Family Org: Allow non-Owner Users to Create & Manage Collections that the Owner can't Open

Allow lower level users (like Admin? Manager?) to create and manage Collections that the Owner can see, but not open to view the details of the login creds, cards, etc.

Use case:
I wanted to subscribe to a Premium Family account for me, my wife, my daughter and her husband. We all share a few login creds (global Collection). My daughter and her husband have other login creds they share but my wife and I should not have access to (like their bank and credit card accounts). Same scenario for my wife and me. Since someone has to be the owner of the family org, that person can see every login cred in every Collection in the family org.

Thanks for your consideration.
Respectfully,
Dave in TN

2 Likes

You can have more than one owner in your organization, so I am not really sure why this is necessary??

dh024: I was not aware there could be more than one owner in a Premium Family org. I didn’t see that mentioned in any of the marketing or Support articles I read. Thanks for the heads up. I will explore this further with the 2-person free family org I’m testing with now. Thanks again for the idea and strategy.

1 Like

dh024: I tried the strategy of setting up 2 users as Owners, each creating a Collection, and trying to restrict the other owner from viewing and using the other Owner’s Collection. This did not work. Both Owners could view and use the Collection the other Owner created. Thanks for the idea.

I still believe this would be a good enhancement to the BW system. Hopefully it will be considered in the future.

Regards,
Dave

Hi @DaveinTN - if you want to hide collections so the different owners can’t see it, follow the advice here (I posted this in your other thread, but you may have missed it):

If you want to do more than this - that is, make the collection entirely inaccessible between owners, then you will have to create a second organization (e.g., the two-person free organization that Kent mentioned). My apologies if I confused “not see” with “not access” collections in your intent. :smiley:

dh024: thanks for confirming what I tested and experienced. As Owner of the Family Org, when I use Web Vault, I can view/access any login in any Collection (but not the logins in the individual Personal Vaults). I have suggested a separate free 2-person family org. to my daughter and son-in-law for their logins they need to share, while using my Premium Family org. for sharing logins between us all and for encrypted file transfers.

I appreciate all your help while I was testing and exploring how we could use the BW system.
Best regards,
-Dave

1 Like

I think this is a valid feature request. There should be a way for others in my family organization to share passwords with each other, without me having access.

That being said, I’m really hoping that Bitwarden adds a way to share passwords outside of organizations, because there are so many legitimate use cases for maintaining ownership of a password, and sharing it with people who would not naturally be in an organization together.

2 Likes

I also agree that this is sorely needed.

As a family/business, it’s a liability to have one account able to access all entries of all collections.

I’m not sure exactly how other services do it, but I could imagine:

  1. A role which is able to create collections. Any role above that also can create collections.
  2. Owners can enable/disable private collections. When disabled, all collections must have all owners checked under accessible users. When enabled, the only restriction is that at least one user must have full access. It does not have to be the creator.
  3. This would allow me to create collections for my parents to use without me having access and without me having to physically control their device for them.

Perhaps in a technical sense it would be easier to have the restriction that private collections must require the creator to have full access (assuming they must generate a key on creation).

Anywho, this feature gets my vote, but it might actually be easier for my parents to just use the “share individually owned passwords” feature…?

We’ll see.

Just FYI, we discussed switching from LastPass Enterprise to Bitwarden Enterprise, and “Admins have access to all collections and their items” was a deal breaker…

So just bumping this thread to let anyone interested know that.

1 Like

Thanks, the team is working on a change for this process to allow preventing all access.

Bumping this…

Just signed up (and paid) for a family account for 6 of us. Moving from LP.

Discovered that BW mandates that I, as the owner, will always have access to all of their logins. This is a non-starter. 6 of us, 6 accounts… for its faults, LP let you have separate datasets then only share what you wanted.

I’ve got 6 days to cancel the membership. Bummer.

2 Likes

My parents eventually just accepted the fact that I’d have access.

Just last week my brother and his wife talked about wanting to get started with password managers, I told them I had 2 slots open in my family plan, but they were turned off by me being able to see everything.

Bitwarden has become such an amazing piece of software. My nerd crush honeymoon phase is over, but man it’s a workhorse for my family and me.

Looking forward to further improvements!

Any update on this?

Would love to upgrade to a family account and take advantage of the features there (+ support a great product), but the lack of access control configuration that would handle this use case is a blocker.

1 Like

@mour, I agree this is needed. As the org owner, I would prefer not to have access to (or even know about) collections I’m not a part of.

In the meantime, you can create a family org to support Bitwarden and access premium features without using collections. I don’t think you can disable collections, but you could provide full disclosure to family members and discourage the use of collections until Bitwarden adds better privacy/security to collections.

Emergency Access and TOTP are two premium features worth the price in my opinion.

You probably already know this, but I wanted to clarify for others reading the thread. The organization owner can only see what members add to a collection in your organization (not their whole vaults). If they’re wanting to share passwords between just the two of them, they can create a collection outside the family plan.

All that being said, I still agree Bitwarden should change things so family members can create collections and share without the Family owner having access to all collections within the organization.

TBH, I wish they would fix sharing so that it isn’t organization centric. I liked Lastpass’ sharing methods where you could share any vault item with any other LastPass customer. You didn’t have to move the password outside your vault, to an org/collection.

Is there any update?

I’m a systems administrator and I plan on implementing the self-hosted paid version of Bitwarden in the company. The issue is that, as I and my team will be the ones responsible for creating and managing an organization for each department, if said departments have shared accounts stored in their organization vault, I would be able to see each and every password in the organization vault.
There have been many people suggesting the use of personal vaults, but from a management standpoint, that isn’t feasible since, if the password changes, everyone that has that entry in their vault has to change it, creating a scenario where some will have the right credentials and others won’t, especially in a big department.
Another option would be to create the organization, assign the head of the department as the owner and then remove myself from said organization, but that creates another problem. I don’t want to have someone other than sysadmins managing organizations, both from a security and knowledge standpoint, as they, in my way of seeing things, shouldn’t have to know how to run an organization, due to the fact that they may have difficulties in doing so or have other more important things to do.
This should be something configured only by sysadmins, so that the end user doesn’t need to worry about anything other than using the software.

This is preventing us from switching to Bitwarden, as it infringes on the basics of users privacy policies.

1 Like

Hi @gcorreia thanks for sharing and welcome to the Bitwarden community!
The Collection permissions item on the roadmap (Bitwarden Roadmap - Feature Requests - Bitwarden Community Forums) represents new work the team has in store, so stay tuned.
At the same time, we hear from many companies who, due to unplanned or inadvertent staff changes, are thankful that Admins have the ability to view those credentials.
Soon Bitwarden will offer both options.

1 Like