Grant and revoke vault permissions
With 1Password CLI, you can manage the permissions each user or group has in each vault, so that everyone has access to the items they need.
Some permissions require dependent permissions. On interactive shells, you can specify any permission, and 1Password CLI will ask you whether you want to add or revoke dependent permissions. If you're using scripts, or your shell isn't interactive, you must include dependent permissions in the command.
Learn what permissions are available for your account type.
Requirements
Before you can use 1Password CLI to manage vault permissions, you'll need to:
You can manage vault permissions if you're an owner, administrator, or if you have the manage_vault permission in a vault.
Grant permissions in vaults
Users
Use op vault user grant to grant a user permissions in a vault.
For example, to grant the user Wendy Appleseed permission to edit items and manage vault permissions in the Prod vault:
If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions:
To confirm which users have access to a vault and their current permissions:
Groups
Use op vault group grant to grant a group permissions in a vault.
For example, to grant the group IT permission to edit items and manage vault permissions in the Prod vault:
If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions:
To confirm which groups have access to a vault and their current permissions:
Revoke permissions in vaults
Users
Use op vault user revoke to revoke a user's permissions in a vault.
For example, to revoke the user Wendy Appleseed's permission to view items in the Prod vault:
If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions:
To confirm that the user's permissions have been revoked:
Groups
Use op vault group revoke to revoke a group's permissions in a vault.
For example, to revoke the group IT's permission to view items in the Prod vault:
If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions:
To confirm the group's permissions have been revoked:
Scripting
If you're using scripts to grant and revoke vault permissions, or if your shell isn't interactive, you'll need to include the --no-input flag and specify all dependent permissions in a comma-separated list after the --permissions flag.
For example, the allow_managing permission requires the allow_editing and allow_viewing permission. To grant the user Wendy Appleseed permission to manage vault permissions in the Prod vault:
To revoke allow_editing from a group that currently also has allow_managing granted in a vault: