Organization management via clients

leeo · April 9, 2020, 1:43pm

I was actually quite suprised to find that there seems to be no request for this yet. There are some pretty similar ones but nothing that quite fits:

I see the need for organization/collection management via client. For me this at least includes:

Member on-/offboarding
Management of Groups (Creation, Deletion, Modification, Membership)
Management of Collection (Creation, Deletion, Modification)

The reason for this lies in the trust model. While bitwarden’s cryptographic architecture makes it perfectly safe when used via app, users have to trust they always receive correct javascript when using the webvault. This contradicts bitwarden’s “zero-knowledge” approach (actually meaning zero-trust, not cryptographic zero-knowledge) because you indeed have to fully rely on bitwarden being trustworthy and that there is no man-in-the-middle in this scenario. For private use cases this may not be that problematic, as the webvault does not offer many additional features which individual users need on a regular basis. But for enterprise usecases this is quite different, as management of the organization and it’s collections and groups can currently only be done using the webvault.

This is actually not a new issue. In the 2018 pentest by cure53 one of the three findings deemed Critical was BWN-01-008 “Crypto: Server obtaining encryption keys for organizations”. Though the proposed mitigation (use of fingerprint phrases) was implemented, it was only implemented for the webvault despite the report clearly stating that “the web version of Bitwarden may not substantially benefit from this improvement”.

pachulo · April 14, 2020, 1:13pm

I think that you can now do most of it with the CLI and the API.
More info:

But I still haven’t really if there are any gaps.

leeo · April 17, 2020, 10:16am

Thanks for the tip! Group management is missing atm but one of our devs is already on it and we should be able to provide a PR for that shortly.

I’ll leave this open as I still think this should be integrated in the desktop and mobile client as well. According to the security assessment report this should already be on the roadmap.

pachulo · April 20, 2020, 4:11pm

That would be really great!!

leeo · May 4, 2020, 9:18am

Doesn’t seem like they are willing to merge it though

github.com/bitwarden/cli

ability to manage groups via CLI

master ← synyx:feature/groupManagement

opened 11:35AM - 20 Apr 20 UTC

marudor

+196 -0

This seems to be the last missing piece to use the CLI to manage every part in d…aily bitwarden usage. It's something we would really like to have at synyx (The company I work for) I tested it in our company bitwarden and it works well. The code itself can be improved. Especially by moving the groupResponse part into the jslib and use a similar pattern the rest there does (with Views) As this is my first contribution I was not 100% sure how to tackle that - so I added it directly here. Either you can move parts to the jslib or I guess I could do a follow up PR that does that. I tried to code similar to what I found - hope thats fine.

tgreer · May 4, 2020, 12:01pm

@leeo thanks for the contribution!

We haven’t forgotten - we just have to review it, and we’re all heads-down at the moment working on auto-logout and the trash can (soft delete) features, and organizing the next buckets of work

I’ll check in with the team today and see where this stands for review/suggestions.

Thanks!!

tgreer · May 13, 2020, 4:19pm

Hi @leeo - Looks like this one won’t be merged at the moment. We currently have the services that clients (like CLI) separated from items that our APIs handle. We’re not currently looking to partially mix the two service scopes from an architectural and maintenance standpoint.

I know that’s frustrating, and I am working on a mechanism for our community to be able to better scope out contributions and get a ‘green light’ so no code (or at least very little of it!) goes un-merged!

Stay tuned…

bw-admin · February 8, 2025, 12:51pm

Feel free to ping if you want this feature request reopened.