With 1Password CLI, you can manage the permissions each user or group has in each vault, so that everyone has access to the items they need.
Some permissions require dependent permissions. On interactive shells, you can specify any permission, and 1Password CLI will ask you whether you want to add or revoke dependent permissions. If you’re using scripts, or your shell isn’t interactive, you must include dependent permissions in the command.
Learn what permissions are available for your account type.
Requirements
Before you can use 1Password CLI to , you’ll need to:
You can manage vault permissions if you’re an owner, administrator, or if you have the manage_vault permission in a vault.
Grant permissions in vaults
Users
Use op vault user grant to grant a user permissions in a vault.
For example, to grant the user Wendy Appleseed permission to edit items and manage vault permissions in the Prod vault:
op vault user grant --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_editing,allow_managing
In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required.
Would you like to grant them as well? [Y/n]
op vault user list <vault>
Groups
Use op vault group grant to grant a group permissions in a vault.
For example, to grant the group IT permission to edit items and manage vault permissions in the Prod vault:
op vault group grant --group "IT" --vault Prod --permissions allow_editing,allow_managing
In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required.
Would you like to grant them as well? [Y/n]
op vault group list <vault>
Revoke permissions in vaults
Users
Use op vault user revoke to revoke a user’s permissions in a vault.
For example, to revoke the user Wendy Appleseed’s permission to view items in the Prod vault:
op vault user revoke --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_viewing
In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required.
Would you like to revoke them as well? [Y/n]
op vault user list <vault>
Groups
Use op vault group revoke to revoke a group’s permissions in a vault.
For example, to revoke the group IT’s permission to view items in the Prod vault:
op vault group revoke --group "IT" --vault Prod --permissions allow_viewing
In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required.
Would you like to revoke them as well? [Y/n]
op vault group list <vault>
Scripting
If you’re using scripts to grant and revoke vault permissions, or if your shell isn’t interactive, you’ll need to include the --no-input flag and specify all dependent permissions in a comma-separated list after the --permissions flag.
For example, the allow_managing permission requires the allow_editing and allow_viewing permission. To grant the user Wendy Appleseed permission to manage vault permissions in the Prod vault:
op vault user grant --no-input --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_managing,allow_editing,allow_viewing
allow_editing from a group that currently also has allow_managing granted in a vault:
op vault group revoke --no-input --group "IT" --vault Prod --permissions allow_managing,allow_editing
Learn more
