Team Vault access

patrickgib

When I add a new user to the team, it shows 0 vaults. When I click on the Manage button, underneath the main team vault, it says "Everyone in your team can view and edit items in this vault." but the checkbox is not checked and I can toggle its state.

Do I need to manually activate this vault for each new person or not? It's really unclear, and the wording underneath it contradicts the interface.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

@patrickgib: You shouldn't have to, but it does depend on how you have things setup. Do you maybe have different group permissions configured that would apply to this user? I apologize if this is a silly question, but after they were invited and setup their account, were they confirmed by an admin so that their account is active? Also, keep in mind that while normal members will automatically get access to their own Personal/Private vault and shared vaults (again, depending on your setup), Guests will only have access to a single vault you explicitly share with them. Let me know what you find!

patrickgib

Hi, @brenty: I don't think things are set up in any way where all users wouldn't have access to the Team Vault. But with each new person I add, I go through the same, confusing toggle whose function contradicts what is written below.

Lars

@patrickgib -- Thanks for the animation! :) The way things work is that users can either have direct access to a resource (vault), or they can have it by virtue of their membership in another group. If you have granted the Team Members group access to a particular vault, then any member of that group (which is everyone) would have access to it, without specifically having to toggle their access on/off. You should be able to verify this either by yourself or with the help of a teammate. Let us know if you have any problems.

patrickgib

Okay, I guess that makes sense. Though from a UI point of view, if the person is a member of a team (Team Members in this case), and that team has access to a particular vault, it's confusing to present this toggle which I presume has no effect on the person's access to this vault. If it was checked and greyed out, it would be more clear of this implicit access. I end up checking it each time anyway because I'm not sure, and I'd rather just play it safe, and I don't know whether or not to trust what's written below the vault name or not.

john_m

@patrickgib Actually, it can make a difference, depending on how you set things up. As Lars said, a person can be granted access to a vault in two ways; either via a group membership (such as the "Team Members" group), and directly (by adding that person to the "People" section of a vault's permission settings).

Different permissions can be set on both types of access for the same person; so for example, "Team Members" might only be given "Allow Viewing" permissions on a vault, allowing them to view but not edit the contents of a vault... while the "People" section of a vault's permissions might grant a specific member of the "Team Members" group "Allow Editing" permissions on that same vault.

This is why we separate group membership and direct vault permissions when looking at an account member's profile page in the administrator console. To fully audit the list of vaults a given account member has access to, take the list of vaults in the "Vaults" section of their admin console profile page, and add to it the list of vaults from each group they're a member of as well (you can click the group name on their admin profile page to be taken directly to that group's configuration page).

I hope that helps to clear things up! :+1: