Disabling delete item option for the user

Is there any way to disable deleting (or just PERMANENTLY deleting) an item from the collection for the user but not for the Manager/Admin/Owner?

I just had a user wiping 99% of the company collection, because he “wanted to tidy up” his “no folder” folder… It’s a ridiculous name (it should be called “DEFAULT FOLDER” because it is still a folder) for starters, but it is also a dumping ground for everything else, INCLUDING company collections.

TBH, not his fault, but it’s a security issue for sure. I would be annoyed too seeing a LOOONG list of passwords on the opening screen after logging in, so I’m not surprised that he wanted to “clean it up”.

Any ideas anyone?

Hi @sszymaniak - welcome! Sorry to hear about your recent incident.

If the person at the source of this issue is in the User role, can you not just restrict them to Read Only access if you don’t trust them?

Otherwise, this sounds like a policy issue, rather than software issue - that is, why did the user think it was their personal collection in the first place, rather than shared secrets?

Hi David,

Thank you for the reply. The main problem I see here is not having this option available in the policies. It’s a shame because it’s a serious security breach.

“If the person at the source of this issue is in the User role, can you not just restrict them to Read Only access if you don’t trust them?”

Yes, you can set them to “Read Only”, but then they cannot update anything. You have the policy to stop users from deleting “Collections”, but not a Collection’s “secrets”. Why?

This is not about trusting them or not, it’s about eliminating possible malicious security breaches. What stops the user from wiping out the entire collection in spite or by accident? Keep in mind: I’m talking about permanent delete, to be clear. It’s fine if they have a “move to bin” option, where things can be restored from. Love that part.

Why can we not have another policy option for organisations to stop users from permanently deleting “secrets” from collections? I’m amazed that this is still not an option.

Second issue:

“Otherwise, this sounds like a policy issue, rather than a software issue - that is, why did the user think it was their personal collection in the first place, rather than shared secrets?”

I think you have shot yourself in the foot here. You do NOT expect users to be smart about it when the first thing they see is a long list of ALL “secrets” dumped in front of them from the “no folder” folder?

Wouldn’t it be a smarter choice NOT to dump clutter straight onto the screen after you log in, unless you ACTUALLY clicked the “no folder” folder? It’s working as a DEFAULT folder, so why not name it that too? Sorry, but this is messy as hell.

I apologise for the tone of this conversation, but I don’t really think any of you is actually using Bitwarden in a corporate situation, because all those issues would be long gone. You would be spending more time making options for corporate users than “fixing” some trivial issues. If that’s not the case, why bother to actually create a “corporate” account at all? There is not much here to make it “corporate”, except maybe the price bump.

Care to comment on that? Please :grinning:

Regards
Slawomir