multi-user vault processes

Hi,
Thanks for getting vault into trunk!
I have a few questions.

  1. If we have multiple users that need to edit an encrypted vars file, is there any way to avoid distributing a shared key amongst all of them?
    Is there any kind of LDAP plugin envisioned for the future that would allow --ask-vault-pass to have ACLs without a separate key distribution solution?

  2. Is there a way to separate out the ability to edit a sensitive file vs run a playbook that depends on it?
    Let me give a specific use-case example of what we might like to accomplish assuming we have to distribute keys:
    a. A team leader creates a vars file with sensitive info. Only she can edit the file.
    b. Other team members are given the vault key to add to a secure keys directory or add to the command line to enable them to run the playbook using the vaulted file. They cannot use the key to open/edit the sensitive vars file.

  3. Is there/will-there-be any way to handle nested security levels?
    Suppose you had an openstack deployment and wanted a whole team to be able to access that cloud with an openstack_creds.yml file. But only the sysadmin should be able to run a playbook against a host vm in that cloud. The restriction of only one key per ansible-playbook command would seem to prevent this:
    ansible-playbook -i hosts site.yml --ask-vault-pass key-to-play-in-cloud
    ansible-playbook -i hosts site.yml --ask-vault-pass key-to-administer-vm
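Added example (editor's note, not part of the original post and not an ansible-vault feature): question 2 asks for a key that lets someone run a playbook but not edit the vaulted file. A single symmetric vault password cannot give that split, because anyone who can decrypt the file can also re-encrypt a modified copy. The model below, written for illustration only, shows one way to get the split anyway: the file is encrypted with a shared symmetric run key (Fernet here, standing in for the vault cipher) and additionally signed with an Ed25519 key held only by the editor; the run step verifies the signature before using the secrets. The sample vars content is constructed, and the `edit`/`run` helpers and key names are this example's own.

```python
"""Model of the edit/run capability split from question 2 (illustrative only).

Assumption, not an ansible-vault feature: runners hold the shared symmetric
run key plus the editor's public key; only the editor holds the Ed25519
signing key. A runner can decrypt (needed to run) and can even re-encrypt a
modified file with the run key, but cannot sign it, so the run step rejects it.
"""
from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def edit(run_key, editor_key, plaintext):
    """Editor's path: encrypt with the shared run key, then sign the ciphertext."""
    token = Fernet(run_key).encrypt(plaintext)
    return {"ciphertext": token, "signature": editor_key.sign(token)}


def run(run_key, editor_pub, vaulted):
    """Runner's path: verify the editor's signature, then decrypt.

    Raises InvalidSignature if the file was not signed by the editor and
    InvalidToken if the caller does not hold the right run key.
    """
    editor_pub.verify(vaulted["signature"], vaulted["ciphertext"])
    return Fernet(run_key).decrypt(vaulted["ciphertext"])


def demonstrate():
    editor_key = Ed25519PrivateKey.generate()   # only the team leader holds this
    editor_pub = editor_key.public_key()         # handed out together with run_key
    run_key = Fernet.generate_key()              # shared with everyone who runs plays

    # Constructed sample content standing in for an encrypted vars file.
    original = b"openstack_password: hunter2\n"
    vaulted = edit(run_key, editor_key, original)

    results = {}

    # 1. A runner with the run key and the editor's public key can use the file.
    results["legitimate_run"] = run(run_key, editor_pub, vaulted)

    # 2. The runner can produce a valid *ciphertext* for edited content with the
    #    run key, but not a valid signature over it; the old signature no longer
    #    matches, so the run step refuses the tampered file.
    tampered = dict(vaulted)
    tampered["ciphertext"] = Fernet(run_key).encrypt(b"openstack_password: changed\n")
    try:
        run(run_key, editor_pub, tampered)
        results["tampered_rejected"] = False
    except InvalidSignature:
        results["tampered_rejected"] = True

    # 3. Someone with the public key but without the run key cannot decrypt a
    #    properly signed file at all.
    try:
        run(Fernet.generate_key(), editor_pub, vaulted)
        results["wrong_key_rejected"] = False
    except InvalidToken:
        results["wrong_key_rejected"] = True

    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome!r}")
```

The split is one-directional: runners still see the plaintext, which they must in order to run the play, so this only prevents them from producing a file the run step will accept, not from reading it. Signing the ciphertext rather than the plaintext keeps the signature check independent of the run key, so a verify failure can be reported before any decryption is attempted.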