Hi, I’m the admin of our family Bitwarden account. I invited my sister and her husband, who are phone-only users. To simplify things, I set up a collection for them to share passwords. I granted them “manage collection” access and gave myself “view items with hidden passwords” permission. I also tested giving myself no access rights. In both cases, I was still able to see the items, including passwords.
Did I do something wrong, or is the only way for my sister and her husband to set up their collection by logging in with their account on a browser?
Which interface/app were you using at the time? If you were using the Admin Console web app, then yes, you will be able to see all data in the organization vault for which you are the administrator. You can add one extra barrier to viewing passwords, by going to Settings > Organization info, and disabling (unchecking) the option “Owners and admins can manage all collections and items”. If you wanted to view the passwords, you would then need to first enter the Admin Console, and then re-enable the “Owners and admins can manage all collections and items” option.
If you were using a password manager app (Web Vault, desktop app, mobile app, CLI) or password manager browser extension, then the “view items, hidden passwords” permission should prevent you from viewing the passwords (although you can still autofill the password, and toggle the password visibility on the web form, if a visibility toggle is available).
If the issue was occurring while you were using a password manager app or extension, then I would suggest that you try synchronizing the vault, and/or logging out and logging back in.
The bottom line is that if your sister and brother-in-law wish to store shared password in the Family organization for which you are owner/admin, then they will need to trust that you don’t use your admin powers to view the contents of their shared collection.
The only alternative is for one of them to set up their own organization (perhaps a free 2-person organization) that is separate from the Family organization.
And if I understand you correctly, this setting “Owners and admins can manage all collections and items” can be enabled or disabled anytime. When enabled, I would see all the passwords in any collection?