Disabling delete item option for the user

Is there any way to disable deleting (or just PERMANENTLY deleting) an item from the collection for the user but not for the Manager/Admin/Owner?

I just had a user wiping 99% of the company collection, because he “wanted to tidy up” his “no folder” folder… It’s a ridiculous name (it should be called “DEFAULT FOLDER” because it is still a folder) for starters, but it is also a dumping ground for everything else INCLUDING company collections.

TBH, not his fault, but it’s a security issue for sure. I would be annoyed too seeing a LOOONG list of passwords on the opening screen after logging in, so I’m not surprised that he wanted to “clean it up”.

Any ideas anyone?

Hi @sszymaniak - welcome! Sorry to hear about your recent incident.

If the person at the source of this issue is in the User role, can you not just restrict them to Read Only access if you don’t trust them?

Otherwise, this sounds like a policy issue, rather than software issue - that is, why did the user think it was their personal collection in the first place, rather than shared secrets?

Hi David,

Thank you for the reply. The main problem I see here is not having this option available in the policies. It’s a shame because it’s a serious security breach.

If the person at the source of this issue is in the User role, can you not just restrict them to Read Only access if you don’t trust them?

Yes, you can set them to “Read Only”, but then they cannot update anything. You have the policy to stop users deleting “Collections”, but not a Collection’s “secrets”, why?

This is not about trusting them or not, it’s about eliminating possible malicious security breaches. What stops the user from wiping out the entire collection in spite or by accident? Keep in mind: I’m talking about permanent delete, to be clear. It’s fine if they have a “move to bin” option, where things can be restored from. Love that part.

Why can we not have another policy option for organisations to stop users from permanently deleting “secrets” from collections? I’m amazed that this is still not an option.

Second issue:

“Otherwise, this sounds like a policy issue, rather than a software issue - that is, why did the user think it was their personal collection in the first place, rather than shared secrets?”

I think you have shot yourself in the foot here. You do NOT expect users to be smart about it when the first thing they see is a long list of ALL “secrets” dumped in front of them from the “no folder” folder?

Wouldn’t it be a smart choice NOT to dump clutter straight onto the screen after you log in unless you ACTUALLY clicked the “no folder” folder? It’s working as a DEFAULT folder, so why not name it that too? Sorry, but this is messy as hell.

I apologise for the tone of this conversation, but I don’t really think any of you is actually using Bitwarden in a corporate situation, because all those issues would be long gone. You would be spending more time making options for corporate users than “fixing” some trivial issues. If that’s not the case, why bother to actually create a “corporate” account at all? There is not much here to make it “corporate”, maybe the price bump.

Care to comment on that? Please :grinning:

I fully agree! Users should NOT be able to permanently delete passwords in a corporate environment. They should be able to update passwords (there is a pw history; why only limited to 5 entries??) and disable them (or remove them to a bin). However, they may NEVER be completely erased, except by an uber-global-organisation-admin.

… are there any plans to change this behaviour? If not, I’m afraid that I have overlooked a showstopper in my software-selection process. I would really hate that, as I am a fan of (almost) everything else in BitWarden !!

Hi. Has there been any development on this issue?
I totally agree! Normal Users should not be able to permanently delete passwords in a corporate environment.
Any solution?

Thanks @joseleca this feedback has been passed along to the team.

So, we are over a year later…

The visibility of passwords is better, at least now I can say to my users “Do not delete anything with the company name on it”… Kudos here. Still, why can we not have the option for All or Favourites visible on the first login screen? It would make life easier for users, not everyone likes clutter.

I can see more options in the corporate Policy sections… you allow removing the “Send” option that no one uses, enforcing autofill, yet still missing the “Permanent Delete for Users” option… or “Permanent Delete available only for Admins” - same thing.

However you want to call this, we need it, to safeguard the data.

Yes… but I’m also waiting for some kind of solution for several months… If this will not be solved very soon, unfortunately I will not be able to renew and will start looking for an alternative to Bitwarden.

Have you brought it up with your Bitwarden enterprise sales rep?

I just started using Bitwarden with an Enterprise client, and to my shock found that this option does not exist. Passwords need to be updated by users at times, and there is password history in case of an error. But any user with edit rights can delete a shared entry completely. What if there is a disgruntled employee, who acts on impulse? I see this as a huge oversight.

They only have time to activate a new policy for “Enable auto-fill” or “Vault timeout”… Like anyone cares about them…

I see this thread started in 2022. Is there an option for this yet? We are testing Bitwarden Enterprise in our organization, we just started setting up the permissions structure and this is a huge security concern. From either a malicious or just accidental standpoint, this could be a deal breaker for some organizations, which is unfortunate, especially for us, since we do like the product so far but this complicates things.

You are OK with a disgruntled employee updating all your entries with fake data, but not with them deleting entries? If you give someone ‘write’ access, it really is no less risky than ‘delete’ access.

If users need write access, the real defense as I see it is to occasionally create an export, so that you can recover from user error (malicious or unintentional). This will also protect against administrator errors.

As for the delete option, if you set up the collection to Read Only, they cannot specifically delete anything from it, but they cannot add/change it, either.

There is never a 100% sure way of fixing it, but backup is not optional. You need to export data to protect it. It’s a shame there is no auto-save (backup), but you can’t have everything, and you can do it manually.

You can mitigate fake data by looking at the history of the entry and reverting back, but you can’t undelete from permanent deletion. The goal is to mitigate risk since it cannot be eliminated.

If at this point I am still touching Bitwarden for manual backups/exports this might not be our solution.

Thank you all for your help.

Both “vault trash” and password history can be subverted by the disgruntled person changing the password on the website without recording it in Bitwarden. And IIRC the password history is not infinite so a bunch of fake changes could also do you in.

Honestly, there is no substitute for off-line backups. Not just for Bitwarden, but for everything. Bitwarden does have export capabilities in its CLI that could be used to automate the first half, but you still need a human to throw the backup tapes into the fireproof vault.

Sounds like you should be self-hosting an on-prem server, and set up automated server backups.

You can also automate backups client-side, although there are certain caveats.
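Putting the two backup suggestions above (automating the export half with the Bitwarden CLI, and doing it client-side with its caveats) into a concrete shape: the script below is an added example, not Bitwarden's own tooling and not code from anyone in this thread. It assumes the `bw` CLI is installed and that a session key from `bw unlock --raw` (or `bw login`) is already in `BW_SESSION`, so the script never touches the master password; the organisation id, backup directory, retention count and the `BW_EXPORT_PASSWORD` variable name are placeholders. It exports in `encrypted_json` form, verifies the file really is encrypted before keeping it, and prunes old copies.

```python
"""Scheduled export of an organisation vault with the Bitwarden CLI (`bw`).

Added example, not Bitwarden's own code.  Assumes `bw` is on PATH and that the
session key from `bw unlock --raw` (or `bw login`) is in $BW_SESSION.  The
organisation id, directory, retention count and BW_EXPORT_PASSWORD variable
are placeholders to replace.
"""
import json
import os
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def export_argv(org_id, out_path, export_password=None):
    """Build the `bw export` argv.  `encrypted_json` keeps the file unreadable
    at rest.  Without --password the export is encrypted with the account key
    and can only be imported back into that same account; with a password it is
    portable, at the cost of the password being visible in the process list
    while `bw` runs (so keep it in a protected env var, never a script literal)."""
    argv = ["bw", "export", "--organizationid", org_id,
            "--format", "encrypted_json", "--output", str(out_path)]
    if export_password:
        argv += ["--password", export_password]
    return argv


def backup_name(org_id, stamp):
    """UTC timestamp in the file name, so lexical order equals time order."""
    return f"bw-org-{org_id}-{stamp}.json"


def check_export_doc(doc):
    """Sanity-check a parsed export: it must be the encrypted form (an
    `encrypted` flag plus an opaque `data` string), never a plaintext export
    (which carries an `items` list).  This catches a job that silently fell
    back to --format json and left secrets in the clear on disk."""
    return (isinstance(doc, dict) and doc.get("encrypted") is True
            and isinstance(doc.get("data"), str) and bool(doc["data"])
            and "items" not in doc)


def check_export(path):
    with open(path, encoding="utf-8") as fh:
        return check_export_doc(json.load(fh))


def prune_plan(names, keep):
    """Names to delete so that only the newest `keep` remain.  keep < 1 would
    delete every backup, so it is refused rather than silently honoured."""
    if keep < 1:
        raise ValueError("keep must be >= 1")
    ordered = sorted(names)
    return ordered[:-keep] if len(ordered) > keep else []


def run_backup(org_id, backup_dir, keep=30, export_password=None):
    """sync -> export to a temp name -> verify -> atomic rename -> prune."""
    if not os.environ.get("BW_SESSION"):
        raise RuntimeError("BW_SESSION not set; run `bw unlock --raw` first")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    subprocess.run(["bw", "sync"], check=True)  # pull the latest server state
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    final = backup_dir / backup_name(org_id, stamp)
    tmp = final.with_suffix(".partial")  # not matched by the *.json prune glob
    subprocess.run(export_argv(org_id, tmp, export_password), check=True)
    if not check_export(tmp):
        tmp.unlink()
        raise RuntimeError("export is not an encrypted_json file; discarded")
    os.replace(tmp, final)  # only complete, verified files get the real name
    existing = [p.name for p in backup_dir.glob(f"bw-org-{org_id}-*.json")]
    for name in prune_plan(existing, keep):
        (backup_dir / name).unlink()
    return final


if __name__ == "__main__":
    # Placeholder organisation id and path; schedule this via cron or a timer.
    print(run_backup("ORG-ID-PLACEHOLDER", "/srv/bw-backups",
                     export_password=os.environ.get("BW_EXPORT_PASSWORD")))
```

The export is written under a `.partial` name and only renamed once it parses as an encrypted export, so a crash mid-export or an accidental plaintext export never ends up looking like a valid backup. Copying the resulting directory to off-line media, as the post above says, is still the manual half.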