Can you make shared logins and other items read only?

markbot
Community Member
edited May 2023 in Families

Dear 1Password Helpers,

(Forgive me if this question has been answered elsewhere, but I couldn't find it.)

OK, let's say I have a login in my Private Vault, and I decide to make it Shared.

Well, that's easy to do and a great feature.

BUT -- as far as I can tell, the people with whom I am sharing the login can not only edit it, they can delete it altogether -- even from my Vault.

That would make for a long day.

So, Question:

Is it possible for me to Share it, but do so as a read only item for others to see and use, but not modify or delete?

I guess this implies that there would be "ownership" of an item.

(And if not, perhaps a feature to add in future versions.)

Thanks folks,

-markbot
Lower 48


1Password Version: 8.10.6
Extension Version: Not Provided
OS Version: macOS various
Browser: Not Provided

Comments

  • Hi @markbot,

    Everyone with access to a vault can view, print, and copy the items in it. When you first share a vault with someone, they can also create, edit, archive, and delete the items in it.

    If you allow someone to manage a vault, they can change the vault’s name and description, or delete the vault - this permission doesn’t include any item viewing or editing permissions.

    To manage access to a vault on 1Password.com:

    1. Log into the account through your browser at 1Password.com.
    2. Click Vaults in the sidebar, then click the name of the vault you want to manage.
    3. Click the gear icon to the right of the person’s name and choose the permissions you want them to have.

    I've also included an article on How vault permissions are enforced in 1Password accounts, for some extra information. 🙂

  • markbot
    Community Member

    Hi josephine,

    Thank you for your reply.

    OK, so anyone with access to a shared vault can create, edit, archive and delete the items.

    I would say that this is not good. I like the power of a shared vault, but I wish that there was some way of making certain items "read only," such that the people I'm sharing with can't modify or delete the item.

    Perhaps you could add that to the customer "wish list?"

    Couple more questions —

    1. What does the "Service Account Access" switch (on 1Password.com) mean?

    2. Just below that, it reads:

      "This vault doesn’t have any permissions to edit."

      Now I'm confused -- what are the permissions which can be edited?

    -markbot

  • GreyM1P

    @markbot

    > I like the power of a shared vault, but I wish that there was some way of making certain items "read only," such that the people I'm sharing with can't modify or delete the item.

    Permissions are enforced on a vault level, rather than per item, because then they can be enforced cryptographically. We much prefer to be able to enforce things using encryption instead of an allow/deny list.

    As such, you could remove certain people's Edit permission for the Shared vault so that the family member in question has read-only access, with others having full read/write access. Here's an example:

    For this family's Shared vault:

    • Wendy can do whatever she wants with this vault and its contents
    • Sam can do whatever he wants with the items in the vault, but can't change settings for the vault itself, like adding or removing people or deleting the vault
    • Elliott can view items, but he can't make any changes to anything

    Permissions are per person, per vault. Think along the lines: "I would like [family member] to be able to [do this] in [this vault]."

    If there are some items you'd like a family member to be able to edit, and some you'd rather they didn't, you can do that if the items are in separate vaults. One vault would have "Allow Editing" turned on for that family member, and the other wouldn't.

    You can add as many vaults as you want to your account so you can make this as granular as you like: Create and share vaults.

    > 1. What does the "Service Account Access" switch (on 1Password.com) mean?

    Short answer? Nothing for most people.

    Service Accounts can be thought of as bot users of your 1Password account. They'll usually be used by businesses and larger teams to manage things using automation. If you haven't set up a Service Account, then that switch doesn't do anything. If you have, then turning that switch off essentially says "only humans may enter" and a Service Account can't use that vault.

    > 2. Just below that, it reads: "This vault doesn’t have any permissions to edit." Now I'm confused -- what are the permissions which can be edited?

    Your Private vault has hardcoded permissions – only you can view and edit it – and those permissions can't be changed. This is to prevent a Family Organizer (or an Administrator on a Business or Team account) from granting themselves access to someone else's Private vault. By hardcoding these permissions, you can always be assured that your Private vault is just that.

    Any items that are to be shared with someone else go into shared vaults, where you can customise who can do what with each vault.

    I hope that helps clear that up, but happy to take any questions. :)
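
Added example, not part of the original thread and not 1Password code: because permissions are per person, per vault, per-item wishes have to be turned into a set of vaults, one per distinct access profile. The sketch below does that grouping; the flag labels (`view`, `edit`, `manage`), the item titles and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Labels for this sketch, following the thread: "view" covers view/print/copy,
# "edit" covers create/edit/archive/delete, "manage" covers vault settings.
FLAGS = {"view", "edit", "manage"}
NEEDS = {"view": "view", "print": "view", "copy": "view",
         "create": "edit", "edit": "edit", "archive": "edit", "delete": "edit"}

def plan_vaults(wishes):
    """Partition items into vaults, one vault per distinct access profile.

    wishes maps item title -> {person: set of flags}. Two items can share a
    vault only when every person should have the same flags on both.
    """
    groups = defaultdict(list)
    for item, access in wishes.items():
        for person, flags in access.items():
            unknown = set(flags) - FLAGS
            if unknown:
                raise ValueError(f"{item}/{person}: unknown flags {sorted(unknown)}")
        # People with no flags are left out, so "absent" and "empty" compare equal.
        profile = frozenset((p, frozenset(f)) for p, f in access.items() if f)
        groups[profile].append(item)
    vaults = [{"items": sorted(items), "people": {p: set(f) for p, f in profile}}
              for profile, items in groups.items()]
    return sorted(vaults, key=lambda v: v["items"])

def allowed(vaults, person, item, action):
    """True if the vault holding `item` gives `person` the flag `action` needs."""
    for vault in vaults:
        if item in vault["items"]:
            return NEEDS[action] in vault["people"].get(person, set())
    raise KeyError(item)

# Constructed wishes: item titles are invented, names are from the example above.
FULL, RW, RO = {"view", "edit", "manage"}, {"view", "edit"}, {"view"}
WISHES = {
    "Streaming login": {"Wendy": FULL, "Sam": RW, "Elliott": RW},
    "Wi-Fi password":  {"Wendy": FULL, "Sam": RW, "Elliott": RW},
    "Bank login":      {"Wendy": FULL, "Sam": RW, "Elliott": RO},
    "Tax records":     {"Wendy": FULL, "Sam": RW, "Elliott": set()},
}

if __name__ == "__main__":
    for n, vault in enumerate(plan_vaults(WISHES), 1):
        print(f"Vault {n}: {vault['items']}")
        for person, flags in sorted(vault["people"].items()):
            print(f"  {person}: {sorted(flags)}")
```

With these wishes the four items need three vaults, since Elliott's access differs on the bank login and the tax records.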

This discussion has been closed.