Give them each a bunkerUrl, set perms to each - should work. You can even set an npub of the user you shared it with - will group conns of that user in UI
Discussion
I'm not seeing permissions anywhere. Just the bunker URL and the npub sharing field.
Also, just to make sure I'm clear. The actual private key is stored on an nsec.app server somewhere right? And when you're "syncing" to a device you're just connecting that device with a new client-side keypair and giving it access?
First you generate bunker url, then paste it to app, then confirm connection in nsec.app - that's when you can alter requested permissions, and also after the connection is created you can edit the perms.
Server is only used for e2ee sync of keys encrypted with your password. Actual signing is done on the client. It's non custodial.
So each user ends up with the keys on their device?
No, you don't give your password to anyone, you just give users one or more bunker urls, each of those is a separate connection with a separate set of permissions.
And nsec.app on your devices will be woken up by push API when any app wants to access the keys. If all your devices are offline then it won't respond. For business use case I'd suggest trying our hosted version - install it on your office server/umbrel etc with docker and it will be always online.
Do you have docs on the docker setup?
There's only this: https://github.com/nostrband/noauth#running-hosted-version-with-docker