Problem Statement:
MSPs who are BitWarden Partners have limited means of granting organization access to MSP employees. The current standard practice is to either A. use a utility account that is a member of all the MSP’s tenant organizations, or B. add every MSP employee to every tenant organization.
Option A limits traceability and does not adhere to the principle of least privilege.
Option B creates large overhead for ensuring roles and permissions are set up consistently across tenants and is not MSP-friendly in terms of pricing, as it requires additional seats per MSP employee and per tenant organization.
Proposed Solution:
BitWarden Partner accounts with role-based access to view and edit organization vault items.
Currently, BitWarden Partner accounts can only be used for administration over tenant organizations, not for viewing/editing organization vault items.
In an ideal world, an MSP could create multiple roles that allow access to some or all organizations, and ideally scoped access within those organizations.
Real World Example:
Super Awesome MSP has three employees: a billing admin, a server admin, and a helpdesk technician. Super Awesome MSP creates three roles at the partner level: billing, server, and helpdesk, and assigns each of these roles to the corresponding employee.
Now these employees can see the relevant collections within all of Super Awesome MSP’s tenant organizations. Each MSP employee accesses the tenant organizations directly through their own account.
Super Awesome MSP pays for 3 special partner seats, instead of 3 times the number of tenant organizations.