User Types and Access Control

Users in Bitwarden organizations can be granted a variety of user types and access controls in order to manage their permissions and access. You can set user types and access controls when you invite users to your organization, or at any time from the Manage → Members screen in your organization:

Editing User Types and Access Control

User types

User type determines the permissions a user will have within your organization. User type does not determine which collections they have access to; rather, it determines what actions they can take within the context of your organization's resources and tools. Options include:

User Type: Permissions

User:
  Access shared items in assigned collections
  Add, edit, or remove items from assigned collections (unless Read Only)

Manager: All of the above,
  + Assign users to collections
  + Assign user groups to collections
  + Create or delete collections

Admin: All of the above,
  + Assign users to user groups
  + Create or delete user groups
  + Invite and confirm new users
  + Manage enterprise policies
  + View event logs
  + Export organization vault data
  + Manage password reset

  Admin users automatically have access to all collections.

Owner: All of the above,
  + Manage billing, subscription, and integrations

  Owner users automatically have access to all collections.

Custom: Allows for granular control of user permissions on a user-by-user basis; see Custom role.

Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.

Custom role

Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of manager and admin capabilities, including:

  • Manage assigned collections (provides the following two options)

    • Edit assigned collections

    • Delete assigned collections

  • Access event logs

  • Access import/export

  • Access reports

  • Manage all collections (provides the following three options)

    • Create new collections

    • Edit any collection

    • Delete any collection

  • Manage groups

  • Manage SSO

  • Manage policies

  • Manage users

  • Manage password reset


As an example, the custom role allows for the creation of a user that can only manage SSO configuration and access related credentials. This scenario might look like the following:

Sample Custom User

Access control

Access control determines access to collections, as well as permissions within each individual collection:

Configure Access Control options

Recall that admins and owners can automatically access all collections. For these user types, configuring access control will determine which collections are readily accessible in their individual vault and client applications (browser extension, mobile, and more). Admins and owners will still be able to access "unassigned" collections from the organization vault.

Access control: Description

This user can access and modify all items:
  Grants the user(s) access to all collections, as well as the ability to modify vault items stored therein.

  Selecting this option will collapse the collection selection section.

This user can access only the selected Collections:
  Grants the user(s) access to only selected collections, as well as granular access control over permissions for each collection.

  Selecting this option will expand the collection selection section.

Granular access control

If you selected This user can access only the selected Collections, choose which collections you want to provide them access to. For each collection, you can also configure the following options:

Option: Description

Hide passwords:
  Prevents users from seeing or copying all passwords, TOTP seeds, or hidden custom fields. Users with Hide Passwords active may only use items in the collection via auto-fill.

  Hide Passwords prevents easy copy-and-paste of hidden items; however, it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential.

Read Only:
  Prevents users from adding, editing, or removing items within the collection. Users with Read Only access may still see and use all passwords, TOTP seeds, and hidden custom fields.
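
The rules above can be applied to an access review. The following is an added example, not Bitwarden code: it lists the collections whose credentials each member should be considered to know (for rotation at offboarding) and checks the multiple-owner recommendation. The record layout, function names and sample members are assumptions made for the example, not Bitwarden's export or API schema.

```python
from dataclasses import dataclass, field
# Role and option names come from the page; the record layout is an
# assumption made for this example, not Bitwarden's export or API schema.
ALL_COLLECTION_ROLES = {"admin", "owner"}  # automatically access all collections

@dataclass
class Grant:
    collection: str
    read_only: bool = False
    hide_passwords: bool = False

@dataclass
class Member:
    email: str
    role: str                  # user, manager, admin, owner or custom
    access_all: bool = False   # "This user can access and modify all items"
    grants: list = field(default_factory=list)

def exposed_collections(member, all_collections):
    """Collections whose credentials must be treated as known to this member."""
    if member.role in ALL_COLLECTION_ROLES or member.access_all:
        return set(all_collections)
    # Hide Passwords and Read Only do not stop a member from learning the secret.
    return {g.collection for g in member.grants}

def review(members):
    findings = []  # (email or None for organization-wide, message)
    owners = [m for m in members if m.role == "owner"]
    if len(owners) < 2:
        findings.append((None, f"only {len(owners)} owner(s); add owners for failover"))
    for m in members:
        hidden = sorted(g.collection for g in m.grants if g.hide_passwords)
        if hidden and m.role not in ALL_COLLECTION_ROLES and not m.access_all:
            findings.append((m.email, "Hide Passwords is set but secrets still count as shared: " + ", ".join(hidden)))
    return findings

# Constructed sample organization (all names are made up).
COLLECTIONS = ["Prod DB", "SSO", "Marketing"]
MEMBERS = [
    Member("owner@example.com", "owner"),
    Member("ops@example.com", "admin"),
    Member("sso@example.com", "custom", grants=[Grant("SSO")]),
    Member("temp@example.com", "user", grants=[
        Grant("Prod DB", hide_passwords=True), Grant("Marketing", read_only=True)]),
]

if __name__ == "__main__":
    for who, msg in review(MEMBERS):
        print(who or "organization", "-", msg)
```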

© 2023 Bitwarden, Inc.