Sharing and access design

Community Member
edited January 30 in Memberships

The 1Password design around Items, People and Vaults (Folders) seems to be a little counter-intuitive and inefficient. I would have expected Items:Vaults to be many:many just as Vaults:People is many:many. This would implicitly make Items:People also many:many.

Suppose I have a Families account with 5 members, call them M1 to M5. Ideally, I would like to create 1 shared vault (call them V1 to V5) for each Member with View & Edit access for that member and myself. Each item that needs to be shared with a member N gets dropped into vault V(N). But 1Password requires an Item to be in a single vault so if I need to share an item with M1 and M2, I need to create yet another vault/folder, say M1and2 and, worse, copy the item to that vault as well as any other vaults that need it. The number of vaults can quickly get out of hand! The ability to link items would have been a nice feature to avoid creating copies of an item but even that falls short because only items in the same vault can be linked.

In other words, a Vault appears to be a construct to hold items that have something in common (e.g. Travel Documents, Medical, Entertainment, etc.) which is sort of orthogonal to who has access to those items. I tend to think of items in terms of who has access, regardless of type of item.

Am I missing something?



  • Tertius3
    Community Member

    Vaults are not a construct to hold similar items, they are not meant to be kind of folders. They probably were in the past with standalone vaults, but with family or team accounts, and with the possibility to organize items by tags, they are not like folders any more.

    Actually, they are a mechanism for access control (between different members) and visibility control (if you need to switch from one set of vaults to a different set to show/hide different items for autofill).

    For each combination of access, you can create its own vault and not need to duplicate any items. Yes, this will increase the number of vaults. However, in a real family world, there would probably not be too many combinations actually used.

    With 2 parents (p1 and p2) and 2 children (c1 and c2), you have the default shared vault for items for everyone to know. Additionally:
    1 vault for sharing items between the parents p1 and p2.
    1 vault for sharing items between parents and child c1
    1 vault for sharing items between parents and child c2
    1 vault for sharing items between children c1 and c2
    If you have another child, you have 1 more vault.

    5 or 6 vaults is not too much, in my opinion.

    And it's possible you don't actually have items for all these cases. In most families, you will probably have one shared vault for the parents only, and for everything else that needs to be shared there's the default shared vault for all.

    But you don't ever need to duplicate items. If there is a new access pattern, create a vault for it and MOVE the corresponding item there. Not copy.

  • shhh
    Community Member

    I use 7 accounts in my family plan. 4 are my immediate family. 3 are close friends. The access patterns you described work well for my immediate family, but when I need to share some (not all) items with the other 3, the combinations start to get unwieldy. More fine-grained ACL at the item:people level would be better in my opinion.


  • Tertius3
    Community Member

    You're right, however it's not clear if non-IT people understand more fine-grained ACL. It might overwhelm them (and 1Password support) if you have sophisticated ACL management, probably also with groups and roles, which is the usual solution to that issue (or challenge). ACLs seem to be fixed for a vault, not dynamic like (for example) Windows ACLs ("AGDLP").

    In addition, if we look at the cloud infrastructure, a vault seems to be the thing where every item within is encrypted with the same key and that is synced as a whole to client computers. Not individual items, but whole vaults. So the smallest thing you can attach ACLs to are vaults, not individual items.

  • shhh
    Community Member

    ACLs at the file level (item in this case) can get very complicated with inheritance and such, so it looks like the 1Password design simplified it by using a folder (Vault) as the lowest level of granularity. Support and ease of use is a valid consideration, good point.

    Thanks for the discussion.
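
The two layouts discussed in this thread, modelled as an added example (not part of any post and not 1Password code): one vault per distinct audience, with each item stored once, versus one vault per member with items copied into each. The item names and audiences are constructed; p1, p2, c1 and c2 follow the naming used in the thread, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: item -> members who should be able to read it.
ITEMS = {
    "wifi": {"p1", "p2", "c1", "c2"},
    "bank": {"p1", "p2"},
    "mortgage": {"p1", "p2"},
    "school-portal-c1": {"p1", "p2", "c1"},
    "school-portal-c2": {"p1", "p2", "c2"},
    "game-account": {"c1", "c2"},
}


def plan_vaults(items):
    """One vault per distinct audience; every item lives in exactly one vault."""
    vaults = defaultdict(set)
    for name, audience in items.items():
        vaults[frozenset(audience)].add(name)
    return dict(vaults)


def visible_items(vaults):
    """Invert a layout into member -> readable items, to audit the plan."""
    seen = defaultdict(set)
    for members, names in vaults.items():
        for member in members:
            seen[member] |= names
    return dict(seen)


def copies_with_member_vaults(items, owner):
    """Per-member vaults V(N) shared with the owner: count stored copies."""
    # An item visible only to the owner still needs one copy somewhere.
    return sum(len(aud - {owner}) or 1 for aud in items.values())


def move_item(items, name, new_audience):
    """Changing an item's audience is a move to another vault, not a copy."""
    updated = dict(items)
    updated[name] = set(new_audience)
    return updated


if __name__ == "__main__":
    layout = plan_vaults(ITEMS)
    members = set().union(*ITEMS.values())
    print("vaults used:", len(layout), "of", 2 ** len(members) - 1, "possible")
    print("copies with per-member vaults:", copies_with_member_vaults(ITEMS, "p1"))
    for member, names in sorted(visible_items(layout).items()):
        print(member, sorted(names))
```

Only audiences that are actually used become vaults, so the count stays well below the 2^n - 1 upper bound until many distinct sharing combinations appear, which is the situation described for the 7-account plan.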
