✅ MSP Provider- Restrict Item to Organization Only (Security Issue)

I recently reviewed that Provider Portal and Setup and I’m definitely not comfortable with the access controls at this level.Example -Service Users- Accessing banking logins for clients? Service Users- Accessing Accounting Master Passwords for clients. (Really even the provider admin shouldn’t have access to any of these)

I realize it’s a work in progress so here is a quick solution that will solve most issues.

Allow items to have restricted to organization checkbox, available to organization owner accounts.
These items would not be able to be moved, deleted or accessible by provider accounts.

This ability would be contingent on an owner being setup for the client organization.

Now obviously this can be worked around by Provider setting up a new owner user on the account, but this should be clearly logged with who did it already. And this paper trail should be sufficient for now, until better controls are available a the provider level.

@Jon_Maurer for visibility :slight_smile:

I just started working on BitWarden and even with Enterprise licensing it does not feel like an enterprise product. With Passwordstate, and end user can setup their own private password list and master admins cannot see the contents by default. There is a procedure whereby a master admin could take ownership of the list if the person left the company, but it is a process. And there is an audit trail of it. I don’t see right now how BitWarden could be acceptable for use in organizations without proper segmentation of rights.

I am also seeing that if an entry is made in a vault in a sub-organization, that entry is visible to the master admin in their primary vault view. I could understand visibility into a target item by drilling into the organization or by doing some sort of an extended search, but if by default it appears inside of the primary vault, this is not acceptable from a security perspective.

Hi @QPCSecurity,

By default, items that are added to Bitwarden are in the Personal/Individual Vault. Only items with the cube icon next to them are shared (as part of a collection) with any admins or other users.

This seems to be a stop-gap procedure. I would have some of my clients having to check the “Restrict password to organization” to all passwords, so that puts more work on the client just to use us as the manager of the system? By default, passwords should be invisible to the provider unless the client organization deems it to be visible. This is how our current solution we are migrating from operates. The items are invisible to us unless the client ‘shares’ the password with us, then it appears in their client organization space. I would modify this suggestion that this “feature” is on by default via an enterprise policy and clients would have to uncheck the box to show us (the MSP) the password

+1 For this feature.
An MSP operator should not have access to managed Org. items at least on a content level.

2 Likes

Thanks for the feedback all! The team is looking closely at improvements in this space :+1:

Ugh. Our adoption of Biwarden stops dead in the water over this issue. Its literally a showstopper. There’s no way we can roll this out with my team having access to sensitive client data like credit cards, bank accounts, online banking sites, logins to systems with PII, and so on. Is there a workaround?

Thanks, the team is working on this one, thanks for your patience!

Any updates? I am in the same boat. I want to provide enterprise to all our clients and can’t as it stands because of this.

@bw-admin can you give us an update on this situation? Are you how close on implementing this feature?

Hi @bw-admin

We’re currently hoping to roll-out the Bitwarden Enterprise offering to clients interested in jumping onboard the ‘Password Manager’ train; however, this security/visibility issue is presenting as somewhat of a roadblock when discussing with clients directly.

Could we get an update on the progress on this feature development?
Any type of ETA or rough roadmap would be much appreciated, as having confirmation of expected implementation will go a long way in easing client apprehension when suggesting the solution.

Regards,

Hey Sam, thanks for your patience, this feature will be available by end of Q3.

We would really like to see this as well. The sooner the better!

Here we are in October and any word on this? MSP here and we want to push BW to all our clients but this keeps us from even looking at it again.

Hi @ExR90 - I’m happy to announce this functionality will be available with our November release - stay tuned!

November came and went.
Did I miss a newsletter?

Hi @raimo_h Thanks for asking! It is taking a bit longer than expected. This capability is still on the priority list and is slated for early next year.

1 Like

Thank you for the quick update @go12
I do hope that 3rd time is the charm when it comes to the timing of this feature :slightly_smiling_face:

1 Like

We are also waiting anxiously for this feature, before then we really can not consider the Bitwarden MSP model!