Groups can be used to create custom access controls for individual vaults. This is often important for separation of duties, and also allows internal teams to securely manage data-intensive workflows. Groups can be created and managed by all account admins (users in your account with the admin role and higher). A group can be associated with multiple users and multiple vaults. Each vault added to a group can be given a specific permission level. Users within a group can be given one of two roles (excluding the admin role):
- Member: The default role. Group members are given access to all the associated vaults.
- Maintainer: People with the maintainer group role may edit the group’s name, description and visibility, as well as add and remove account users from the group.
Groups can also be visible or secret. Visible groups can be seen by all account members, and secret groups cannot. Users will soon be able to “request to join” any visible group in your account. Hidden groups are useful for hiding teams with sensitive names or people, such as those used for working with external partners or clients.
Note: People in your account with admin roles implicitly have admin-level permissions for all groups in your account. Only account admins (and members, if enabled) may create groups.
The following table outlines the permissions granted to group roles:
|View a visible group in your account||✓||✓||✓||✓|
|View a hidden group in your account||✓||✓||✓|
|Edit a group's name, description, or visibility||✓||✓|
|Delete a group||✓||✓|
|Add a vault to a group||✓||■|
|Remove a vault from a group||✓||✓|
|Add a member to a group||✓||✓|
|Remove a member from a group||✓||✓|
|Promote a member to maintainer||✓||✓|
|Demote a maintainer||✓||✓|
■ If you are a maintainer of the group and you have admin permission on the vault.
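The rules above can be modeled for an access review. The sketch below is an added example, not the product's own code or API. It resolves which vaults each user reaches through group membership, applies the ■ rule for adding a vault, and flags users who reach both vaults of a pair that should stay separated. The level names `read` and `write`, the "highest level wins" merge, maintainers inheriting vault access like members, and all sample names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed permission ordering; the page itself names only the "admin" level.
LEVELS = {"read": 1, "write": 2, "admin": 3}

@dataclass
class Group:
    name: str
    roles: dict = field(default_factory=dict)   # user -> "member" or "maintainer"
    vaults: dict = field(default_factory=dict)  # vault -> permission level

def effective_access(groups):
    """Return {user: {vault: level}}, keeping the highest level from any group."""
    access = {}
    for g in groups:
        for user in g.roles:  # assumption: maintainers reach vaults like members
            held = access.setdefault(user, {})
            for vault, level in g.vaults.items():
                if LEVELS[level] > LEVELS.get(held.get(vault), 0):
                    held[vault] = level
    return access

def can_add_vault(user, group, vault, account_admins, vault_admins):
    """Account admins always may; a maintainer also needs admin on the vault."""
    if user in account_admins:
        return True
    is_maintainer = group.roles.get(user) == "maintainer"
    return is_maintainer and user in vault_admins.get(vault, set())

def sod_violations(groups, conflicts):
    """List (user, vault_a, vault_b) where one user reaches both vaults of a pair."""
    access = effective_access(groups)
    return sorted((user, a, b) for user, held in access.items()
                  for a, b in conflicts if a in held and b in held)

# Constructed sample data (hypothetical users, groups and vaults).
GROUPS = [
    Group("clinical", {"ana": "maintainer", "bo": "member"},
          {"trial-raw": "write"}),
    Group("partners", {"bo": "member", "cy": "maintainer"},
          {"partner-share": "read", "trial-raw": "read"}),
]
CONFLICTS = [("trial-raw", "partner-share")]

if __name__ == "__main__":
    print(effective_access(GROUPS))
    print(sod_violations(GROUPS, CONFLICTS))
```
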