AccessOwl integrates with 1Password to provision and deprovision user access in your 1Password account.

Capabilities

Provisioning

AccessOwl creates user accounts and assigns them to the specified groups during access requests.

Deprovisioning

AccessOwl removes users from your 1Password account during access revocations.

Prerequisites

  • Membership in the Owners or Administrators group in your 1Password account, so you can invite the integration account and add it to the Administrators group.
  • If your organization enforces Unlock with SSO, you’ll need to exempt the integration account from it. See Unlock with SSO below.

Setup

1. Add 1Password in AccessOwl

Either add a new application or open Applications and click the + symbol, then continue.

2. Invite the integration account

Follow the setup instructions in AccessOwl. You will be notified via Slack once the integration account’s initial setup is complete.
If your organization enforces Unlock with SSO, the integration account must be exempted from it before it can sign in. See Unlock with SSO.

3. Add the integration account to the Administrators group

Wait for the Slack notification indicating the initial setup is complete before attempting to add the integration account to the Administrators group. Then, in 1Password, confirm the new user and add it to the Administrators group so it can manage other users.
The integration account is added to the Administrators group because that group grants the permissions to invite, suspend, and remove people, and to manage group memberships, which AccessOwl uses to provision and deprovision access.

4. Add 1Password groups manually (optional)

If you plan to provision 1Password groups, add them manually under the application’s permissions in AccessOwl.
Groups do not automatically sync. If you can’t find your 1Password groups in AccessOwl, ensure you added them manually.

Unlock with SSO

If your organization enforces Unlock with SSO, the integration account can’t sign in until you exempt it. AccessOwl signs the integration account in with its own account password and Secret Key, and it can’t unlock through SSO the way a person does. While Unlock with SSO is enforced across your organization, the integration account gets blocked and provisioning can’t run. Have your 1Password account owner exempt the integration account from Unlock with SSO, so it keeps using the account password and Secret Key that AccessOwl manages while the rest of your organization stays on SSO. This is configured on your 1Password side at the organization level, so it isn’t something AccessOwl changes for you.

FAQ

New 1Password users must accept the invite and complete the setup before they can be assigned to a group. The integration account checks at regular intervals to detect when the invitation has been accepted.
Whenever a user’s 1Password invite expires, AccessOwl automatically reassigns the outstanding access request for additional user groups. Resend the invite manually and speak with the user to ensure they accept it.