Feature Request: Selective Access to Vault Items for Team Members

We have vaults for each team within our department: AppDev, Service Desk, Network Engineers, Server Engineers, etc. We are running into issues where the support matrix for some systems requires that triage handled by service desk requires them to check basic things before escalating. They need to gain access to credentials managed by the system owner and those credentials exist in a different vault.

Currently, the process is for the person needing the credential to have someone with access to the vault where it is stored send them a copy from the web interface.

Proposed Solution: Selective access to items in a vault for other team members. Similar to inviting a guest to a single item, this would allow vault managers to grant access to individual items without the other team member needing access to the entire vault. This could be accomplished with a one-time temporary link that shows the password to the other team member or places the password into a dynamically created vault "Shared with Me", or something else. Ultimately, we need a way to:

  1. Solve the problem that doesn't require granting unnecessary access to an entire vault when only a single item is needed.
  2. Does not result in multiple copies of a password (that could become outdated if not all are updated at the same time)

1Password Version: 7.3.705
Extension Version: Not Provided
OS Version: Windows 10 1903
Sync Type: Not Provided


  • BenBen AWS Team

    Team Member

    Hi @rwsmith_scf

    Thanks for the feedback on this. It is definitely not an uncommon problem, and is something we'd like to find a way to address the need. There are some real challenges, both from a security modeling perspective, and a UI perspective, though. We're doing some brainstorming internally as well as gathering feedback via posts like this. I can't make any promises at this stage but we are hopeful we can offer something in this regard in the future.


  • We have something similar: A team of developers share one vault. Some items are with shared credentials, like basic auth URLs. Some items have personalized credentials and so they can't share that with the team. But every member has that item with the same URL in their personal vault - which is bad in case the URL changes and every developer has to get that item/url up to date.

    I suggest, that every item in a vault can have shared sections (groups). Those have to be easily to identify to not share personal stuff by accident. With that you can have a shared Item like "Server A" with url https://example.org and a personalized group of information like the credentials (username, password, ...).
    Maybe the personal vault can store something like a shadow-item of that which strores the group and references the entry in the shared vault.

  • BenBen AWS Team

    Team Member
    edited August 2019

    I think that is a slightly different and more complex use case than what the OP was talking about, @sja; but very interesting thought none the less. That sounds like an even more challenging UI problem to solve, but I do really like the idea. It sort of comes back to the idea of customizable templates, but on a more micro level. I'll pass the thoughts on to the rest of the team the next time we're brainstorming around this sort of problem.

    Thanks for sharing. :)


    ref: internal/b5book#1001

This discussion has been closed.