> ## Documentation Index
> Fetch the complete documentation index at: https://support.configview.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 1Password setup

ConfigView pulls 1Password data through **three separate credentials** that you create in your own 1Password account. Each one unlocks a different slice of data:

| Credential                     | Required for                                                  | 1Password plan                                   |
| ------------------------------ | ------------------------------------------------------------- | ------------------------------------------------ |
| **Events Reporting API token** | Sign-in attempts, item usages, audit events                   | Business or Enterprise                           |
| **SCIM Bridge bearer token**   | Users, groups, group membership, SCIM schema                  | Business or Enterprise with SCIM Bridge deployed |
| **Service Account token**      | Account info, vaults, vault items metadata, vault permissions | Business or Enterprise                           |

The credentials are intentionally separate because 1Password issues them through three different admin surfaces, each with its own scope. ConfigView can run with **any subset** — if you only have the Events Reporting API enabled, just create that one and enable only the Events scripts.

You will end up with **5 secrets** in ConfigView (`OP_EVENTS_HOST`, `OP_EVENTS_TOKEN`, `OP_SCIM_URL`, `OP_SCIM_TOKEN`, `OP_SERVICE_ACCOUNT_TOKEN`) when all three parts are complete.

***

## Part 1: Events Reporting API

Set up an Events Reporting integration so ConfigView can pull sign-in attempts, item usages, and audit events.

***

### Step 1: Create the Events Reporting Integration

1. Sign in to your 1Password account as an **Owner** or **Administrator** at [https://my.1password.com](https://my.1password.com)
2. Click **Integrations** in the sidebar
3. Under **Events Reporting**, click **Add Integration** and choose **Other**
4. **Name:** `ConfigView`
5. Pick which event streams to enable. ConfigView uses all three:
   * **Sign-in attempts**
   * **Item usages**
   * **Audit events**
6. Click **Add Integration**
7. Copy the **bearer token** that appears. You will not be able to see it again — store it somewhere safe.

> **Note:** The Events Reporting API requires a Business or Enterprise plan. If you do not see Events Reporting under Integrations, contact your 1Password account rep to confirm your plan tier.

***

### Step 2: Note your Events API host

The Events API host depends on your 1Password tenancy:

| Tenancy                     | Host                                                         |
| --------------------------- | ------------------------------------------------------------ |
| 1Password.com (US, default) | `https://events.1password.com`                               |
| 1Password.ca                | `https://events.1password.ca`                                |
| 1Password.eu                | `https://events.1password.eu`                                |
| Enterprise (custom)         | Use the host shown on your Events Reporting integration page |

Copy the host that matches your tenancy.

***

### Step 3: Add the Events secrets to ConfigView

1. Go to your ConfigView dashboard: `https://{companyname}.configview.com/admin/secret/`
2. Click **Add Secret** and create:
   * `OP_EVENTS_HOST`: the host from Step 2 (e.g. `https://events.1password.com`)
   * `OP_EVENTS_TOKEN`: the bearer token from Step 1
3. Click **Save**

***

## Part 2: SCIM Bridge

Set up SCIM Bridge access so ConfigView can pull users, groups, and group membership.

> **Skip this section if you do not have a SCIM Bridge deployed.** SCIM Bridge is an optional 1Password component used for IdP provisioning (Okta, Azure AD, etc.). If you have not deployed it, skip to Part 3.

***

### Step 1: Locate (or create) the SCIM bearer token

If your SCIM Bridge is already provisioning users from your IdP, a bearer token already exists. You can either reuse it or create a dedicated one for ConfigView.

**To create a dedicated token:**

1. Sign in to your SCIM Bridge admin UI (e.g. `https://scim.yourcompany.com`) using the recovery code
2. Click **Generate** to produce a new bearer token
3. Copy the token — store it somewhere safe

**To reuse the existing token:** retrieve it from wherever your IdP integration stores it (Okta admin, Azure AD enterprise app, etc.).

***

### Step 2: Note your SCIM Bridge URL

This is the public URL of your SCIM Bridge deployment, e.g. `https://scim.yourcompany.com`. No trailing slash; ConfigView normalizes it either way.

***

### Step 3: Add the SCIM secrets to ConfigView

1. Go to: `https://{companyname}.configview.com/admin/secret/`
2. Click **Add Secret** and create:
   * `OP_SCIM_URL`: your SCIM Bridge URL (e.g. `https://scim.yourcompany.com`)
   * `OP_SCIM_TOKEN`: the bearer token from Step 1
3. Click **Save**

***

## Part 3: Service Account (vault inventory)

Set up a 1Password service account so ConfigView can list vaults, items metadata, and per-vault permissions via the `op` CLI.

> ConfigView reads **metadata only** — item titles, tags, vault membership. It never reads or stores secret values from your vaults. To enforce this, scope the service account read-only and grant access only to the vaults you want inventoried.

***

### Step 1: Create the Service Account

1. Sign in to your 1Password account as an **Owner** at [https://my.1password.com](https://my.1password.com)
2. Click **Integrations** in the sidebar
3. Under **Service Accounts**, click **Create Service Account** (or **Other** → **Service Account**)
4. **Name:** `ConfigView`
5. Pick the vaults the service account should have access to. ConfigView will inventory exactly these — anything you don't grant remains invisible.
6. For each vault, choose the **Read Items** permission only.
7. Click **Create Account**
8. Copy the **service account token** (starts with `ops_...`). You will not be able to see it again — store it somewhere safe.

> **Note:** If you want ConfigView to inventory **every** vault in your account, grant the service account access to all vaults. New vaults created after this point will not be visible until you explicitly grant the service account access to them.

***

### Step 2: Add the Service Account secret to ConfigView

1. Go to: `https://{companyname}.configview.com/admin/secret/`
2. Click **Add Secret**
3. **Secret name:** `OP_SERVICE_ACCOUNT_TOKEN`
4. **Secret value:** Paste the `ops_...` token you copied
5. Click **Save**

***

## Step 4: Enable the 1Password scripts in ConfigView

1. Go to: `https://{companyname}.configview.com/admin/cron/`
2. You should see **1password** in the list of available apps
3. Select the scripts you want to run. Each script depends on a specific credential — enable only what you have:

| Script                      | Credential      | Notes                                                     |
| --------------------------- | --------------- | --------------------------------------------------------- |
| **Sign-in Attempts**        | Events API      | Last 30 days of sign-in events                            |
| **Item Usages**             | Events API      | Last 30 days of item access events                        |
| **Audit Events**            | Events API      | Last 30 days of admin/governance actions                  |
| **Events Token Introspect** | Events API      | Validates token scope; safe to always enable              |
| **Users**                   | SCIM Bridge     | All directory-managed users                               |
| **Groups**                  | SCIM Bridge     | All directory-managed groups                              |
| **Group Members**           | SCIM Bridge     | Which users belong to which groups                        |
| **SCIM Service Config**     | SCIM Bridge     | SCIM endpoint capabilities                                |
| **SCIM Resource Types**     | SCIM Bridge     | SCIM resource schemas                                     |
| **SCIM Schemas**            | SCIM Bridge     | SCIM attribute schemas                                    |
| **Account**                 | Service Account | Account name, domain, plan                                |
| **Vaults**                  | Service Account | All vaults the service account can see                    |
| **Vault Items (metadata)**  | Service Account | Item titles, tags, created/updated — **no secret values** |
| **Vault Users**             | Service Account | Per-vault user permissions                                |
| **Vault Groups**            | Service Account | Per-vault group permissions                               |

4. Click **Save**

> **Note:** Group Members depends on Groups; Vault Items / Vault Users / Vault Groups all depend on Vaults. ConfigView wires these dependencies automatically — parent scripts always run first.

***

## Step 5: Verify

1. Go to: `https://{companyname}.configview.com/admin/status/`
2. Run the **1Password** health check
3. The corresponding sections should pass for whichever credentials you configured:
   * Events API: secret + token introspection
   * SCIM Bridge: secret + `/Users` and `/Groups` endpoints
   * Service Account: secret + `op whoami`

If a check fails:

* **Events API `401 Unauthorized`** — Token expired or revoked. Re-issue from Part 1 Step 1 and update the `OP_EVENTS_TOKEN` secret.
* **SCIM Bridge `connection refused`** — `OP_SCIM_URL` is wrong, or your SCIM Bridge is not reachable from the ConfigView satellite. Confirm the URL in a browser first.
* **Service Account `op` binary not found** — The `op` CLI is not installed on the satellite. Contact your ConfigView administrator (or support) to install it. The Events and SCIM scripts do not require the `op` binary.
* **Service Account `service account not authorized for this vault`** — Grant the service account access to that vault in 1Password (Part 3 Step 1), or accept that the vault will not appear in the inventory.

***

## Data Tables

Once the scripts run, the corresponding tables will be created in your database. All tables include a `run_at` column for historical tracking.

| Table                         | Source          | Key Columns                                                                      |
| ----------------------------- | --------------- | -------------------------------------------------------------------------------- |
| `onepassword_signin_attempts` | Events API      | uuid, category, type, country, target\_user\_email, session\_uuid, timestamp     |
| `onepassword_item_usages`     | Events API      | uuid, used\_version, vault\_uuid, item\_uuid, user\_email, action, timestamp     |
| `onepassword_audit_events`    | Events API      | uuid, action, object\_type, object\_uuid, actor\_email, session\_uuid, timestamp |
| `onepassword_introspect`      | Events API      | features (JSON), issued\_at, expires\_at                                         |
| `onepassword_users`           | SCIM Bridge     | scim\_id, user\_name, email, display\_name, active, groups\_json                 |
| `onepassword_groups`          | SCIM Bridge     | scim\_id, display\_name, member\_count                                           |
| `onepassword_group_members`   | SCIM Bridge     | group\_scim\_id, member\_scim\_id, member\_email                                 |
| `onepassword_scim_config`     | SCIM Bridge     | feature, supported, raw\_json                                                    |
| `onepassword_resource_types`  | SCIM Bridge     | resource\_id, name, endpoint, schema                                             |
| `onepassword_schemas`         | SCIM Bridge     | schema\_id, name, attributes\_json                                               |
| `onepassword_account`         | Service Account | account\_uuid, name, domain                                                      |
| `onepassword_vaults`          | Service Account | vault\_id, name, content\_version, items, type                                   |
| `onepassword_vault_items`     | Service Account | vault\_id, item\_id, title, category, tags, urls\_json, created\_at, updated\_at |
| `onepassword_vault_users`     | Service Account | vault\_id, user\_email, permissions\_json                                        |
| `onepassword_vault_groups`    | Service Account | vault\_id, group\_id, group\_name, permissions\_json                             |
