About the “Owners and admins can manage all collections and items” organization setting

In my opinion, the “Owners and admins can manage all collections and items” setting is mostly cosmetic.

Because with it unset, I, as an admin of the organization, will not be able to access items in a collection where I do not have explicit access permissions.

This is the case on any Bitwarden client.

But I can always export the organization vault, and those items that I supposedly should not have access to will be there in the export.

And, if I’m an owner and do not want to bother navigating through an export to access them, I will always be able to turn on that setting, access them in any way I want from the admin console and turn off that setting again.

So, effectively, an admin of the organization will always have at least read access to all items in the organization vault, and an owner will always have full access to them.

Given that, I find that setting not only mostly cosmetic but also a bit misleading.

If you are in a large enough organization to worry about this, you probably ought to have a segregation between your user vault and your admin vault/account.

In other words, you would have two vaults, [email protected] that has all of your personal vault entries and is a user in the organization. And you would have a second account, e.g. [email protected] that holds the owner/admin role.

If you wanted to get really fancy, you could have someone else hold the TOTP for kpris+admin so that it is necessary to get peer approval to login to the privileged account.


This I find very interesting…

I don’t find it to be a matter of organization size. As user credentials are so sensitive, the fact that someone has access to all shared items might be undesirable in several scenarios.

And that org setting (“Owners and admins can manage all collections and items”) appears to be a step in that direction.

But, in my opinion it falls very short of it.

A family organization is what was going through my mind as the likely exception.