Back when the provider feature was first released, MSPs would get full access to all collections of their customers' corporate vaults.
I can appreciate that this is problematic with regards to data protection, so I do personally agree with some of the discussions that ensued, leading to the change late last year when this access was removed entirely.
However, I feel that this corrective measure went too far. (And, at the same time, maybe not far enough: why can I still see, create, modify and delete collections?)
As the MSP, often we create (initial) passwords for the users of our customers. If those customers don’t use Bitwarden, we’d typically send them a password using Bitwarden Send.
However, when they do use Bitwarden, it stands to reason that we could make things more comfortable for our clients by directly creating a new entry in their vault instead of using something like Send.
In my view, MSP access is something that needs to be confirmed by both customer and MSP. This is where the initial version was too permissive, and the new version is too strict.
Here is an example of how I think this should be done. By default, the MSP should not have any access whatsoever, neither to entries nor collections. However, the customer should be able to overrule this, giving their provider access either globally or per collection.
For legal reasons, I think it’s important, though, that this would only be considered an invitation towards the provider - he would still have to confirm that he agrees to having such access. And of course, both parties should be able to terminate this access at any given time.
With this solution, MSPs could offer actual added value to their customers while not having more permissions than necessary or required by both sides. And both sides would not only be responsible for making sure that data protection requirements are met, but they’d have the tools to do so.
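The access model proposed above (default deny, a customer-issued invitation that only becomes effective once the provider confirms it, and termination by either side) can be expressed as a small grant state machine. The following is an added illustration written for this post; it is not Bitwarden's code and does not reflect how the provider portal is actually implemented. The class and method names, the `"*"` wildcard for whole-vault scope, and the organization and collection identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class GrantState(Enum):
    INVITED = "invited"          # customer offered access; provider has not confirmed yet
    ACTIVE = "active"            # both parties agreed; access is effective
    TERMINATED = "terminated"    # ended by either party; access is gone


@dataclass
class ProviderGrant:
    customer_org: str
    provider: str
    scope: str                   # "*" for the whole vault, otherwise one collection id
    state: GrantState = GrantState.INVITED


class ProviderAccessPolicy:
    """Mutual-consent grants: no MSP access unless customer invited AND provider accepted."""

    def __init__(self) -> None:
        # (customer_org, provider, scope) -> ProviderGrant
        self._grants: dict[tuple[str, str, str], ProviderGrant] = {}

    def invite(self, customer_org: str, provider: str, scope: str = "*") -> ProviderGrant:
        # Only the customer side can open a grant, and it starts as a pending invitation.
        grant = ProviderGrant(customer_org, provider, scope)
        self._grants[(customer_org, provider, scope)] = grant
        return grant

    def accept(self, provider: str, customer_org: str, scope: str = "*") -> None:
        # The provider must explicitly confirm; accepting something never offered,
        # or a grant that is no longer pending, is refused.
        grant = self._grants.get((customer_org, provider, scope))
        if grant is None or grant.state is not GrantState.INVITED:
            raise PermissionError("no pending invitation to accept")
        grant.state = GrantState.ACTIVE

    def terminate(self, actor: str, customer_org: str, provider: str, scope: str = "*") -> None:
        # Either party to the grant may end it at any time; nobody else can touch it.
        if actor not in (customer_org, provider):
            raise PermissionError("only the customer or the provider may terminate")
        grant = self._grants.get((customer_org, provider, scope))
        if grant is None:
            raise KeyError("no such grant")
        grant.state = GrantState.TERMINATED

    def can_access(self, provider: str, customer_org: str, collection_id: str) -> bool:
        # Default deny: access exists only through an ACTIVE grant that covers the
        # collection, either globally ("*") or for that specific collection.
        for scope in ("*", collection_id):
            grant = self._grants.get((customer_org, provider, scope))
            if grant is not None and grant.state is GrantState.ACTIVE:
                return True
        return False


def run_scenario() -> dict[str, bool]:
    """Walk one constructed customer/MSP relationship through the full lifecycle."""
    policy = ProviderAccessPolicy()
    org, msp = "acme-corp", "example-msp"        # constructed identifiers
    results = {}

    results["before_invite"] = policy.can_access(msp, org, "col-onboarding")
    policy.invite(org, msp, scope="col-onboarding")
    results["invited_only"] = policy.can_access(msp, org, "col-onboarding")
    policy.accept(msp, org, scope="col-onboarding")
    results["accepted_scoped"] = policy.can_access(msp, org, "col-onboarding")
    results["accepted_other_collection"] = policy.can_access(msp, org, "col-finance")
    policy.terminate(org, org, msp, scope="col-onboarding")   # customer revokes
    results["after_customer_revoke"] = policy.can_access(msp, org, "col-onboarding")

    policy.invite(org, msp)                      # global invitation this time
    policy.accept(msp, org)
    results["global_accepted"] = policy.can_access(msp, org, "col-finance")
    policy.terminate(msp, org, msp)              # provider walks away
    results["after_provider_revoke"] = policy.can_access(msp, org, "col-finance")
    return results


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step:28s} -> {'allowed' if allowed else 'denied'}")
```

The important property is that `can_access` never consults the invitation alone: a pending grant is a denial, so the customer cannot unilaterally push access onto the MSP and the MSP cannot obtain it without a customer-issued invitation. Both `terminate` paths lead to the same denied state, which is what gives each side an independent exit.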