Torii integrates with 1Password and syncs the user list and the user's status and last authentication date. The last authentication date can be seen on 1Password's dashboard in the Reports -> Team Report page.

Integration

In order for Torii to pull sign-in info from 1Password, you will be asked to provide a Master Password and Secret Key of an administrator.

We suggest creating a dedicated administrator user for the integration which has no access to any secrets or vault data and only has permissions to read/take actions on users, groups, and vaults.

Actions

Torii allows taking actions such as inviting, suspending, removing users, and managing vault access.

Inviting a user to 1Password

This action is available only to accounts with a 1Password Business Subscription.

The process of inviting a user is:

1. Use the action from Torii to invite users to your 1Password account.

2. 1Password will send an email to the users asking them to complete their registration.

3. A 1Password account owner needs to confirm each user on 1Password's website.

Granting access to vault(s)

Users can be added to selected vaults.

If a user already has access to the vault, no action will be taken. If a user is part of a group that already has access to the vault, the user will not be added directly to the vault.

Revoking access to vault(s)

Users can be removed from selected vaults.

Note that if a user has access to the vault via group membership, that access will not be revoked.

It is recommended to remove users from groups in order to revoke all vault access.

Vaults & Groups Visibility

When selecting vaults or groups in Torii actions, you may notice that only a subset of your organization’s vaults or groups is available.

Why does this happen?

Torii can only display vaults and groups that the administrator user used to connect the integration has access to in 1Password.

How can I see all vaults and groups?

• Make sure the integration is connected using a user that has access to all relevant vaults and groups.
• If needed, update the permissions of the integration user in 1Password to include access to additional vaults or groups.

Note: This behavior is determined by 1Password permissions and ensures that Torii only interacts with resources the connected user is allowed to access.

Vault Management Permissions Error

Q: I received the following error:

A: This error occurs because the 1Password account used to connect the integration does not have the specific permission required to manage access to that vault.

In order for Torii actions to grant or revoke vault access, the connected user must have the Manage Vault permission for the relevant vault.

Here is how vault management permissions work in 1Password:

• Owners – Members of the Owners group automatically have Manage access to all vaults in the account (except for private employee vaults). This permission is permanent.
• Administrators – Admins often have Manage access by default, but this is not guaranteed. When a vault is created, the creator can choose to exclude Administrators. Additionally, an Administrator can accidentally remove their own Manage permission from a vault.
• Specific Users – Regular users can manage a vault only if they were explicitly granted the manage_vault permission by someone who already has it.

To resolve this issue, ensure that the user whose credentials are used for the integration has both:

• Access to the vault
• The Manage Vault permission on that vault