Hi, friendly people have said this is possible but I can’t figure out what is wrong.
I’ve added an organisation and added my wife to it. She accepted and then I approved her (is there a reason for a third step here?). She can see the shared collection via the web interface. But she can’t see it in the Android app. Is there a setting I’m missing?
This is how things are handled with the upstream Bitwarden project and as such Vaultwarden tries to match the intended behavior expected from the server.
The Org invite, and further the user acceptance is part of how the Org and user exchange encryption information, please see Bitwarden Security White Paper for more.
The third step of approving the user, I believe, is a function added after the 2018 Security Code Assessment regarding the vulnerability BWN-01-008:
Public key authentication via fingerprint (see #1 above) has been added to the confirmation step while onboarding new users into an organization. Users can view and verify their fingerprint under their account’s settings in various Bitwarden client applications. Going forward, we will continue to investigate the possibility of implementing public key authentication for organization user onboarding in other Bitwarden client applications, such as the desktop app, which are less susceptible to malicious server-side attacks (see #2 above). This would make the authentication process of public keys returned by the Bitwarden API server even safer.
Finally, it should be noted that users also have the ability to self-host the Bitwarden server on their own trusted infrastructure which would remove the risks associated with this issue almost entirely.
As such, this prompts the Org admin to confirm the user’s account fingerprint phrase to confirm the proper account is being accepted into the Organization.
Can you confirm if she is able to see them in the main web interface of her “personal” vault or only when she is going into the “Organization Vault” view?
As long as she is assigned access to the Organization and the collections then those should show up in the personal vault and subsequently in the Android app.
If she is an Organization Owner or manager (I believe) then they will have access to the Organization and collections even if they are not “assigned” to the user to view, but will still not show up in the user’s personal vault view and the applications or browser extensions.
Hope this info helps.
If I’m correct, you only see collections within the Android app, and I even think you only see collections which have ciphers in them.
Best way to check if you have access to the organization is to create a new cipher via the app and scroll all the way down to Ownership. There you can click on “Who owns this item” and that should list all the organizations that user is a member of, and allowed to add new ciphers.
Dude, that is one of the best and most comprehensive answers I’ve ever received, THANK YOU!
Digging further, I’m not sure why she was seeing things in the web view (when visiting the organization page). But found the ‘share select items’ / ‘share whole of organization’ setting, working very well now.