Member Roles
Member roles control what users can do, like configuring SSO or managing device approvals. Assign a
Assign member roles
There are two ways to assign a member role in the Admin Console:
- When inviting a new member, select a Member role.
- To change an existing member's role, go to Members and select the person's name. Choose a Member role from the options that appear:
Edit member role
Default roles
There are three default member roles: owner, admin, and user. Each role grants different permissions for managing your organization and accessing shared items.
Role | Overview |
|---|---|
Owner | Owners are the only ones that can access an organization's subscription and billing details. Only a current owner can invite new owners or assign the owner role to existing members. To prevent disruptions to your organization’s subscription |
Admin | Admins help manage your organization's unique configuration, like SSO and enterprise policies. They also have permission to manage members, like inviting new users and creating user groups. When picking admins for your team, consider who will help deploy Bitwarden across the organization or need access to organization reporting, like event logs or Access Intelligence. |
User | Users can access shared items in their assigned collections and manage personal vault items. Based on their collection permissions, they can add, edit, or remove collection items. Assign the user role to teammates who need access to shared passwords but won’t manage organization settings, members, or policies. This is the standard role for most members. |
Tip: Assign at least one additional owner to maintain access to billing and subscription details if the current owner becomes unavailable.
Default role permissions
The following tables list the permissions for each member role.
Items and collections
While every member role can save new items in My vault or
Note: These member permissions work together to determine collection access:
- Member roles define who can do organization-level actions.
- Collection settings specify which member roles can create, manage, or delete collections across the entire organization.
- Collection permissions control what actions a specific user or group can take within a single collection.
The table below lists what each member role can do by default and when collection settings or collection permissions may affect them. When an organization is first set up, all collection settings are turned off and invited users or groups receive the View items collection permission.
Action | Owner | Admin | User |
|---|---|---|---|
Add, edit, or remove items in My vault or My items | |||
Create collections | if the Restrict collection creation to owners and admins | ||
Access shared items in assigned collections | |||
Add, edit, remove, and export items from assigned collections *A member’s | |||
Delete an assigned collection | if the Manage collection | if the Manage collection | if the Restrict collection deletion to owners and admins |
Access and manage all collections in the organization | if the Allow owners and admins to manage all collections and items from the Admin Console | if the Allow owners and admins to manage all collections and items from the Admin Console | |
Manage |
Members and activity
Owners and admins have enhanced capabilities for managing users and accessing organization-level reporting.
Action | Owner | Admin | User |
|---|---|---|---|
Assign and manage member roles | |||
Create and delete | |||
Add users to groups | |||
Manage | |||
Manage | |||
View | *All users can access the | ||
View | |||
View |
Organization billing and settings
Access to most organization configuration settings is limited to owners.
Action | Owner | Admin | User |
|---|---|---|---|
| |||
Change organization name | |||
Manage | |||
Manage | |||
Manage SSO configuration | |||
Manage organization two-step login | |||
Manage | |||
Manage |
Custom roles
Enterprise teams can build custom roles tailored to their needs, ideal for least-privileged security models. Use custom roles to delegate organization management tasks or give users access to specific features. Common custom roles include:
Use case | Custom role permissions |
|---|---|
IT help desk who handles login issues and trusted device requests | Manage account recovery |
Auditor who reviews security events and compliance | Access event logs and Access reports |
Team manager who tracks password health and manages | Access reports and Manage groups |
Note: If someone needs to manage subscription information or update payment details, assign the owner role. Access to organization billing cannot be granted through a custom role.
By default, custom roles include the same permissions as the user member role. When assigning a custom role to a new or existing member, check the additional permissions you want to grant:
- Access event logs
- Access import/export
- Access reports
- Manage all collections
  This includes the ability to create, edit, and delete any collection.
- Create new collections
- Delete any collection
- Edit any collection
- Manage groups
- Manage SSO
- Manage policies
- Manage users
  Custom users with the Manage users permission can only grant permissions they already have. For example, a custom user with only Manage users and Access reports cannot grant Manage SSO to someone else.
- Manage account recovery
  The custom user can reset master passwords for members enrolled in account recovery. Without the additional Manage users permission, the Members page only lists enrolled members and displays the Recover account action. This permission also allows the custom user to manage trusted device requests.
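The Manage users delegation rule, the common custom roles table, and the tip about a second owner can all be checked during a periodic access review. The following Python is an added example, not Bitwarden's code or API: it models those rules over a constructed member list, and the record layout, the `use_case` field, and the function names are assumptions made for illustration.

```python
# Added example: models the custom-role rules described on this page.
# Permission names are the labels used on the page; record fields and
# template keys are hypothetical, and the sample members are constructed.

TEMPLATES = {  # use case -> permissions from the common custom roles table
    "help_desk": {"Manage account recovery"},
    "auditor": {"Access event logs", "Access reports"},
    "team_manager": {"Access reports", "Manage groups"},
}

def can_grant(grantor_perms, requested):
    """Return (allowed, denied). A custom user needs Manage users and may
    only pass on permissions they already hold."""
    grantor, requested = set(grantor_perms), set(requested)
    if "Manage users" not in grantor:
        return False, requested
    denied = requested - grantor
    return not denied, denied

def audit(members):
    """Return sorted findings for a list of member dicts."""
    findings = []
    owners = [m for m in members if m["role"] == "owner"]
    if len(owners) < 2:
        findings.append("fewer than two owners: billing access depends on one account")
    for m in members:
        if m["role"] != "custom":
            continue
        expected = TEMPLATES.get(m.get("use_case"))
        if expected is None:
            findings.append(f"{m['email']}: custom role with no documented use case")
            continue
        extra = set(m["permissions"]) - expected
        if extra:
            findings.append(f"{m['email']}: extra permissions {sorted(extra)}")
    return sorted(findings)

# Constructed sample data (not real accounts).
MEMBERS = [
    {"email": "owner@example.com", "role": "owner", "permissions": []},
    {"email": "audit@example.com", "role": "custom", "use_case": "auditor",
     "permissions": ["Access event logs", "Access reports"]},
    {"email": "desk@example.com", "role": "custom", "use_case": "help_desk",
     "permissions": ["Manage account recovery", "Manage SSO"]},
]

if __name__ == "__main__":
    print(can_grant({"Manage users", "Access reports"}, {"Manage SSO"}))
    for line in audit(MEMBERS):
        print(line)
```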