debating how best to handle user terminations in the scope of 1Password. Currently all users are managed manually (we're not using SSO with AD or anything).

Two goals for user terminations:

  • Goal 1: restrict access so the terminated user cannot access their company 1Password data
  • Goal 2: no loss of any shared 1Password data

So far we've simply been disabling users' 1Password accounts when they leave the company, achieving Goal 1, and leaving their 1Password data intact to set the potential stage for Goal 2. We're thinking we might have to just spend some time setting up dummy accounts and learning/testing behaviors, but I thought I'd try to shortcut that process and ask you good folks of the community :)

The questions we have are:

  • If the user created a shared vault, how can we reappropriate ownership of that vault and its items to someone else? We don't want to lose the information/passwords in the shared vault.
  • If the user was a member of a shared vault and submitted items to it, are those items "owned" by the vault, or are they still tied to the user? (More specifically, if we delete a user's account, will all their submissions to a shared vault also be deleted?)
  • If the user didn't follow training and was saving data to their "Employee" vault instead of a correct vault location, what is the best way to access their account to get at this data? We do have access to the user's email and company phone after termination, so impersonation comes to mind, but we're not convinced that's the best option to use.
  • Are there any other things we should be considering when terminating a user from our environment?

Thanks for reading :)

2 Replies

  • Tom
    Dedicated Contributor

    Hi questbahlin, 1P_SimonH :)

    1P_SimonH, one of the 1P team should take the second question as a whole, and the third question with respect to what happens if the user had 2FA enabled. When using 'codes', 2FA remains; I'm not sure whether this dissipates when an admin recovers the account for a user. As for the fourth question, I never checked the retention of the logging (in terms of length). Hopefully I took some of the 1P team's burden away though :P
    As for the *) below: 'Bearded Will' (if he's still around at AB) and I had some banter and challenges in the past; feel free to adjust if vouchers are a global thing nowadays.

    Generic answer:
    While I take it you've properly (re)worded your onboarding statement to clarify that 1P Business/Teams should only be used for company vaults and not ANY personal items (*hint*), I'd surely (still) be hesitant to access or keep these around for long. I'm not sure about your company's cancellation policy, but in the teams I was involved with, some users also stored their company 401k or payment slips (amongst other, even more personal items) in their company vault because 'it was for the company' and 'used in company time'. If such accounts are not terminated on termination, I'd recommend being careful about allowing access to such vaults.

    As a prequel to your final question: if they are nice and just leaving, or enjoying their 401k/pension, advise them that their family account is retained (but goes read-only) and to add their credit card. If you are really fond of them (and using 1password.com and not .eu), you could buy them a voucher to advance them some months of continued free usage. *)

    Back to answering the question(s) :)

    1) If the user created a shared vault, how can we reappropriate ownership of that vault and its items to someone else? We don't want to lose the information/passwords in the shared vault.

    My recent endeavour led me to a position where one shouldn't self-create vaults, but that will put more effort on your IT department. My previous team had an unused (or ... very rarely used) owner account that was given a proper (though memed) name so everyone knew why it was there, without burdening anyone. (Say we called it 'cookie monster', which was less offensive than having 'why is John Jones also in my vault'.)
    I'd have to brush up on my knowledge as I'm not an owner/primary admin in my current role, but you should be able to leverage the 1P CLI with the 'vault' vs 'user' script (as an admin) to scan for these?

    2) If the user was a member of a shared vault and submitted items to it, are those items "owned" by the vault, or are they still tied to the user? (More specifically, if we delete a user's account, will all their submissions to a shared vault also be deleted?)

    To the best of my knowledge they are retained, as you 'hand them over', but I'm not sure how much of the history is retained. 1Password team, please add your thoughts.

    3) If the user didn't follow training and was saving data to their "Employee" vault instead of a correct vault location, what is the best way to access their account to get at this data? We do have access to the user's email and company phone after termination, so impersonation comes to mind, but we're not convinced that's the best option to use.

    In line with the 'beware' clause I started with: if you 'regain' control, the most proper way is indeed to take over their e-mail and recover the account. Do note (again, beware) that one might be able to 'alias' the actual mail used to some other account (so you don't have to 'access' their 'current' e-mail, which you may or may not be allowed to do by company rules OR legal restrictions). Back to the answer: recovery will sign them out everywhere (so it's VERY visible to the user, if they were still there), but you'll be able to re-enroll another Secret Key and go from there.

    4) Are there any other things we should be considering when terminating a user from our environment?

    The biggest thing is to remember your 'share' and 'copy' policies set on vaults, plus awareness that there is no safeguard against Chinese copying; but that's true for everything, not limited to 1Password or even things in general. As a good practice, I'd advise you to keep close tabs with HR so you're informed when someone is (starting to) leave, and schedule a (couple of) glances at their activities in the admin logging. If you do not have time to accommodate this (and/or an instant leave of the building is required), it might be good to just share a copy of the activity with HR for them to check. In the case of an instantaneous leave of a privileged user, drop everything, block immediately and go through the logs. HR or the company legal team might reward you later!
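The sweep Tom alludes to ("leverage the 1P CLI with the 'vault' vs 'user' script to scan for these") can be scripted. The following is an added example, not part of Tom's reply and not 1Password's own tooling. It assumes the `op` CLI v2 subcommands `op vault list --user`, `op vault user list`, `op vault user grant`, `op vault user revoke` and `op user suspend` with `--format=json` output; the JSON field names (`id`, `name`, `type`, `email`, `permissions`) and the permission string `manage_vault` are assumptions to confirm against your own tenant's output. The sample vaults and members are constructed so the classification runs offline; the live `op` calls only happen under `__main__` with an e-mail argument.

```python
"""Offboarding sweep for 1Password Business via the `op` CLI (added example).

Pure functions do the classification so the plan can be reviewed and tested
without touching the account; `sweep()` is the only function that calls `op`.
"""
import json
import subprocess
import sys
from typing import Any

# Permission that lets a member administer a vault (add/remove people).
# Assumed op CLI Business permission name; verify with your own
# `op vault user list VAULT --format=json` output.
MANAGE = "manage_vault"

# Constructed sample data mirroring the assumed shapes of
# `op vault list --user EMAIL` and `op vault user list VAULT`.
SAMPLE_DEPARTING = "jdoe@example.com"
SAMPLE_VAULTS = [
    {"id": "v-priv", "name": "Employee", "type": "PERSONAL"},
    {"id": "v-all", "name": "Shared", "type": "EVERYONE"},
    {"id": "v-eng", "name": "Engineering", "type": "USER_CREATED"},
    {"id": "v-fin", "name": "Finance", "type": "USER_CREATED"},
]
SAMPLE_MEMBERS = {
    "v-priv": [{"email": "jdoe@example.com", "permissions": "view_items,manage_vault"}],
    "v-all": [{"email": "jdoe@example.com", "permissions": "view_items"}],
    # Departing user is the only manager here: deleting them orphans the vault.
    "v-eng": [
        {"email": "jdoe@example.com", "permissions": "view_items,create_items,manage_vault"},
        {"email": "asmith@example.com", "permissions": ["view_items", "create_items"]},
    ],
    # Someone else manages Finance; the departing user only needs revoking.
    "v-fin": [
        {"email": "jdoe@example.com", "permissions": "view_items,create_items"},
        {"email": "cfo@example.com", "permissions": "view_items,create_items,manage_vault"},
    ],
}


def op_json(*args: str) -> Any:
    """Run an op subcommand and parse its JSON output (live use only)."""
    proc = subprocess.run(["op", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def permissions_of(member: dict) -> set[str]:
    """Normalise a member's permissions to a set. The CLI has shown these as
    a comma-separated string and as a list (assumption), so accept both."""
    perms = member.get("permissions", [])
    if isinstance(perms, str):
        perms = perms.split(",")
    return {p.strip() for p in perms if p and p.strip()}


def classify_vaults(departing: str, vaults: list[dict],
                    members_by_vault: dict[str, list[dict]]) -> dict[str, list[dict]]:
    """Bucket the departing user's vaults:
      personal     - their own Employee/Private vault (admins cannot read it;
                     that is the account-recovery case from the thread)
      everyone     - the built-in Shared vault (membership is automatic)
      orphan_risk  - shared vaults where they are the ONLY member with
                     manage_vault; hand over before suspending/deleting
      needs_review - every other shared vault (revoke access, items stay)
    """
    buckets: dict[str, list[dict]] = {"personal": [], "everyone": [],
                                      "orphan_risk": [], "needs_review": []}
    for vault in vaults:
        vtype = vault.get("type", "")
        if vtype == "PERSONAL" or vault.get("name") in ("Employee", "Private"):
            buckets["personal"].append(vault)
        elif vtype == "EVERYONE":
            buckets["everyone"].append(vault)
        else:
            managers = {m["email"] for m in members_by_vault.get(vault["id"], [])
                        if MANAGE in permissions_of(m)}
            key = "orphan_risk" if managers == {departing} else "needs_review"
            buckets[key].append(vault)
    return buckets


def offboarding_plan(departing: str, successor: str,
                     buckets: dict[str, list[dict]]) -> list[list[str]]:
    """Return the op commands to run, in order, without executing them."""
    plan = []
    for v in buckets["orphan_risk"]:
        # Give a successor manage rights BEFORE the departing user loses access.
        plan.append(["op", "vault", "user", "grant", "--vault", v["id"],
                     "--user", successor, "--permissions", f"view_items,{MANAGE}"])
    for v in buckets["orphan_risk"] + buckets["needs_review"]:
        plan.append(["op", "vault", "user", "revoke", "--vault", v["id"],
                     "--user", departing])
    # Suspend rather than delete: sign-in is blocked but the account (and its
    # Employee vault) stays recoverable until a deliberate deletion decision.
    plan.append(["op", "user", "suspend", departing])
    return plan


def sweep(departing: str) -> dict[str, list[dict]]:
    """Live run (needs `op signin` as an owner/admin): gather and classify."""
    vaults = op_json("vault", "list", "--user", departing)
    members = {v["id"]: op_json("vault", "user", "list", v["id"]) for v in vaults}
    return classify_vaults(departing, vaults, members)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python offboard.py DEPARTING_EMAIL SUCCESSOR_EMAIL
        buckets = sweep(sys.argv[1])
        plan = offboarding_plan(sys.argv[1], sys.argv[2], buckets)
    else:  # offline demo on the constructed sample
        buckets = classify_vaults(SAMPLE_DEPARTING, SAMPLE_VAULTS, SAMPLE_MEMBERS)
        plan = offboarding_plan(SAMPLE_DEPARTING, "asmith@example.com", buckets)
    for cmd in plan:
        print(" ".join(cmd))
```

The plan is printed rather than executed so it can go into the HR/offboarding ticket and be run step by step. Caveat: `op vault user list` only reports direct members, so a vault whose other managers get access through a group will be flagged as orphan_risk; check group access separately (the CLI's `op vault group list VAULT`, assumed here) before handing the vault to a successor.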


  • 1P_SimonH
    Community Manager

    Hey questbahlin I'm late to this, but realized your question would be perfect for this group, so I bumped it over here!

    I'm going to tag some of our newest group members and put them on the spot. knoeblsn, Tom, karel_krupala, AriJ, RogueScholar, have you had to handle any of these scenarios? Any words of wisdom you can pass along?