Admin ConsoleUser Management

Member Roles and Permissions

Members of Bitwarden organizations can be granted a variety of roles and levels of permission for collections. You can set roles and collections permissions when you invite users to your organization, or at any time from the Members screen in your organization using the options menu:

Editing member roles
Editing member roles

Member roles

Role determines the what actions a member can take within the context of your organization's available tools. Roles do not determine which collections they have access to.

note

Starting on 03/07/24, organizations that haven't turned on collection management will begin to be migrated in batches to an updated permissions structure. If not migrated yet, your organization will be within the next few weeks or if you manually turn on collection management.

During migration, all Managers are migrated to members with the User role and automatically provided with a new Can manage permission over assigned collections. They will retain the ability to fully manage those collections, including the ability to assign new members or groups access. This will also:

  • Migrate members with a custom role that includes Edit assigned collections to the User role with Can manage permission over those collections.

  • Migrate members with a custom role with only Delete assigned collections to the User role with no permission over those collections.

  • Deprecate the Access all existing and future collections permission and granted all users that had this permission Can manage permission for all existing collections.

Options include:

Member role

Permissions

User

Access shared items in assigned collections. Can add, edit, or remove items from assigned collections, unless assigned Can view permission.

Can create, manage, and delete collections if permitted by the organization.

Admin

All of the above,
+ Assign users to user groups
+ Create or delete user groups
+ Invite and confirm new users
+ Manage enterprise policies
+ View event logs
+ Export organization vault data
+ Manage account recovery
+ View vault health reports
+ Manage domain verification
+ Manage SSO configuration
+ Manage device approvals
+ Manage SCIM configuration

Admin users automatically have access to all collections.

Owner

All of the above,
+ Manage collections management settings
+ Manage billing, including subscription, payment method, and billing history
+ Manage API key
+ Manage organization two-step login
+ Manage organization information, e.g. name

Owner users automatically have access to all collections.

Custom (Enterprise-only)

Allows for granular control of user permissions on a user-by-user basis, see Custom role.

note

Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.

Custom role

Custom roles are currently available for Enterprise organizations. Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of manager and admin capabilities, including:

  • Access event logs

  • Access import/export

  • Access reports

  • Manage all collections (provides the following three options)

    • Create new collections

    • Edit any collection

    • Delete any collection

  • Manage groups

  • Manage SSO

  • Manage policies

  • Manage users

    tip

    Custom users with the Manage users permission can manage other custom users, however they can only assign other custom users the permissions that they themselves have.

  • Manage account recovery

Permissions

Permissions determine what actions a user can take with the items in a particular collection. While role can only set at an individual-member level, permissions can either be set for an individual member or for a group as a whole:

Permissions options
Permissions options

Permission

Description

Can view

The user or group can view all items in the collection, including hidden fields like passwords.

Can view, except passwords

The user or group can view all items in the collection except hidden fields like passwords.

Users may still use passwords via auto-fill.

Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

Can edit

The user or group can add new items, remove existing items, and edit existing items in the collection, including hidden fields like passwords.

Can edit, except passwords

The user or group can add new items, remove existing items, and edit existing items in the collection, except hidden fields like passwords.

Users may still use passwords via auto-fill.

Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

Can manage

The user or group can assign new members or groups access to the collection, including adding other members with Can manage permission, and delete the collection if they wish.

Make a suggestion to this page

Contact Our Support Team

For technical, billing, and product questions.

Name*
Bitwarden account email*
Verify account email*
Product*
Are you self-hosting?*
Subject*
Message...*

Cloud Status

Check status

© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here