User Types and Access Control
Users in Bitwarden organizations can be granted a variety of user types and access controls in order to manage their permissions and access. You can set user types and access controls when you invite users to your organization, or at any time from the Manage → Members screen in your organization:
User type determines the permissions a user will have within your organization. User types does not determine which collections they have access to, rather it determines what actions they can take within the context of your organization's resources and tools. Options include:
User Type | Permissions |
|---|---|
User | Access shared items in assigned collections
|
Manager | All of the above, |
Admin | All of the above, Admin users automatically have access to all collections. |
Owner | All of the above, Owner users automatically have access to all collections. |
Custom | Allows for granular control of user permissions on a user-by-user basis, see Custom role. |
note
Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.
Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of manager and admin capabilities, including:
Manage assigned collections (provides the following two options)
Edit assigned collections
Delete assigned collections
Access event logs
Access import/export
Access reports
Manage all collections (provides the following three options)
Create new collections
Edit any collection
Delete any collection
Manage groups
Manage SSO
Manage policies
Manage users
Manage password reset
tip
As an example, the custom role allows for the creation of a user that can only manage SSO configuration and access related credentials. This scenario might look like the following:
Access control determines access to collections, as well as permissions within each individual collection:
note
Recall that admins and owners can automatically access all collections. For these user types, configuring access control will determine which collections are readily accessible in their individual vault and client applications (browser extension, mobile, and more). Admins and owners will still be able to access "unassigned" collections from the organization vault.
Access control | Description |
|---|---|
This user can access and modify all items | Grants the user(s) access to all collections, as well as the ability to modify vault items stored therein. |
This user can access only the selected Collections | Grants the user(s) access to only selected collections, as well as granular access control over permissions for each collection. |
If you selected This user can access only the selected Collection, choose which collections you want to provide them access to. For each collection, you can also configure the following options:
Option | Description |
|---|---|
Hide passwords | Prevents users from seeing or copying all passwords, TOTP seeds, or hidden custom fields. Users with Hide Passwords active may only use items in the collection via auto-fill. Hide Passwords prevents easy copy-and-paste of hidden items, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential. |
Read Only | Prevents users from adding, editing, or removing items within the collection. Users with Read Only access may still see and use all passwords, TOTP seeds, and hidden custom fields. |