Manage your Organization
As an organization using Secrets Manager, you'll share many of the tools originally used by Password Manager. This article covers these common areas and links to share documentation where appropriate.
note
If you're brand new to Bitwarden organizations, we recommend checking out our article on getting started as an organization administrator.
Policies allow Enterprise organizations to enforce security rules for their members, for example mandating use of two-step login. While some policies apply chiefly to Password Manager, there are a handful of policies that are broadly applicable to users of Secrets Manager:
tip
If you're new to Bitwarden, we recommend setting policies before onboarding your users.
With the exception of granting organization members access to Secrets Manager and some member role differences, user management for organizations using Secrets Manager is identical to organizations using Password Manager.
There are a few different methods of onboarding users to your Bitwarden organization. While we recommend checking out this guide for more complete information, but we'll list some of the highlights here:
Manual
The Bitwarden web vault provides a simple and intuitive interface for inviting new users to join your organization. This method is best for small organizations or those that aren't using directory services like Azure AD or Okta. Learn how to get started.
SCIM
Bitwarden servers provide a SCIM endpoint that, with a valid SCIM API Key, will accept requests from your identity provider for user and group provisioning and de-provisioning. This method is best for larger organizations using a SCIM-enabled directory service or IdP. Learn how to get started.
Directory Connector
Directory Connector automatically provisions users and groups in your Bitwarden organization by pulling from a selection of source directory services. This method is best for larger organizations using directory services that don't support SCIM. Learn how to get started.
Once onboarded, give individual members of your organization access to Secrets Manager:
Open your organization's Members tab and open your Member role panel using the () options menu.
At the bottom of the panel, check the This user can access the Secrets Manager Beta box:
![Assign access to the beta |]()
Assign access to the beta
tip
Giving members access to Secrets Manager won't automatically give them access to stored projects or secrets. You'll need to assign people or groups access to the projects next.
The following table outlines what each member role can do within Secrets Manager. During the beta, users have the same member role for Secrets Manager that they're assigned for Password Manager:
Member role | Description |
|---|---|
User | Users can create their own secrets, projects, service accounts, and access tokens. They can edit these objects once created. Users must be assigned to projects or service accounts in order to interact with existing objects, and can be given Can read or Can read, write access. |
Manager | Users can create their own secrets, projects, service accounts, and access tokens. They can edit these objects once created. Users must be assigned to projects or service accounts in order to interact with existing objects, and can be given Can read or Can read, write access. |
Admin | Admins automatically have Can read, write access to all secrets, projects, service accounts, and access tokens. Admins can assign themselves access to Secrets Manager and assign other members access to Secrets Manager. |
Owner | Owners automatically have Can read, write access to all secrets, projects, service accounts, and access tokens. Owners can assign themselves access to Secrets Manager and assign other members access to Secrets Manager. |
note
Custom roles are not currently scoped with options for Secrets Manager, however can still be used to assign specific Password Manager or broader organization capabilities.
Groups relate together individual members and provide a scaleable way to access access to and permissions for specific projects. When adding new members, add them to a group to have them automatically inherit that group's configured permissions. Learn more.
Once groups are created in the admin console, assign them to projects from the Secrets Manager web app.
Login with SSO is the Bitwarden solution for single sign-on. Using login with SSO, Enterprise organizations can leverage their existing Identity Provider to authenticate users with Bitwarden using the SAML 2.0 or Open ID Connect (OIDC) protocols. Learn how to get started.
Admin password reset allows designated administrators to recover enterprise organization user accounts and restore access in the event that an employee forgets their master password. Admin password reset can be activated for an organization by enabling the master password reset policy. Learn how to get started.
Event logs are timestamped records of events that occur within your Teams or Enterprise organization. Event logs are accessible to admins and owners from the Reporting tab of your organization vault:
Event logs are exportable, accessible from the /events endpoint of the Bitwarden Public API, and are retained indefinitely. While many events are applicable to all Bitwarden products and some are specific to Password Manager, Secrets Manager will specifically log the following:
Secret accessed by a service account