Create DTS 1PW vaults and import passwords into COA 1PW

[adry-martinez]

This issue is to create DTS 1PW vaults for the DTS

• add new members from all DTS teams

[dianamartin]

5/20/24

Create Vaults

• [x] Created TPW DTS Vaults

• [x] Created TPW AMD Vault

Manage Access

• Send CTM SN to add accounts from this MS group
• Group used for SCIM?

Import PWs

• [ ] Frank Imports
  • [ ] API Accessible Secrets - TPW DTS | API Accessible Secrets (49) 5/20/24
  • [x] Dev Superadmin - TPW DTS | Administration (1) 5/20/24
  • [ ] Developers - TPW DTS Developers (102) 5/20/24
• [x] Diana Imports
  • [x] ATD Data & Tech - TPW DTS | Main - (165) 5/20/24
  • [x] Guest Share - TPW DTS | Guest Share (6)
  • [x] Knack Share - TPW DTS | Knack Share (81) 5/20/24

[frankhereford]

@dianamartin , @maccallump and I met this morning to discuss the on-going transition to the enterprise 1PW account.

Briefly recapping our meeting and my action items:

While Diana manages the use of the city's SCIM to create groups of users that will control both a enterprise 1Password account and to which vaults they have access, I agreed to work with the developers to try to weed out crufty entries from our vault.

Additionally, I am going to familiarize myself with the move/copy functionality so that when we do set a firm date for the switch over, I'm prepared to bring over the vaults that have been assigned to me. I am going to create a plan that is shared with our team so that we are sure to not get our secrets into a forked or split-brain type scenario, where we have edits both in the DTS and Enterprise vaults simultaneously.

Diana pointed out a gotcha in the UI that we need to keep in mind. Attached files (secured notes) in 1PW are not brought over my a copy or move operation (export pw), and they need to be given special care. The developers rely on these stored notes in a few places, namely for some PEM files containing cryptographic keys.

We discussed that we're hopeful to make the transition in pretty soon, ideally in this sprint or the next. Diana, please let me know if I missed anything or if there's anything else that I can do to help. Thanks!

[dianamartin]

@frankhereford You may have to download 1Password 8 desktop client to help with moving passwords in vaults. That's what I ended up doing. I also could only import/export using the desktop client v. the web one.

[dianamartin]

5/29/24

• I've been working on QA/QCing the old "ATD Data & Tech" vault
• [x] Manually added 1pw items that were not imported into my "COA Employee" vault
• [x] Finished QA/QCing

Edit by frank: I'm removing the picture of the secret entries from the public GH boards. I reviewed it, and there was nothing concerning per se, but it did include a lot of usernames and email addresses.

[dianamartin]

5/29/24

• Emailed Cedric W. about the group account creation

  Hi Cedric/team, I’m following up to see if the SCIM group: TPWdatatechnologyservices (resource account) was configured so that I can have my team having access to the new 1PW COA environment.

We talked about using either these groups: (they should have 31 members in them)

He replied 5/28/24

Hello, Diana. We’re reviewing AD to identify available Dynamic Groups, or the level of effort needed to build them. With only 31 members in your group, chances are we can get your team squared away in the coming days – barring any unforeseen pop ups or competing operational demands.

More to come shortly. -Cedric

[dianamartin]

5/30/2024

• Frank and I synced and he put a test pw in his "employee" vault and we tested if I could see it bc I have the 1PW Vault Admin role.
• I could NOT see his "employee" vault (so good news 👍🏽)
• I could only see the vaults that I created as an admin

[frankhereford]

I completed the migration on behalf of the developers today. The API and the Developer vaults have both been moved to the COA account and everything in the DTS vaults has been archived to help prevent people from mixing them up. 🏁