Prior to deploying BW to our entire enterprise, we are trying to give our service desk the permissions to perform account recovery. However, we discovered that to have ‘Account Recovery’ permissions the user also needs ‘Manage User’ permissions, which gives the service desk entirely too much access to invite, revoke, or delete user accounts. It would be helpful if the Account Recovery permission could be separated from the Manage User permission to allow the service desk to assist users who have forgotten their Master Password.
Even better, as you teach users to use their vault, make sure they are creating an emergency sheet.
It is much lower risk for the service desk to remind users how to use their emergency kit than it is for the service desk to validate the user’s identity and then do it for them, the latter being at risk of social engineering.
I understand what you are saying and agree to a certain extent. But we are rolling out to 5000+ users over the next month. We have customized user training provided by Bitwarden, but it is optional. Since the majority of our users are ‘unsophisticated’, our history indicates that a significant number of users who actually configure their BW accounts will forget their MP and call the service desk for assistance. There is no way around that. Our vault uses SSO with claimed domains. We already have stringent identity verification in place for our users for normal account password resets and have plans to roll out verified ID. Our BW vault is managed by one team that is not the service desk. That team is not capable of processing the number of Account Recovery requests we anticipate receiving during rollout, not to mention ongoing usage. The account recovery task should be handled by the service desk to reduce resolution time. But we don’t want the service desk to be able to manage users. Hence my feature request.