Admin can view stored passwords in organization

I’m creating an organization for my employees to store their passwords. What I like about it is that I can define policies regarding password strength for entries and check them for breaches and weak passwords. The problem is that if I, as an administrator, go to the web vault → organizations → vault I can see every password stored there. A solution is to let them have their own personal vault, but then I can’t enforce policies, check for breaches and weak passwords. Is there any way to prevent the administrator from viewing certain collections within an organization, so people can have their own “personal vault” in the organization?

That is not how Bitwarden works.

The sentence to let people have their own personal vault within the organization just doesn’t match.

You either have a personal vault with items only you can see yourself, or you put items into an organization which are shared across a bunch of people.

I would suggest reading the Bitwarden documentation: Organizations Quick Start | Bitwarden Help Center

Many password management tools allow for role-based access control. Check if your tool lets you customize admin privileges, restricting access to certain collections. This way, employees can have their personal vaults while you maintain oversight on policy enforcement.

1 Like

Bitwarden supports RBAC, but an admin or owner has access to all items of an organization. But they never have access to the personal vaults of the users.

2 Likes

I was searching in the Bitwarden forums and found this option - “This user can access only the selected collections”. This isn’t available in Vaultwarden, but would certainly come in handy. Is there a chance that this will be implemented?

It may not look exactly the same, but the functionality is there in Vaultwarden.

In the organization, under members, click the 3 dots to the right of a user and select collections. From there you can check off to allow the user to have all collections, even going forward, and below that you can individually add a collection and assign it view or edit or both permissions.