Forum Discussion
klindelof
3 months ago
New Contributor
Auditor Access (aka Global View-Only with no password access)
Hi All, tl;dr I'm hoping to be able to view all groups (with membership) and vaults (including both credentials and membership but WITHOUT being able to see/use passwords) for my entire organization...
- 3 months ago
UPDATE:
For anyone that may have this similar need of visibility, I wanted to provide an update from our own internal testing and from what we've been able to hear from 1Password sources. Thank you to the 1Password staff that got involved and helped answer questions!
This access is possible to get through a new group (we called it "Auditors") that is provided view access to all vaults. This required a user with Administrator privileges in 1Password to add the group to each account and specify that it has view access (without password access). For us, that wasn't feasible to do via the UI due to the number of vaults, so the administrator user had to do this via a script. This same script needs to be rerun whenever an audit is performed to ensure that the group has access to any new vaults.
Same idea for groups.
There currently isn't a way to have an effective report of this same information, and there isn't a default/OOTB route to getting this level of access besides the custom group with permissions.
Hope this helps whoever might have this question.
I had 1 suggestion for 1Password staff - I may be wrong, but the use case I laid out in the original post seems like it would be a fairly common request from established organizations using 1Password. Since the "Owners" and "Administrators" groups are enabled by default and have elevated access, having 1 additional default group ("Auditors", always added to new groups, similar to the Owners and Administrators groups) that only has this view access seems like it wouldn't introduce any additional risk. In fact, I believe it would reduce risk by enabling Compliance teams to have a straightforward and standardized approach to managing 1Password, instead of:
- relying on individual group/vault managers, or
- getting too much access by being added to the Owners/Administrators groups, or
- letting 1Password be a black box and not being able to provide adequate assurance
Again, appreciate the responses from 1Password, and hope this helps someone.
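Added example, not part of the original post and not the poster's or 1Password's script: one way to plan the rerun described above with the 1Password CLI (`op`), listing the grants still missing for an "Auditors" group and flagging vaults where that group holds more than view-only. It assumes the post's "view access (without password access)" corresponds to the `view_items` permission alone, and that `op vault list` and `op vault group list` return the JSON fields used here; the sample vaults are constructed.

```python
import json
import subprocess

GROUP = "Auditors"        # group name used in the post
VIEW_ONLY = "view_items"  # assumption: the post's "view access (without password access)"

def op_json(*args):
    """Run the 1Password CLI as a signed-in administrator and parse its JSON output."""
    done = subprocess.run(["op", *args, "--format", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def plan(vaults, groups_by_vault, group=GROUP):
    """Return (grants, excess): grant commands for vaults the group cannot see yet,
    and vaults where the group holds anything beyond view-only."""
    grants, excess = [], []
    for vault in vaults:
        held = next((g for g in groups_by_vault.get(vault["id"], [])
                     if g["name"] == group), None)
        if held is None:
            grants.append(["op", "vault", "group", "grant", "--vault", vault["id"],
                           "--group", group, "--permissions", VIEW_ONLY])
            continue
        extra = sorted(set(held.get("permissions", [])) - {VIEW_ONLY})
        if extra:
            excess.append((vault["name"], extra))
    return grants, excess

def run(apply=False):
    """Rerun before each audit: dry run by default, apply=True performs the grants."""
    vaults = op_json("vault", "list")
    groups = {v["id"]: op_json("vault", "group", "list", v["id"]) for v in vaults}
    grants, excess = plan(vaults, groups)
    for cmd in grants:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    for name, extra in excess:
        print(f"REVIEW {name}: {GROUP} also holds {', '.join(extra)}")
    return grants, excess

# Constructed sample data (not real vaults); field names assume the CLI's JSON shape.
SAMPLE_VAULTS = [{"id": "v1", "name": "Payroll"}, {"id": "v2", "name": "CI"},
                 {"id": "v3", "name": "New Project"}]
SAMPLE_GROUPS = {
    "v1": [{"name": "Auditors", "permissions": ["view_items"]}],
    "v2": [{"name": "Auditors", "permissions": ["view_items", "view_and_copy_passwords"]}],
    "v3": [{"name": "Owners", "permissions": ["manage_vault"]}],
}

if __name__ == "__main__":
    print(plan(SAMPLE_VAULTS, SAMPLE_GROUPS))
```

Calling `run()` prints the pending grants without changing anything; `run(apply=True)` executes them and needs an administrator session.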
1P_SimonH
Community Manager
3 months ago
Thank you for your thoughtful and well-articulated post!
You’re raising an important use case that we hear from customers in compliance, security, and audit roles. While 1Password is designed with strict access controls to protect sensitive information, we understand the need for greater visibility into vault and group structures for oversight and review.
Some of what you’re asking touches on areas that would benefit from a deeper conversation, especially given the security model in place and how it aligns with your organization’s goals. We'd love to connect directly to understand your needs further and explore potential solutions or workarounds.
If you’re open to it, I’d be happy to follow up via your account’s Customer Success contact or help get the right folks looped in.
Thanks again for raising this. It’s a valuable conversation and something we’re actively thinking about as we evolve the platform.
klindelof
3 months ago
New Contributor
Hi Simon,
Thanks for the reply! Having a deeper conversation sounds great - feel free to connect directly and we can continue the discussion!
I'm sure some of the conversation will be organization-specific, but I'm optimistically hoping to share back here any discovered solutions (as I couldn't find any previous post that was exactly what I was looking for).