Organization Policies - Force Vault timeout action

greenmark-it · February 16, 2023, 3:40pm

Feature name

Organization Policies - Force Vault timeout action

Feature function

It should be possible for a company to set the Force Vault timeout action for its employees.
Background is, we as a company can force TOTP, as well as the maximum vault timeout, but not the timeout action. We would like that after the vault timeout the logout is triggered and the TOTP must be entered again.

grafik

DeskDude47 · February 16, 2023, 10:22pm

I was just about to post this exact thing when I came across this one. On top of being able to enforce mfa for each login as the OP mentioned, having this option would also make event logs much more useful for organizations. Currently if a user is only interacting with the extension, and the extension is only ever set to “Lock” instead of “Log out”, then there is no way for us to audit the most recent time a user interacted with Bitwarden since a “login” event is not recorded when unlocking the extension Without this there is no way to hold our users accountable for using their password manager.

Edit - Came across this post on Reddit from 6 months ago. Implementing this change as they described it would be even better.

Brigand · April 18, 2023, 10:12am

We recently looked at this and a quick search pulled up this Feature Request, thanks to previous posters.

I agree that the ability to have separate global settings for an organisation, so it can have control over vault time out actions is really required.

For example, we would want to have say 15 minutes for lock and then x hour(s) for force log out.

This would mean we could be sure that users were all following same controls.

From an organisation and business security model, this change would greatly assist in the overall management of Bitwarden.

It definitely needs more votes.

cksapp · April 18, 2023, 11:10am

This is actually something already that the team has been working on and a new feature that has been recently merged into the main, should be included in a future release.

github.com/bitwarden/clients

[AC-1045] add action to vault timeout policy

bitwarden:master ← bitwarden:ec-1045-vault-timeout-action-policy

opened 02:46PM - 16 Feb 23 UTC

jlf0dev

+795 -402

## Type of change ``` - [ ] Bug fix - [x] New feature development - [ …] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective The intention here is to add an action to the vault timeout policy. Managers can select either "user preference", "lock", or "logout" when setting the vault timeout policy and it will lock in this selection for members. Members cannot change this unless set to "user preference". Note that to avoid making the PR even larger, the vault timeout policy always requires a timeout to be set. While you can have a timeout without an action, you can't have an action without a timeout. I've included code in the settings pages for the future when we get a chance to remove this requirement. I have also refactored the preference and settings pages to use reactive forms. This is what the bulk of the changes are. ## Code changes - **\*/preferences or settings.component.html:** add reactive forms to settings; include policy callout - **\*/preferences or settings.component.ts:** add reactive forms; create observable for policy callout - **\*/vault-timeout-input.component.html/ts:** rename vault options and remove policy callout - **bitwarden_license/bit-web/src/app/policies/maximum-vault-timeout.component.html/ts:** allow setting an action with the vault timeout policy - **libs/common/src/services/policy/policy.service.ts:** add `get$` that returns an observable containing the first policy found that matches the criteria provided - **libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts:** add `getVaultTimeoutAction` so when we grab the vault timeout action we're checking the policy service and overriding if a policy is present ## Screenshots <img width="1344" alt="image" src="https://user-images.githubusercontent.com/24985544/219391928-94b34d5d-85a9-461c-a1ef-7335c20cb91f.png"> <img width="1344" alt="image" src="https://user-images.githubusercontent.com/24985544/219394017-61dd87bc-6a82-4c9d-9506-90ea72ac5e5b.png"> <img width="378" alt="image" src="https://user-images.githubusercontent.com/24985544/219396767-706234d6-cb0b-4336-a2d7-9eee75a74828.png"> <img width="838" alt="image" src="https://user-images.githubusercontent.com/24985544/219397091-53f4cbb3-c256-4571-a851-78a58434f6db.png"> ## Before you submit - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team

Brigand · April 18, 2023, 11:58am

That is good news.