miketheautomater

Reputation Activity

  1. Like
    miketheautomater got a reaction from Mordecai in API key for adding Folders and Password Lists and no Password access   
    Folders can only be created via the system-wide API key; the same goes for adding Password Lists from a Template to the folder.
     
    We need a way via API to add folders, add password lists from template, add/modify/remove password list permissions and have the API user NOT be able to read/change any passwords in existing password lists.
     
    We tried the Windows Integrated Auth API; unfortunately, being able to see if the folder already had a password list required us to give that API user View permissions on the Password List Template or Password List, which also allows them to view any password records in that list. As a large organization, we try our best to follow the least privilege model, including for API users.
  2. Like
    miketheautomater got a reaction from Digital Dynamics in Add Password TOTP secret key change history   
    Please add TOTP secret key change history to Passwords. Please add audit logging for when the TOTP secret key is revealed/viewed/copied (just like passwords are).
    This is important because in a system with 700+ users, if someone accidentally edits the TOTP secret key or removes it, there is no way to recover it and you might be permanently locked out of an account if that account does not have any other 2FA methods configured. Some enterprise systems like Microsoft Entra do not issue TOTP one-time account recovery codes.
     
    When users share passwords that have TOTP enabled on them, the TOTP secret key could be copied to a different authenticator app. Since the TOTP secret key is sensitive, it should be treated like a password from an auditing and who-knows-it perspective.