User Types and Access Control

Category: Organizations
On this page:

    Users in Bitwarden Organizations can be granted a variety of User Types and Access Controls in order to manage their permissions.

    You can designate User Type and Access Control when you invite users to your Organization (see Add or Remove Users From Your Organization), or at any time from the ManagePeople screen in your Organization.

    User Types

    User Type determines the level of access that a user will have within your Organization. User Type is configured at the Organization level.

    Options include:

    User Type Permissions
    User Access shared items in assigned Collections
    Add, edit, or remove items from assigned Collections (unless Read Only)
    Manager All of the above,
    + Assign Users to Collections
    + Assign User Groups to Collections
    + Create or delete new Collections
    Admin All of the above,
    + Assign Users to User Groups
    + Create or delete User Groups
    + Invite and confirm new Users
    + Manage Enterprise Policies
    + View Event Logs
    + Export Organization Vault data

    Admin Users automatically have access to all Collections.
    Owner All of the above,
    + Manage Billing, Subscription, and Integrations

    Owner Users automatically have access to all Collections.
    Custom Allows for granular control of user permissions on a user-by-user basis. For more information, see Custom Role.

    Only an Owner can create a new Owner or assign Owner to an existing user. For failover purposes, Bitwarden recommends creating multiple Owner users.

    Custom Role

    Selecting the Custom role for a user allows for granular control of user permissions on a user-by-user basis. A user with the Custom role can have a customizable selection of Manager and Admin capabilities, including:

    • Manage Assigned collections
    • Access Business Portal
    • Access Event Logs
    • Access Import/Export
    • Access Reports
    • Manage All Collections
    • Manage Groups
    • Manage SSO
    • Manage Policies
    • Manage Users

    As an example, the Custom role allows for the creation of a user that can fully manage a User-Group-Collection relationship, without the ability to see anything in a Collection to which they are not assigned. This scenario would involve selecting only the following boxes for this Custom user:

    • Manage Assigned Collections
    • Manage Groups
    • Manage Users

    Access Control

    Access Control determines the Collection assignment of Users and Managers, as well as permissions within a given Collection. Access Control is configured at the Collection level.

    Assigning Admins and Owners to Collections via Access Control will only impact which Collections appear readily in the Filters section of their Vault. Admins and Owners will always be able to access “un-assigned” Collections via the Organization view.

    Configure Access Control options
    Configure Access Control options

    Selecting This user can access and modify all items will allow users to use all Collections in your Organization.

    Selecting This user can access only the selected collections will restrict users to only the assigned Collections, and activate Granular Access Control:

    Granular Access Control

    To assign users to only selected Collections, check the checkbox to the left of each desired Collection. For each checked Collection, you may also configure:

    Hide Passwords

    Selecting Hide Password prevents users from seeing or copying all passwords, TOTP seeds, or Hidden custom fields. Users with Hide Passwords active may only use items in the Collection via Auto-Fill.


    Enabling Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

    Read Only

    Selecting Read Only prevents users from adding, editing, or removing items within the Collection. Users with Read Only active may still see and use all passwords, TOTP seeds, and Hidden custom fields.

    Was this helpful?

    Rate this article: