mirror of https://github.com/bitwarden/help, synced 2025-12-25 20:53:19 +00:00
Release Documentation (#653)
* Stage (#636)
* Initial Draft. To do: "How it Works" + Event Logs, User Types, Plans & Pricing, Release Notes.
* whoops, missed one
* Merge latest into working (#616)
* Update proof-of-concept.md (#607) The "Download Bitwarden" link was going to the Apple Store (https://get.bitwarden.com/) rather than the "Downloads" page (https://bitwarden.com/download/).
* Update proof-of-concept.md (#610)
* Create enterprise-feature-list.md (#611)
* Azure SSO HiFi Documentation (#584)
* azure HiFi documentation
* finalize azure
* typo fixes
* Google Workspace HiFi SSO Documentation (#605)
* Duo HiFi documentation (#598)
* Buncha Stuff (#612)
* clarification on where to find legacy mac .dmg
* tip for update email address
* code vetting security faq
* /managing-items/ refactor
* two-step login 'remember me' duration
* small updates, including denoting purpose of the globe icon
* additional tip for deleting users in a self-host org!
* uri component pieces
* encryption key edit
* importing cleanup
* notes re: importing on file attachments
* Removes custom Safari shortcut docs (#499) Bitwarden 1.25.0 on MacOS with Safari seems to use the standard MacOS shortcut for autofill (`Cmd + Shift + L`) and the custom Safari shortcuts no longer work (`Cmd + \ or Cmd + 8 or Cmd + Shift + P`).
* Update Microsoft Store Installation path (#614)
* Correct path for Microsoft Store app (#615)

Co-authored-by: Andrea Lebron <78605241+alebr-on@users.noreply.github.com>
Co-authored-by: baylorrandolph <70168800+baylorrandolph@users.noreply.github.com>
Co-authored-by: Charles Renwick <crenwick@users.noreply.github.com>
Co-authored-by: Alex <abanay@bitwarden.com>

* mpwr event logging
* mpwr user permissions
* admin pw reset 2nd draft
* final(ish) draft
* password reprompt
* initial bwdc updates (to do: update cli login procedure)
* update personal api key article to better distinguish from org api key
* refactors bwdc desktop app article
* clearer instructions for getting api key
* bwdc cli login scheme
* Bulk Org User Actions
* export event logs
* cli get notes
* send cli --maxAccessCount
* autofill on page load enhancements
* onpageload TOTP copy
* release notes & typo

Co-authored-by: Andrea Lebron <78605241+alebr-on@users.noreply.github.com>
Co-authored-by: baylorrandolph <70168800+baylorrandolph@users.noreply.github.com>
Co-authored-by: Charles Renwick <crenwick@users.noreply.github.com>
Co-authored-by: Alex <abanay@bitwarden.com>

* typo fix
* fix
* fix
* fix
* mpwr final
* mpw reprompt - better gif
* finalize event logs
* fixes to autofill o.p.l. & better screenshot
* directory connector large sync
* reorder rn
* edits from cscharf
* fix date
* mp re-prompt warning
* mobile re-prompt notes
* downcase it
* semi-vague timeline tweak

