All browser extensions must request certain permissions to access browser functionality. This page describes the permissions that the 1Password SaaS Manager extension requests, and why it requests them.
You can review the SaaS Manager extension in full on the CRXcavator site:
https://crxcavator.io/report/igjpcenkahclnlkcldhphacgmfilbefd
If you are a customer, or potential customer, and require access to the unminimized source code then please contact saasmanager@1password.com.
Chrome permission warnings
Chrome flags certain permissions when you install the extension.
- Read and change all your data on all websites -
scripting: The scripting permission is used to:
- detect click actions in the browser on login buttons, in order to report actual login access, rather than just browsing activity (and thereby avoid false positives);
- examine the email address entered during a login process in order to verify whether a company email address is being used, and therefore whether data should be tracked;
- detect if MFA codes are being used.
- Display notifications -
notifications: The notifications permission is used to show a message to users if they are not logged in to the extension. Without this, a user might not be aware that they are not logged in correctly and that the extension has stopped reporting.
- Know your email address -
identity.email: Deployment at scale to all employees by the IT team is difficult if each user has to log in to SaaS Manager. This permission lets the extension read the email address of the user who is logged in to Chrome or Edge. SaaS Manager then issues an access token with minimal rights to allow the extension to submit data using the user's identity.
- Manage your apps, extensions, and themes -
management: SaaS Manager can report back other extensions installed on the user's browser, which requires the 'management' permission in order to get the names of the installed extensions.
- Communicate with cooperating native applications -
nativeMessaging: If a user isn't logged in to their browser (e.g. Chrome where Microsoft Entra ID is the primary IdP, Edge where Google Workspace is used, or on Firefox) we provide a small executable (the browser helper) which returns the currently logged-in macOS or Windows user to the browser extension. This avoids users having to log in to the SaaS Manager extension directly themselves. The communication between the two is managed using the Native Messaging protocol, which requires this permission.
Other permissions
The extension requests other permissions which are not flagged by Chrome.
alarms: The extension submits data to the SaaS Manager servers on a periodic basis. To do this, the extension registers itself with the browser alarms API so that it can perform actions on a schedule.
cookies: Cookie access is required as part of the login process to detect when a user logs in to app.trelica.com or eu.trelica.com in a browser tab. Cookie access is scoped by the browser to the 'Host permissions' which is set to https://*.trelica.com/*, so the extension only has access to cookies on trelica.com domains.
identity: The extension originally had support for using OAuth to login, which requires this permission to get a redirect URL as part of the OAuth protocol. This has been deprecated in the extension and the permission is being dropped from v1.3.76 onwards.
storage: The extension needs to store information about URL matching rules, general settings, and user activity before it is processed and sent to the SaaS Manager servers. The benefit of this is that information can be processed as much as possible on the user's machine, minimizing information sent to SaaS Manager.
tabs: This is needed to access the URLs the user is browsing to as part of the application detection process, and also to access the 'favicon' URL, so we can display an appropriate icon in the UI.
- Host permissions
Permissions for https://*.trelica.com/* are required so that we can return data to the SaaS Manager servers (otherwise there would be an error due to a cross-origin request). This also restricts cookie access to the trelica.com domain.
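One way to check a deployed copy of the extension against the list above is to diff its manifest.json against the documented permissions. This is an added example, not 1Password's code: the documented sets are copied from this page, while `auditManifest`, `SAMPLE_MANIFEST` and its contents (including the `webRequest` and example.com entries) are constructed for illustration and are not the real SaaS Manager manifest.

```javascript
// Permission names and host pattern as documented on this page.
const DOCUMENTED_PERMISSIONS = new Set([
  "scripting", "notifications", "identity.email", "management", "nativeMessaging",
  "alarms", "cookies", "identity", "storage", "tabs",
]);
const DOCUMENTED_HOSTS = new Set(["https://*.trelica.com/*"]);

// A permissions entry is a host match pattern if it is <all_urls> or contains a scheme.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const hosts = [
    ...declared.filter(isHostPattern), // Manifest V2 lists hosts inside "permissions"
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  // Content script match patterns also grant page access, so report them for review.
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return {
    undocumentedPermissions: declared.filter(
      (p) => !isHostPattern(p) && !DOCUMENTED_PERMISSIONS.has(p)),
    undocumentedHosts: hosts.filter((h) => !DOCUMENTED_HOSTS.has(h)),
    // Documented but not requested, e.g. "identity" once it has been dropped.
    notRequested: [...DOCUMENTED_PERMISSIONS].filter((p) => !declared.includes(p)),
    contentScriptMatches: [...new Set(matches)],
  };
}

// Constructed sample manifest (assumption, for demonstration only).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["scripting", "notifications", "identity.email", "management",
    "nativeMessaging", "alarms", "cookies", "storage", "tabs", "webRequest"],
  host_permissions: ["https://*.trelica.com/*", "https://*.example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Any entry under `undocumentedPermissions` or `undocumentedHosts` is a reason to compare the installed version against the vendor's published list before approving an update.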