Organization management via clients

I was actually quite suprised to find that there seems to be no request for this yet. There are some pretty similar ones but nothing that quite fits:

I see the need for organization/collection management via client. For me this at least includes:

  • Member on-/offboarding
  • Management of Groups (Creation, Deletion, Modification, Membership)
  • Management of Collection (Creation, Deletion, Modification)

The reason for this lies in the trust model. While bitwarden’s cryptographic architecture makes it perfectly safe when used via app, users have to trust they always receive correct javascript when using the webvault. This contradicts bitwarden’s “zero-knowledge” approach (actually meaning zero-trust, not cryptographic zero-knowledge) because you indeed have to fully rely on bitwarden being trustworthy and that there is no man-in-the-middle in this scenario. For private use cases this may not be that problematic, as the webvault does not offer many additional features which individual users need on a regular basis. But for enterprise usecases this is quite different, as management of the organization and it’s collections and groups can currently only be done using the webvault.

This is actually not a new issue. In the 2018 pentest by cure53 one of the three findings deemed Critical was BWN-01-008 “Crypto: Server obtaining encryption keys for organizations”. Though the proposed mitigation (use of fingerprint phrases) was implemented, it was only implemented for the webvault despite the report clearly stating that “the web version of Bitwarden may not substantially benefit from this improvement”.

I think that you can now do most of it with the CLI and the API.
More info:

But I still haven’t really if there are any gaps.

1 Like

Thanks for the tip! Group management is missing atm but one of our devs is already on it and we should be able to provide a PR for that shortly.

I’ll leave this open as I still think this should be integrated in the desktop and mobile client as well. According to the security assessment report this should already be on the roadmap.

That would be really great!!

Doesn’t seem like they are willing to merge it though :confused:

@leeo thanks for the contribution!

We haven’t forgotten - we just have to review it, and we’re all heads-down at the moment working on auto-logout and the trash can (soft delete) features, and organizing the next buckets of work :slight_smile:

I’ll check in with the team today and see where this stands for review/suggestions.


1 Like

Hi @leeo - Looks like this one won’t be merged at the moment. We currently have the services that clients (like CLI) separated from items that our APIs handle. We’re not currently looking to partially mix the two service scopes from an architectural and maintenance standpoint.

I know that’s frustrating, and I am working on a mechanism for our community to be able to better scope out contributions and get a ‘green light’ so no code (or at least very little of it!) goes un-merged!

Stay tuned…