Bitwarden offers four pre-defined member-role permission sets, including a configurable Custom member role (Enterprise only). Owners and Admins have full access by default to prevent lockout and allow for Bitwarden account administration.
To limit the day-to-day access a user has to the entire Organization, Owner account(s) can be set up on service account email addresses. These accounts are not accessed on a regular basis, but only to perform tasks that require access to all vault data at once. Admin account(s) can then be downgraded to the Custom member role with a specific permissions set.
This guide assumes that you have already determined a storage and approval mechanism for the Owner account(s). It is recommended to remain logged into an Owner account while modifying the Admin account(s) to reduce their privileges.
The below Custom member role will replace your users’ Admin member role:

Manager Permissions
In the left column, allow this Custom member role to Edit and Delete the collections they have been assigned, including adding and removing users from the collection.
Check any of the following boxes under the Admin Permission heading:
- Event logs
- Reports
- Create new collections
- Manage groups
- SSO
- Policies permissions
Note that none of the options above provide access to vault items.
Now that the Admin users have been downgraded, several tasks can only be accomplished via the Owner account(s) due to the cryptographic or API permissions these tasks require. These tasks are:
- Import/Export of the organization vault
- Editing/Deleting unassigned collections
- Admin password reset
- Manual user onboarding/offboarding
- Accessing the organization API key
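
A check of the resulting role model, as an added example that is not Bitwarden's own code: it audits a member list for leftover Admins, Owners outside the approved service accounts, Custom roles holding boxes beyond those listed above, and the lockout case where no approved Owner remains. The JSON layout, field names, addresses and the APPROVED_OWNERS set are assumptions constructed for illustration, not Bitwarden's export or API schema.

```python
import json

# Admin Permission boxes the page lists for the replacement Custom role.
ALLOWED_CUSTOM = {"Event logs", "Reports", "Create new collections",
                  "Manage groups", "SSO", "Policies permissions"}

# Constructed sample in a hypothetical export format (not Bitwarden's schema).
SAMPLE_MEMBERS = json.loads("""[
 {"email": "bw-owner@example.com", "role": "Owner", "permissions": []},
 {"email": "alice@example.com", "role": "Owner", "permissions": []},
 {"email": "bob@example.com", "role": "Admin", "permissions": []},
 {"email": "carol@example.com", "role": "Custom",
  "permissions": ["Event logs", "Manage groups"]},
 {"email": "dave@example.com", "role": "Custom",
  "permissions": ["Reports", "Manage users"]},
 {"email": "erin@example.com", "role": "Manager", "permissions": []}
]""")

# Assumption: the Owner service-account addresses your organization approved.
APPROVED_OWNERS = {"bw-owner@example.com"}


def audit(members, approved_owners):
    """Return (email, finding) pairs for members that break the role model."""
    findings = []
    for m in members:
        email, role = m["email"].lower(), m["role"]
        if role == "Owner" and email not in approved_owners:
            findings.append((email, "Owner role outside the approved service accounts"))
        elif role == "Admin":
            findings.append((email, "Admin role not yet downgraded to Custom"))
        elif role == "Custom":
            extra = sorted(set(m.get("permissions", [])) - ALLOWED_CUSTOM)
            if extra:
                findings.append((email, "Custom role grants extra: " + ", ".join(extra)))
    # Lockout guard: at least one approved Owner must remain.
    if not any(m["role"] == "Owner" and m["email"].lower() in approved_owners
               for m in members):
        findings.append(("<organization>", "no approved Owner account left"))
    return findings


if __name__ == "__main__":
    for email, finding in audit(SAMPLE_MEMBERS, APPROVED_OWNERS):
        print(f"{email}: {finding}")
```
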
Once you have changed your Admin users to this Custom member role, you will need to designate people to manage access to each collection. There are two ways to configure this, depending on how much access you want to give to the "department head".
Manager member role
The pre-defined Manager member role provides the ability to edit or delete any collections they are assigned, including adding and removing access for users. This role is best if you have a static set of collections that need restricted access.
Custom member roles for Department Heads
If your "department head" needs to be able to create new collections in addition to managing their currently assigned collections, you will want to change those users to a Custom member role as well, with the following permissions:
