Forum Discussion
amj729
9 months ago, New Contributor
Issue: Account Owner Permissions & Vaults
Firstly, I want to share that this issue/concern was raised by my company's infrastructure leaders and cybersecurity/information security leaders while discussing rolling out 1Password for our global...
Tom
8 months ago, Bronze Expert
Late to the party, but seeing Sergg's reply; the way we solutioned that in one of my previous roles at another company was to retain a single 'owner' account (behind lock & key) and create various 'administrator' roles for everything else. We also instated specific 'team admins' to cater for their respective vaults/groups. Potentially, when an elevated 'team admin' would leave and no commitment was to be expected, the 'owner' account details would be retrieved and used.
In a large organisation, relying on team admins might not be IT's most straightforward approach, but it does enforce the championship approach and self-awareness of security in the various teams. Also, it prevents IT from having (mostly) anything to do with passwords in such vaults, while the reports and Watchtower functionality are still within IT's grasp to 'meta' monitor things.
While 'less ideal', I do think it ensures a better way of handling security within teams than having IT being responsible for everything. I do concur that an improved way should be available from 1Password, though one should challenge the way IT would 'want' to be involved with departmental passwords to begin with. (Especially given the side-note that IT can both access the 'recover user' and 'copy user's mail to another address', which will give them full control of any user's data - which in a family account is 'do-able' but cumbersome as one has to handle the mail-address as well. As a family admin I can start recovery but cannot change their mail.)
- amj729, 8 months ago, New Contributor
Hi Tom -- Thank you for your response. We want to be able to have our IT team leaders champion their own vaults, but the issue still remains that the "big brother" Owner account remains locked to "enabled" for every vault. I think the best solution is for 1Password to allow business/enterprise customers the ability to remove the "Owners" group from vault permissions. See the attached screenshot.
If 1Password doesn't want to make this a GA feature for business/enterprise accounts, this should be available to be unlocked through a special request process where the risk can be accepted. We would still want the Owner group to be on vaults that are not highly sensitive, so maybe giving only Owners the ability to remove the "Owners group" from a vault as long as there is another team manager assigned as the vault manager.