Security and privacy

How vault permissions are enforced in 1Password accounts

Vault permissions are enforced in three ways. From strongest to weakest: cryptography, server policy, and client policy.

Vaults in 1Password accounts have twelve permissions which can be set for each team member and group. All permissions are securely enforced, but not all are enforced in the same way. To help you make informed choices about the security of your team, 1Password labels permissions according to their method of enforcement.

Cryptographically-enforced permissions

These are the strongest permissions available in 1Password accounts. Only those who hold the cryptographic keys to a vault can perform these actions:

  • View Items

Cryptographic permissions can’t be overcome with a backdoor or a software exploit; nothing short of breaking the encryption would work. Because no one but you has the encryption keys for your team, no one can bypass those restrictions.

Revoking read access to a vault is a server-enforced permission. Once read access has been granted to a vault, it can't be taken away cryptographically.

Server-enforced permissions

These are the strongest policy-enforced permissions in 1Password accounts. They are enforced by the 1Password accounts server rather than the 1Password apps:

  • Edit Items
  • Create Items
  • Move Items to Trash
  • Empty Trash
  • Import Items
  • Manage Vault

A team member who can read a vault has its cryptographic keys, but the server can still limit their actions in the vault. If they try to make changes without write access, the server will reject those changes.

Server-enforced permissions are safe. They’re used by almost all online services – sometimes as the only method of permission enforcement. But they aren’t mathematically guaranteed like cryptographically-enforced permissions. They could in principle be bypassed by us or someone who has access to our server.

Client-enforced permissions

These are the weakest policy-enforced permissions in 1Password accounts. They are enforced by the 1Password apps, rather than the the laws of mathematics or the 1Password server:

  • View and Copy Passwords
  • View Item History
  • Export Items
  • Copy and Share Items
  • Print Items

A team member who can read a vault has its cryptographic keys, but the client can still limit what they can easily see and do in that vault. For example, passwords will be concealed from them in the 1Password apps if they don’t have the View and Copy Passwords permission. However, the unencrypted data is still on their devices and could be extracted with some effort, like filling a password into a page and then revealing it on that page.

A team member who is determined can easily overcome client-enforced permissions on their own device, so they’re most valuable as simple safeguards for people you already trust. A team member has to act deliberately and intentionally to violate these restrictions. These permissions shouldn’t be relied on to prevent hostile behaviour or enforce trust.

Multiple levels of enforcement

Permissions are labeled according to their strongest level of enforcement. However, most permissions are enforced in multiple ways at the same time.

For example, read access is enforced by all three levels: cryptography, server, and client policy. Someone who doesn’t have read access to a vault doesn’t have its cryptographic keys. At the same time, the server won’t send them the encrypted data, and the client won’t ask for it. This adds extra layers of security.

But even if the client were to ask for the data, or the server were to send it, the permission is still enforced by cryptography. Thus the Read permission is cryptographically-enforced.

Published: