MSP Provider- Restrict Item to Organization Only (Security Issue)

I recently reviewed that Provider Portal and Setup and I’m definitely not comfortable with the access controls at this level.Example -Service Users- Accessing banking logins for clients? Service Users- Accessing Accounting Master Passwords for clients. (Really even the provider admin shouldn’t have access to any of these)

I realize it’s a work in progress so here is a quick solution that will solve most issues.

Allow items to have restricted to organization checkbox, available to organization owner accounts.
These items would not be able to be moved, deleted or accessible by provider accounts.

This ability would be contingent on an owner being setup for the client organization.

Now obviously this can be worked around by Provider setting up a new owner user on the account, but this should be clearly logged with who did it already. And this paper trail should be sufficient for now, until better controls are available a the provider level.

@Jon_Maurer for visibility :slight_smile:

I just started working on BitWarden and even with Enterprise licensing it does not feel like an enterprise product. With Passwordstate, and end user can setup their own private password list and master admins cannot see the contents by default. There is a procedure whereby a master admin could take ownership of the list if the person left the company, but it is a process. And there is an audit trail of it. I don’t see right now how BitWarden could be acceptable for use in organizations without proper segmentation of rights.

I am also seeing that if an entry is made in a vault in a sub-organization, that entry is visible to the master admin in their primary vault view. I could understand visibility into a target item by drilling into the organization or by doing some sort of an extended search, but if by default it appears inside of the primary vault, this is not acceptable from a security perspective.

Hi @QPCSecurity,

By default, items that are added to Bitwarden are in the Personal/Individual Vault. Only items with the cube icon next to them are shared (as part of a collection) with any admins or other users.

This seems to be a stop-gap procedure. I would have some of my clients having to check the “Restrict password to organization” to all passwords, so that puts more work on the client just to use us as the manager of the system? By default, passwords should be invisible to the provider unless the client organization deems it to be visible. This is how our current solution we are migrating from operates. The items are invisible to us unless the client ‘shares’ the password with us, then it appears in their client organization space. I would modify this suggestion that this “feature” is on by default via an enterprise policy and clients would have to uncheck the box to show us (the MSP) the password

+1 For this feature.
An MSP operator should not have access to managed Org. items at least on a content level.

Thanks for the feedback all! The team is looking closely at improvements in this space :+1: