SpecterOps/1PassHound
1PassHound

Vault Access

Overview

The 1Password for Business OpenGraph extension lets you bring your 1Password ACL data into BloodHound's graph-analysis framework. With this extension, you can:

  • Model Your 1Password Estate: Represent your business account as a graph of nodes (accounts, users, groups, vaults and every kind of item: logins, secure notes, cards, etc.), each decorated with its own Font Awesome icon and color.

  • Map Every Permission & Membership: Capture all relationships with edges such as OP_Contains, OP_MemberOf, OP_ManagerOf, OP_ViewItems, OP_ManageVault, OP_HasItem, OP_ManageGroups, OP_AddMember and OP_RecoverAccounts.

  • Collect via the 1Password CLI: Use the PowerShell collector (1passhound.ps1, entry point Invoke-1PassHound) to wrap the op CLI, fetch Users, Groups, Vaults and Items from your local 1Password session, and emit a BloodHound-compatible JSON file (1pass_<accountid>.json).

  • Visualize & Analyze in BloodHound: Once imported, you'll be able to:

    • Audit & Compliance: Verify who really has access to which vaults or items, including access inherited through group membership.
    • Incident Response: Trace potential exposure paths from a compromised user to the vaults and items they could reach, and remediate unintended permissions.
    • Security Reviews: Explore group memberships, vault structures and item distribution at a glance.

Whether you're auditing permissions, responding to incidents, or simply exploring your 1Password configuration, this extension brings clarity, control and rich visualization to your vaults and items.

Collector Setup & Usage

  1. PowerShell Prerequisite

    • Requires PowerShell 3.0+ on any platform where both PowerShell and the op CLI run.
  2. Install the 1Password CLI

  3. Enable Desktop-App Integration

  4. Authenticate

    • From your macOS or Windows PowerShell session, run:

      op signin <your-subdomain>
    • This exports an OP_SESSION_<account> environment variable that the collector uses. op signin prints the export statement rather than setting the variable in the calling shell, so if OP_SESSION_<account> is not present in your session afterwards, evaluate the command's output with Invoke-Expression.
    • The collector inherits this session's access: it can only enumerate the users, groups, vaults and items the signed-in user is permitted to see, so the resulting graph is only as complete as that user's view of the account.

  5. Load & Run the Collector

    • In the repo root (where 1passhound.ps1 lives), dot-source the script so its functions become available:

      . .\1passhound.ps1
    • Then execute the main function:

      Invoke-1PassHound
    • By default, this will emit a BloodHound-compatible JSON graph named:

      1pass_<accountid>.json
  6. Dependencies

    • No extra PowerShell modules are required, just built-in cmdlets plus the op CLI.
  7. Platform Support

    • Verified on macOS (PowerShell Core) and expected to work on Windows PowerShell 3.0+ (and PowerShell Core on Linux).

Required Permissions

Schema

1PassHound Schema

Below is the complete set of nodes and edges as defined in the model.

Nodes

Nodes correspond to each object type (accounts, vaults, users, groups, and all item sub‑types).

| Node | Icon | Color | Description |
|---|---|---|---|
| OP_Account | building | #5A8FDC | Top-level account resource |
| OP_User | user | #F4CA70 | A user belonging to an account |
| OP_Group | user-group | #FF8369 | A group of users within an account |
| OP_Vault | vault | #6AE4A9 | A vault/container that holds items |
| OP_Item | passport | #C04EA0 | Abstract item resource (parent of specific item types) |
| OP_ApiCredential | code | #FFF6EB | An API key, token, or secret used by applications or services to authenticate against an API |
| OP_CreditCard | credit-card | #FFF6EB | A stored payment card record, including card number, expiration date, and billing details |
| OP_Document | file | #FFF6EB | An arbitrary file or document (PDF, Word, spreadsheet, etc.) attached to a vault |
| OP_Login | user-lock | #FFF6EB | A website or service login record containing a username and password pair |
| OP_Passport | passport | #FFF6EB | A secure note formatted for passport information (number, issue/expiry dates, etc.) |
| OP_Password | key | #FFF6EB | A standalone password entry, not tied to a specific login record |
| OP_SecureNote | note-sticky | #FFF6EB | A free-form secure note for storing text, URLs, or other free-form data |
| OP_Server | server | #FFF6EB | Credentials for server access (SSH password, IP address, etc.) |
| OP_SoftwareLicense | key | #FFF6EB | A software license key or file, optionally with purchase/expiry metadata |
| OP_SshKey | terminal | #FFF6EB | An SSH key pair (public + private) for authenticating to servers |
| OP_WirelessRouter | wifi | #FFF6EB | Wi-Fi network credentials (SSID, passphrase, encryption type) |

OP_Account

| Property Name | Display Name | Data Type | Sample Value | Description |
|---|---|---|---|---|
| id | Id | string | 7Z36OJI23456789DQPHOFMPGM | |
| display_name | Display Name | string | SpecterOps Development | |
| domain | Domain FQDN | string | specterdev | |
| type | Type | string | BUSINESS | |
| state | State | string | ACTIVE | |
| created | Created | datetime | 2025-07-15T20:33:43Z | |

OP_User

| Property Name | Display Name | Data Type | Sample Value | Description |
|---|---|---|---|---|
| id | Id | string | ABCDEFGHIJKLMNOPQRSTUVWXYZ | |
| display_name | Display Name | string | Jared Atkinson | |
| email | Email | string | jatkinson@specterops.io | |
| state | State | string | ACTIVE | |
| type | Type | string | BUSINESS | |
| account_id | Account Id | string | 7Z36OJI23456789DQPHOFMPGM | |
| account_name | Account Name | string | SpecterOps Development | |

OP_Group

| Property Name | Display Name | Data Type | Sample Value | Description |
|---|---|---|---|---|
| id | Id | string | ABCDEFGHIJKLMNOPQRSTUVWXYZ | |
| state | State | string | ACTIVE | |
| created | Created | datetime | 2025-07-15T20:33:45Z | |
| updated | Updated | datetime | 2025-07-15T20:33:45Z | |
| type | Type | string | OWNERS, RECOVERY, ADMINISTRATORS, TEAM_MEMBERS, USER_DEFINED | |
| account_id | Account Id | string | 7Z36OJI23456789DQPHOFMPGM | |
| account_name | Account Name | string | SpecterOps Development | |

OP_Vault

| Property Name | Display Name | Data Type | Sample Value | Description |
|---|---|---|---|---|
| id | Id | string | ABCDEFGHIJKLMNOPQRSTUVWXYZ | |
| description | Description | string | Credit cards, account passwords, and more | |
| type | Type | string | EVERYONE, PERSONAL, USER_CREATED | |
| created | Created | datetime | 2025-07-15T20:33:45Z | |
| updated | Updated | datetime | 2025-07-15T20:33:45Z | |
| item_count | Item Count | integer | 4 | |
| account_id | Account Id | string | 7Z36OJI23456789DQPHOFMPGM | |
| account_name | Account Name | string | SpecterOps Development | |

OP_Item

| Property Name | Display Name | Data Type | Sample Value | Description |
|---|---|---|---|---|
| id | Id | string | ABCDEFGHIJKLMNOPQRSTUVWXYZ | |
| category | Category | string | API_CREDENTIAL | |
| last_edited_by | Last Edited By | string | ABCDEFGHIJKLMNOPQRSTUVWXYZ | |
| created | Created | datetime | 2025-07-15T20:33:45Z | |
| updated | Updated | datetime | 2025-07-15T20:33:45Z | |
| additional_information | Additional Information | string | | |
| account_id | Account Id | string | 7Z36OJI23456789DQPHOFMPGM | |
| account_name | Account Name | string | SpecterOps Development | |

NOTE: All remaining object types (the item sub-types listed in the node table) are subsets of the OP_Item kind and carry the same properties.

Edges

Edges capture every relationship: who contains what, membership, view vs. manage permissions, etc. Traversable marks edges that BloodHound path-finding follows; Post-Processed marks edges the extension derives from other edges after collection rather than collecting directly.

| Edge Type | Source | Target | Description | Traversable | Post-Processed |
|---|---|---|---|---|---|
| OP_Contains | OP_Account | OP_Item | Account contains items | n | n |
| OP_Contains | OP_Account | OP_User | Account contains users | n | n |
| OP_Contains | OP_Account | OP_Vault | Account contains vaults | n | n |
| OP_Contains | OP_Account | OP_Group | Account contains groups | n | n |
| OP_HasItem | OP_Vault | OP_Item | Vault holds items | y | n |
| OP_ViewItems | OP_User | OP_Vault | User can view items in the vault | y | n |
| OP_ViewItems | OP_Group | OP_Vault | Group can view items in the vault | y | n |
| OP_ManageVault | OP_User | OP_Vault | User can manage the vault | y | n |
| OP_ManageVault | OP_Group | OP_Vault | Group can manage the vault | y | n |
| OP_MemberOf | OP_User | OP_Group | User is a member of a group | y | n |
| OP_ManagerOf | OP_User | OP_Group | User is a manager of a group | n | n |
| OP_ManageGroups | OP_Group | OP_Account | Group can manage other groups in the account | n | n |
| OP_AddMember | OP_Group | OP_Group | Group can add members to another group; derived from the source group's OP_ManageGroups edge to the account that contains the target group | y | y |
| OP_RecoverAccounts | OP_Group | OP_Account | Group can recover accounts | n | n |
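The traversable/non-traversable split and the post-processed OP_AddMember edge are easiest to see in code. The Python below is an added example for this page, not part of 1PassHound (whose collector is PowerShell). It assumes the collector's JSON follows the BloodHound OpenGraph generic-ingest shape (nodes with id/kinds/properties, edges with kind/start/end matched by id); that shape is an assumption here, and SAMPLE is a constructed graph rather than real collector output. It derives OP_AddMember exactly as the edge table describes, then walks only traversable edges to show which items each user can reach before and after post-processing.

```python
"""Offline reasoning over a 1PassHound export (1pass_<accountid>.json).

Added example, not project code. Assumes the OpenGraph generic-ingest shape
(nodes: id/kinds/properties, edges: kind/start/end). SAMPLE is constructed.
"""
import json
from collections import deque

# Edge kinds the schema marks Traversable = y. OP_AddMember is absent from raw
# collector output; derive_add_member_edges() performs that post-processing.
TRAVERSABLE = {"OP_HasItem", "OP_ViewItems", "OP_ManageVault", "OP_MemberOf", "OP_AddMember"}


def node(node_id, kinds, **props):
    return {"id": node_id, "kinds": kinds, "properties": props}


def edge(kind, start, end):
    # Assumed OpenGraph edge shape; start/end are matched on node id.
    return {"kind": kind, "start": {"value": start, "match_by": "id"},
            "end": {"value": end, "match_by": "id"}, "properties": {}}


# Constructed sample: alice sits in ADMINISTRATORS, which holds MANAGE_GROUPS on
# the account; only the DevOps group has OP_ViewItems on the prod vault.
SAMPLE = {"graph": {
    "nodes": [
        node("ACCT", ["OP_Account"], display_name="Example Co", type="BUSINESS"),
        node("U_ALICE", ["OP_User"], display_name="alice"),
        node("U_BOB", ["OP_User"], display_name="bob"),
        node("G_ADMINS", ["OP_Group"], type="ADMINISTRATORS"),
        node("G_DEVOPS", ["OP_Group"], type="USER_DEFINED"),
        node("V_PROD", ["OP_Vault"], type="USER_CREATED"),
        node("I_SSH", ["OP_Item", "OP_SshKey"], category="SSH_KEY"),
    ],
    "edges": [edge("OP_Contains", "ACCT", n)
              for n in ("U_ALICE", "U_BOB", "G_ADMINS", "G_DEVOPS", "V_PROD", "I_SSH")] + [
        edge("OP_MemberOf", "U_ALICE", "G_ADMINS"),
        edge("OP_MemberOf", "U_BOB", "G_DEVOPS"),
        edge("OP_ManageGroups", "G_ADMINS", "ACCT"),
        edge("OP_ViewItems", "G_DEVOPS", "V_PROD"),
        edge("OP_HasItem", "V_PROD", "I_SSH"),
    ],
}}


def load_graph(path):
    """Load a collector export from disk (e.g. 1pass_<accountid>.json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def derive_add_member_edges(graph):
    """Edge-table post-processing: a group with OP_ManageGroups on an account
    gains OP_AddMember to every *other* group that account contains.
    Only edges not already present are returned, so repeated runs are safe."""
    nodes, edges = graph["graph"]["nodes"], graph["graph"]["edges"]
    group_ids = {n["id"] for n in nodes if "OP_Group" in n["kinds"]}
    contained = {}
    for e in edges:
        if e["kind"] == "OP_Contains":
            contained.setdefault(e["start"]["value"], set()).add(e["end"]["value"])
    existing = {(e["kind"], e["start"]["value"], e["end"]["value"]) for e in edges}
    derived = []
    for e in edges:
        if e["kind"] != "OP_ManageGroups":
            continue
        manager, account = e["start"]["value"], e["end"]["value"]
        for target in sorted(contained.get(account, set()) & group_ids):
            if target != manager and ("OP_AddMember", manager, target) not in existing:
                derived.append(edge("OP_AddMember", manager, target))
    return derived


def with_post_processing(graph):
    """Copy of graph with the derived OP_AddMember edges appended."""
    return {"graph": {"nodes": list(graph["graph"]["nodes"]),
                      "edges": graph["graph"]["edges"] + derive_add_member_edges(graph)}}


def paths_to_items(graph, start_id):
    """BFS from start_id over traversable edges only. Returns
    {item_id: [(edge_kind, node_id), ...]} (shortest path) per OP_Item reached."""
    nodes, edges = graph["graph"]["nodes"], graph["graph"]["edges"]
    items = {n["id"] for n in nodes if "OP_Item" in n["kinds"]}
    adjacency = {}
    for e in edges:
        if e["kind"] in TRAVERSABLE:
            adjacency.setdefault(e["start"]["value"], []).append((e["kind"], e["end"]["value"]))
    parent, queue = {start_id: None}, deque([start_id])
    while queue:
        current = queue.popleft()
        for kind, nxt in adjacency.get(current, ()):
            if nxt not in parent:  # first visit is the shortest path
                parent[nxt] = (current, kind)
                queue.append(nxt)
    found = {}
    for item in items.intersection(parent):
        path, n = [], item
        while parent[n] is not None:
            prev, kind = parent[n]
            path.append((kind, n))
            n = prev
        found[item] = path[::-1]
    return found


def audit(graph):
    """Per-user reachable item ids: (as collected, after post-processing)."""
    users = [n["id"] for n in graph["graph"]["nodes"] if "OP_User" in n["kinds"]]
    enriched = with_post_processing(graph)
    return ({u: set(paths_to_items(graph, u)) for u in users},
            {u: set(paths_to_items(enriched, u)) for u in users})


if __name__ == "__main__":
    before, after = audit(SAMPLE)
    for user in sorted(after):
        print(f"{user}: collected={sorted(before[user])} with OP_AddMember={sorted(after[user])}")
```

Point SAMPLE at a real export with load_graph("1pass_<accountid>.json") to run the same check on your own account. In the constructed graph alice has no collected edge to the prod vault, yet once OP_AddMember is derived the path alice, OP_MemberOf, ADMINISTRATORS, OP_AddMember, DevOps, OP_ViewItems, prod vault, OP_HasItem, SSH key appears: a group holding MANAGE_GROUPS (see the Default Group Permissions table) can add its members to any vault-bearing group. This is why the post-processing step has to run before path-finding, and why OP_ManageGroups itself is non-traversable while the edge derived from it is not.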

Contributing

We welcome and appreciate your contributions! To make the process smooth and efficient, please follow these steps:

  1. Discuss Your Idea

    • If you've found a bug or want to propose a new feature, please start by opening an issue in this repo. Describe the problem or enhancement clearly so we can discuss the best approach.
  2. Fork & Create a Branch

    • Fork this repository to your own account.

    • Create a topic branch for your work:

      git checkout -b feat/my-new-feature
  3. Implement & Test

    • Follow the existing style and patterns in the repo.

    • Add or update any tests/examples to cover your changes.

    • Verify your code runs as expected:

      # e.g. dot-source the collector and run it, or load the model.json in BloodHound
  4. Submit a Pull Request

    • Push your branch to your fork:

      git push origin feat/my-new-feature
    • Open a Pull Request against the main branch of this repository.

    • In your PR description, please include:

      • What you've changed and why.
      • How to reproduce/test your changes.
  5. Review & Merge

    • I'll review your PR, give feedback if needed, and merge once everything checks out.
    • For larger or more complex changes, review may take a little longer—thanks in advance for your patience!

Thank you for helping improve this extension! 🎉

Licensing

Copyright 2025 Jared Atkinson

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Unless otherwise annotated by a lower-level LICENSE file or license header, all files in this repository are released under the Apache-2.0 license. A full copy of the license may be found in the top-level LICENSE file.

Default Group Permissions
Permission Name Owners Administrators Recovery Provision Managers
ADD_PERSON x x
CHANGE_PERSON_NAME x x
CHANGE_TEAM_ATTRIBUTES x x
CHANGE_TEAM_DOMAIN x x
CHANGE_TEAM_SETTINGS x x
CREATE_VAULTS x x
DELETE_PERSON x x
DELETE_TEAM x
MANAGE_BILLING x
MANAGE_GROUPS x x
MANAGE_TEMPLATES x x
MANAGE_VAULTS x x
PROVISION_PEOPLE x
SUSPEND_PERSON x x
SUSPEND_TEAM x
RECOVER_ACCOUNTS x x x
VIEW_ACTIVITY_LOGS x x
VIEW_ADMINISTRATIVE_SIDEBAR x x x
VIEW_BILLING x
VIEW_PEOPLE x x x
VIEW_TEAM_SETTINGS x x
VIEW_TEMPLATES x x
VIEW_VAULTS x x

Group Permission Categories
Permission Name View Administrative Sidebar Manage Settings Manage Billings Delete Account Suspend People Invite & Remove People Manage People Create Vaults Recover Accounts Manage All Groups
ADD_PERSON 6
CHANGE_PERSON_NAME 7
CHANGE_TEAM_ATTRIBUTES 2 2
CHANGE_TEAM_DOMAIN 2 2
CHANGE_TEAM_SETTINGS 2 2
CREATE_VAULTS 8
DELETE_PERSON 6
DELETE_TEAM 4
MANAGE_BILLING 3 3
MANAGE_GROUPS 10
MANAGE_TEMPLATES 2 2
MANAGE_VAULTS
PROVISION_PEOPLE
SUSPEND_PERSON 5 5
SUSPEND_TEAM 4
RECOVER_ACCOUNTS 9
VIEW_ACTIVITY_LOGS 1 1
VIEW_ADMINISTRATIVE_SIDEBAR 1 1 1 1 1 1 1 1
VIEW_BILLING 3 3
VIEW_PEOPLE 1 1 1 1 1 1 1 1
VIEW_TEAM_SETTINGS 1 1 1 1 1 1 1 1
VIEW_TEMPLATES 1 1 1 1 1 1 1 1
VIEW_VAULTS 1 1 1 1 1 1 1 1
