Vault: how to prevent one team from accessing another team's vault?

How do we prevent one team from accessing another team's vault entries?

There are two things to consider:

1) Make sure to restrict access to the vault from the Management API.

2) Any node.js proxy will still be able to access the vault entry provided that they know the vault name and the entry name. When you access the vault from a node.js proxy you have to specify the organization and the vault name.

One approach is to:

1) Create separate team roles, where each role has access only to its respective team's vault. Each team should know its own vault name. The vault name could be a hashed value, or a hash value appended to a readable vault name. It is really important in this case to restrict the API developer's right to list all vaults and list all vault entries. This will prevent someone from discovering the available vaults.

2) The only way to access the value from an Apigee vault is through a Node.js proxy. So you also have to limit access to the API proxy via RBAC (role-based access control). This will prevent someone from viewing the vault name from the Edge UI.
