Flag items needing changes after revoking user access

My organization is increasingly using Bitwarden but faces an issue due to rotation of roles. When roles change, shared passwords are expected to be changed along with them, so as to effectively revoke access to systems even if those passwords had been copied elsewhere. This presents a logistical issue of tracking which items need to be or have been changed.

Bitwarden can help with this by flagging these items after access revocations. Examples of changes which usually cause access revocations:

  • Demoting user type or toggling off “access and modify all items”.
  • User leaving/removal from a group, collection, or organization membership.
  • Deleting a group or collection.
  • Removing a collection from a group.
  • Removing an item from a collection.

With enterprise auditing features, the flagging could specifically track items (or even fields) the user has actually accessed or used following the item’s most recent password change (or if they performed it).

Unflagging can be manual, or automatic after changing relevant passwords, TOTP keys and hidden field values.

Even at its narrowest, not all organizations are so paranoid, and they might desire to limit which collections or groups of users to track revocations, and possibly to track none.

(An "attention needed" flag could also be useful for a great many other possible features.)
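To make the requested flagging logic concrete, here is an added example written for this thread (it is not part of the original post and not Bitwarden's own code or event schema): a small Python model in which collections, memberships and the event kinds `view`, `rotate` and `revoke` are all assumptions. It flags an item when a user loses their last path to it while they have seen its secret since the most recent rotation, treats the person who rotated as knowing the new secret, and clears the flag automatically on the next rotation.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Event:
    ts: int
    kind: str    # "view" | "rotate" | "revoke" (constructed vocabulary, not Bitwarden's)
    user: str
    target: str  # item id for view/rotate, collection id for revoke

def flag_items(events: List[Event], collections: Dict[str, Set[str]],
               membership: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {item: {revoked users who still know its current secret}}."""
    member_of = {u: set(c) for u, c in membership.items()}  # work on a copy
    knows: Dict[str, Set[str]] = {}    # item -> users who saw it since last rotation
    flagged: Dict[str, Set[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "view":
            knows.setdefault(ev.target, set()).add(ev.user)
        elif ev.kind == "rotate":
            # New secret: only the rotating user knows it, and any flag clears.
            knows[ev.target] = {ev.user}
            flagged.pop(ev.target, None)
        elif ev.kind == "revoke":
            member_of.setdefault(ev.user, set()).discard(ev.target)
            still_reachable = set().union(
                *(collections.get(c, set()) for c in member_of[ev.user]))
            for item in collections.get(ev.target, set()):
                if item in still_reachable:
                    continue  # another collection still grants it: no real revocation
                if ev.user in knows.get(item, set()):
                    flagged.setdefault(item, set()).add(ev.user)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return flagged

# Constructed sample data (assumed names, not real identifiers).
COLLECTIONS = {"infra": {"router-admin", "db-root"}, "billing": {"db-root", "stripe"}}
MEMBERSHIP = {"alice": {"infra", "billing"}, "bob": {"infra"},
              "carol": {"infra"}, "dave": {"infra"}}
EVENTS = [
    Event(1, "view", "alice", "db-root"),
    Event(2, "view", "bob", "router-admin"),
    Event(3, "view", "bob", "db-root"),
    Event(4, "rotate", "carol", "db-root"),      # bob's earlier view no longer matters
    Event(5, "view", "bob", "db-root"),
    Event(6, "revoke", "bob", "infra"),          # bob knows router-admin and db-root
    Event(7, "revoke", "alice", "infra"),        # alice still reaches db-root via billing
    Event(8, "rotate", "dave", "router-admin"),  # clears the router-admin flag
]
if __name__ == "__main__":
    print(flag_items(EVENTS, COLLECTIONS, MEMBERSHIP))  # {'db-root': {'bob'}}
```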

Hi,

I know this doesn’t immediately solve your problem but the crux of the issue is sharing credentials in the first place.

Best practice is for each user to have their own, unique credentials and appropriate permissions assigned based on their role. Not only does this solve the issue of having to change passwords every time someone changes role, it also helps from a logging and monitoring perspective. You’ll have a complete audit trail of who has done what, as opposed to just seeing the same “admin” user everywhere in your logs.

Cheers,
Dan


Absolutely true, sharing credentials (even with a password manager) is a last resort, with individual accounts the preferred means of dealing with access for all the reasons you list. Unfortunately, far too many services and systems don’t bother to provide that ability.

Another solution would be an authentication proxy/broker type of system, where users individually authenticate with an intermediary which itself retains credentials and session cookies. These almost eliminate the need for user-synchronized org password management altogether. They’re rarely aimed at small-mid organizations, or open source for that matter.
