Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Solved
Auditor Access (aka Global View-Only with no password access)
Hi All, tl;dr I'm hoping to be able to view all groups (with membership) and vaults (including both credentials and membership but WITHOUT being able to see/use passwords) for my entire organization...
UPDATE:
For anyone that may have this similar need of visibility, I wanted to provide an update from our own internal testing and from what we've been able to hear from 1Password sources. Thank you to the 1Password staff that got involved and helped answer questions!
This access is possible to get through a new group (we called it "Auditors"), that is provided view access to all vaults. This required a user in with Administrator privileges in 1Password add the group to each account and specify it has view access (without password access). For us, that wasn't feasible to do via the UI due to the number of vaults, so the administrator user had to do this via a script. And this same script needs to be rerun whenever an audit is performed to ensure that the group has access to any new vaults.
Same idea for groups.
There currently isn't a way to have an effective report of this same information, and there isn't a default/OOTB route to getting this level of access besides the custom group with permissions.
Hope this helps whoever might have this question.
I had 1 suggestion for 1Password staff - I may be wrong, but the use case I laid out in the original post seems like it would be a fairly common request from established organizations using 1Password. Since the "Owners" and "Administrators" groups are enabled by default and have elevated access, having 1 additional default group ("Auditors". And always added to new groups, similar to the Owners and Administrators groups) that only has this view access seems like it wouldn't introduce any additional risk. In fact, I believe it reduce risk by enabling Compliance teams to have a straightforward and standardized approach to managing 1Password, instead of:
- relying on individual group/vault managers, or
- getting too much access by being added to the Owners/Administrators groups, or
- letting 1Password be a black box and not being able to provide adequate assurance
Again, appreciate the responses from 1Password, and hope this helps someone.
Hi Simon,
I'd love to see this available, and would also like something similar for reporting. For example, there are people in the Cyber Security team who I'd like to be able to see ONLY the security reports, but no admin or other permissions to modify configuration. Likewise there are people in Change Management and Training who I'd like to be able to see the Usage Report, Adoption Report, and Insights.
Please add this if you can. Thanks!
Geoff.
