# Setting up administrative accounts with lesser privileges

Bitwarden [member roles](https://bitwarden.com/it-it/help/user-types-access-control/) include four pre-defined permission sets, including a configurable Custom member role (Enterprise only). Owners and Admins have full administrative access by default to prevent lockout and allow for user account administration.

To limit the day-to-day access a user has to the entire Organization, Owner account(s) can be set up with service account email addresses. These accounts are not accessed regularly, but only to perform tasks that require access to all vault data at once. Admin account(s) can be downgraded to the Custom member role with a specific permission set.

This guide assumes that you have already determined a storage and approval mechanism for the Owner account(s). It is recommended to remain logged into an Owner account while modifying the Admin account(s) to Custom role(s).

### **Defining your custom member role**

The Custom member role below will replace your users’ Admin member role:

![Custom roles screenshot](https://bitwarden.com/assets/QtZFE23zRWzNz511iyVep/53d6f4ee36982864010f984f1909d2af/Admin_accounts_with_lesser_privileges_-_custom_role.png)

**Check any of the following boxes:**

- Access event logs
- Access reports
- Create new collections
- Manage groups
- Manage SSO
- Manage policies

Note that none of the options above provide access to additional vault items.

### **Using the Owner member role as a service account**

Now that the Admin users have been downgraded, several tasks can only be accomplished via the Owner account(s) due to the cryptographic or API permissions these tasks require. These tasks are:

- Import/Export of the organization vault
- Editing/Deleting unassigned collections
- Account recovery
- Manual user onboarding/offboarding
- Accessing the organization API key
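One way to verify the outcome of the two sections above is to audit a member listing against the role model they describe. This is an added example, not Bitwarden's code: the record shape, the function name `audit_members` and the sample accounts are assumptions, and "Manage users" appears only as a constructed out-of-policy permission.

```python
# Added example: audits a member listing against the role model in this guide.
# The record shape (email / role / permissions) is an assumption made for the
# example; it is not Bitwarden's API or export format.

# Permission labels exactly as listed under "Check any of the following boxes".
ALLOWED_CUSTOM = {
    "Access event logs", "Access reports", "Create new collections",
    "Manage groups", "Manage SSO", "Manage policies",
}

def audit_members(members, owner_service_emails):
    """Return sorted (email, finding) tuples for members that break the model."""
    service = {e.lower() for e in owner_service_emails}
    findings, service_owner_seen = [], False
    for m in members:
        email, role = m["email"].lower(), m["role"]
        if role == "Owner":
            if email in service:
                service_owner_seen = True
            else:
                findings.append((email, "Owner role on a non-service account"))
        elif role == "Admin":
            findings.append((email, "Admin role not yet downgraded to Custom"))
        elif role == "Custom":
            extra = sorted(set(m.get("permissions", [])) - ALLOWED_CUSTOM)
            if extra:
                findings.append((email, "Custom role exceeds the guide: " + ", ".join(extra)))
    if not service_owner_seen:
        # Owners exist to prevent lockout, so a listing without one is a finding.
        findings.append(("<organization>", "no Owner service account present"))
    return sorted(findings)

# Constructed sample data (not real accounts).
SAMPLE_MEMBERS = [
    {"email": "bw-owner@example.com", "role": "Owner"},
    {"email": "alice@example.com", "role": "Owner"},
    {"email": "bob@example.com", "role": "Admin"},
    {"email": "carol@example.com", "role": "Custom",
     "permissions": ["Access event logs", "Manage groups"]},
    {"email": "dave@example.com", "role": "Custom",
     "permissions": ["Manage policies", "Manage users"]},
    {"email": "erin@example.com", "role": "User"},
]

if __name__ == "__main__":
    for email, finding in audit_members(SAMPLE_MEMBERS, {"bw-owner@example.com"}):
        print(f"{email}: {finding}")
```

Map whatever member listing you have into these three fields before running the audit; the findings are only as accurate as that mapping.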

### **Department Head/Manager permissions**

Once you have changed your Admin users to this Custom member role, you will need to designate people to manage access to each collection. There are two ways to configure this, depending on how much access you want to give to the "department head".

#### **Can manage Collection permission**

Grant department heads the Can manage [permission](https://bitwarden.com/it-it/help/user-types-access-control/#permissions/) for any collection you would like them to manage.

#### **Allowing Department Heads to create new collections**

If your "department head" needs to be able to create new collections in addition to managing their currently assigned collections, you will have two options.

#### **Allow all users to create collections**

Within the Admin Console, navigate to **Settings > Organization info**. From there, you will be able to decide whether you want Collection creation and deletion restricted to owners and admins. If you would like all users to be able to create collections, uncheck this box and save. 

![Organization Settings - Limiting Collection Management to Owners and Admins](https://bitwarden.com/assets/4HGJbCGzTsTcdkMDrcv5Pg/7f0b22e259ba02d1310a1ee03174d215/Limited_Collection_Management.png)

#### **Restrict collection creation to designated members**

To allow department heads to create new collections when the Collection management option is checked, you will need to additionally grant those members the following Custom role:

![Custom Role - Create New Collections Selected](https://bitwarden.com/assets/XSydOs23gqbZ02DLAG57t/7a383b60f5b2387bf8f9052cac341893/Custom_Role_-_Create_New_Collections_Selected.png)

These members will still need to be granted the Can manage permission for any existing collections, but will immediately be granted Can manage for any new collection they create. 

### Additional Resources

#### Learning Center Modules

- Video Series: [Getting started as an administrator](https://bitwarden.com/it-it/learning/pm-101-getting-started-as-an-administrator/)
- [Scaling Members, Groups, and Collections](https://bitwarden.com/it-it/learning/scaling-user-roles-groups-and-collections/)

#### Help Articles

- [Member Roles and Permissions](https://bitwarden.com/it-it/help/user-types-access-control/)
