Forum Discussion

billshk13
New Contributor
26 days ago

Vault and user permissions

I would like to see the 1Password manager work as follows:

For a shared vault, I would like to see it work so that whichever member of the shared vault added an item to the shared vault can give that item permissions where the other members cannot move the item out of the shared vault.

I know that the shared vault can have the permissions of all those that are shared in it set to 'Allow viewing', but then that would not allow them to create new items for the share (and I assume they would not be allowed to move one of their items to the shared vault). I would like to see a shared vault be accessible by everyone who is allowed to see it, and in some cases, be able to edit some items but maybe not all the items. So having a vault-wide permission does not satisfy this need; it needs to also have item permissions as well, at least when inside a shared vault.

I am looking to be able to have the items have separate permissions from the vault so that whoever moves an item to the shared vault can make it viewable but not movable. I would like to see a shared vault act like every item in it is owned (controlled) by the user that moved it there. This would prevent an issue where someone could move an item that doesn't belong to them out of the shared vault and into their own private vault, effectively stealing the item from everyone else. So, in a sense, whoever moves an item into the vault would be the only one (besides the account's admin) allowed to move it out of the shared vault.

I cannot see any way to prevent this at this time, unless I am missing something, because as I stated, if I give a user view-only permissions, they cannot add (move) items into the shared vault, correct?

1 Reply

  • Tom
    Dedicated Contributor

    FWIW I've shared a comparable statement with the 1P project team for my current employer about this. Not specifically per item, but to answer your question, 'copy' is different from 'edit' but comes with 'share' by default. We have a couple of vaults where everyone may add/edit but we opted against delete and move. Which is fine, but this also disallows 'duplicating'. These require 'copy' which unfortunately includes 'share'.

    So to add to your request, besides granularity in 'which' items (which you seem to be requesting), I'd like to add more differentiation between 'move' and 'duplicate (within vault)' as well.

    To highlight, if you allow 'move' it ticks the 'copy and share' above it: (this is from vault grants screen in the web ui).