My organization is increasingly using Bitwarden but faces an issue due to rotation of roles. When roles change, shared passwords are expected to be changed along with them, so as to effectively revoke access to systems even if those passwords had been copied elsewhere. This presents a logistical issue of tracking which items need to be or have been changed.
Bitwarden can help with this by flagging these items after access revocations. Examples of changes which usually cause access revocations:
- Demoting user type or toggling off “access and modify all items”.
- A user leaving or being removed from a group, collection, or the organization itself.
- Deleting a group or collection.
- Removing a collection from a group.
- Removing an item from a collection.
With enterprise auditing features, the flagging could specifically track items (or even fields) the user has actually accessed or used following the item’s most recent password change (or if they performed it).
Unflagging can be manual, or automatic after changing relevant passwords, TOTP keys and hidden field values.
Even at its narrowest, not all organizations are so paranoid, and they might want to limit which collections or user groups have revocations tracked, or track none at all.
(An "attention needed" flag could also be useful for a great many other possible features.)
- Persistent tagging of items flagged in reports.
- Changing passwords after enacting stronger password generator enterprise policies.
- Changing passwords after temporary sharing.
- Changing passwords for account credentials sent to you by another Bitwarden user.
- Changing passwords after unsharing.
- Password/card/identity/etc expiration warnings.
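To illustrate the flagging logic proposed above, here is an added example (not Bitwarden's code; the collection/group/user model is a simplified assumption): after any membership or structure change, flag exactly those items that some user could reach before the change and cannot after it, and clear the flag once the item's secret is rotated. A user who keeps access through another path is not a revocation, so no flag is raised.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Org:
    """Simplified model of shared-vault access (assumed structure, not Bitwarden's data model)."""
    collection_items: dict[str, set[str]]   # collection -> item ids it contains
    group_collections: dict[str, set[str]]  # group -> collections the group can read
    user_groups: dict[str, set[str]]        # user -> groups the user belongs to
    user_collections: dict[str, set[str]]   # user -> collections assigned directly
    admins: set[str] = field(default_factory=set)  # users with "access and modify all items"
    flagged: set[str] = field(default_factory=set) # items whose secret must be rotated

    def accessible_items(self, user: str) -> set[str]:
        """Every item the user can currently read via admin rights, groups or direct assignment."""
        if user in self.admins:
            return set().union(*self.collection_items.values())
        cols = set(self.user_collections.get(user, ()))
        for g in self.user_groups.get(user, ()):
            cols |= self.group_collections.get(g, set())
        return set().union(*(self.collection_items.get(c, set()) for c in cols))

    def apply_change(self, change: Callable[["Org"], None]) -> set[str]:
        """Apply a membership/structure change and flag each item some user lost access to."""
        users = set(self.user_groups) | set(self.user_collections) | self.admins
        before = {u: self.accessible_items(u) for u in users}
        change(self)
        lost: set[str] = set()
        for u in users:
            lost |= before[u] - self.accessible_items(u)
        self.flagged |= lost
        return lost

    def rotate_secret(self, item: str) -> None:
        """Password/TOTP key/hidden field rotated: old copies are useless, so clear the flag."""
        self.flagged.discard(item)

def demo() -> tuple[set[str], set[str]]:
    org = Org(  # constructed sample organization
        collection_items={"prod-db": {"db-root"}, "wiki": {"wiki-admin"}, "shared": {"vpn-psk"}},
        group_collections={"dba": {"prod-db", "shared"}, "ops": {"shared", "wiki"}},
        user_groups={"alice": {"dba", "ops"}, "bob": {"ops"}},
        user_collections={},
    )
    # alice leaves "dba": she still reaches "shared" via "ops", so only db-root needs rotation
    lost = org.apply_change(lambda o: o.user_groups["alice"].discard("dba"))
    org.rotate_secret("db-root")  # rotation performed, flag cleared
    return lost, set(org.flagged)
```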