
1Password User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Feb 25, 2026

Summary and recommendation

1Password user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

1Password's admin console at my.1password.com covers the full user lifecycle - invitations, group assignments, vault access, suspension, and deletion - without any third-party tooling.

Like every app that mixes role-based and resource-level permissions, the model takes time to internalize: five fixed built-in groups (Owners, Administrators, Team Members, Security, Provision Managers) plus custom groups on Business and Enterprise plans, with 13 granular permissions enforced at the vault level per user or group.

SCIM provisioning is available on the Business plan but requires deploying and maintaining a self-hosted SCIM Bridge; it is not a cloud-native toggle.

Quick facts

  • Admin console path: Sign in at 1Password.com → sidebar navigation (People, Groups, Vaults, Policies, Reports, Integrations)
  • Admin console URL: Official docs
  • SCIM available: Yes
  • SCIM tier required: Business
  • SSO prerequisite: Yes

User types and roles

Role: Owner

  • Permissions: Full account control: manage all vaults, groups, team members, billing, account recovery, and account deletion. Can access and manage any shared vault in the account, including vaults created by departed members.
  • Cannot do: Cannot be restricted from managing any vault. Cannot have vault access revoked by other group members. Must have at least one Owner at all times.
  • Plan required: Teams Starter Pack, Business, or Enterprise
  • Seat cost: $7.99/user/month (Business, billed annually); $19.95/month flat for Teams Starter Pack (up to 10 users)
  • Watch out for: Owners can add themselves to any vault at any time with no native alerting or guardrails. This is a documented limitation that cannot be restricted even by vault-level permissions.

Role: Administrator

  • Permissions: Add and manage vaults, groups, and team members. Recover accounts. Can manage vaults where they have been explicitly granted manage permissions.
  • Cannot do: Cannot change billing settings. Cannot delete the team. Cannot permanently delete user accounts (suspend only); deletion requires an Owner.
  • Plan required: Teams Starter Pack, Business, or Enterprise
  • Seat cost: $7.99/user/month (Business, billed annually)
  • Watch out for: Admins can manage a vault only if they have been explicitly granted manage access to it. Being in the Administrators group does not automatically grant view access to all vaults.

Role: Team Member

  • Permissions: Access to shared vaults they have been granted access to, plus their own Employee vault. May create shared vaults by default (permission can be removed). No team-level administrative permissions.
  • Cannot do: Cannot manage other users, groups, or billing. Cannot be removed from the Team Members group.
  • Plan required: Teams Starter Pack, Business, or Enterprise
  • Seat cost: $7.99/user/month (Business, billed annually)
  • Watch out for: By default, all Team Members can create shared vaults. This permission can be revoked at the group level by an Owner or Administrator.

Role: Guest

  • Permissions: Access to a single shared vault only. No Employee vault.
  • Cannot do: Cannot access more than one vault at a time. Cannot access multiple vaults simultaneously. Cannot have an Employee vault. Cannot belong to the Team Members group.
  • Plan required: Teams Starter Pack (5 included), Business (20 included), or Enterprise
  • Seat cost: First 20 included in Business plan. Additional guests billed at the same per-user rate as team members.
  • Watch out for: Guests count as billable seats if they have active, awaiting confirmation, or recovery status. Upgrading a guest to a team member consumes a full paid seat.

Role: Security Group Member

  • Permissions: Can view security reports and account activity (domain breach report). No vault or user management permissions.
  • Cannot do: Cannot manage users, vaults, or billing.
  • Plan required: Business (group only appears after domain breach report is configured)
  • Seat cost: No additional cost; role is assigned to existing team member seats.
  • Watch out for: The Security group only appears in the admin console after the domain breach report has been set up.

Role: Provision Managers Group Member

  • Permissions: Can provision and confirm new team members via SCIM or 1Password CLI. Has access to Employee vaults before users complete signup.
  • Cannot do: Limited to provisioning scope; does not have full administrative access.
  • Plan required: Business (required for SCIM Bridge or CLI provisioning)
  • Seat cost: No additional cost; role is assigned to existing team member seats.
  • Watch out for: Members of this group can see Employee vaults before users complete signup. Remove yourself from this group if you do not want to see pre-signup Employee vaults.

Permission model

  • Model type: hybrid
  • Description: 1Password uses a hybrid model combining fixed built-in groups (Owners, Administrators, Team Members, Security, Provision Managers) with custom groups available on Business and Enterprise plans. Vault access is controlled at the vault level with 13 granular permissions (e.g., view_items, create_items, edit_items, delete_items, export_items, manage_vault). Team-level permissions (e.g., Invite People, Recover Accounts, Create Vaults, Manage Settings) are assigned to groups. When a user has permissions both individually and via a group, the most permissive set applies.
  • Custom roles: Yes
  • Custom roles plan: Business (custom groups with configurable team-level and vault-level permissions); Enterprise adds further advanced policy controls
  • Granularity: 13 vault-level permissions per user/group per vault. Team-level permissions assignable to custom groups. No item-level permissions (permissions are vault-scoped only).
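
The "most permissive set applies" rule above, worked through as an added example (not code from 1Password or from the original guide). It uses only the six permission names listed above; the users, groups, vaults and the choice to flag export_items and manage_vault for review are constructed assumptions.

```python
from collections import defaultdict

# Assumption: these two permissions are the ones this review treats as sensitive.
SENSITIVE = {"export_items", "manage_vault"}

# Constructed sample data (not real account data).
GROUP_MEMBERS = {
    "Owners": {"alice"},
    "Administrators": {"bob"},
    "Finance": {"carol", "dave"},
}
# Each grant: (vault, grantee kind, grantee name, permissions granted).
GRANTS = [
    ("Payroll", "group", "Finance", {"view_items", "edit_items"}),
    ("Payroll", "user", "dave", {"view_items", "export_items"}),
    ("Payroll", "user", "bob", {"view_items", "manage_vault"}),
    ("Infra", "user", "carol", {"view_items"}),
]


def effective_permissions(grants, group_members):
    """Return {vault: {user: perms}} as the union of direct and group grants."""
    result = defaultdict(lambda: defaultdict(set))
    for vault, kind, name, perms in grants:
        users = group_members.get(name, set()) if kind == "group" else {name}
        for user in users:
            result[vault][user] |= perms
    return {vault: dict(users) for vault, users in result.items()}


def review(grants, group_members):
    """List (vault, user, finding) rows an access review should look at."""
    findings = []
    eff = effective_permissions(grants, group_members)
    for vault in sorted(eff):
        for user, perms in sorted(eff[vault].items()):
            risky = sorted(perms & SENSITIVE)
            if risky:
                findings.append((vault, user, "holds " + ",".join(risky)))
        # Per the guide, Owners can add themselves to any vault at any time.
        for owner in sorted(group_members.get("Owners", set())):
            if owner not in eff[vault]:
                findings.append((vault, owner, "no grant, but Owner can self-add"))
    return findings


if __name__ == "__main__":
    for row in review(GRANTS, GROUP_MEMBERS):
        print(*row, sep=" | ")
```

Note that dave ends up with export_items on Payroll even though the Finance group grant does not include it, which is the case a group-only review would miss.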

How to add users

  1. Sign in to 1Password.com as an Owner or Administrator.
  2. Select 'Invitations' in the sidebar.
  3. Select 'Invite by Email' and enter the recipient's email address.
  4. Select user type (Team Member or Guest) and send the invitation.
  5. Invitee receives an email, follows the link to create their account and Secret Key.
  6. Admin receives a notification email; confirm the new account from the Invitations page or via the confirmation link in the email.
  7. After confirmation, assign the user to relevant vaults and groups.

Required fields: Email address, User type (Team Member or Guest)

Watch out for:

  • New team members cannot access shared items until an Owner or Administrator explicitly confirms their account.
  • Email invitations have no built-in expiry for team accounts, but Slack invitations expire after 5 days.
  • Billing is prorated and charged within 48 hours of the invitee accepting the invitation, not when the invite is sent.
  • If SCIM provisioning is active, manually suspending a user who is still in scope in the IdP may be overridden by the next SCIM sync. Temporarily disable SCIM provisioning before manual suspension.
  • Password policies are not retroactively enforced; users who joined before a policy was set only need to comply when they next change their password or undergo account recovery.
  • The Teams Starter Pack only supports email invitations; sign-up links and Slack invitations are not available on that plan.

Bulk options:

  • CSV import. Availability: No. Notes: Not documented.
  • Domain whitelisting. Availability: Yes. Notes: Automatic domain-based user add.
  • IdP provisioning. Availability: Yes. Notes: Business (requires 1Password SCIM Bridge deployment; supported IdPs: Okta, Microsoft Entra ID, Google Workspace, OneLogin, Rippling, JumpCloud).

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: 1Password supports both suspension (temporary) and permanent deletion. Suspension immediately logs the user out of all devices and blocks access; suspended users are excluded from billing. Permanent deletion removes the user and all their private data. Only Owners can permanently delete accounts; Administrators can only suspend. A policy setting allows suspended users to be auto-deleted between 1 and 180 days after suspension.

  1. Sign in to 1Password.com as an Owner or Administrator.
  2. Select 'People' in the sidebar.
  3. Select the name of the team member to open their details page.
  4. Select 'More Actions' → 'Suspend'.
  5. Confirm the suspension. The user is immediately logged out of all devices.
  6. To permanently delete: ensure the user is suspended, then select 'More Actions' → 'Delete' (Owner only).

Data impact:

  • Owned records: The deleted user's Employee (private) vault and all items exclusively in it are permanently and irrecoverably deleted. There is no way to recover these items after deletion.
  • Shared content: Items in shared vaults remain accessible to other team members and are not affected by the user's deletion.
  • Integrations: If the user was managed via SCIM, they must be deprovisioned in the IdP before their 1Password account can be deleted. Active item-sharing links created by the user persist until manually revoked via the audit log.
  • License freed: Suspended users are immediately excluded from billing. Deleted users free their seat; billing is prorated to the day of removal.

Watch out for:

  • Do not delete a user's account before ensuring their Employee vault is empty or its contents have been transferred to a shared vault; deletion is permanent and unrecoverable.
  • If the user is managed by SCIM, deprovision them in the IdP first; otherwise the SCIM sync may re-activate the account.
  • If a user is offline when suspended or deleted, their local 1Password data remains accessible until they next attempt to unlock 1Password while online.
  • After deletion, passwords and tokens the user had access to in shared vaults should be rotated, especially if they were in the Owners or Administrators group.
  • A user's free 1Password Families membership (included with Business) becomes read-only when they are suspended or deleted from the team account.
  • Admins cannot complete permanent deletion; an Owner must perform the final delete step.
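
An added preflight check (not 1Password tooling and not part of the original guide) that encodes the ordering constraints above before a suspend or delete is attempted. The Offboardee record, its field names and the sample user are hypothetical; in practice the values would be read from your IdP and the admin console.

```python
from typing import NamedTuple


class Offboardee(NamedTuple):
    # Hypothetical record; these fields are this example's, not a 1Password schema.
    name: str
    scim_managed: bool
    in_idp_scope: bool         # still assigned to 1Password in the IdP
    suspended: bool
    employee_vault_items: int  # items that exist only in the private vault
    share_links: int           # active item-sharing links the user created
    was_privileged: bool       # member of Owners or Administrators


def blockers(user, actor_role, action):
    """Reasons not to run `action` ('suspend' or 'delete') yet; empty means go."""
    found = []
    if user.scim_managed and user.in_idp_scope:
        fix = "deprovision in the IdP" if action == "delete" else "pause SCIM provisioning"
        found.append(f"{fix} first: the next SCIM sync may re-activate the account")
    if action == "delete":
        if actor_role != "Owner":
            found.append("only an Owner can delete; Administrators can only suspend")
        if not user.suspended:
            found.append("suspend before deleting")
        if user.employee_vault_items:
            found.append(f"move {user.employee_vault_items} Employee vault item(s) "
                         "to a shared vault: deletion destroys them permanently")
    return found


def follow_ups(user):
    """Clean-up that suspension and deletion do not do for you."""
    rotate = "rotate passwords and tokens the user could reach in shared vaults"
    tasks = [rotate + (" (priority: privileged user)" if user.was_privileged else "")]
    if user.share_links:
        tasks.append(f"revoke {user.share_links} item-sharing link(s) via the audit log")
    tasks.append("offline devices keep local data until they next unlock online")
    return tasks


# Constructed case: SCIM-managed admin, not yet suspended, vault not emptied.
SAMPLE = Offboardee("pat", True, True, False, 3, 2, True)

if __name__ == "__main__":
    for line in blockers(SAMPLE, "Administrator", "delete") + follow_ups(SAMPLE):
        print("-", line)
```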

License and seat management

Seat types:

  • Team Member seat. Includes: Full access to shared vaults, Employee vault, group membership, all 1Password apps. Business plan includes a free 1Password Families account per seat. Cost: $7.99/user/month (Business, billed annually); $19.95/month flat for Teams Starter Pack up to 10 users.
  • Guest seat. Includes: Access to a single shared vault only. No Employee vault. 20 included in Business plan; 5 included in Teams Starter Pack. Cost: First 20 (Business) or 5 (Teams Starter Pack) included in base price. Additional guests billed at the same per-user rate as team members.

  • Where to check usage: 1Password.com → Reports (sidebar) → Team Report or Overview Report. Shows active, suspended, and recovery-status users. Billing seat count visible at 1Password.com → Billing and Seats → Usage tab.
  • How to identify unused seats: Use Reports → Team Report to see each team member's last login date and browser extension status. Filter by extension status to find members who have never activated the extension. Usage reports (Reports → Usage Report per team member) show last item access date within the past 12 months.
  • Billing notes: Billing is prorated daily; a seat is charged from the day the invitee accepts their invitation. Suspended users are not billed. Active user count is calculated daily at 7:00 PM ET. Business plan bills per team member plus charges for guests beyond the 20 included. Annual billing is available; prorated credits are issued when users are removed mid-cycle.
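
An added example, not part of the original guide or any 1Password tool, that runs the idle-seat and billable-seat checks described above over an exported report. The CSV columns, the sample rows and the 90-day idle threshold are assumptions; the billable guest statuses, the 20 included guests and the $7.99 price are the figures quoted above.

```python
import csv
import io
from datetime import date

# Constructed export. Column names and values are assumptions made for this
# example; they are not the format of 1Password's Team Report.
TEAM_REPORT = """email,type,status,last_login,extension
ana@example.com,member,active,2026-02-20,active
ben@example.com,member,active,2025-10-01,never
cy@example.com,member,suspended,2025-12-01,active
dee@example.com,guest,awaiting confirmation,,never
eli@example.com,guest,active,2026-01-05,active
"""

GUEST_BILLABLE = {"active", "awaiting confirmation", "recovery"}  # per the guide
INCLUDED_GUESTS = 20   # Business plan, per the guide
PRICE_PER_SEAT = 7.99  # USD per user per month, Business billed annually


def is_billable(row):
    if row["type"] == "guest":
        return row["status"] in GUEST_BILLABLE
    return row["status"] != "suspended"  # suspended users are not billed


def audit(report_csv, today, idle_days=90):
    """Count paid seats and list the billable accounts that look unused."""
    rows = [r for r in csv.DictReader(io.StringIO(report_csv)) if is_billable(r)]
    members = sum(r["type"] == "member" for r in rows)
    guests = sum(r["type"] == "guest" for r in rows)
    seats = members + max(0, guests - INCLUDED_GUESTS)
    idle = []
    for r in rows:
        reasons = []
        if not r["last_login"]:
            reasons.append("never signed in")
        elif (today - date.fromisoformat(r["last_login"])).days > idle_days:
            reasons.append(f"no sign-in for over {idle_days} days")
        if r["extension"] == "never":
            reasons.append("extension never activated")
        if reasons:
            idle.append((r["email"], "; ".join(reasons)))
    return {"paid_seats": seats,
            "monthly_cost": round(seats * PRICE_PER_SEAT, 2),
            "idle": idle}


if __name__ == "__main__":
    print(audit(TEAM_REPORT, today=date(2026, 2, 25)))
```

Guests inside the included allowance add nothing to paid_seats but still appear in the idle list, since each one remains an account with vault access.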

The cost of manual management

Every app in a manually managed environment carries a coordination cost, and 1Password surfaces several that compound over time. New team members cannot access shared items until an Owner or Administrator explicitly confirms their account after invitation acceptance - a two-step flow that is easy to miss at scale.

Suspended users are excluded from billing, but the active seat count is calculated daily at 7:00 PM ET, so timing of suspension relative to billing cycles matters. Identifying unused seats requires navigating to Reports → Team Report and cross-referencing last login dates and browser extension activation status; there is no automated idle-seat alert.

Permanent account deletion is Owner-only - Administrators can only suspend - creating a bottleneck in offboarding workflows. If SCIM is active, manually suspending a user who remains in scope in the IdP may be overridden by the next sync cycle.

What IT admins are saying

The most consistent friction reported by 1Password administrators centers on the Owner role's unrestricted vault access. Owners can add themselves to any vault at any time with no native alerting or guardrails - a documented limitation that cannot be restricted even by vault-level permissions.

Community threads flag this as a separation-of-duties concern, with one post noting that 'due to this lack of permission granularity, our IT teams do not feel comfortable using shared vaults.' A related gap is the absence of native email alerts when users are added to or removed from a vault.

Permissions are vault-scoped only; there are no item-level permissions, so restricting access to individual items within a shared vault is not possible. The SCIM Bridge deployment model also draws consistent complaints for adding operational overhead compared to cloud-native SCIM implementations.

Common complaints:

  • SCIM Bridge deployment adds operational complexity compared to native cloud SCIM; requires self-hosting and ongoing maintenance.
  • Need to maintain and update SCIM Bridge separately from the main 1Password service.
  • SSO and SCIM require separate IdP application configurations.
  • Owners cannot be restricted from accessing or adding themselves to any vault; no native alerting or guardrails exist for this escalation path, which is a documented separation-of-duties concern.
  • No native email alerts notify Owners or Administrators when a user is added to or removed from a vault.
  • Permissions are vault-scoped only; there are no item-level permissions, making it impossible to restrict access to individual items within a shared vault.
  • Administrators must be explicitly added to a vault to view its contents; being in the Administrators group does not grant automatic view access, which surprises new admins.
  • Only Owners can permanently delete user accounts; Administrators can only suspend, creating a dependency on Owner availability during offboarding.
  • If a user is offline when suspended or deleted, their local vault data remains accessible until they reconnect, creating a window of continued access.
  • Manually suspending a SCIM-managed user requires temporarily disabling SCIM provisioning to prevent the IdP from re-activating the account.

Representative quotes (verbatim):

1Password account 'Owners' have full permission to manage ANY vault and their vault access cannot be restricted.

Due to this lack of permission granularity, our IT teams do not feel comfortable using shared vaults.

The decision

Every app in your stack has a provisioning cost, and 1Password's is shaped by two structural constraints: the confirmation-required invitation flow and the Owner-only permanent deletion step. Manual administration is viable for teams under roughly 50 users or organizations that have not yet deployed an IdP.

Above that threshold, those constraints plus the absence of idle-seat alerts create meaningful operational drag. The Business plan's SCIM Bridge requirement - self-hosted, separately maintained, with a paired scimsession file and bearer token - means that even automated provisioning carries infrastructure overhead.

Teams with strict separation-of-duties requirements should note that the Owner role's unrestricted vault access is a documented, unresolvable limitation within the product's current permission model.

Guest seats are billable once a user reaches active, awaiting confirmation, or recovery status, and upgrading a guest to a team member consumes a full paid seat - both worth auditing before headcount changes.

Bottom line

1Password gives administrators a capable console for day-to-day user and vault management, but several structural constraints accumulate at scale: the two-step invitation confirmation, Owner-only permanent deletion, vault-scoped-only permissions with no item-level granularity, and the self-hosted SCIM Bridge requirement on Business plans.

The Owner role's ability to self-add to any vault without alerting is a documented limitation with no native workaround, which is the most frequently cited concern in the admin community.

Organizations that need clean separation of duties, automated idle-seat detection, or a fully cloud-managed provisioning pipeline will find gaps that require process controls or third-party tooling to close.


* Details sourced from official product documentation and admin references.
