Manage vault permissions using 1Password SDKs
If you have 1Password Business or 1Password Teams, you can manage your team members' vault access at the group level.
We recommend authenticating with the 1Password desktop app to manage vault permissions. Service accounts can only manage permissions for vaults created by the service account.
Some vault permissions require dependent permissions. You must grant or remove all required dependent permissions or the operation will fail. The permissions available to you depend on your account type. See 1Password Business vault permissions and 1Password Teams vault permissions for more information.
See the examples folder in the 1Password Go, JavaScript, or Python SDK GitHub repository for full example code you can quickly clone and test in your project.
Grant vault permissions
Go:

Use the Vaults().GrantGroupPermissions() method to grant vault permissions to all team members who belong to a specific group. This method requires the following:
- vaultID: The unique identifier of the vault.
- A slice of one or more GroupAccess structs that each contain:
  - GroupID: The unique identifier of the group.
  - Permissions: A bitmask of vault permissions to grant to the group. You can combine multiple permissions using the bitwise OR operator (|).

JavaScript:

Use the vaults.grantGroupPermissions() method to grant vault permissions to all team members who belong to a specific group. This method requires the following:
- vaultId: The unique identifier of the vault.
- An array of one or more objects that each contain:
  - group_id: The unique identifier of the group.
  - permissions: A bitmask of vault permissions to grant to the group. You can combine multiple permissions using the bitwise OR operator (|).

Python:

Use the vaults.grant_group_permissions() method to grant vault permissions to all team members who belong to a specific group. This method requires the following:
- vault_id: The unique identifier of the vault.
- A list of one or more GroupAccess objects that each contain:
  - group_id: The unique identifier of the group.
  - permissions: A bitmask of vault permissions to grant to the group. You can combine multiple permissions using the bitwise OR operator (|).
Update vault permissions
Make sure to specify all the permissions the group should have in the vault. This method completely replaces all existing permissions.
Go:

Use the Vaults().UpdateGroupPermissions() method to replace a group's existing permissions in a vault. This method accepts a slice of one or more GroupVaultAccess structs that each contain:
- VaultID: The unique identifier of the vault.
- GroupID: The unique identifier of the group.
- Permissions: A bitmask of the complete set of updated vault permissions. You can combine multiple permissions using the bitwise OR operator (|).

JavaScript:

Use the vaults.updateGroupPermissions() method to replace a group's existing permissions in a vault. This method accepts an array of one or more GroupVaultAccess objects that each contain:
- vaultID: The unique identifier of the vault.
- groupID: The unique identifier of the group.
- permissions: A bitmask of the complete set of updated vault permissions. You can combine multiple permissions using the bitwise OR operator (|).

Python:

Use the vaults.update_group_permissions() method to replace a group's existing permissions in a vault. This method accepts a list of one or more GroupVaultAccess objects that each contain:
- vault_id: The unique identifier of the vault.
- group_id: The unique identifier of the group.
- permissions: A bitmask of the complete set of updated vault permissions. You can combine multiple permissions using the bitwise OR operator (|).
Revoke vault permissions
Go:

Use the Vaults().RevokeGroupPermissions() method to completely remove a group's access to a vault. This method requires the following:
- vaultID: The unique identifier of the vault.
- groupID: The unique identifier of the group whose permissions you want to revoke.

JavaScript:

Use the vaults.revokeGroupPermissions() method to completely remove a group's access to a vault. This method requires the following:
- vaultID: The unique identifier of the vault.
- groupID: The unique identifier of the group whose permissions you want to revoke.

Python:

Use the vaults.revoke_group_permissions() method to completely remove a group's access to a vault. This method requires the following:
- vault_id: The unique identifier of the vault.
- group_id: The unique identifier of the group whose permissions you want to revoke.
Appendix: Vault permissions
The permissions available to you depend on your account type: 1Password Business or 1Password Teams.
1Password Business vault permissions
In 1Password Business, all vault permissions have a hierarchical relationship in which narrower permissions require broader permissions to be granted alongside them.
For example, to grant the narrower permission DELETE_ITEMS you must also grant the broader permissions EDIT_ITEMS, REVEAL_ITEM_PASSWORD, and READ_ITEMS. This is because you cannot delete items unless you can also view and edit them.
Similarly, to revoke a broader permission like READ_ITEMS, any narrower dependent permissions like DELETE_ITEMS that have already been granted must also be revoked.
| Permission | Description | Required dependencies | Integer |
|---|---|---|---|
| READ_ITEMS | View items in the vault. | None | 32 |
| CREATE_ITEMS | Create items in the vault. | READ_ITEMS | 128 |
| REVEAL_ITEM_PASSWORD | View and copy concealed password fields in the vault. | READ_ITEMS | 16 |
| UPDATE_ITEMS | Edit items in the vault. | READ_ITEMS, REVEAL_ITEM_PASSWORD | 64 |
| ARCHIVE_ITEMS | Move items in the vault to the Archive. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEMS | 256 |
| DELETE_ITEMS | Delete items in the vault. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEMS | 512 |
| UPDATE_ITEM_HISTORY | View and restore item history. | READ_ITEMS, REVEAL_ITEM_PASSWORD | 1024 |
| IMPORT_ITEMS | Move or copy items into the vault. | READ_ITEMS, CREATE_ITEMS | 2097152 |
| EXPORT_ITEMS | Save items in the vault to an unencrypted file that other apps can read. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY | 4194304 |
| SEND_ITEMS | Copy and share items. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY | 1048576 |
| PRINT_ITEMS | Print the contents of items in the vault. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY | 8388608 |
| MANAGE_VAULT | Grant and revoke access to the vault, change permissions for others, and delete the vault. This permission doesn’t include any item viewing or editing permissions. | None | 2 |
| NO_ACCESS | Grants a group access entry to a vault without any permissions in it. | | 0 |
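
The following is an added example, not code from the 1Password SDKs or their examples folder. It encodes the Integer and Required dependencies columns of the table above and checks a bitmask locally before it is used as the permissions value in a grant or update call. The function names (mask_of, missing_dependencies, grant_mask, mask_without) are hypothetical helpers, and the code makes no SDK calls.

```python
# Integer values from the 1Password Business permissions table.
VALUE = {
    "MANAGE_VAULT": 2, "REVEAL_ITEM_PASSWORD": 16, "READ_ITEMS": 32,
    "UPDATE_ITEMS": 64, "CREATE_ITEMS": 128, "ARCHIVE_ITEMS": 256,
    "DELETE_ITEMS": 512, "UPDATE_ITEM_HISTORY": 1024, "SEND_ITEMS": 1048576,
    "IMPORT_ITEMS": 2097152, "EXPORT_ITEMS": 4194304, "PRINT_ITEMS": 8388608,
}
_VIEW = ["READ_ITEMS", "REVEAL_ITEM_PASSWORD"]
# "Required dependencies" column of the same table.
REQUIRES = {
    "CREATE_ITEMS": ["READ_ITEMS"],
    "REVEAL_ITEM_PASSWORD": ["READ_ITEMS"],
    "UPDATE_ITEMS": _VIEW,
    "UPDATE_ITEM_HISTORY": _VIEW,
    "ARCHIVE_ITEMS": _VIEW + ["UPDATE_ITEMS"],
    "DELETE_ITEMS": _VIEW + ["UPDATE_ITEMS"],
    "IMPORT_ITEMS": ["READ_ITEMS", "CREATE_ITEMS"],
    "EXPORT_ITEMS": _VIEW + ["UPDATE_ITEM_HISTORY"],
    "SEND_ITEMS": _VIEW + ["UPDATE_ITEM_HISTORY"],
    "PRINT_ITEMS": _VIEW + ["UPDATE_ITEM_HISTORY"],
}

def mask_of(names):
    """Combine named permissions with bitwise OR."""
    mask = 0
    for name in names:
        mask |= VALUE[name]
    return mask

def names_in(mask):
    return {n for n, v in VALUE.items() if mask & v}

def missing_dependencies(mask):
    """Granted permission -> dependencies absent from mask (empty dict = valid)."""
    gaps = {n: [d for d in REQUIRES.get(n, []) if not mask & VALUE[d]]
            for n in names_in(mask)}
    return {n: g for n, g in gaps.items() if g}

def grant_mask(*names):
    """Bitmask for names plus every permission they require."""
    mask = mask_of(names)
    while missing_dependencies(mask):
        mask |= mask_of(d for g in missing_dependencies(mask).values() for d in g)
    return mask

def mask_without(current, name):
    """Complete replacement mask after removing name and all its dependents."""
    drop = {name}
    while True:
        more = {n for n in names_in(current) - drop
                if drop & set(REQUIRES.get(n, []))}
        if not more:
            return current & ~mask_of(drop)
        drop |= more
```

Because the update method replaces the whole permission set, mask_without returns the full remaining mask rather than a delta.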
1Password Teams vault permissions
1Password Teams includes three broad permission levels made up of collections of the granular vault permissions available in 1Password Business. You'll need to grant or revoke all the permissions for the desired permission level.
The permission levels have a hierarchical relationship. To grant Allow editing, you must also grant the permissions included in Allow viewing.
| Permission | Description | Includes permissions |
|---|---|---|
| Allow viewing | View items in a vault, view concealed passwords and copy them to the clipboard. | READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY |
| Allow editing | Create, edit, move, print, copy, archive, and delete items in the vault. Requires the Allow viewing permission level to be granted. | CREATE_ITEMS, UPDATE_ITEMS, ARCHIVE_ITEMS, DELETE_ITEMS, IMPORT_ITEMS, EXPORT_ITEMS, SEND_ITEMS, PRINT_ITEMS |
| Allow managing | Grant and revoke access to the vault, change permissions for others, and delete the vault. | MANAGE_VAULT |