How can regular users see who which colleagues or groups have (effective) access to an item or collection?

My colleague who is a regular user in our Bitwarden Organization wanted to know if another colleague of us could access the item she created in a collection. It was unclear how to see, as a regular user, who has access to an item and/or collection?

For me as an admin I can find out but it is rather cumbersome too. My steps now were:

  • Log in
  • Manage organization
  • Manage collections
  • Open the gear icon thingie, note which individual users have access to the collection
  • close that popup
  • Click on the collection name to open a different popup, note which user groups have access to the collection
  • Optionally (if you don’t know it by heart) go to the user group and see who has access

A lot of steps to see the effective access to a collection (item). And only available as an admin.

TLDR: How can you see the effective access to a collection (item) as a regular organization member?


EDITED, taken from later post: in for example Lastpass, I can open a shared item and see the effective (direct or inherited) access to it, for both “groups” and individual users. I guess I’m looking for a similar feature in Bitwarden.

Hey @jeroenheijmans, the best practice is to use groups and collections (along with nested collections) to see at a glance who is part of what group and thus which collection, allowing for scalability :+1: So rather than focusing on what individual users have access to, organizing vault items into user groups. Let me know if that helps!

Teams and Enterprise Organizations can designate access to Collections based on user Groups, rather than individual users. Group-Collection associations provide a deep level of access control and scalability to sharing resources. One common Group-Collection methodology is to create Groups by Department and Collections by Function, for example:

1 Like

Thanks for the prompt reply! I didn’t know about nested collections so TIL and that’s useful on its own already!

I already use groups, but how does that allow my regular user colleague to easily view who has access to a collection? She can currently not click on any button or get any popup to see which groups have access to a collection (let alone effective rights).

For example, in Lastpass, if I open a shared folder I can view the access rights and see a mix of groups and individual users that have been given access (either directly or through inheritance) to an item or folder (their concept of collections).

Great questions! What naming conventions are you using to create your collections? Instead of trying to manage single passwords, it’s best to think about which collection a password should belong to.

1 Like

My naming convention indicates the functional part of our org it belongs to.

To make it concrete, in this case we had:

  • a collection called Office Management
  • in that collection an item called Front Door Alarm Code
  • several user groups amongst which an Everyone group (we’re a ~30 people org)

The primary, regular user(s) -a non-admin- of that collection wanted to check, without having to call an admin in the org, whether the Everyone group had access to that collection.

In her UI there seemed to be no way to check effective access to a collection. And even as an admin it takes several steps (outlined in the original post) to double check things.

Thanks again for your time, replies, and questions.

If this is beyond the scope of connecting with the admin, it sounds like you may want a Manager or Custom type for this user. Check out the User Types and Access Controls Help Center article and let me know if that answers your question.

Manager

  • Access shared items in assigned Collections
    Add, edit, or remove items from assigned Collections (unless Read Only)
  • Assign Users to Collections
  • Assign User Groups to Collections
  • Create or delete Collections

Custom
Allows for granular control of user permissions on a user-by-user basis, see Custom Role.

1 Like

Hmmmmm…

I’d still would love for any user to be able to see what the effect is of adding an item to their collection. However little access they have: if you can manaage an item, you should be able to unambiguously see which user groups and individual users have access to that item. Without having to call an admin or create custom roles. So perhaps that’s a feature request?

However…

Regardless of that, even I as an owner of the organization, cannot easily see the effective access to an item or a collection. Right? I have to take all the steps in my original post to see who effectively can access an item or collection? Similar to Lastpass (I think?), or also a file/folder on a Windows share where I can just open a file’s properties and see which individual users and groups have access to that file or folder.

Hope that makes sense?

The ‘User’ type doesn’t provide visibility into group and collection management. For users to see which groups have access to which collections requires an elevated user type.

1 Like

That’s understandable.

But is there any more convenient way (than described in original post with the steps) for elevated users types to then see the effective rights to a collection?

To clarify, when I (an owner of the org) am about to create a new item in a collection might think “Hmm, who could access this if I create it?” and would expect to do something like this:

Probably I expected something like that to be there, but it just isn’t? (I now understand that this won’t be there for a non-elevated user either way.)

Thanks again for your continued replies, much appreciated!!

Hey @jeroenheijmans, thanks for clarifying! We are working on a UI refresh that includes improved collection visibility for Owners/admins.

Cool!

Love using the product so far, looking forward to any improvements in this regard.

1 Like