Every Enpass Business user gets a vault by default called Primary Vault, which is tied to their work email. This is where all credentials issued to them by the organization are stored, one vault per user. For most organizations, this model alone is sufficient to meet common compliance and regulatory requirements, as each credential is owned and accessed by a single, identifiable user.
There are however situations where teams need shared access to the same credentials, for example shared service accounts or department-wide tools. For these cases, users can create additional vaults on the organization's chosen cloud platform (Microsoft 365 OneDrive, SharePoint, or Google Drive) and share them with specific teammates.
The Primary Vault cannot be shared. It is intended to stay private. Security best practices recommend limiting sharing to only what a team genuinely needs.
Access Roles and Permissions
When sharing a vault, the manager assigns one of the following roles to each member:
| Role | What they can do |
|---|---|
| Manager | Full control — edit vault contents, manage members, change roles |
| Write | View and edit vault items, cannot manage members |
| Read-Only | View vault items only, no changes |
| Autofill Only | Same as Read-Only but password fields are hidden — autofilling via browser extension is the only way to use credentials |
How Access Is Granted
When a vault is shared, Enpass handles access transparently in the background. It verifies or grants the necessary storage permissions via Microsoft Graph API or Google Drive API, and then securely distributes the vault key to the recipient through Enpass Hub. The recipient's access always follows the permissions of the underlying storage platform — meaning if their storage access is revoked, they lose access to the vault regardless of their Enpass role. Both storage permissions and vault key authorization must be in place for a recipient to access a shared vault.
Cloud Storage Permissions
The vault file itself lives in your organization's cloud storage. A recipient must have the appropriate storage-level access before Enpass can share the vault with them. Enpass uses Microsoft Graph API or Google Drive API to verify and set these permissions where applicable.
| Storage Location | Required Storage Permission |
|---|---|
| OneDrive for Business | Enpass automatically grants Write or Read access via Microsoft Graph API |
| SharePoint Site | Member of the SharePoint site |
| Microsoft Teams | Member of the Teams channel where the vault is stored |
| Google Drive (My Drive) | Enpass automatically grants Write or Read access via Google Drive API |
| Google Shared Drive | Member of the Shared Drive |
Vault Key Distribution
Even with storage access, a recipient cannot read the vault without the vault's encryption key. Enpass Hub manages the secure and seamless distribution of vault keys using public-key cryptography (RSA-3072), so the key is never shared in plaintext. Only the intended recipient, holding the matching private key on their own device, can decrypt and open the vault. The access role assigned to each recipient is also stored on Enpass Hub and enforced by the Enpass app when the vault is opened.
Neither layer alone is sufficient — a recipient needs both.
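The two-layer rule above (storage permission on the cloud platform plus a vault-key grant with a role on Enpass Hub) is easy to state but worth seeing as an access decision. The following is an added illustrative model, not Enpass's code and not its Hub or API: the `StorageAcl` and `HubRecords` classes are constructed stand-ins for what the Microsoft Graph / Google Drive APIs and Enpass Hub would hold, the capability sets are transcribed from the roles table above, and the user names and vault location are made-up sample data. It shows that a recorded role is worthless once storage access is revoked, and that an Autofill Only member can autofill but never reveal a password.

```python
"""Illustrative model of Enpass Business shared-vault access (example code,
not Enpass's implementation).  A recipient opens a vault only when BOTH
layers hold: storage-level access and a vault-key grant + role on Hub."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    MANAGER = "Manager"
    WRITE = "Write"
    READ_ONLY = "Read-Only"
    AUTOFILL_ONLY = "Autofill Only"


# What each role permits, transcribed from the roles table above.
ROLE_CAPABILITIES = {
    Role.MANAGER:       {"view", "edit", "manage_members", "show_password", "autofill"},
    Role.WRITE:         {"view", "edit", "show_password", "autofill"},
    Role.READ_ONLY:     {"view", "show_password", "autofill"},
    Role.AUTOFILL_ONLY: {"view", "autofill"},   # password fields stay hidden
}


@dataclass
class Vault:
    name: str
    location: str          # where the vault file lives in cloud storage


@dataclass
class StorageAcl:
    """Constructed stand-in for permissions the Graph / Drive API would report."""
    grants: dict = field(default_factory=dict)   # location -> {user: "read"|"write"}

    def grant(self, location: str, user: str, level: str) -> None:
        self.grants.setdefault(location, {})[user] = level

    def revoke(self, location: str, user: str) -> None:
        self.grants.get(location, {}).pop(user, None)

    def access(self, location: str, user: str) -> Optional[str]:
        return self.grants.get(location, {}).get(user)


@dataclass
class HubRecords:
    """Constructed stand-in for the vault-key grants and roles kept on Enpass Hub."""
    roles: dict = field(default_factory=dict)    # (vault name, user) -> Role

    def share(self, vault: Vault, user: str, role: Role) -> None:
        self.roles[(vault.name, user)] = role


def effective_role(vault, user, storage, hub):
    """Role the app would enforce, or None when either layer is missing."""
    role = hub.roles.get((vault.name, user))
    if role is None:
        return None                 # no vault key was ever distributed to this user
    if storage.access(vault.location, user) is None:
        return None                 # storage access gone: the Hub role alone is not enough
    return role


def can(vault, user, action, storage, hub):
    """True if the user may perform `action` on the vault right now."""
    role = effective_role(vault, user, storage, hub)
    return role is not None and action in ROLE_CAPABILITIES[role]


def demo():
    # Sample data constructed for this example.
    vault = Vault("Shared Service Accounts", "onedrive:/team-vaults/service-accounts")
    storage, hub = StorageAcl(), HubRecords()
    storage.grant(vault.location, "alice@example.com", "write")
    hub.share(vault, "alice@example.com", Role.WRITE)
    storage.grant(vault.location, "bob@example.com", "read")
    hub.share(vault, "bob@example.com", Role.AUTOFILL_ONLY)
    before = (
        can(vault, "alice@example.com", "edit", storage, hub),
        can(vault, "bob@example.com", "autofill", storage, hub),
        can(vault, "bob@example.com", "show_password", storage, hub),
    )
    # Storage-side revocation closes the vault even though Hub still lists Alice as Write.
    storage.revoke(vault.location, "alice@example.com")
    after = can(vault, "alice@example.com", "view", storage, hub)
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True, False), False)
```

The order of checks in `effective_role` mirrors the page: the Hub grant decides whether a key was ever distributed, and the storage check decides whether the recipient can still reach the file today, so revoking either one is enough to lock the member out.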
For a full technical breakdown of how vault keys are distributed securely, see the Enpass Security Whitepaper.