> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage vault permissions using 1Password SDKs

export const Image = ({src, darkSrc, alt, width, border, height, round}) => {
  const classNames = ["mint-mx-4"];
  if (border) {
    classNames.push("mint-rounded-sm");
  }
  if (round) {
    classNames.push("mint-rounded-lg");
  }
  const style = {};
  if (width) style.width = typeof width === "number" ? `${width}px` : width;
  if (height) style.height = typeof height === "number" ? `${height}px` : height;
  return darkSrc ? <>
      <img src={src} alt={alt} className={[...classNames, "dark:hidden"].join(" ")} style={Object.keys(style).length > 0 ? style : undefined} />
      <img src={darkSrc} alt={alt} className={[...classNames, "hidden dark:block"].join(" ")} style={Object.keys(style).length > 0 ? style : undefined} onError={e => {
    e.target.src = src;
  }} />
    </> : <img src={src} alt={alt} className={classNames.join(" ")} style={Object.keys(style).length > 0 ? style : undefined} />;
};

If you have [1Password Business](https://1password.com/business-security) or [1Password Teams](https://1password.com/product/teams-small-business-password-manager), you can manage your team members' vault access at the group level.

We recommend authenticating with the [1Password desktop app](/sdks/concepts#1password-desktop-app) to manage vault permissions. Service accounts can only manage permissions for vaults created by the service account.

<Warning>
  Some vault permissions require dependent permissions. You must grant or remove all required dependent permissions or the operation will fail. The permissions available to you depend on your account type. See [1Password Business vault permissions](#1password-business-vault-permissions) and [1Password Teams vault permissions](#1password-teams-vault-permissions) for more information.
</Warning>

## Before you get started

Before you begin, [follow the steps to get started](/sdks#get-started) with a 1Password SDK. The examples on this page assume you have an initialized `client` instance. For example:

<Tabs groupId="sdks">
  <Tab value="go" title="Go">
    {/* markdownlint-disable MD046 */}

    ```go theme={null}
    package main

    import (
    	"context"

    	"github.com/1password/onepassword-sdk-go"
    )

    func main() {
    	// TODO: Initialize client using your preferred authentication method (see Overview > Get started)
    	client, err := onepassword.NewClient(context.Background(),
    	)
    	if err != nil {
    		panic(err)
    	}

    	// Your code here
    }

    ```
  </Tab>

  <Tab value="js" title="JavaScript">
    {/* markdownlint-disable MD046 */}

    <Tabs groupId="sdk-before-start-js">
      <Tab value="esm" title="ES Modules">
        ```javascript theme={null}
        import sdk from "@1password/sdk";

        async function main() {
          const client = await sdk.createClient({
            // TODO: Initialize client using your preferred authentication method (see Overview > Get started)
          });

          // Your code here
        }

        main().catch(console.error);

        ```
      </Tab>

      <Tab value="cjs" title="CommonJS">
        ```javascript theme={null}
        const sdk = require("@1password/sdk");

        async function main() {
          const client = await sdk.createClient({
            // TODO: Initialize client using your preferred authentication method (see Overview > Get started)
          });

          // Your code here
        }

        main().catch(console.error);

        ```
      </Tab>
    </Tabs>
  </Tab>

  <Tab value="python" title="Python">
    {/* markdownlint-disable MD046 */}

    ```python theme={null}
    import asyncio

    from onepassword import Client  # Also import DesktopAuth for desktop app authentication.

    async def main():
        # TODO: Initialize client using your preferred authentication method (see Overview > Get started)
        client = await Client.authenticate(...)

        # Your code here

    asyncio.run(main())

    ```
  </Tab>
</Tabs>

<Tip>
  See the examples folder in the 1Password [Go](https://github.com/1Password/onepassword-sdk-go/tree/main/example), [JavaScript](https://github.com/1Password/onepassword-sdk-js/tree/main/examples), or [Python](https://github.com/1Password/onepassword-sdk-python/tree/main/example) SDK GitHub repository for full example code you can quickly clone and test in your project.
</Tip>

## Grant vault permissions

<Tabs groupId="sdks">
  <Tab value="go" title="Go">
    Use the [`Vaults().GrantGroupPermissions()`](https://github.com/1Password/onepassword-sdk-go/blob/main/vaults.go#L144) method to grant vault permissions to all team members who belong to a specific group. This method requires the following:

    * `vaultID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * A slice of one or more [`GroupAccess`](https://github.com/1Password/onepassword-sdk-go/blob/main/types.go#L129) structs that each contain:
      * `GroupID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
      * `Permissions`: A bitmask of [vault permissions](#appendix-vault-permissions) to grant to the group. You can combine multiple permissions using the bitwise OR operator (`|`).

