Allow User to *add*, but *not* edit or delete to an Organisation/Collection

Hey all

After having a discussion with Bitwarden (BW) support, a feature I think would be useful was found to be missing from the platform’s feature set.

As BW is currently set up, users in an Organisation (Org) have either unlimited access (add, edit, delete), or very limited access, such as not even being able to view passwords.

In my own use case I am just a home user with a single Org, but for me having the ability to nominate users who can add, but not edit or delete, existing data in the Org would be useful to me.

Broadening the idea to a large company with an Org, allowing an admin to select users with the ability to add data to vaults would be a way of securely capturing data while ‘in the field’ or even ‘wfh’, and avoids handling sensitive data in insecure ways before an admin/manager/power user can enter it later. The data protection benefits of this seem to be obvious. Admins and Managers could switch on and off the facility for a user(s), to prevent abuse of the ability.

Not allowing the user to edit or delete INCLUDING any data they add (once they add it and save it they no longer can edit or delete it) protects the integrity of the Org data that already exists.

Coming back to my own domestic use case, I have several users who would be of poor IT skills, and giving them unlimited access to an Org with shared details that may not be reliably backed up elsewhere could be catastrophic if they mash ‘ctrl-A and delete’. :smiley: This would also apply to a large business with multiple collections and Orgs where giving the wrong user edit powers would be potentially devastating.

Having the ability to add data to an Org would be a nice middle ground between allowing users too much access, as it seems to be now, or too little where that access is of little use.

This is a feature I have settled on seeking from my own situation, but I hope I’ve given a rationale why it would be useful beyond just this domestic user.


Thanks for the feature request! Expanding custom roles is definitely on the team’s radar :+1:


Great to hear! It is a bit lacking as it is currently set up, and the ‘custom’ area hasn’t much in the way of customisation for general access controls.

It turns out that expanding this feature is not on the radar for users and will only be available to Enterprise users from December onwards, according to an email I have received.

Bitterly disappointed and it will make me reassess before my renewal comes around next Spring.

Thanks for the feedback, I’ve passed it along to the team :+1:

We have a team that would also like a feature very similar to this. We would like for certain team members to be able to edit passwords as well but not delete.

Additionally, we would like the capability to keep anyone less than an admin out of the trash. This would prevent a disgruntled individual who did have delete privileges from going in and emptying the trash out as well, making anything since the last backup unrecoverable.
