Onboarding and Succession
Read the full paper below or download the PDF.
Getting new employees up and running quickly drives productivity. Likewise, saying farewell properly drives assurance in the security of your business's systems and accounts. Whether your business leans towards consolidation and centralization, or prefers a flexible and dynamic environment, Bitwarden fits your needs.
This guide covers the Bitwarden approach to onboarding and succession planning for users in your Organization, starting with our approach to the relationship between users and Organizations, then covering the simplest use-cases for Onboarding and Offboarding, and finally and moving on to the levers and options at your disposal to fit Bitwarden to your needs.
The Bitwarden vision is to imagine a world where no one gets hacked. We carry this forward in our mission to help individuals and companies manage their sensitive information easily and securely. Bitwarden believes that:
Basic password management for individuals can and should be free. We provide just that, a basic free account for individuals.
Individuals and Families should take an active role in their security using TOTPs, Emergency Access, and other supporting security features.
Organizations can greatly improve their security profile through Organizational password management and secure sharing.
For Bitwarden, different plans and options are connected and complementary, all originating in our vision of a hack-free world. Empowering everyone at work and at home with password management gets us one step closer to that goal.
A key aspect of Bitwarden is that, unlike many software applications, everything in every a Vault is end-to-end encrypted. To maintain this security model, every person using Bitwarden must have a unique account with a unique Master Password. Master Passwords should be strong and memorable.
Each user is in charge of their Master Password. Bitwarden is a Zero-knowledge encryption solution, meaning that the team at Bitwarden, as well as Bitwarden systems themselves, have no knowledge of, way to retrieve, or way to reset any Master Password.
Security everywhere means security anywhere, so the best password managers provide access across all your devices. Bitwarden supports a range of client applications, any of which can be connected to our Cloud-hosted servers or a self-hosted server of your own:
Anyone who creates a Bitwarden account will have their own individual vault. Accessible from any client application, individual vaults are unique to each user and only that user holds the key to access it, using a combination of their Email Address and Master Password. Personal accounts, and the individually-owned vault items stored therein, are the account owners responsibility. Organization Owners, Admins, and Managers cannot see any other user's individual vault by design, guaranteeing someone's individual vault data remains their own.
Families, Teams, and Enterprise Organizations automatically provide members individually with premium features, like Emergency Access and encrypted Attachment storage, which they can choose to use. Data in an individual vault belongs to the user. Individual vaults do not enable sharing, Organizations do.
Why provide Personal Vaults by default?
Personal Vaults are an instrumental component of the Bitwarden approach. Employees use a range of credentials every day, personally and professionally, and habits formed in one area typically become habits in the other. In our view, employees that use proper security practices in their personal lives will carry over that good behavior to their professional lives, protecting your business in the process.
Using the same tool in both areas helps that habit form faster and easier. Enterprise Organizations have the option to configure policies, including to disable Personal Vaults.
Bitwarden Organizations add a layer of collaboration and sharing to password management for your team or enterprise, allowing you to securely share common information like office wifi passwords, online credentials, or shared company credit cards. Secure sharing through Organizations is safe and easy.
Anyone can start an Organization directly from the Web Vault:
Once created, you'll land in your Organization Vault, which is the central hub for all things sharing and Organization administration. Whoever launches the Organization will be the Owner, giving them full control to oversee the ault, to Manage users, Collections, Groups, and Policies, to run Reporting, and to configure the Organization's Settings:
Bitwarden Organizations manage users and data in a scalable and secure fashion. Managing users and data on an individual basis is inefficient for large businesses and can leave room for error. To solve this, Organizations provide Collections and Groups.
Collections gather together Logins, Notes, Cards, and Identities for secure sharing within an Organization:
Once your Organization is established and Collections are setup to store your data, Owners and Administrators should invite new members. To ensure the security of your Organization, Bitwarden applies a 3-step process for onboarding new members, Invite → Accept → Confirm.
