Prevent organization users from deleting items

Hi! I’m setting up a Bitwarden Organization (Enterprise) plan for my company.

However, I’m having trouble configuring the permissions correctly.

Basically, I need to have a collection that will contain all the credentials that a certain group will need to access. The group members need to be able to add and edit items, so I added the “edit items” permission for them, but I don’t want them to be able to delete items (or at least not permanently).

I enabled the “Restrict item deletion to members with the Manage collection permission” option in the organization settings.

However, it seems that this option is not working correctly, as users are still able to delete items and even permanently delete them from the trash.

Am I missing something? Or is there something broken in this feature?

Not exactly my field of expertise… What member role do your “users” have – User or Admin?

Hello and welcome back, :waving_hand:

Based on the doc here, you presumably want to restrict these actions:

You want to assign the “User” role with the “Edit items, hidden passwords” permission (which you may not have done), turn on “Restrict item deletion to members with the Manage collection permission,” and not assign the Manage collection permission to that member.

Since I don’t use or see this, this could be entirely wrong… :man_shrugging: But maybe this is helpful.

There is usually one active member in this forum with enterprise expertise; otherwise, Bitwarden customer support may be your best bet.

I just did a couple of quick tests and:

In the family organization of my personal account it works exactly how @Neuron5569 describes.

However, in the enterprise organization of my work account I was able to delete an item from a collection with a user that only has edit permission on that collection (after enabling that restrict item deletion setting on the org).

So, I would bet this is a bug.


Bear in mind that if a user has edit permission, they can overwrite all the item fields with garbage (and overwrite the password and hidden fields enough times to wipe out the item’s password history).

That is effectively the same as “deleting” an item. So periodic org backups are your safest bet (I myself do them weekly).

I view this item deletion restriction as a way to prevent accidents more than anything else.

And take into account that this “restrict item deletion to members with the manage collection permission” setting can only be set at the organization level, which means it will apply to all of your collections.


I did more tests, and it actually seems to work, but there is a delay of about 5 minutes between changing the setting and it taking effect.

So initially it looked like it wasn’t working.


Oh, I hadn’t considered that the password history has a maximum number of records…

Yes, at this point, it’s almost pointless to block the ability to delete items.

To be honest, I’ve been using Bitwarden Premium for several years now, and I’m very happy with it, but I had higher expectations for the Enterprise plan.