Skip to main content

Manage vaults using 1Password SDKs Beta

The Vaults class provides methods for managing vaults in 1Password. The SDK can only get information about vaults that the authenticated user or service account has access to.

If you have 1Password Business or 1Password Teams, you can manage your team members' vault access at the group level.

Requirements

To use this feature, you'll need to install the 1Password SDK from the beta branch:

Get a vault overview

You can use Vaults.GetOverview to retrieve high-level metadata about a specific vault.

The following example uses the vaultID variable to specify the unique identifier (ID) of the vault to fetch.

Get vault details

You can use Vaults.Get to retrieve the complete object for a specific vault.

The following example gets the full details for the vault you fetched in the previous step.

Manage vault permissions

Managing vault permissions requires 1Password Business or 1Password Teams.

caution

Some vault permissions require dependent permissions. You must grant or remove all required dependent permissions or the operation will fail. The permissions available to you depend on your account type. See 1Password Business vault permissions and 1Password Teams vault permissions for more information.

Grant vault permissions

You can use Vaults.GrantGroupPermissions to grant team members who belong to a group permissions in a vault. Every member of the group receives the same permissions.

First provide the unique identifier for the target vault, then pass a list of one or more GroupAccess objects.

Each object represents a group and the permissions it should receive in the vault, and must include the unique identifier for the group and a permissions value.

Update vault permissions

You can use Vaults.UpdateGroupPermissions to replace a group's existing permissions in a vault.

Provide a list of updates you want to make. Each object must contain three pieces:

  • The unique identifier for the group whose permissions you want to change.
  • The unique identifier for the target vault where you want to update the group's permissions.
  • The complete set of updated permissions the group should have in the vault.
caution

Make sure to specify all the permissions the group should have in the vault. This method completely replaces all existing permissions.

Revoke vault permissions

You can use Vaults.RevokeGroupPermissions to completely revoke a group's permissions in a vault.

Provide the unique identifier for the target vault and group. All team members in the group will have their permissions in the vault revoked.

Appendix: Vault permissions

The permissions available to you depend on your account type: 1Password Business or 1Password Teams.

1Password Business vault permissions

In 1Password Business, all vault permissions have a hierarchical relationship in which narrower permissions require broader permissions to be granted alongside them.

For example, to grant the narrower permission DELETE_ITEMS you must also grant the broader permissions EDIT_ITEMS, REVEAL_ITEM_PASSWORD, and READ_ITEMS. This is because you cannot delete items unless you can also view and edit them.

Similarly, to revoke a broader permission like READ_ITEMS, any narrower dependent permissions like DELETE_ITEMS that have already been granted must also be revoked.

PermissionIntegerDescriptionRequired dependencies
READ_ITEMS32View items in the vault.None
CREATE_ITEMS128Create items in the vault.READ_ITEMS
REVEAL_ITEM_PASSWORD16View and copy concealed password fields in the vault.READ_ITEMS
UPDATE_ITEMS64Edit items in the vault.READ_ITEMS, REVEAL_ITEM_PASSWORD
ARCHIVE_ITEMS256Move items in the vault to the Archive.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEMS
DELETE_ITEMS512Delete items in the vault.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEMS
UPDATE_ITEM_HISTORY1024View and restore item history.READ_ITEMS, REVEAL_ITEM_PASSWORD
IMPORT_ITEMS2097152Move or copy items into the vault.READ_ITEMS, CREATE_ITEMS
EXPORT_ITEMS4194304Save items in the vault to an unencrypted file that other apps can read.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY
SEND_ITEMS1048576Copy and share items.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY
PRINT_ITEMS8388608Print the contents of items in the vault.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY
MANAGE_VAULT2Grant and revoke access to the vault, change permissions for others, and delete the vault. This permission doesn’t include any item viewing or editing permissions.None
NO_ACCESS0Grants a group access entry to a vault without any permissions in it.

1Password Teams vault permissions

1Password Teams includes three broad permission levels made up of collections of the granular vault permissions available in 1Password Business. You'll need to grant or revoke all the permissions for the desired permission level.

The permission levels have a hierarchical relationship. To grant Allow editing, you must also grant the permissions included in Allow viewing.

PermissionDescriptionIncludes permissions
Allow viewingView items in a vault, view concealed passwords and copy them to the clipboard.READ_ITEMS, REVEAL_ITEM_PASSWORD, UPDATE_ITEM_HISTORY
Allow editingCreate, edit, move, print, copy, archive, and delete items in the vault. Requires the Allow viewing permission level to be granted.CREATE_ITEMS, UPDATE_ITEMS, ARCHIVE_ITEMS, DELETE_ITEMS, IMPORT_ITEMS, EXPORT_ITEMS, SEND_ITEMS, PRINT_ITEMS
Allow managingGrant and revoke access to the vault, change permissions for others, and delete the vault.MANAGE_VAULT

Was this page helpful?