How to enable Personal Ownership policy on server level

[tkurt]

Hi, we are using a lot of Organisations in our vaultwarden. The "problem" is that if one organisation admin or owner disables this feature (personal ownership) in organisation policies, this option spreads to the whole user account (if user is a member of multiple organisations). As a result, user can't create new items in his personal vault. Basically this means that user forced to share even personal creds that he wants to keep in secret from other colleagues in organisations.

So the question is: is it possible to enable personal ownership by default in servers settings (config.json or in the environment variables in docker-compose.yml ), so users would always have a functionality to use their personal vault no matter what settings organisation admins are applied.

Basically this option should be disabled in all organisations if user wants to keep his personal vault enabled.

[jjlin]

You're basically asking for the personal ownership policy to not work. Why don't you just ask the org owner/admin to not set this policy, or else don't join their org?

[tkurt]

Because we have tons of organisations and a lot of admins/owners so it's hard to track all off it. After all, in my opinion, It's just stupid that enabling the policy will take away personal vault from user. It's quite often the case that user has some personal work credentials that should not be shared with other users, like vpn creds etc.

[jjlin]

This policy exists because some org owners expect the software to be used only for passwords that are to be shared with the org, and worry that their users may (whether inadvertently or intentionally) save passwords to their personal vaults that may be unrecoverable if something happens to that user. It's a bit strange to say it's "stupid" that this policy does exactly what it's supposed to do.

If you really want this policy to be unusable, you're free to build your own version of the software that removes any calls to enforce_personal_ownership_policy(). If you don't want to modify the software, it would probably be simplest to just have a cron job that deletes any instances of the policy from the database on a daily/hourly/whatever basis, e.g. DELETE FROM org_policies WHERE atype = 5.

[tkurt]

I do understand what for this policy exists. But I don't get the idea of taking away personal vault, without asking user. For example I am working on multiple projects with a few teams involved so different teams are in different organisations. One admin enables the policy and I can't save anything personal, just share within all user in one or another organisation. But some credentials are given to user not for sharing, even worse user can accidentally share unneeded information to others. Anyway, it's quite controversial topic.

Thanks for the suggestions to solve the problem but rebuilding the software after every release is definitely is not the case.
And a cronjob is a workaround which can lead to more problems then solutions. (direct requests to db from outside the app, cron might be turned off, etc.)

Maybe there will be a possibility of changing the policies for different orgs from admin panel. Also it would be fine if user will be noticed (in notice message while creating new record) in that organisation mentioned policy was enabled for him.