Support for groups

[ptman]

https://help.bitwarden.com/article/groups/

[dani-garcia]

I'm not sure if I'm missing something, but I don't see any difference between this and organizations.
Instead of having an organization with multiple groups, you can create multiple organizations, and it serves the same purpose, it seems.

For now I'll mark this as low priority, and if someone wants to help implement it, I'll merge it.

[dani-garcia]

To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246.

[miko007]

this meta issue thing is kind of a stupid idea. i can not really focus on the "groups" discussion, because all topics are mixed up in issue #246.

group support is essential for the use of this implementation in organisations. has there been any progress been made on this topic?

the "multiple organisations" workaround has the major downside, that datasets can not be shared between organisation. one has to keep track of all the likewise entries in all organisations and keep them synchronized. i do not think, that this is of "low priority".

[dani-garcia]

There hasn't been any progress in the groups functionality and unless someone steps up to implement it there won't be any, as I have zero interest in implementing this.

If you need to share entries between organizations, create a new organization for all the users that need the shared entries. If your organization is so big that doing that becomes unworkable, you probably have enough resources to deploy the official server, and then you'll have your groups.

My vision of bitwarden_rs is focused on small to medium deployments, where the implementation of groups really is "low priority".

PD: In the future I'd refrain from calling things stupid, there is no need for that language here, we are all volunteering our time for free, you might not like our ideas, but as a minimum they deserve a little respect.

[miko007]

Well, it seems you totally got me on the wrong foot there. First, i can not see in which relation calling an idea stupid stands to any form of respect for people. I just put out my opinion, and in that, the idea is stupid. Does not have anything to do with you, nor other people contributing to the project.

Next, our company, which has round about 25 employees has a "medium deployment", i think. We already have the official server deployed an we also pay for every single license. This is not the point here. I thought, i would bring some insights from your target audience to this open project.

And from an administrators point of view, i want to tell you, that groups are a feature, which is used quite often, and makes life so much easier.

We have for example interns, which only should be able to look at the "read-only" accounts. We have developers, which need to see all the administration datasets as well as the "read-only" ones, an so forth.

Splitting all this up into different organizations would mean, those datasets can not coexist inside the same collection, as collections are organization bound, and therefore would be difficult to find.

I hope, at least somebody can relate.

love and respect. Mike.

[aiveras]

We are also an SME and would need this feature. Especially in combination with LDAP group policies are necessary to scale a company.
If you have to create a new organization for each group, it also complicates maintaining passwords. That's why I can only agree with @miko007 that this is a basic feature and has nothing to do with the size of a company or the willingness to buy. Especially in the sensitive area of passwords, a filigree identity management is almost equally weighted with the security of the password storage. After all, most leaks are not caused by technical errors but by people passing them on. For this reason, and I think every system administrator can confirm this, the lowest access rights are always granted in IT systems to protect data sovereignty.

[ptman]

While I agree, that organizations and collections make groups a nice-to-have instead of a must-have, groups are most likely very nice once you have enough users.

[sangdrax8]

Ouch, I didn't realize groups were missing. This could actually strongly relate to issues implementing the ldap-connector support I was looking at. Pulling in groups from LDAP becomes a moot point if groups don't exist on the server side to sync them to.

[lethargosapatheia]

I'm not sure if I'm missing something, but I don't see any difference between this and organizations.

I find the statement a little bit bewildering. The point is, of course, to be able to add a group of users to a collection, instead of each individual user. What if you've got 50 people in one team and you want to share a collection with them?
Instead of adding the group, you have to click 50 times, basically. Having 50 people in one team doesn't mean you're a huge company. Creating another yet organisation doesn't make any sense in so many cases and doesn't make things easier.

That you don't want to because you think there's too much effort to be made or don't have the time or whatever is understandable. That you think this is useless functionality for small/medium companies is quite disconcerting.

[pepa65]

In our organization, we didn't see the need for organizations, and we thought it would be confusing to our users, so we called them "groups". But the functionality is actually not the same, and having groups to me is much more interesting that having organizations (even if they are called "groups"...).

[BlackDex]

Any well written PR would be welcome.

[omueller]

Hi @dani-garcia & everybody,

I also got an internal request to "activate groups" in our vaultvarden server (for a small company), and had to explain it's not possible for now. Using different organisations as mentioned as workaround is not an option, as none of the password entries nor users would be there (without copying/cloning them manually).

I just saw you activated the GitHub sponsoring feature (https://github.com/sponsors/dani-garcia) : how much "sponsoring" do you think it would take to have an implantation of the bitwarden groups feature (https://bitwarden.com/help/article/about-groups/), and would you interested to do it then ? I am convicted many of the vaultwarden users would be happy to help then.

Many thanks again for your great work & best regards, Olivier

[bokkabonga]

For our (more or less) small Business, Bitwarden would be around 21000$ . Let´s just say management would never allow me to spend that much on it

[simaoafonso-pwt]

If you are managing 7 thousand people, maybe Bitwarden will give you a discount on the bulk rate?

[bokkabonga]

Nah that was the qouted price (bulk discount included) for around 500 Users. So Nothing too crazy tbh

Edit: Yearly that is

[simaoafonso-pwt]

🙁

[andbuitra]

Maybe you could get the company to fund the implementation? However it seems @dani-garcia is really not interested on implementing this but have said before that a PR would be accepted. Something like a bounty could work there.