In the simplest cases, users can be added to your Organization directly from the Web Vault. When adding users, you can designate which Collection to grant them access to, which role to give them, and more.
Once users are fully onboarded to your Organization, you can assign access to your Organization's Vault data by assigning them to Collections. Teams and Enterprise Organizations can assign users to Groups for scalable permissions assignment, and construct Group-Collection associations instead of assigning access on the individual level.
For large Organizations, Directory Connector is the best way to onboard and offboard users at scale.
Groups relate together individual users, and provide a scaleable way to assign permissions including access to Collections and other access controls. When onboarding new users, add them to a Group to have them automatically inherit that Groups's configured permissions:
Comprehensive Role-based Access Controls
Bitwarden takes an enterprise-friendly approach to sharing at scale. Users can be added to the Organization with a number of different roles, belong to different Groups, and have those Groups assigned to various Collections to regulate access. Among the available roles is a Custom Role for granular configuration of administrative permissions.
At Bitwarden, we see sharing of credentials as a vital aspect to getting work done efficiently and securely. We also recognize that once a credential is shared, it is technically possible for the recipient to keep it. For that reason, secure onboarding using appropriate role-based access controls and implementing policies plays an important role in facilitating secure offboarding.
Alice is a Manager in your Organization, which is hosted on the Bitwarden Cloud and uses company email addresses (e.g.
firstname.lastname@example.org). Currently, this is how Alice uses Bitwarden:
Uses Bitwarden on Mobile and a Browser Extension personally and professionally, and the Web Vault for occasional Organization-related work.
Email & Master Password
Logs in to Bitwarden using
Stores assorted personal items, including Logins and Credit Cards, in her Personal Vault.
Permissions in the Organization
As a Manager, Alice can manage many aspects of Collections.
Uses Organization-wide Duo 2FA.
Created a Collection for her team, "Alice's Team Collection".
Created and shared several Vault items that are owned by by the Organization and reside in her team's Collection.
When Alice is removed from your Organization:
Can continue to use any Bitwarden application to access her individual vault, however all will immediately lose access to the Organization Vault, all Collections, and all shared items.
Email & Master Password
Can continue to log in using
Will still be able to use her individual vault and access the items stored therein.
Permissions in the Organization
Will immediately lose all permissions over and access to anything related to the Organization.
Won't be able to use Organization Duo 2FA to access her Vault, but can setup one of our free Two-step Login options or upgrade to Premium for more.
Ownership of Collections and shared items belongs to the Organization, so Alice will lose access to "Alice's Team Collection" despite having created it.
Ownership of Collections and shared items belongs to the Organization, so Alice will lose access to all these items despite having created them.
Offline devices cache a read-only copy of vault data, including organizational vault data. If you anticipate malicious exploitation of this, credentials the member had access to should be updated when you remove them from the organization.
At Bitwarden, we often say that password management is people management, and we can fit the workflows suited to your Organization. By offering a wide range of options, shared via our open source approach, customers can rest assured that they can meet their own individual needs.
Get started today with a free Enterprise or Teams trial.
For companies with large user-bases that operate using directory services (LDAP, AD, Okta, and others), Directory Connector can synchronize users and groups from the directory to the Bitwarden Organization. Directory Connector is a stand-alone application that can be run anywhere with access to your directories and to Bitwarden.
Many Bitwarden Teams and Enterprise Organizations focus their onboarding efforts on the Directory Connector and use the Organization Vault administration areas to manage Group-Collection relationships.
Directory Connector will:
Sync LDAP-based directory groups with Bitwarden Groups
Sync users within each Group
Invite new users to join the Organization
Remove deleted users from the Organization
Bitwarden Enterprise Organizations can integrate with your existing Identity Provider (IdP) using SAML 2.0 or OIDC to allow members of your Organization to login to Bitwarden using SSO. Login with SSO separates user authentication from Vault decryption:
Authentication is completed throught your chosen IdP and retains any two-factor authentication processes connected to that IdP. Decryption of Vault data requires the user's individual key, which is derived in part from the Master Password. There are two decryption options, both of which will have users authenticate using their regular SSO credentials.
