User Types and Access Control
Users in Bitwarden organizations can be granted a variety of user types and access controls in order to manage their permissions and access. You can set user types and access controls when you invite users to your organization, or at any time from the Manage → Members screen in your organization:
User type determines the permissions a user will have within your organization. User types does not determine which collections they have access to, rather it determines what actions they can take within the context of your organization's resources and tools. Options include:
|User||Access shared items in assigned collections
Add, edit, or remove items from assigned collections (unless Read Only)
|Manager||All of the above,
+ Assign users to collections
+ Assign user groups to collections
+ Create or delete collections
|Admin||All of the above,
+ Assign users to user groups
+ Create or delete user groups
+ Invite and confirm new users
+ Manage enterprise policies
+ View event logs
+ Export organization vault data
+ Manage password reset
Admin users automatically have access to all collections.
|Owner||All of the above,
+ Manage billing, subscription, and integrations
Owner users automatically have access to all collections.
|Custom||Allows for granular control of user permissions on a user-by-user basis, see Custom role.|
Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.
Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of manager and admin capabilities, including:
Manage assigned collections (provides the following two options)
Edit assigned collections
Delete assigned collections
Access event logs
Manage all collections (provides the following three options)
Create new collections
Edit any collection
Delete any collection
Manage password reset
As an example, the custom role allows for the creation of a user that can only manage SSO configuration and access related credentials. This scenario might look like the following:
Access control determines access to collections, as well as permissions within each individual collection:
Recall that admins and owners can automatically access all collections. For these user types, configuring access control will determine which collections are readily accessible in their individual vault and client applications (browser extension, mobile, and more). Admins and owners will still be able to access "unassigned" collections from the organization vault.
|This user can access and modify all items||Grants the user(s) access to all collections, as well as the ability to modify vault items stored therein.
Selecting this option will collapse the collection selection section.
|This user can access only the selected Collections||Grants the user(s) access to only selected collections, as well as granular access control over permissions for each collection.
Selecting this option will expand the collection selection section.
If you selected This user can access only the selected Collection, choose which collections you want to provide them access to. For each collection, you can also configure the following options:
|Hide passwords||Prevents users from seeing or copying all passwords, TOTP seeds, or hidden custom fields. Users with Hide Passwords active may only use items in the collection via auto-fill.
Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.
|Read Only||Prevents users from adding, editing, or removing items within the collection. Users with Read Only access may still see and use all passwords, TOTP seeds, and hidden custom fields.|