As your organization’s use of Bitwarden grows, it helps to have users who can manage collections independently, without requiring access to everything within the organizational vault.
Managing collections and groups is a simple way to separate, grant, or limit access to vault items in Bitwarden, thereby controlling user visibility of resources.
A complete list of roles and access control can be seen in the help note User Types and Access Control, and a table is at the end of this post.
We will review the Manager use case and the capabilities that role has in creating and managing collections.
Before addressing collection management, let’s review Collections, Groups, and Folders within Bitwarden:
When a user is granted a Manager role by an organization Admin or Owner, they are given access to manage the collections of which they are a part. The Manager role has fewer permissions than the Owner or Admin roles.
In this example, our user is a manager of the following collections. Each of these collections represents numerous shared items.
This user can also create a New Collection via the button on the top right.
After clicking New Collection, the user is prompted to enter the Name and External ID.
From there the Manager of the collection can assign groups to the newly created collection.
Groups are available in Bitwarden Enterprise.
For each Group added, additional options such as Hide Passwords and Read Only are available.
Read Only: Selecting this option will prevent users assigned to this collection from adding new items, and editing or deleting existing items.
Hide Passwords: This option hides passwords, TOTP seeds, and any custom fields of type hidden in this collection. This also disables the ability for an end-user to copy a password. In this configuration, an item may only be used with auto-fill.
Enabling hidden passwords prevents the easy copy and paste of hidden items; however, it does not completely prevent user access to this information. Please treat hidden passwords as you would any shared credential.
When residing within the view of a collection in the web vault, new items will be saved within the collection.
Items within a personal vault can be shared with a collection as well. Simply click on the Settings icon in the web vault, or edit the item in the browser extension to share it with the appropriate collection.
Unsharing items from a Collection
Once an item has been shared with an organizational vault, it cannot be unshared back to a personal vault in a single step. This is an intentional design. Users must consider any item shared as being available for all authorized users until that item is both unshared AND the password is changed.
The recommended procedure to unshare an item is:
Managers can also add individual users to collections via the Settings icon next to a created collection.
After selecting the Users option, a list of individuals within the organization will appear.
With these capabilities in place, individual employees empowered as Managers will be able to create their own new collections, and add groups and users to those collections. They also have the ability to manage collections created by another manager.
Managers do not have access to change the composition of Groups. For that access, Admin or Owner roles are required. For example, if a Manager creates a collection of Design Services and adds the Marketing group to have access, and a user is removed from the Marketing group by the Admin, then that user will no longer have access to the Design Services collection.
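The group-based access described above can be modelled for an access review. This is an added example, not Bitwarden code: the `Grant` record, the function names and the sample users are assumptions, and it lists each grant path separately rather than modelling how overlapping grants combine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One assignment of a group or a single user to a collection (hypothetical record)."""
    collection: str
    principal: str            # group name or user name
    is_group: bool
    read_only: bool = False
    hide_passwords: bool = False


def access_paths(user, grants, group_members):
    """Return every path by which `user` reaches a collection.

    Each path is (collection, via, read_only, hide_passwords).
    """
    paths = []
    for g in grants:
        if g.is_group and user in group_members.get(g.principal, set()):
            paths.append((g.collection, f"group:{g.principal}", g.read_only, g.hide_passwords))
        elif not g.is_group and g.principal == user:
            paths.append((g.collection, "direct", g.read_only, g.hide_passwords))
    return paths


def collections_for(user, grants, group_members):
    """Collections whose credentials the user can reach.

    Hide Passwords paths are counted too, since hidden passwords are
    to be treated like any shared credential.
    """
    return sorted({p[0] for p in access_paths(user, grants, group_members)})


# Constructed sample data: the Design Services / Marketing scenario.
GROUPS = {"Marketing": {"alice", "bob"}}
GRANTS = [
    Grant("Design Services", "Marketing", is_group=True, hide_passwords=True),
    Grant("Design Services", "carol", is_group=False, read_only=True),
]


def demo():
    """Access for bob before and after an Admin removes him from Marketing."""
    before = collections_for("bob", GRANTS, GROUPS)
    groups_after = {"Marketing": GROUPS["Marketing"] - {"bob"}}  # Manager's grants unchanged
    return before, collections_for("bob", GRANTS, groups_after)


if __name__ == "__main__":
    print(demo())
```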