
Resource: Collections Management Settings

Flexible options for managing organisation collections to suit your business

Flexible options for managing organisation collections

Bitwarden Password Manager organisation owners have access to four toggleable settings for collections management. Each of these affects the behaviour of collections, providing several flexible options for how collections and vault items can be managed. This allows for a range of management access strategies, including full self-service, a policy of least privilege, and strict administrator oversight.

The four collection management options available to organisation owners in the web app admin console

Allow owners and admins to manage all collections and items from the Admin Console

When this setting is ticked, administrator roles will have the ability to view, edit, and manage all collections and vault items in them. When this setting is unticked, administrator roles will only have access to collections where they have direct collection permissions assigned.

Restrict collection creation to owners and admins

When this option is ticked, administrator roles will be the only members in the organisation that can create collections. When this option is off, all members in the organisation will have the ability to create collections.

Restrict collection deletion to owners and admins

When this option is ticked, administrator roles will be the only members in the organisation that can delete collections. When this option is off, all members in the organisation with the Manage collection permission on a collection will have the ability to delete that collection.

Restrict item deletion to members with the Manage collection permission

When this option is ticked, only users with the Manage collection permission can delete items from the collection. With it unticked, anyone with the Edit items permission will be able to delete items from the collection, sending them to the organisation trash.

How these settings affect your organisation

All options ticked

Owners and Administrators have access to everything in the organisation vault, and only they can create and delete collections.

  • Empowers the administrator to set up collections as the organisation needs

  • Gives administrators the visibility and access to make changes to all vault items

First option unticked, second and third options ticked

Administrators will be able to see that a collection exists, but cannot access it or the items within it unless they have been given permissions by a user with the Manage collection permission for that collection. Admins alone can create a collection and they’ll automatically receive the Manage collection permission, but can then pass that on to a designated collection manager to populate. Only admins will be able to delete collections, regardless of Manage collection permissions.

  • Great middle ground between full admin control and user self-service

  • Admins can create the structure of the organisation and then let users work within that space

  • Helps adhere to a policy of least privilege - administrators can be assigned to low-sensitivity collections, but not to confidential ones

First option ticked, second and third options unticked

Users can create and delete their own collections, and administrators are able to access those collections. This allows for a self-service approach with admin supervision.

  • Users can manage their own work without contacting administrators

  • Admins can intervene if something unexpected comes up, such as the collection manager going on leave

  • Users will automatically receive the Manage collection permission for collections they create, and the Manage collection permission is required to delete a collection

Tip: Get more granular control by adjusting the second or third options to choose whether to allow users to create OR delete collections.

Fourth option ticked/unticked

The fourth option adjusts the permission level for deleting items. Leaving this unticked is beneficial for self-service setups where team members are able to manage themselves with minimal interaction with admins. Ticking this will require escalation to users with the Manage collection permission to delete items. This is useful when an item is shared in more than one collection: admins then have the opportunity to simply remove it from one collection, with no disruption to users of the other collection.

All options unticked

This is the default for new organisations. Administrators will only be able to see that a collection exists and the collection structure of the organisation. Users can create and delete their own collections without needing to contact administrators. Administrators cannot see the contained vault items unless a user with the Manage collection permission assigns them permission. Users with the Edit items permission can send collection items to the organisation trash.

  • Allows for full user self-service

  • Useful for large organisations with many small teams with lots of collections

  • Helps adhere to a policy of least privilege

A great use case for this setup would be for the Centralise organisation ownership policy, where a user must store their own passwords in the organisation vault, but can do so inside a private collection.

Tip: Administrators will automatically receive access to orphaned collections if there are no users with Manage collection access.
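The rules of the four settings and the scenarios above can be checked side by side with a small access model. This is an added example, not Bitwarden code or an API: every class, field and function name is hypothetical. It assumes that the first option gives admin roles the equivalent of the Manage collection permission and that Manage collection also covers what Edit items allows; the orphaned-collection tip is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Settings:
    # Hypothetical field names, one per toggle in the order listed above.
    admins_manage_all: bool = False
    restrict_creation: bool = False
    restrict_deletion: bool = False
    restrict_item_deletion: bool = False

@dataclass(frozen=True)
class Member:
    is_admin: bool = False            # owner or admin role
    direct: Optional[str] = None      # direct permission: "manage", "edit_items" or None

def effective(s, m):
    # Assumption: option 1 gives admin roles the equivalent of Manage collection.
    if m.is_admin and s.admins_manage_all:
        return "manage"
    return m.direct

def can_delete_collection(s, m):
    if s.restrict_deletion:
        return m.is_admin             # regardless of Manage collection permissions
    return effective(s, m) == "manage"

def can_delete_item(s, m):
    allowed = {"manage"} if s.restrict_item_deletion else {"manage", "edit_items"}
    return effective(s, m) in allowed

def rights(s, m):
    return {"read_items": effective(s, m) is not None,
            "create_collection": m.is_admin or not s.restrict_creation,
            "delete_collection": can_delete_collection(s, m),
            "delete_item": can_delete_item(s, m)}

# Constructed personas, evaluated against one collection they did not create.
PERSONAS = {"admin_no_direct": Member(is_admin=True),
            "collection_manager": Member(direct="manage"),
            "editor": Member(direct="edit_items")}

def access_matrix(s):
    return {name: rights(s, m) for name, m in PERSONAS.items()}

if __name__ == "__main__":
    for label, s in (("default", Settings()), ("middle", Settings(False, True, True))):
        print(label, access_matrix(s))
```

Comparing the matrix for the current settings with the matrix for a proposed change shows which personas gain or lose rights before the toggle is flipped.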
