# Member Roles
Member roles control what users can do, like configuring SSO or managing device approvals. Assign a default role or custom role when inviting users or anytime after. Admins and owners manage roles and can create custom roles in Enterprise organizations.
## Assign member roles

There are two ways to assign a member role in the Admin Console:

1. When inviting a new member, select a Member role.
2. To change an existing member's role, go to Members and select the person's name, then choose a Member role from the options that appear.
## Default roles

There are three default member roles: owner, admin, and user. Each role grants different permissions for managing your organization and accessing shared items.

| Role | Overview |
|---|---|
| Owner | Owners are the only ones who can access an organization's subscription and billing details. Only a current owner can invite new owners or assign the owner role to existing members. To prevent disruptions to your organization's subscription when an owner leaves, we highly recommend assigning at least one additional owner. Good candidates include your IT team manager or a project manager. |
| Admin | Admins help manage your organization's unique configuration, like SSO and enterprise policies. They also have permission to manage members, like inviting new users and creating user groups. When picking admins for your team, consider who will help deploy Bitwarden across the organization or who needs access to organization reporting, like event logs or Access Intelligence. |
| User | Users can access shared items in their assigned collections and manage personal vault items. Based on their collection permissions, they can add, edit, or remove collection items. Assign the user role to teammates who need access to shared passwords but won't manage organization settings, members, or policies. This is the standard role for most members. |

**Tip:** Assign at least one additional owner to maintain access to billing and subscription details if the current owner becomes unavailable.
## Default role permissions

The following tables list the permissions for each member role.
### Items and collections

While every member role can save new items in My vault or My Items, access to collections is determined by three types of permissions that interact.

**Note:** These member permissions work together to determine collection access:

- Member roles define who can perform organization-level actions.
- Collection settings specify which member roles can create, manage, or delete collections across the entire organization.
- Collection permissions control what actions a specific user or group can take within a single collection.

The table below lists what each member role can do by default and when collection settings or collection permissions may affect them. When an organization is first set up, all collection settings are turned off and invited users or groups receive the View items collection permission.
| Action | Owner | Admin | User |
|---|---|---|---|
| Add, edit, or remove items in My vault or My Items | | | |
| Create collections | | | if the Restrict collection creation to owners and admins setting is turned off |
| Access shared items in assigned collections | | | |
| Add, edit, remove, and export items from assigned collections\* | | | |
| Delete an assigned collection | if the Manage collection permission is assigned | if the Manage collection permission is assigned | if the Restrict collection deletion to owners and admins setting is turned off and the Manage collection permission is assigned |
| Access and manage all collections in the organization | if the Allow owners and admins to manage all collections and items from the Admin Console setting is turned off | if the Allow owners and admins to manage all collections and items from the Admin Console setting is turned off | |
| Manage collection settings | | | |

\* A member's collection permissions determine what they can do within that collection.
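The create and delete rows of the table combine three inputs (member role, organization collection settings, and the member's permission on the collection). The following is an added example that models those two rows as a policy check; it is not Bitwarden code, and the class and function names are my own, while the setting and permission names follow the page.

```python
from dataclasses import dataclass, field

# Collection permission names as used on the page.
MANAGE = "Manage"          # collection permission required to delete that collection
VIEW_ITEMS = "View items"  # permission newly invited users or groups receive


@dataclass
class CollectionSettings:
    """Organization-wide collection settings; both are off when an org is first set up."""
    restrict_creation_to_owners_and_admins: bool = False
    restrict_deletion_to_owners_and_admins: bool = False


@dataclass
class Member:
    role: str  # one of the default roles: "owner", "admin" or "user"
    # collection name -> collection permission granted to this member
    collection_permissions: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.role not in ("owner", "admin", "user"):
            raise ValueError(f"unknown default role: {self.role}")

    def permission_on(self, collection: str) -> str:
        return self.collection_permissions.get(collection, VIEW_ITEMS)


def can_create_collection(member: Member, settings: CollectionSettings) -> bool:
    """Owners and admins can always create; a user only while the restrict setting is off."""
    if member.role in ("owner", "admin"):
        return True
    return not settings.restrict_creation_to_owners_and_admins


def can_delete_collection(member: Member, collection: str, settings: CollectionSettings) -> bool:
    """Every role needs Manage on the collection; a user also needs the restrict setting off."""
    if member.permission_on(collection) != MANAGE:
        return False
    if member.role == "user":
        return not settings.restrict_deletion_to_owners_and_admins
    return True


if __name__ == "__main__":
    # Constructed sample: a fresh organization (settings off) and one with both restrictions on.
    defaults = CollectionSettings()
    locked = CollectionSettings(True, True)
    alice = Member("user", {"Finance": MANAGE})
    bob = Member("admin")
    print(can_create_collection(alice, defaults), can_create_collection(alice, locked))        # True False
    print(can_delete_collection(alice, "Finance", defaults), can_delete_collection(alice, "Finance", locked))  # True False
    print(can_delete_collection(bob, "Finance", defaults))  # False: admin holds only View items on Finance
```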
### Members and activity

Owners and admins have enhanced capabilities for managing users and accessing organization-level reporting.

| Action | Owner | Admin | User |
|---|---|---|---|
| Assign and manage member roles | | | |
| Create and delete groups | | | |
| Add users to groups | | | |
| Manage account recovery | | | |
| Manage trusted device approvals | | | |
| View vault health reports | | | \* |
| View event logs | | | |
| View Access Intelligence | | | |

\* All users can access the Data breach report.
### Organization billing and settings

Access to most organization configuration settings is limited to owners.

| Action | Owner | Admin | User |
|---|---|---|---|
| Manage billing, including subscription, payment method, and billing history | | | |
| Change organization name | | | |
| Manage enterprise policies | | | |
| Manage claimed domains | | | |
| Manage SSO configuration | | | |
| Manage organization two-step login | | | |
| Manage API key | | | |
| Manage SCIM configuration | | | |
## Custom roles

Enterprise teams can build custom roles tailored to their needs, which makes them well suited to least-privilege security models. Use custom roles to delegate organization management tasks or to give users access to specific features. Common custom roles include:

| Use case | Custom role permissions |
|---|---|
| IT help desk who handles login issues and trusted device requests | Manage account recovery |
| Auditor who reviews security events and compliance | Access event logs and Access reports |
| Team manager who tracks password health and manages group-based collection access | Access reports and Manage groups |

**Note:** If someone needs to manage subscription information or update payment details, assign the owner role. Access to organization billing cannot be granted through a custom role.
By default, custom roles include the same permissions as the user member role. When assigning a custom role to a new or existing member, check the additional permissions you want to grant:

- Access event logs
- Access import/export
- Access reports
- Manage all collections

  This includes the ability to create, edit, and delete any collection.
- Create new collections
- Delete any collection
- Edit any collection
- Manage groups
- Manage SSO
- Manage policies
- Manage users

  Custom users with the Manage users permission can only grant permissions they already have. For example, a custom user with only Manage users and Access reports cannot grant Manage SSO to someone else.
- Manage account recovery

  The custom user can reset master passwords for members enrolled in account recovery. Without the additional Manage users permission, the Members page only lists enrolled members and displays the Recover account action.

  This permission also allows the custom user to manage trusted device requests.
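The Manage users rule above (a custom user can only pass on permissions they already hold) is the kind of delegation constraint worth checking in code before an assignment is saved. Here is an added example, not Bitwarden code, that models it together with the Manage all collections bundle; the permission names come from the page, the function names are mine, and it assumes that assigning roles at all requires Manage users.

```python
# Custom-role permission names as listed on this page.
CUSTOM_PERMISSIONS = frozenset({
    "Access event logs", "Access import/export", "Access reports",
    "Manage all collections", "Create new collections", "Delete any collection",
    "Edit any collection", "Manage groups", "Manage SSO", "Manage policies",
    "Manage users", "Manage account recovery",
})

# Manage all collections bundles the three collection permissions (per the page).
IMPLIED_BY = {
    "Manage all collections": {"Create new collections", "Delete any collection", "Edit any collection"},
}


def effective_permissions(granted: set) -> set:
    """Expand a custom role's checked permissions into the permissions it actually confers."""
    unknown = set(granted) - CUSTOM_PERMISSIONS
    if unknown:
        raise ValueError(f"not a custom-role permission: {sorted(unknown)}")
    effective = set(granted)
    for parent, children in IMPLIED_BY.items():
        if parent in granted:
            effective |= children
    return effective


def disallowed_grants(granter: set, requested: set) -> set:
    """Permissions in `requested` that `granter` may not assign to another member.

    Assumption: assigning roles at all requires Manage users, so a granter
    without it is refused every grant. With it, the page's rule applies:
    only permissions the granter already holds may be passed on.
    """
    requested = set(requested)
    if "Manage users" not in granter:
        return requested
    return requested - effective_permissions(granter)


if __name__ == "__main__":
    # Constructed sample roles.
    help_desk = {"Manage users", "Access reports"}
    # The page's example: Manage users + Access reports cannot hand out Manage SSO.
    print(disallowed_grants(help_desk, {"Manage SSO"}))                  # {'Manage SSO'}
    print(disallowed_grants(help_desk, {"Access reports"}))              # set()
    collections_lead = {"Manage users", "Manage all collections"}
    print(disallowed_grants(collections_lead, {"Edit any collection"}))  # set()
```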