    ```go theme={null}
    // Grant group permissions to a vault.
    groupAccess := onepassword.GroupAccess{
    	GroupID:     groupID,
    	Permissions: onepassword.ReadItems,
    }
    err := client.Vaults().GrantGroupPermissions(context.Background(), vaultID, []onepassword.GroupAccess{groupAccess})
    if err != nil {
    	panic(err)
    }
    fmt.Println("Granted group", groupID, "permissions to vault", vaultID)
    ```
  </Tab>

  <Tab value="JS" title="JavaScript">
    Use the [`vaults.grantGroupPermissions()`](https://github.com/1Password/onepassword-sdk-js/blob/main/client/src/vaults.ts#L51) method to grant vault permissions to all team members who belong to a specific group. This method requires the following:

    * `vaultId`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * An array of one or more [`GroupAccess`](https://github.com/1Password/onepassword-sdk-js/blob/main/client/src/types.ts#L133) objects that each contain:
      * `group_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
      * `permissions`: A bitmask of [vault permissions](#appendix-vault-permissions) to grant to the group. You can combine multiple permissions using the bitwise OR operator (`|`).

    ```js theme={null}
    // Grant group permissions
    await client.vaults.grantGroupPermissions(vaultId, [
      { groupId, permissions: sdk.READ_ITEMS },
    ]);
    console.log(
      "Granted READ_ITEMS permissions to group",
      groupId,
      "on vault",
      vaultId,
    );
    ```
  </Tab>

  <Tab value="python" title="Python">
    Use the [`vaults.grant_group_permissions()`](https://github.com/1Password/onepassword-sdk-python/blob/main/src/onepassword/vaults.py#L155) method to grant vault permissions to all team members who belong to a specific group. This method requires the following:

    * `vault_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * A list of one or more [`GroupAccess`](https://github.com/1Password/onepassword-sdk-python/blob/main/src/onepassword/types.py#L245) objects that each contains:
      * `group_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
      * `permissions`: A bitmask of [vault permissions](#appendix-vault-permissions) to grant to the group. You can combine multiple permissions using the bitwise OR operator (`|`).

    The following example grants a group permission to read items in a vault.

    ```python theme={null}
    from onepassword import GroupAccess, READ_ITEMS

    vault_id = "your-vault-id"
    group_id = "your-group-id"

    # Grant group permissions in a vault
    await client.vaults.grant_group_permissions(
        vault_id=vault_id,
        group_permissions_list=[
            GroupAccess(
                group_id=group_id,
                permissions=READ_ITEMS,
            )
        ],
    )
    print(f"Granted group {group_id} permissions to vault {vault_id}")
    ```
  </Tab>
</Tabs>

## Update vault permissions

<Warning>
  Make sure to specify **all** the permissions the group should have in the vault. This method completely replaces all existing permissions.
</Warning>

<Tabs groupId="sdks">
  <Tab value="go" title="Go">
    Use the [`Vaults().UpdateGroupPermissions()`](https://github.com/1Password/onepassword-sdk-go/blob/main/vaults.go#L153) method to replace a group's existing permissions in a vault. This method accepts a slice of one or more [`GroupVaultAccess`](https://github.com/1Password/onepassword-sdk-go/blob/main/types.go#L140) structs that each contains:

    * `VaultID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `GroupID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
    * `Permissions`: A bitmask of the complete set of updated [vault permissions](#appendix-vault-permissions). You can combine multiple permissions using the bitwise OR operator (`|`).

