The Bitwarden Blog

Additional enterprise options for least privilege access control

Authored by: Ryan Luibrand

Collections are how organizations manage access to logins, credit cards, and other sensitive items shared with teams in Bitwarden Password Manager. They enable speedy collaboration and make logging in and getting to work more convenient for users, while collections management settings offer both security and the flexibility to adapt to the needs of the business.

Powerful, scalable, and secure sharing with collections

A collection can be thought of like a shared folder of vault items, with three major advantages:

Vault items can be in more than one collection

A vault item can belong to more than one collection without needing to duplicate the item. This means that an item shared between two teams, such as Finance and HR, can be updated just once and both teams have instant access to the changes. This eliminates the administrative overhead of having to find instanced or duplicated items to make updates in multiple locations.

Access control for groups and individual users is granular and scalable

Every vault item is assigned to one or more collections. Users can be added to one or more groups. Then groups and/or individual users are assigned to one or more collections. This scalable framework brings access management to any organization size, from small teams to large enterprises.

Additionally, permission levels for each group or individual user can be set to allow management control that is as wide or as narrow as the organization prefers. Combined with collection management settings, organizations have the flexibility to choose how they want collections to function, from fully self-serve all the way to requiring complete admin oversight.

 - Diagram showing the relationship of vaults (Individual and Organization) and assignment of a user to a collection and to a group

Nested (sub) collections have independent access permissions

A collection can contain another nested collection, and the access permissions of the top folder are not inherited by the subfolder. This ensures that access to specific collections is intentional and prevents accidental access through misplaced folders. It also allows collections to be organized by project, where some members may have the same function (e.g. IT) but do not need access to other team projects (e.g. Cloud Infrastructure).

Flexible collections options for your organization

How collections are managed is entirely up to you. Bitwarden offers leading flexibility to meet the needs of your business. This means you can choose to allow your users to completely self-serve collections and vault items, make admins completely hands-on, and set up a policy of least privilege.

Bitwarden Password Manager organization owners have three toggleable options for collections management. Each one affects the behavior of collections. Note that only organization owners have access to these settings.

 - The three collection management options available to organization owners in the web app admin console

Owners and admins can manage all collections and items

When this option is checked, administrator roles will have the ability to view, edit, and manage all collections and vault items in them. When this option is unchecked, administrator roles will only have access to collections where they have direct collection permissions assigned.

Limit collection creation / deletion to owners and admins

These two options limit who can create or delete a collection. When checked, only admins will be able to create or delete a collection. If unchecked, then any user will be able to create a collection, and any user with the Can Manage permission for a collection can delete that collection.

More details on how these settings affect your organization and how they can be used are available in Resource: Collections Management Settings.
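
The rules described above (items in several collections, group and individual assignment, no inheritance into nested collections, and the three owner settings) modelled in Python as an added example for reviewing effective access. It is not Bitwarden's code or API: the class, field names and sample data are assumptions, owners and admins are merged into one set, and the delete rule follows the sentences above literally.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    """Constructed model of the rules in this post; not Bitwarden's code or API."""
    admins_manage_all: bool = True   # "Owners and admins can manage all collections and items"
    limit_create: bool = True        # limit collection creation to owners and admins
    limit_delete: bool = True        # limit collection deletion to owners and admins
    admins: set = field(default_factory=set)     # owners and admins, merged for brevity
    groups: dict = field(default_factory=dict)   # group -> set of member users
    items: dict = field(default_factory=dict)    # item -> set of collection paths
    grants: dict = field(default_factory=dict)   # collection path -> {principal: can_manage}

    def grant(self, user, collection):
        """None = no access, False = access, True = Can manage."""
        if user in self.admins and self.admins_manage_all:
            return True
        principals = {user} | {g for g, m in self.groups.items() if user in m}
        # Exact-path lookup: a grant on "IT" gives nothing on "IT/Cloud Infrastructure".
        assigned = self.grants.get(collection, {})
        hits = [assigned[p] for p in principals if p in assigned]
        return max(hits) if hits else None

    def can_access_item(self, user, item):
        # One copy of the item, reachable through any collection it is assigned to.
        return any(self.grant(user, c) is not None for c in self.items.get(item, ()))

    def can_create_collection(self, user):
        return user in self.admins or not self.limit_create

    def can_delete_collection(self, user, collection):
        if self.limit_delete:
            return user in self.admins
        return self.grant(user, collection) is True   # needs Can manage when unchecked

def sample_org():
    """Constructed sample data (users, groups and items are hypothetical)."""
    return Org(
        admins={"carol"},
        groups={"grp-it": {"alice", "bob"}, "grp-finance": {"dan"}, "grp-hr": {"erin"}},
        items={"vpn-login": {"IT"}, "aws-root": {"IT/Cloud Infrastructure"},
               "payroll-portal": {"Finance", "HR"}},
        grants={"IT": {"grp-it": False}, "IT/Cloud Infrastructure": {"bob": True},
                "Finance": {"grp-finance": False}, "HR": {"grp-hr": False}},
    )

if __name__ == "__main__":
    org = sample_org()
    for user in ("alice", "bob", "carol", "dan", "erin"):
        print(user, sorted(i for i in org.items if org.can_access_item(user, i)))
```

Flipping `admins_manage_all` to `False` in the sample shows the least-privilege effect directly: the admin then sees only collections where a grant names them.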

Enhanced control with permissions and custom roles

Beyond collections management settings, users and groups can be granted specific permissions for another level of management options.

The Can manage collection permission allows users to manage collection info and access. Users or groups with this permission can add/remove items in the collection, assign new users, and manage their access permissions to that collection. Depending on the collection management setting, they may also be able to delete the collection. This allows admins to designate a team or project lead for a specific collection and then let them manage the day-to-day work requirements.

For enterprise customers, a custom role (pictured above) can be assigned to individual users to delegate administrative overhead. For example, help desk team members might have this custom permission to help manage the organization collections without having access to more sensitive organization settings, such as SSO.

Productivity and security for your business

Sharing vault items through collections is just one of the compelling ways that Bitwarden Password Manager helps businesses be more productive day to day. This goes without even mentioning the security benefits that come from securing your workforce and even your entire business.

Start a free 7-day business trial and experience the flexibility of Bitwarden collections and the other great benefits of a business password manager today!

Editor's note November 19, 2024: Updated to reflect the more granular control for allowing users to create or delete collections.
