Updated May 23, 2026
Key Takeaways
- Never share passwords directly - use a password manager with shared vault functionality to give access without revealing credentials.
- Scope access to the minimum required for the task - a social media VA does not need access to your billing accounts.
- Use role-specific permissions in tools that support them (Google Workspace, Slack, project management tools) rather than sharing admin accounts.
- Create an access log so you can revoke everything quickly if the relationship ends - do not rely on memory to track what you shared.
- Stealth Agents provides VAs who are accustomed to working in client tool environments with appropriate access controls from day one.
Setting up a virtual assistant with access to your tools and accounts is a security question as much as a logistics question. Done poorly, you expose credentials, create recovery problems, and have no clear way to revoke access when the relationship ends. Done correctly, it is a 30-minute setup that protects both parties.
The Core Rule: Never Share Passwords Directly
Sharing a password via email, Slack, or text creates three problems:
- The credential is now stored in a medium you may not be able to control or audit
- You cannot revoke access without changing the password and updating every place it is used
- If the communication channel is compromised, so is the account
The solution is a password manager with shared vault functionality. The VA uses the shared credential through the password manager app - they never see the actual password, and you can revoke access by removing the shared item.
Recommended options:
- 1Password Teams - Clean shared vault system, good audit logs, $4/user/month. Best overall for small teams.
- LastPass Sharing - Allows sharing individual items without revealing credentials. Adequate for small setups.
- Bitwarden Organizations - Open-source, generous free tier for organizations. Good option if cost is a constraint.
Setup: create a dedicated vault or collection for your VA, add only the credentials they need, and share that vault. When the relationship ends, remove their access from the vault.
Scoping Access by Role
The access a VA needs depends entirely on what tasks they are doing. Map tasks to minimum required access:
Administrative VA:
- Google Calendar (edit access to your calendar)
- Gmail or email client (read + compose, not delete or manage settings)
- Task management tool (Asana, ClickUp - editor access only)
- Shared Google Drive folder (not your entire Drive)
Social Media VA:
- Facebook/Instagram via Meta Business Suite (Page editor role, not admin)
- Twitter/X (contributor role if available, otherwise direct login via password manager)
- Canva or similar design tool (shared team access)
- Social scheduling tool (Buffer, Later - operator role)
Customer Support VA:
- Helpdesk platform (Zendesk, Freshdesk - agent role)
- Email alias (support@yourdomain.com - not your primary inbox)
- CRM (contact view and update, not admin or billing)
The pattern: give access to the function, not the account administration layer. A social media VA does not need admin access to your Facebook Business Manager - they need edit access to the specific pages they manage.
Google Workspace Setup
If you use Google Workspace, set up the VA's access properly, service by service:
Email: Create a support alias (support@yourdomain.com or va@yourdomain.com) that the VA manages from their own inbox or a separate login. Do not give them your primary Google account.
Calendar: Share your calendar with edit permissions. This lets them create, modify, and delete events without accessing your email.
Drive: Share specific folders, not your entire Drive. Create a "VA Working Files" folder and share that. Add subfolders as needed.
Admin console: Never share your Google Workspace admin account. If you need the VA to perform admin tasks, create a separate admin account with only the required permissions.
Tools With Built-In Role Systems
Most modern business tools support user roles with different permission levels. Use them:
| Tool | VA Role to Use |
|---|---|
| Asana | Member (not Admin) |
| ClickUp | Member (not Owner/Admin) |
| Slack | Member (not Admin/Owner) |
| Notion | Editor (not Admin) |
| HubSpot | User with specific object permissions |
| Shopify | Limited staff account with specific sections |
| WordPress | Editor (not Administrator) |
Adding the VA as a user rather than sharing your admin login is always better - it creates an audit trail, allows individual permission control, and makes revocation clean.
Building an Access Log
Create a simple document that tracks every access point you have granted:
| Tool | Access Method | Level | Date Granted | Date Revoked |
|---|---|---|---|---|
| Gmail alias | Direct login via 1Password | Compose/read | 2026-01-15 | - |
| Asana | User account | Member | 2026-01-15 | - |
| Meta Business Suite | Page editor role | Editor | 2026-01-20 | - |
This log serves two purposes:
- You know exactly what to revoke when the relationship ends
- You can audit access at any time without relying on memory
Keep the log in a document only you can access, not in a shared folder.
Access Revocation Checklist
When a VA relationship ends, work through the log systematically:
- Remove from password manager vault
- Remove from Google Workspace (or revoke alias login)
- Remove from project management tool
- Remove page roles from Meta Business Suite
- Remove from CRM
- Remove from Slack workspace
- Remove from any other tool accounts
- Change any passwords that were shared directly (if any slipped through)
- Review recent account activity for any tools with sensitive data
Running through this list immediately when the relationship ends is far easier than trying to reconstruct it six months later.
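One way to generate the revocation checklist straight from the access log, as an added example that is not part of the original article. The first three log rows are the article's sample entries; the last three rows, the function names, and the classification rules (keyword matching on "login", the password manager names, and admin/owner levels) are assumptions of this example.

```python
import re

# Access log in the article's table layout. The first three rows are the
# article's sample entries; the last three are constructed for this example.
ACCESS_LOG = """\
| Tool | Access Method | Level | Date Granted | Date Revoked |
|---|---|---|---|---|
| Gmail alias | Direct login via 1Password | Compose/read | 2026-01-15 | - |
| Asana | User account | Member | 2026-01-15 | - |
| Meta Business Suite | Page editor role | Editor | 2026-01-20 | - |
| Canva | Direct login sent by email | Team member | 2026-02-01 | - |
| WordPress | User account | Administrator | 2026-02-03 | - |
| Slack | User account | Member | 2026-01-15 | 2026-03-01 |
"""

VAULTS = ("1password", "lastpass", "bitwarden")  # managers named in the article
ADMIN = re.compile(r"\b(admin(istrator)?|owner)\b", re.I)

def parse_log(text):
    """Turn the markdown table into a list of dicts keyed by header name."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    header, body = rows[0], rows[2:]  # rows[1] is the |---| separator
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def revocation_plan(entries):
    """Return (tool, action, warnings) for every grant not yet revoked."""
    plan = []
    for e in entries:
        if e["Date Revoked"] not in ("-", ""):
            continue  # already revoked, nothing left to do
        method = e["Access Method"].lower()
        warnings = []
        if "login" in method and any(v in method for v in VAULTS):
            action = "remove shared item from vault"
        elif "login" in method:
            action = "change password"  # credential was shared directly
            warnings.append("shared outside password manager")
        else:
            action = "remove user or role"
        if ADMIN.search(e["Level"]):
            warnings.append("admin-level grant")
        plan.append((e["Tool"], action, warnings))
    return plan

if __name__ == "__main__":
    for tool, action, warnings in revocation_plan(parse_log(ACCESS_LOG)):
        note = f"  ({'; '.join(warnings)})" if warnings else ""
        print(f"[ ] {tool}: {action}{note}")
```

Running the same function periodically while the relationship is active also surfaces grants that break the scoping rules above, such as an admin-level role or a credential shared outside the password manager.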
The Security Balance
Over-restricting access creates friction that reduces the VA's effectiveness. Under-restricting creates real security exposure. The right balance: minimum necessary access, granted through proper sharing mechanisms, tracked in a log, and revocable at any time.
A VA who has what they need to work effectively within a clearly scoped access structure is both productive and low-risk. The setup takes less time than most people expect.

