Add and remove team members
Requirements
Before you can use 1Password CLI to add and remove team members, you'll need to:
Turn on automated provisioning with 1Password CLI
To get started, an owner or administrator must visit the Provisioning settings page on 1Password.com and select Turn On CLI Provisioning. This will create a Provision Managers group with the permissions needed to provision and confirm team members, as well as recover accounts. The person who created the group will be added to it.
Manage who can provision team members
By default, the owner or administrator who created the Provision Managers group is the only person added to it. If other team members need to be able to provision users, use op group user grant to add them to the group.
For example, to add Wendy Appleseed to the Provision Managers group:
To see a list of everyone in the Provision Managers group:
Add team members
To invite people to your team, use op user provision with the team member's name and email address.
For example, to invite Wendy Appleseed to join your 1Password account:
The person will receive an email invitation to join the team. After they've accepted the invitation, a member of the Provision Managers group can confirm them.
Confirm team members
Anyone who belongs to the Provision Managers group can confirm new team members with op user confirm or on 1Password.com.
With op user confirm
To confirm a team member on the command line, use op user confirm with their name or email address. To confirm all unconfirmed team members, include the --all flag.
For example, to confirm Wendy Appleseed:
To confirm all pending users:
On 1Password.com
To confirm a team member on 1Password.com:
- Sign in to your account on 1Password.com.
- Select People in the sidebar.
- Select the name of any team member with the Pending Provision status.
- Select Confirm or Reject.
If you don't see the option to confirm or reject a team member, ask your administrator to add you to the Provision Managers group.
Remove team members
To remove someone's access to vaults and items, you can suspend or delete their account.
Suspend an account temporarily
Use op user suspend to suspend a team member temporarily.
Include the --deauthorize-devices-after flag, followed by the number of seconds, minutes, or hours (for example, 600s, 10m, or 1h) to set the time after suspension to deauthorize the suspended team member's devices. If unspecified, their devices will be deauthorized immediately.
For example, to suspend Wendy Appleseed temporarily and deauthorize her devices after 10 minutes:
You can reactivate a suspended user with op user reactivate.
Remove an account permanently
Use op user delete to permanently remove a team member's access to vaults and items and delete all of their data from the account.
For example, to remove Wendy Appleseed: