When enabling vault sharing, two things need to be decided upfront: where shared vaults will be stored, and who in the organization is allowed to create and share them. Getting both right from the start prevents vault sprawl, keeps credentials within your controlled environment, and makes ongoing management significantly easier.
Choose Where Shared Vaults Are Stored
Shared vaults in Enpass Business are stored on your organization's cloud platform — Microsoft 365 or Google Workspace. The Vaults policy in the Admin Console controls which storage locations users are permitted to create and share vaults on.
To configure this:
- Navigate to Policies in the Admin Console.
- Under the Data section, select Vaults.
- Adjust the following policies.
Allow Users to Create and Share Additional Vaults on OneDrive
When enabled, users can create new business vaults on their OneDrive for Business storage and share them with colleagues. This can be useful when SharePoint or Teams channels are not available in your plan, or when users need separate vaults for organizing purposes only.
Recommendation: Keep this disabled unless needed. Allowing users to create vaults freely on OneDrive can lead to vault sprawl, making it harder to manage. It can also cause recoverability issues if a user's account is deleted — their OneDrive vaults may be lost along with it.
Allow Users to Create and Share Multiple Vaults on SharePoint Sites
When enabled, users can create and manage business vaults stored on SharePoint team sites. SharePoint vaults are ideal for department-level or project-level credential management, since access inherits from the SharePoint site's permissions model.
Recommendation: This is particularly useful for project-based teams that already use SharePoint for collaboration.
Allow Users to Create and Share Multiple Vaults on Microsoft Teams
When enabled, users can create and share business vaults directly within Microsoft Teams channels. This embeds credential management into your team's existing communication and collaboration hub.
Recommendation: Enable this if your organization relies heavily on Teams for day-to-day work.
Restrict Who Can Create and Share Vaults
Enabling sharing at the organization level gives every user permission to create and share vaults. In most organizations, this is too permissive. The recommended approach is to lock down sharing for the entire organization and grant it only to a designated group of administrators or vault managers. This keeps vault creation centralized, auditable, and aligned with your access management processes.
How to Set This Up
At the organization level — deny sharing for everyone:
- In the Admin Console, go to Policies.
- Under Data, select Vaults.
- Disable all storage location options for creating and sharing vaults (OneDrive, SharePoint, Teams, or Google Drive and Shared Drives depending on your platform).
- Save the policy.
This ensures no user can create or share a vault by default.
Create or locate a group for designated vault managers:
- In the Admin Console, go to Groups and locate the group of users who should be permitted to manage vault sharing — for example, Vault Admins or IT Managers.
  The membership of identity provider synced groups is managed from your identity provider, not from the Admin Console.
- If no such group exists, create a new group and add the relevant users to it.
Apply a group policy override to allow sharing for that group only:
- Click the three-dot menu next to the group and select Override Policies.
- Under Data > Vaults, enable the specific storage locations this group should be allowed to create and share vaults on.
- Click Override to save.
Members of this group can now create and share vaults on the permitted storage locations. Everyone else in the organization remains restricted from creating or sharing vaults — but they can still access vaults that vault admins have shared with them.
Learn more about Managing Group Policies.
What This Looks Like in Practice
A common setup that works well for most organizations:
- Organization-wide Vaults policy has all sharing options disabled.
- A small Vault Admins group has an override allowing sharing on SharePoint Sites (Microsoft 365) or Shared Drives (Google Workspace).
- Vault admins create shared vaults on behalf of teams and manage membership from the Enpass app.
- All sharing is visible to administrators in the Vault Sharing view of the Admin Console.
This gives your organization the benefits of secure credential sharing while keeping full control over who can initiate it and where vaults live.
Things to Keep in Mind
Start strict, override selectively. It is much easier to open up permissions for specific groups than to lock things down after users have already created vaults in unexpected places.
Avoid OneDrive and My Drive for shared vaults where possible. Vaults stored in individual user storage are at risk of becoming inaccessible if that user leaves the organization. Team-based storage (SharePoint, Teams, Shared Drives) avoids this problem.
Keep the number of vault admin group members small. The fewer people who can create shared vaults, the easier it is to maintain oversight. Vault admins can manage access for their teams without every team member needing sharing permissions.
Review group overrides regularly. As teams change, make sure group memberships and policy overrides still reflect your current structure.
Next Steps
- Monitoring Shared Vaults — Use the Vault Sharing view in the Admin Console to review shared vaults, identify inactive vaults, unshared vaults, and audit access permissions.