Using Company Vaults

Updated at December 19th, 2025

+ More

Table of Contents

What Are Company Vaults? Vault Roles Owner Recommended Best Practice: Assign at least Two Owners Editor Reader Share → Vault Conversion How This Works How to Convert a Share to a Vault (Step‑by‑Step) Important Notes How Vault Permissions Override Share Permissions Behaviors Across Platforms WebApp Browser Extension Mobile Apps Managing Vault Membership Accessing Vault Editing Editing Vault Membership Add Members Change Member Roles Remove Members Moving Items Into or Out of a Vault Security Considerations Summary

Company Vaults in Password Boss provide a centralized, access‑controlled space for storing and managing shared items across teams, departments, or the entire organization. Vaults simplify permission management, enhance security, and enable more structured collaboration than one‑off individual shares.

This article includes updates based on recent product enhancements, including Share → Vault conversion, Vault Owner capabilities, and how Vault permissions override individual share permissions.

What Are Company Vaults?

Company Vaults enable organizations to:

Store frequently used items (credentials, notes, keys) in one secure place.
Assign role‑based access to team members.
Maintain consistent visibility and permission behaviors across the WebApp, Browser Extension, and mobile apps.
Replace scattered individual shares with a centralized access model.

Vault Roles

Each member of a Vault is assigned one of the following roles.

Owner

Vault Owners have the highest level of control.

Vault Owners can:

View and edit all items in the Vault.
Add or remove items.
Manage Vault membership and assign roles (Owner, Editor, Reader).
Convert a Share into a Vault (when applicable).
Move items into or out of the Vault.
Remove other Owners (in multi‑owner configurations).

Vault Owners cannot:

Override Zero‑Knowledge restrictions.
Be removed by non‑Owners.

Recommended Best Practice: Assign at least Two Owners

To prevent lock‑outs and ensure continuous administrative coverage, it is strongly recommended that each Vault have at least two Owners. This protects the organization if:

An Owner leaves the company.
An Owner loses access to their account.
An Owner is unavailable during urgent access or membership changes.

Having multiple Owners provides redundancy and ensures smooth operational continuity

Editor

Editors can contribute to the Vault but cannot change its structure.

Editors can:

View all fields for all items.
Edit items.
Add new items to the Vault.

Editors cannot:

Change Vault membership.
Promote/demote members.
Convert the Vault or transfer ownership.

Reader

Readers have limited access.

Readers can:

View items and their details (if the Vault configuration permits password visibility).
Use autofill via the Browser Extension.

Readers cannot:

Edit items.
Add items.
Delete items.

Password Boss allows you to convert existing item Shares into full Company Vaults.

How This Works

Items previously shared individually become organized under a new or existing Vault.
The previous Share Owner becomes the Vault Owner.
Other share recipients become Vault members based on assigned roles.
Permissions now follow Vault roles, not individual share roles.

The conversion action is available directly inside the Share Center.

To convert a share to a Vault:

Open the Share Center from the left navigation menu.
Under Active Shares, locate the item you want to convert.
Select the three‑dot menu (⋮) on the right side of the share.
Choose Convert to vault from the dropdown menu.
Review the confirmation dialog carefully.
- “All original items from this share will be moved into the vault container.”
- “Any items from this share that also exist as clones in other shares will no longer be shared in those containers.”
- “Accounts that were invited as invisible will not be added to the vault.” These warnings are essential because they describe how shared data behaves once converted.
Select Accept to complete the conversion.

Key implications from this conversion process:

Items are moved, not copied—ownership and container structure change immediately.
Clone items in other shares lose sharing relationships and now inherit Vault‑level rules.
Invisible users are excluded from the Vault and lose access permanently unless manually re‑added later with a Vault‑appropriate role.

Additional Clarification for Invisible Users

Invisible‑permission users are intentionally not carried into the Vault because Vaults require explicit, role‑based membership. Invisible users cannot be auto‑migrated due to their restricted, non‑visibility‑based access model.

If Invisible users need continued access after a conversion:

Add them manually as Readers or Editors to the Vault.
Invisible‑style access does not exist inside Vaults; Vault permissions fully replace share permissions.

Important Notes

Conversion is a move operation — items now belong to the Vault.
Former share recipients do not automatically become Owners.
Emergency Access does not apply to Vault items.

When an item is part of a Vault, Vault‑level permissions control access.

Examples:

A user who previously had Editor access via a share may become a Reader if their Vault role is Reader.
Invisible‑share password restrictions continue if the Vault role is equally or more restrictive.
Vault membership changes immediately update item visibility and access across all platforms.

Behaviors Across Platforms

WebApp

Vaults appear in the left navigation.
Vault Owners see controls for membership, roles, and item movement.
Editors and Readers see only allowed actions.

Browser Extension

Items from Vaults appear with the same permission restrictions as in the WebApp.
Invisible‑type restrictions remain enforced.
Only permissible actions appear in the extension UI.

Mobile Apps

Vault items appear under the Vault section.
Role‑based visibility (password visible/hidden) matches WebApp rules.

Managing Vault Membership

Accessing Vault Editing

You can access Vault editing directly from the Vaults list view.

To open the Edit Vault panel:

Go to Vaults from the left navigation menu.
Under Active Vaults, locate the vault you want to manage.
Select the three‑dot menu (⋮) next to Your Permission.
Choose Change from the dropdown menu.

This opens the Edit Vault interface, where you can adjust roles, add or remove members, and modify Vault details.

Editing Vault Membership

The Edit Vault interface allows Vault Owners to manage users, groups, and their assigned roles directly.

Key elements:

A searchable Recipients & Permissions field where you can add users or groups by email or directory identity.
A list of Added Recipients, each with a configurable Permission dropdown.
Supported Vault roles include:
- Read (Reader)
- Editor
- Owner
Selecting a role from the dropdown immediately updates the user’s Vault access level.
A red remove (trash) icon allows Owners to revoke access entirely.

How to Edit Vault Membership:

Open the Vault you want to edit.
Select Edit Vault from the Vault actions.
Use the Search Recipient field to add new users.
For existing members, adjust their roles using the Permission dropdown.
Select Save to apply changes.

This interface ensures Vault Owners maintain complete control over access and permissions in a central, easy-to-manage location.

Add Members

Vault Owners can invite users and assign roles during or after invitation.

Change Member Roles

Adjust Reader → Editor → Owner as needed.
Changes apply instantly across platforms.

Remove Members

Removed members immediately lose access to all Vault items.

Moving Items Into or Out of a Vault

Items can be reorganized between personal space, shared space, and Vaults.

Owners and Editors can:

Move items into the Vault.
Move items out of the Vault (unless restricted by organizational policy).