Member Roles and Permissions
Members of Bitwarden organizations can be granted a variety of roles and levels of permission for collections. You can set roles and collections permissions when you invite users to your organization, or at any time from the Members screen in your organization using the Options menu:
Role determines the what actions a member can take within the context of your organization's available tools. Roles do not determine which collections they have access to. Options include:
Member role | Permissions |
|---|---|
User | Access shared items in assigned collections.
|
Manager | All of the above, |
Admin | All of the above, Admin users automatically have access to all collections. |
Owner | All of the above, Owner users automatically have access to all collections. |
Custom (Enterprise-only) | Allows for granular control of user permissions on a user-by-user basis, see Custom role. |
note
Only an owner can create a new owner or assign the owner type to an existing user. For failover purposes, Bitwarden recommends creating multiple owner users.
Custom roles are currently available for Enterprise organizations. Selecting the Custom role for a user allows for granular control of permissions on a user-by-user basis. A custom role user can have a configurable selection of manager and admin capabilities, including:
Manage assigned collections (provides the following two options)
Edit assigned collections
Delete assigned collections
Access event logs
Access import/export
Access reports
Manage all collections (provides the following three options)
Create new collections
Edit any collection
Delete any collection
Manage groups
Manage SSO
Manage policies
Manage users
tip
Custom users with the Manage users permission can manage other custom users, however they can only assign other custom users the permissions that they themselves have.
Manage password reset
Permissions determine what actions a user can take with the items in a particular collection. While role can only set at an individual-member level, permissions can either be set for an individual member or for a group as a whole:
Permission | Description |
|---|---|
Can view | The user or group can view all items in the collection, including hidden fields like passwords. |
Can view, except passwords | The user or group can view all items in the collection except hidden fields like passwords. Users may still use passwords via auto-fill. Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential. |
Can edit | The user or group can add new items, remove existing items, and edit existing items in the collection, including hidden fields like passwords. |
Can edit, except passwords | The user or group can add new items, remove existing items, and edit existing items in the collection, except hidden fields like passwords. Users may still use passwords via auto-fill. Hiding passwords prevents easy copy-and-paste, however it does not completely prevent user access to this information. Treat hidden passwords as you would any shared credential. |
Grant access to all current and future collections | Selecting this option gives the user or group full (Can edit) access to items in all existing collections and to any collections created in the future. |
note
Recall that admins and owners can automatically access all collections from the organization vault. For these member roles, de-select the Grant access to all current and future collections.
Configuring access control will determine which collections are readily accessible in their individual vault and client applications (browser extension, mobile, and more). Admins and owners will still be able to access "unassigned" collections from the organization vault.