[bendem]

Planning a larger than usual deployment here, we are onboarding users slowly and this is a major turnoff. We have multiple depts, we created a cross-dept organisation to allow users to share some passwords but each time we onboard someone we have to manually review each collection to see if the user should be added.
Also, if we create a new collection, we have to go through the user list and for each user, click on the user, select the new collection, select corresponding options, save. Currently, this is 3 clicks times 10 users (this is already very annoying), in the next months, it will be 3 clicks times 50 users.

[BlackDex]

I want to emphasize that vaultwarden is mainly developed for small self hosted personal environments. And that we can thank Bitwarden for having almost all of there code open-sourced and that we are able and allowed to use it.

Also, this project is maintained by contributors during there sparse free time and it is not there main paid job.
If you want to have all those features within a large company, then you should go for Bitwarden Cloud or Self-Hosted in my opinion. This project depends on Bitwarden and without it there would not be a Vaultwarden.

If you want features to be added, this project does except Pull Requests.

[johnnyq]

This a feature that is needed very much indeed, I was just checking to see if anyone has started working on this, or hired someone to do so.

[mikelwellsmore]

Agreed — we’re also in need.

[BloodyIron]

I cannot fathom why the value of groups (in addition to organisations) is somehow not self-evident to the devs here. The function of any group, whether it's in Vaultwarden/otherwise, in this scope of operation, is to limit access to content.

It is commonplace (within the paid version of Bitwarden) to have different groups provide different levels of access to the same collections, and this helps keep access organised for larger amounts of users (hundreds to thousands, etc). Instead of having to manage the permissions each user has to each collection, you just add them to the groups that grant them the access they need, as that is already configured. This drastically reduces the administrative overhead of access control.

By having only organisations, and no groups aspect, in Vaultwarden, this effectively puts an artificial cap on how many users can realistically be managed within Vaultwarden before the administrative overhead becomes unwieldy/unreasonable. It is an unrealistic expectation for administrators to manage access to content within Bitwarden without groups, as that means they have to do it per-user, every single time. And multiple organisations does not solve that, as earlier mentioned this means groups within an authentication domain cannot be translated into Vaultwarden.

It begs the question, have the devs actually worked in environments where access is delegated by Group membership? Because it sure feels like they haven't.

This feature not being considered critical is comedic in nature. I highly recommend this position be changed, and adding group support is likely a one-time effort, not likely to have regular development overhead.

[BlackDex]

I'm going to be really short here.

1. This project is mostly mend for home usage, not for companies who don't want to pay for Bitwarden Enterprise or Self-Hosted.
2. Group support #2667
3. This is an opensource project, if you want something added, go and create a PR.

[Dan-Zi]

it's an sql database. i'll see if i can make some sql-scripts like: who's assigned to collection, or assign a list of users to collection, or assign all users to sub-level collections.

[BlackDex]

it's an sql database. i'll see if i can make some sql-scripts like: who's assigned to collection, or assign a list of users to collection, or assign all users to sub-level collections.

For which reason?

[lethargosapatheia]

I'm guessing he still doesn't know that the merge request for group support has been merged. And I think it would make sense to reference this here, given that this is the first discussion you come across when you search for it: #2846

Oh, never mind, you did reference it in the previous post. It just doesn't stand out.

[Dan-Zi]

yep. sorry. I meant to mark BloodyIron's essay as a TL;DR. and decided to find a workaround instead of nagging.
thank you for good news about groups support :)
as I understand the groups feature is disabled by default; one has to add some ENV to enable?

[BlackDex]

Group support is not toggleable, and enabled by default.

[Dan-Zi]

hmm. most probably I did something wrong. I have no "Organizations->Manage->Groups" section. Just People,Collections, and Policies. I'm on vaultwarden/server:latest docker image.

[BlackDex]

It isn't in the current latest release yet.
It is in the testing tagged release though, which is based upon main branch.

[Dan-Zi]

got it! thanks a lot!

[Schmandre]

Hello all,

the group support is implemented since a few months. Thanks for that @MFijak. On #246 still is a message "NOTE (2022-12-15): This feature has some known issues!"

Unfortunately, I cant find any information about the "known issues". What issues are currently known? Or is the information just outdated?

BR

[runiq]

I've been meaning to thank you for that PR but kept forgetting. Tossed $5 your way today to make up for it. Thank you <3

[BlackDex]

Thanks @runiq

[bendem]

I can say that we've been running with groups enabled since 1.28.0 and we have not seen any problem with it. I see there is a problem with livesync, I'm not even sure what that is. 😁

We currently have one org, 4 groups, 25 users, maybe 50 collections and 100-200 passwords.

If there is anything specific you would like us to test, I can play with it some more.

[BlackDex]

The issue with live-sync is that when one user updates a cipher within a collection, an other user which has access to that collection via group policies (So not directly to a collection), will not receive this update via web-sockets.

[fdaone]

I'm seeing an issue where Managers can create collections, but they cannot modify/delete the collections afterwards. The Managers have "Can edit" on the collections via groups, but only if I give "Can edit" directly to each member they can then modify (Edit info / Access / Delete) the collections.

Also - if my memory serves me well - the combination of "Can edit" via group" and "Can view" via member, will actually make the "Can edit" via group work. :-)

I'll get around to submitting an issue with detailed info and steps to reproduce later this week...