My colleague who is a regular user in our Bitwarden Organization wanted to know if another colleague of ours could access the item she created in a collection. It was unclear how to see, as a regular user, who has access to an item and/or collection?
For me as an admin I can find out but it is rather cumbersome too. My steps now were:
Log in
Manage organization
Manage collections
Open the gear icon thingie, note which individual users have access to the collection
close that popup
Click on the collection name to open a different popup, note which user groups have access to the collection
Optionally (if you don't know it by heart) go to the user group and see who has access
A lot of steps to see the effective access to a collection (item). And only available as an admin.
TLDR: How can you see the effective access to a collection (item) as a regular organization member?
EDITED, taken from later post: in for example LastPass, I can open a shared item and see the effective (direct or inherited) access to it, for both "groups" and individual users. I guess I'm looking for a similar feature in Bitwarden.
Hey @jeroenheijmans, the best practice is to use groups and collections (along with nested collections) to see at a glance who is part of what group and thus which collection, allowing for scalability. So rather than focusing on what individual users have access to, organizing vault items into user groups. Let me know if that helps!
Teams and Enterprise Organizations can designate access to Collections based on user Groups, rather than individual users. Group-Collection associations provide a deep level of access control and scalability to sharing resources. One common Group-Collection methodology is to create Groups by Department and Collections by Function, for example:
Thanks for the prompt reply! I didn't know about nested collections so TIL and that's useful on its own already!
I already use groups, but how does that allow my regular user colleague to easily view who has access to a collection? She can currently not click on any button or get any popup to see which groups have access to a collection (let alone effective rights).
For example, in LastPass, if I open a shared folder I can view the access rights and see a mix of groups and individual users that have been given access (either directly or through inheritance) to an item or folder (their concept of collections).
Great questions! What naming conventions are you using to create your collections? Instead of trying to manage single passwords, it's best to think about which collection a password should belong to.
My naming convention indicates the functional part of our org it belongs to.
To make it concrete, in this case we had:
a collection called Office Management
in that collection an item called Front Door Alarm Code
several user groups amongst which an Everyone group (we're a ~30 people org)
The primary, regular user(s) -a non-admin- of that collection wanted to check, without having to call an admin in the org, whether the Everyone group had access to that collection.
In her UI there seemed to be no way to check effective access to a collection. And even as an admin it takes several steps (outlined in the original post) to double check things.
Thanks again for your time, replies, and questions.
If this is beyond the scope of connecting with the admin, it sounds like you may want a Manager or Custom type for this user. Check out the User Types and Access Controls Help Center article and let me know if that answers your question.
Manager
Access shared items in assigned Collections
Add, edit, or remove items from assigned Collections (unless Read Only)
Assign Users to Collections
Assign User Groups to Collections
Create or delete Collections
Custom
Allows for granular control of user permissions on a user-by-user basis, see Custom Role.
I'd still love for any user to be able to see what the effect is of adding an item to their collection. However little access they have: if you can manage an item, you should be able to unambiguously see which user groups and individual users have access to that item. Without having to call an admin or create custom roles. So perhaps that's a feature request?
However…
Regardless of that, even I as an owner of the organization, cannot easily see the effective access to an item or a collection. Right? I have to take all the steps in my original post to see who effectively can access an item or collection? Similar to LastPass (I think?), or also a file/folder on a Windows share where I can just open a file's properties and see which individual users and groups have access to that file or folder.
The "User" type doesn't provide visibility into group and collection management. For users to see which groups have access to which collections requires an elevated user type.
But is there any more convenient way (than described in original post with the steps) for elevated user types to then see the effective rights to a collection?
To clarify, when I (an owner of the org) am about to create a new item in a collection, I might think "Hmm, who could access this if I create it?" and would expect to do something like this:
Probably I expected something like that to be there, but it just isn't? (I now understand that this won't be there for a non-elevated user either way.)
Thanks again for your continued replies, much appreciated!!
@bw-admin, is this feature on the roadmap? Would be useful for users who can add/edit passwords to a collection to be able to know who is going to have access to that password.
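
The "effective access" view asked for in this thread (direct assignments plus access inherited through groups) can be computed during an access review from a list of collection assignments and group memberships. This is an added example, not part of any post above and not Bitwarden code; the dictionary shapes, user names and the `Office Managers` and `Facilities` groups are constructed assumptions, not Bitwarden's export or API format.

```python
from collections import defaultdict

# Constructed sample data; these shapes are assumptions for this example,
# not Bitwarden's export or API format.
GROUPS = {
    "Everyone": {"alice", "bob", "carol"},
    "Office Managers": {"carol"},
}
COLLECTIONS = {
    "Office Management": {
        "users": {"carol", "dave"},                   # direct assignments
        "groups": {"Office Managers", "Facilities"},  # Facilities has no member list
    },
}


def effective_access(collection_name, collections=COLLECTIONS, groups=GROUPS):
    """Return ({user: [access paths]}, [unresolved group names])."""
    coll = collections[collection_name]
    paths = defaultdict(list)
    for user in sorted(coll.get("users", ())):
        paths[user].append("direct")
    unresolved = []
    for group in sorted(coll.get("groups", ())):
        if group not in groups:
            # Assignment refers to a group we cannot expand: flag it
            # instead of silently reporting "nobody".
            unresolved.append(group)
            continue
        for user in sorted(groups[group]):
            paths[user].append(f"group:{group}")
    return dict(paths), unresolved


def group_has_access(collection_name, group, collections=COLLECTIONS):
    """Is this group assigned to the collection at all?"""
    return group in collections[collection_name].get("groups", ())


if __name__ == "__main__":
    access, unresolved = effective_access("Office Management")
    for user, via in sorted(access.items()):
        print(f"{user:6} via {', '.join(via)}")
    print("unresolved groups:", unresolved)
    print("Everyone assigned:", group_has_access("Office Management", "Everyone"))
```

Listing every access path per user, rather than a single yes/no, shows which assignment has to be removed to revoke someone's access.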