Looking for detailed documentation of vault permissions (their meaning and impact)

I would like to granularly set vault permissions, reflecting the complementary role and responsibility of our IT admins, team / project leaders and team members. Unfortunately, I couldn't find a detailed explanation of each permission setting and potential dependencies, beyond the documentation at https://support.1password.com/teams-admin-access-control/

I'm particularly interested in the impact of the nested structure of the permission values, e.g.:
What would it mean if I DON'T tick the "read", but I DO tick the subordinated permissions for "Reveal Passwords" and "View History"? How would this setting be different from ticking all three options?
The similar question would apply to the nested structure of the "Write" and "Export" permission settings.

Thank you,
Robert


1Password Version: 6.3.2
Extension Version: Not Provided
OS Version: 10.10.5
Sync Type: Not Provided

Comments

  • Hi @robert_ha! Welcome to the forum, and thanks for asking about this. :) There are a few levels to things here. First off, if you disable the main Read permission, you won't see the vault anywhere so you can't use any of the other permissions. Read allows you to actually see the vault in the main interface, and in the apps. Without that, you could see it in the Admin Console if you have the Manage permission. Otherwise everything is dependent upon Read being enabled. The sub-permissions of Read, and of Write, don't do anything without it.

    Once Read is enabled, quite a bit of possibility opens up. You don't need to enable the general Write permission if you want one of them to be available, for example. You can use the four granular ones instead. If you'd like to give the member or group editing permission on items, though, they need the main Write one enabled, as well as "Reveal password" because they would be able to see the password if they are editing the item. ;)

    In the case of Export, Print does what you'd expect and Send allows you to move an item or send it with one of the methods in the apps. The main Export permission allows you to export the whole vault from the apps, or just a few items.

    There's another level of things as well: Custom groups. You can give members special permissions by creating groups for them. Learn more in our custom groups guide.

    Hope that helps, and let us know if you have some more questions. :)

This discussion has been closed.