Master Password: Once authenticated, Organization members will decrypt Vault data using their Master Passwords.
Customer Managed Encryption: Connect Login with SSO to your self-hosted decryption key server. Using this option, Organization members won't need to use their Master Passwords to decrypt Vault data. Instead, Key Connector will retrieve a decryption key securely stored in a database owned and managed by you.
Leverage your existing Identity Provider
Protect the end-to-end encryption of your data
Provision users automatically
Configure access with or without SSO
Decrypt Vault data according to your company's security needs
Enterprise Organizations can implement a variety of Policies designed to lay a secure foundation for any business. Policies include:
Two-step Login: Require users to set up two-step login on their personal accounts.
Master Password: Set minimum requirements for master password strength.
Password Generator: Set minimum requirements for password generator configuration.
Single Organization: Restrict users from being able to join any other organizations.
Personal Ownership: Require users to save vault items to an organization by removing the personal ownership option.
The Personal Ownership policy, for example, fits into earlier discussion regarding the interplay between Personal Vaults and Organization Vaults. Some companies may desire the assurance of have all credentials retained in the Organization Vault. A possible implementation could involve allowing each individual user to have their own Collection, which unlike Personal Vaults could be overseen by Organization Owners and Admins.
Bitwarden Organizations include access to Event Logs, which can be viewed directly from the Web Vault or exported to be analyzed within security information and event management (SIEM) systems like Splunk. Event Logs include information about:
Changes made to Vault items
Organization Configuration Changes
Much, much more
In addition to these benefits, customers appreciate the ability to tightly integrate Bitwarden into their existing systems. Bitwarden offers a robust public API and a fully-featured command line interface (CLI) for further integration into existing Organization workflows.
In keeping with the Bitwarden approach to offer password management anywhere and everywhere, Bitwarden provides an option
to self-host to address an even wider range of use cases for Enterprises. There are many reasons for a company to choose to self-host. Specifically when it comes to onboarding, offboarding, and enhanced features, here are some of the reasons companies choose to do so:
Immediate deletion of user accounts: Because you control the server, users can be deleted entirely (including their individual vault).
Network access control: Organization Owners can determine which network access employees must use to access their Bitwarden server.
Advanced proxy settings: Administrators can choose to enable or disable certain types of devices from accessing the Bitwarden Server.
Use an existing database cluster: Connect to an existing Microsoft SQL Server database. Additional databases will be supported in the future.
Increase storage for file attachments and Bitwarden Send: File attachments for Bitwarden items or Bitwarden Send are retained on user-provided storage.
Directory Connector, Login with SSO, Enterprise Policies, and your Vault work well individually or in harmony to optimize your onboarding, offboarding, and Organization management experience. The following table details how that it might look to string together these pieces into one smooth process:
Use Directory Connector to sync groups and users to Bitwarden from your existing directory service.
Directory Connector will automatically issue invitations to synced users.
Pair your Login with SSO implementation with the SSO Policy to require users to sign up with SSO when they accept their invitations.
Use the Web Vault interface to promote some users to different roles and to ensure Group-Collection relationships are configured to grant the right access to the right users.
Periodically re-run Directory Connector to remove users from Bitwarden that are no longer active in your directory service and to start onboarding for new hires.
Q: If an employee already has a Bitwarden account, can we attach it to the Organization so they don't need another Bitwarden account?
A: Yes! You can. Some customers recommend that prior to attaching users to the Organization, that those users have a Bitwarden Vault attached to their company email. This choice is company-specific and either approach works.
Q: When an employee leaves, can we detach their account from the Organization so that they don't have access to company credentials anymore and they do not lose their individually-owned credentials?
A: Yes! That's exactly what offboarding entails.
Q: Can we prevent employees from duplicating credentials from the company Organization to their individual vault
A: Yes! Using our comprehensive suite of role-based access controls you can make credentials Read Only to prevent duplication.