Currently, if a user is able to access a client's vault, they also have the ability to the client vault. Instead, separate out those two permissions so that users can decide which team members can view vs. manage client vault information.