User-level collection creation in an enterprise org

We have a self-hosted enterprise Bitwarden org for our users. There are two issues we have:

  • Users cannot create collections themselves, or manage the users. This creates a huge slowdown in workflow. Here’s an example scenario: a project manager needs to share application credentials with developers working for him/her on a given project. Developers on the project come and go at times. The way this works currently, the project manager must request a collection creation from a Bitwarden admin. The admin must then, ideally, create a user group, add the relevant users to it, create the collection, and add that group to the collection. If a developer change occurs, the project manager must request that the group be altered, and that has to occur before the new person can work.

  • Side issue with the above is the Bitwarden org admins have unnecessary access to these collections. It is not feasible to create a new org for every project, but it is also impossible to compartmentalize certain information using Bitwarden if the org admins have access to all collection-level data.

A new “Manager” role will be available in v2.5 which allows a user to create new assigned collections and manage them (users and groups) for the organization without being given access to the entire organization’s vault (like an admin/owner).

Does an admin/owner automatically have write access to all collections made in the organization by these Managers?

Unless you have your CEO be admin… or make a rule not to store secrets that your IT admin cannot be privy to… or set up two BW orgs, one for CXO company secrets (not for IT admin) and one for the rest of the company.

IMO, since any paid org has Unlimited collections and Unlimited shared items, I think it should be the default to allow any member of the org to create collections and add any org member they want to the collection. Admins of the org should by default not have read or write access to the collections without explicitly being added. However, they should be able to see all collections, the collection name, collection owner, and all members and each member’s privileges.

Then maybe as an optional setting you could allow the Admin to turn off non-admin collection management, or lock it down to Managers only. (3 settings: Open/Managed/Admin-only)

That being said, the Manager role function is a step in the right direction. Awesome stuff!

Yeah I’d definitely like to see self-managed collections or ‘manager’-managed collections that are not viewable by an admin. There is data a Bitwarden admin simply doesn’t need to have, but where keeping it in a Bitwarden-style software makes sense, and their having access to it may conflict with certain industry certifications / compliance directives.

Perhaps a concept like the following would make sense:

  • Either end users, or those given collection management permission by an admin, can create collections of their own within the Org.
  • These user-created collections, or manager created collections, have their existence visible to a Bitwarden admin, but access is not granted.
  • The user who creates the collection is effectively the owner; they can add other Org members to it for access.
  • The user who owns a collection can pass ownership to another user if that user accepts. This allows for a smooth transition to a different manager if someone is leaving a company amicably, moving to other projects, etc.
  • If a collection owner is otherwise no longer with the company (term’d, dies, etc.), a Bitwarden admin can transition collection ownership to someone else who is a member of the collection. This ensures the data doesn’t come into the possession of someone who didn’t already have access, nor the Bitwarden admin, and then the new manager can decide how to further manage it.
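As an added example (not Bitwarden’s code), here is a toy Python reference monitor that encodes the ownership rules proposed in the list above together with the Open/Managed/Admin-only creation setting suggested earlier in the thread. The class names, policy strings and exact rule checks are my assumptions about how such a model would be enforced.

```python
from dataclasses import dataclass, field
OPEN, MANAGED, ADMIN_ONLY = "open", "managed", "admin-only"  # org-wide setting (assumed)

@dataclass
class Collection:
    owner: str
    members: set = field(default_factory=set)
    pending_owner: str = ""  # ownership offered but not yet accepted

@dataclass
class Org:
    policy: str
    admins: set
    managers: set = field(default_factory=set)
    collections: dict = field(default_factory=dict)

    def can_create(self, user):  # who may create, per the Open/Managed/Admin-only idea
        return {OPEN: True, MANAGED: user in self.managers | self.admins,
                ADMIN_ONLY: user in self.admins}[self.policy]
    def create(self, user, name):
        if not self.can_create(user):
            raise PermissionError(f"{user} may not create collections")
        self.collections[name] = Collection(owner=user, members={user})
    def add_member(self, user, name, member):
        c = self.collections[name]
        if c.owner != user:  # only the owner manages membership, not the admin
            raise PermissionError("only the owner can add members")
        c.members.add(member)
    def can_read(self, user, name):  # membership is the only path to contents
        return user in self.collections[name].members
    def visible_to(self, user):  # admins see that every collection exists, nothing more
        if user in self.admins:
            return set(self.collections)
        return {n for n, c in self.collections.items() if user in c.members}
    def offer_ownership(self, user, name, new_owner):
        c = self.collections[name]
        if c.owner != user or new_owner not in c.members:
            raise PermissionError("owner may only hand off to a current member")
        c.pending_owner = new_owner
    def accept_ownership(self, user, name):
        c = self.collections[name]
        if c.pending_owner != user:
            raise PermissionError("no pending offer for this user")
        c.owner, c.pending_owner = user, ""
    def admin_reassign(self, admin, name, new_owner):
        # Departed owner: only an existing member, never the admin, may inherit it.
        c = self.collections[name]
        if admin not in self.admins or new_owner not in c.members or new_owner == admin:
            raise PermissionError("new owner must be an existing member, not the admin")
        c.owner = new_owner
```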

Is this the feature you released yesterday? " * Manager role"
Because the Manager role is allowed to access every entry in the whole org and is able to edit it (not only in the assigned collection).

Yes, the manager role should only have access to items that are part of assigned collections that they have access to - the same as a regular user.

Okay, I think we have a translation mistake here… I was on the German translation. I’ll fix this in Crowdin. I would fix this if I had Crowdin permissions :wink:

Unfortunately I haven’t been able to make much use of the manager role. I like that the manager role can create collections, but in our org, we tend to have more churn involving which staff can access which collections, rather than the need to regularly create and remove collections. For example, employees who work on a project for short periods of time would get added to the group with access to that project’s collection, then be later removed. The manager cannot do that; the admin has to. The manager being able to see all groups also creates an issue where they, or people they’re friendly with, can learn of groups existing which we’d perhaps prefer they not know about.

Really hoping a user-created collection / access ability is in the long-term plan, where that collection can have one or more owners that are not the admin, nor can an admin see it. Then people who need to share with others in their org can do so without admin involvement, or even admin knowledge, and if the last owner of a private collection no longer wants to be the manager of it, they have to pass it to someone else in the collection before they can give up that right.

Are the roles documented anywhere? Thanks!