Manage Roles and Permissions
Members of Bitwarden organizations can be granted a variety of roles and levels of permission for collections. You can set roles and collections permissions when you invite users to your organization, or at any time from the Members screen in your organization using the options menu:
Member roles
Role determines the what actions a member can take within the context of your organization's available tools. Options include:
Member role | Permissions |
|---|---|
User | Access shared items in assigned collections. Can add, edit, or remove items from assigned collections, unless assigned View items permission. Can create, manage, and delete collections if permitted by the organization. |
Admin | All of the above, Collection access for admins is dependent on your organization's collection management settings. |
Owner | All of the above, Collection access for owners is dependent on your organization's collection management settings. |
Custom (Enterprise-only) | Allows for granular control of user permissions on a user-by-user basis, see Custom role. |
note
Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.
Custom role
Custom roles are currently available for Enterprise organizations. Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of administrative capabilities, including:
Access event logs
Access import/export
Access reports
Manage all collections (provides the following three options)
Create new collections
Edit any collection
Delete any collection
Manage groups
Manage SSO
Manage policies
Manage users
tip
Custom users with the Manage users permission can manage other custom users, however they can only assign other custom users the permissions that they themselves have.
Manage account recovery (may also manage device approval requests)
note
Manage account recovery will grant limited access to the Members tab on the Admin Console for access to the Master password reset action.
Permissions
Permissions determine what actions a user can take with the items in a particular collection. While role can only set at an individual-member level, permissions can either be set for an individual member or for a group as a whole. Permissions set for a member will supercede permissions set by that member's group(s):
tip
The Member access report can be used by Enterprise organizations to download a comprehensive .csv detailing what groups a member is in, what collections they have access to, their level of permission within each assigned collection, and more.
Permission | Description |
|---|---|
View items | The user or group can view all items in the collection, including hidden fields like passwords. |
View items, hidden passwords | The user or group can view all items in the collection, except hidden fields like passwords. The user or group may still use passwords via auto-fill. Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential. |
Edit items | The user or group can add new items, assign items to collections, un-assign items from collections, change collection assignment, and edit existing items in the collection, including hidden fields like passwords. The user or group can also take any action granted by 'View items' permission. |
Edit items, hidden passwords | The user or group can edit existing items in the collection, except hidden fields like passwords. The user or group may still use passwords via auto-fill. The user or group cannot assign the collection items to a different collection. Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential. |
Manage collection | The user or group can assign new members or groups access to the collection, including adding other members with 'Manage collection' permission, can delete collection items, can delete an organizational vault item, and can delete the collection if they wish. The user or group can also take any action granted by 'Edit items' permission. |