    ```go theme={null}
    // Update group permissions for a vault
    groupVaultAccess := onepassword.GroupVaultAccess{
    	GroupID:     groupID,
    	VaultID:     vaultID,
    	Permissions: onepassword.ReadItems | onepassword.CreateItems | onepassword.UpdateItems,
    }
    err = client.Vaults().UpdateGroupPermissions(context.Background(), []onepassword.GroupVaultAccess{groupVaultAccess})
    if err != nil {
    	panic(err)
    }
    fmt.Println(
    	"Updated group",
    	groupID,
    	"permissions to vault",
    	vaultID,
    )
    ```
  </Tab>

  <Tab value="JS" title="JavaScript">
    Use the [`vaults.updateGroupPermissions()`](https://github.com/1Password/onepassword-sdk-js/blob/main/client/src/vaults.ts#L59) method to replace a group's existing permissions in a vault. This method accepts an array of one or more [`GroupVaultAccess`](https://github.com/1Password/onepassword-sdk-js/blob/main/client/src/types.ts#L147) objects that each contains:

    * `vaultID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `groupID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
    * `permissions`: A bitmask of the complete set of updated [vault permissions](#appendix-vault-permissions). You can combine multiple permissions using the bitwise OR operator (`|`).

    ```js theme={null}
    // Update group permissions
    await client.vaults.updateGroupPermissions([
      {
        vaultId,
        groupId,
        permissions: sdk.READ_ITEMS | sdk.CREATE_ITEMS | sdk.UPDATE_ITEMS,
      },
    ]);
    console.log(
      "Updated group",
      groupId,
      "permissions to MANAGE_VAULT on vault",
      vaultId,
    );
    ```
  </Tab>

  <Tab value="python" title="Python">
    Use the [`vaults.update_group_permissions()`](https://github.com/1Password/onepassword-sdk-python/blob/main/src/onepassword/vaults.py#L181) method to replace a group's existing permissions in a vault. This method accepts a list of one or more [`GroupVaultAccess`](https://github.com/1Password/onepassword-sdk-python/blob/main/src/onepassword/types.py#L269) objects that each contains:

    * `vault_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `group_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group.
    * `permissions`: A bitmask of the complete set of updated [vault permissions](#appendix-vault-permissions). You can combine multiple permissions using the bitwise OR operator (`|`).

    The following example updates a group's permissions in a vault to give the group permission to read items, create items, and update items in the vault.

    The following example updates a group's permissions in a vault to give the group permission to read items, create items, and update items in the vault.

    ```python theme={null}
    from onepassword import CREATE_ITEMS, GroupVaultAccess, READ_ITEMS, UPDATE_ITEMS

    vault_id = "your-vault-id"
    group_id = "your-group-id"

    # Update group permissions in a vault
    await client.vaults.update_group_permissions(
        group_permissions_list=[
            GroupVaultAccess(
                vault_id=vault_id,
                group_id=group_id,
                permissions= READ_ITEMS | CREATE_ITEMS | UPDATE_ITEMS,
            )
        ],
    )
    print(f"Updated group {group_id} permissions to vault {vault_id}")
    ```
  </Tab>
</Tabs>

## Revoke vault permissions

<Tabs groupId="sdks">
  <Tab value="go" title="Go">
    Use the [`Vaults().RevokeGroupPermissions()`](https://github.com/1Password/onepassword-sdk-go/blob/main/vaults.go#L161) method to completely remove a group's access to a vault. This method requires the following:

    * `vaultID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `groupID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group whose permissions you want to revoke.

    ```go theme={null}
    // Revoke group permissions from a vault.
    err = client.Vaults().RevokeGroupPermissions(context.Background(), vaultID, groupID)
    if err != nil {
    	panic(err)
    }
    fmt.Println("Revoked group permissions from vault", vaultID)
    ```
  </Tab>

  <Tab value="JS" title="JavaScript">
    Use the [`vaults.revokeGroupPermissions()`](https://github.com/1Password/onepassword-sdk-js/blob/main/client/src/vaults.ts#L66) method to completely remove a group's access to a vault. This method requires the following:

    * `vaultID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `groupID`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group whose permissions you want to revoke.

    ```js theme={null}
    // Revoke group permissions
    await client.vaults.revokeGroupPermissions(vaultId, groupId);
    console.log(
      "Revoked group",
      groupId,
      "permissions on vault",
      vaultId,
    );
    ```
  </Tab>

  <Tab value="python" title="Python">
    Use the [`vaults.revoke_group_permissions()`](https://github.com/1Password/onepassword-sdk-python/blob/main/src/onepassword/vaults.py#L204) method to completely remove a group's access to a vault. This method requires the following:

    * `vault_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the vault.
    * `group_id`: The [unique identifier](/sdks/concepts#unique-identifiers) of the group whose permissions you want to revoke.

    ```python theme={null}
    vault_id = "your-vault-id"
    group_id = "your-group-id"

    # Revoke a group's permissions in a vault
    await client.vaults.revoke_group_permissions(
        vault_id=vault_id,
        group_id=group_id,
    )
    print(f"Revoked group {group_id}'s permissions in vault {vault_id}")
    ```
  </Tab>
</Tabs>

## Appendix: Vault permissions

The permissions available to you depend on your account type: [1Password Business](#1password-business-vault-permissions) or [1Password Teams](#1password-teams-vault-permissions).

### 1Password Business vault permissions

In 1Password Business, all vault permissions have a hierarchical relationship in which narrower permissions require broader permissions to be granted alongside them.

For example, to grant the narrower permission `DELETE_ITEMS` you must also grant the broader permissions `EDIT_ITEMS`, `REVEAL_ITEM_PASSWORD`, and `READ_ITEMS`. This is because you cannot delete items unless you can also view and edit them.

Similarly, to revoke a broader permission like `READ_ITEMS`, any narrower dependent permissions like `DELETE_ITEMS` that have already been granted must also be revoked.

| Permission             | Description                                                                                                                                                         | Required dependencies                                       | Integer |
| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | ------- |
| `READ_ITEMS`           | View items in the vault.                                                                                                                                            | None                                                        | 32      |
| `CREATE_ITEMS`         | Create items in the vault.                                                                                                                                          | `READ_ITEMS`                                                | 128     |
| `REVEAL_ITEM_PASSWORD` | View and copy concealed password fields in the vault.                                                                                                               | `READ_ITEMS`                                                | 16      |
| `UPDATE_ITEMS`         | Edit items in the vault.                                                                                                                                            | `READ_ITEMS`,  `REVEAL_ITEM_PASSWORD`                       | 64      |
| `ARCHIVE_ITEMS`        | Move items in the vault to the Archive.                                                                                                                             | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEMS`        | 256     |
| `DELETE_ITEMS`         | Delete items in the vault.                                                                                                                                          | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEMS`        | 512     |
| `UPDATE_ITEM_HISTORY`  | View and restore item history.                                                                                                                                      | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`                        | 1024    |
| `IMPORT_ITEMS`         | Move or copy items into the vault.                                                                                                                                  | `READ_ITEMS`, `CREATE_ITEMS`                                | 2097152 |
| `EXPORT_ITEMS`         | Save items in the vault to an unencrypted file that other apps can read.                                                                                            | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEM_HISTORY` | 4194304 |
| `SEND_ITEMS`           | Copy and share items.                                                                                                                                               | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEM_HISTORY` | 1048576 |
| `PRINT_ITEMS`          | Print the contents of items in the vault.                                                                                                                           | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEM_HISTORY` | 8388608 |
| `MANAGE_VAULT`         | Grant and revoke access to the vault, change permissions for others, and delete the vault. This permission doesn’t include any item viewing or editing permissions. | None                                                        | 2       |
| `NO_ACCESS`            | Grants a group access entry to a vault without any permissions in it.                                                                                               |                                                             | 0       |

### 1Password Teams vault permissions

1Password Teams includes three broad permission levels made up of collections of the [granular vault permissions](#1password-business-vault-permissions) available in 1Password Business. You'll need to grant or revoke all the permissions for the desired permission level.

The permission levels have a hierarchical relationship. To grant `Allow editing`, you must also grant the permissions included in `Allow viewing`.

| Permission     | Description                                                                                                                           | Includes permissions                                                                                                         |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| Allow viewing  | View items in a vault, view concealed passwords and copy them to the clipboard.                                                       | `READ_ITEMS`, `REVEAL_ITEM_PASSWORD`, `UPDATE_ITEM_HISTORY`                                                                  |
| Allow editing  | Create, edit, move, print, copy, archive, and delete items in the vault. Requires the `Allow viewing` permission level to be granted. | `CREATE_ITEMS`, `UPDATE_ITEMS`, `ARCHIVE_ITEMS`, `DELETE_ITEMS`, `IMPORT_ITEMS`, `EXPORT_ITEMS`, `SEND_ITEMS`, `PRINT_ITEMS` |
| Allow managing | Grant and revoke access to the vault, change permissions for others, and delete the vault.                                            | `MANAGE_VAULT`                                                                                                               |