Co-authored-by: Andrea Lebron <78605241+alebr-on@users.noreply.github.com>
Co-authored-by: baylorrandolph <70168800+baylorrandolph@users.noreply.github.com>
Co-authored-by: Charles Renwick <crenwick@users.noreply.github.com>
Co-authored-by: Alex <abanay@bitwarden.com>
committed by GitHub
parent 8249a78f54
commit 9be8c67fa8
114 _articles/organizations/admin-reset.md Normal file
@@ -0,0 +1,114 @@
---
layout: article
title: Admin Password Reset
categories: [organizations]
featured: true
popular: false
tags: [master password, reset, administrator, owner]
order: 15
---
{% callout info %}
Admin Password Reset is available for **Enterprise Organizations** on a current plan. Like Login with SSO, Password Reset is not available to [Classic 2019 Enterprise Organizations]({{site.baseurl}}/article/2020-plan-updates).
{% endcallout %}
## What is Admin Password Reset?
Admin Password Reset allows [designated administrators](#permissions) to recover Enterprise Organization user accounts and restore access in the event that an employee forgets their [Master Password]({{site.baseurl}}/article/master-password/). Admin Password Reset can be activated for an Organization by [enabling the Admin Password Reset Policy](#activate-admin-password-reset).
Individual users must be enrolled (either through [self-enrollment](#self-enroll-in-password-reset) or using the [automatic enrollment policy option](#automatic-enrollment)) to be eligible for password reset, as enrollment triggers the key exchange that makes Admin Password Reset secure.
**Admin Password Reset does not bypass Two-step Login or Login with SSO**. If a [Two-step Login method]({{site.baseurl}}/article/setup-two-step-login/) is enabled for the account or if your Organization [requires SSO Authentication]({{site.baseurl}}/article/policies/#single-sign-on-authentication), you will still be required to use that method to access your Vault after password reset.
### Encryption
{% callout info %}
**2021-06-01:** The release of Admin Password Reset introduces a new RSA public/private key pair for all Organizations. The private key is further encrypted with the Organization's pre-existing symmetric key before being stored.
The key pair is generated and encrypted client-side upon creation of a new Organization, or for an existing Organization upon:
- Navigation to the **Manage** → **People** screen.
- Updates to anything on the **Settings** → **My Organization** screen.
- Upgrades from one Organization type to another.
{% endcallout %}
When a member of the Organization [enrolls](#automatic-enrollment) in Admin Password Reset, that user's [encryption key]({{site.baseurl}}/article/account-encryption-key) is encrypted with the Organization's public key. The result is stored as the **Password Reset Key**.
When an Admin Password Reset action is taken:
1. The Organization private key is decrypted with the Organization symmetric key.
2. The user's **Reset Password Key** is decrypted with the decrypted Organization private key, resulting in the users's [encryption key]({{site.baseurl}}/article/account-encryption-key).
3. The user's encryption key and Master Password hash are replaced with a *new* encryption key and *new* Master Password hash, seeded from a new Master Password.
4. The user's new encryption key is encrypted with the Organization's public key, replacing the previous **Password Reset Key** with a new one.
**At no point** will anyone, including the administrator who executes the reset, be able to see the old Master Password.
### Permissions
Admin Password Reset can be executed by [Owners, Admins, and permitted Custom users]({{site.baseurl}}/article/user-types-access-control/). Admin Password Reset uses a hierarchical permission structure to determine who can reset whose Master Password, meaning:
- Any Owner, Admin, or permitted Custom user can reset a **User**, **Manager**, or **Custom User**'s Master Password.
- Only an Admin or Owner can reset an **Admin**'s Master Password.
- Only an Owner can reset another **Owner**'s Master Password.
### Event Logging
[Events]({{site.baseurl}}/article/event-logs/) are logged when:
- A Master Password is reset.
- A user enrolls in Admin Password Reset.
- A user withdraws from Admin Password Reset.
## Activate Admin Password Reset
To activate Master Password Reset for your Enterprise Organization, navigate to the [Business Portal]({{site.baseurl}}/article/about-business-portal/) and enable the [Master Password Reset Policy]({{site.baseurl}}/article/policies/#master-password-reset). Users will need to [self-enroll](#self-enroll-in-password-reset) or [be auto-enrolled](#automatic-enrollment) in Password Reset before their Master Password can be reset.
### Automatic Enrollment
Enabling the Automatic Enrollment policy option will automatically enroll new users in Admin Password Reset when their [invitation to the Organization is accepted]({{site.baseurl}}/article/managing-users/#accept). Users already in the Organization will not be retroactively enrolled in Admin Password Reset, and will be required to [self-enroll](#self-enroll-in-password-reset).
{% callout success %}
If you're automatically enrolling Organization members in Admin Password Reset, we **highly recommend notifying them of this feature**. Many Bitwarden Organization users store personal credentials in their Personal Vault, and should be made aware that Admin Password Reset could allow an administrator to access their Personal Vault.
{% endcallout %}
### Self-enroll in Password Reset
To enroll in Password Reset, navigate to **Settings** → **Organizations** in the [Web Vault](https://vault.bitwarden.com/){:target="\_blank"}:
{% image /organizations/pwreset-enroll.png Enroll in Password Reset %}
Hover over the Organization you wish to enroll in Password Reset for, select the {% icon fa-cog %} gear dropdown, and choose **Enroll in Password Reset**. When you're enrolled in Password Reset, the Organization listing will display a {% icon fa-key %} key icon. You can enroll in Admin Password Reset for multiple Organizations, if you choose.
### Withdraw Enrollment
Once enrolled, you can **Withdraw** from Password Reset from the same dropdown used to enroll:
{% image /organizations/pwreset-withdraw.png Withdraw from Password Reset %}
Manually changing your Master Password or [rotating your encryption key]({{site.baseurl}}/article/account-encryption-key/) **will not** withdraw you from Admin Password Reset.
## Reset a Master Password
{% callout info %}
You must be a [Owner, Admin, or permitted Custom user](#permissions) to reset a Master Password. Check the [Permissions](#permissions) section of this article to see whose Master Password you are allowed to reset.
{% endcallout %}
To reset a Master Password for a member of your Enterprise Organization:
1. In your [Web Vault](https://vault.bitwarden.com){:target="\_blank"}, open your Organization.
2. Open the **Manage** tab and navigate to the **People** section.
3. Hover over the user whose Master Password you want to reset, select the {% icon fa-cog %} gear dropdown, and choose {% icon fa-key %} **Reset Password**:
{% image /organizations/pwreset-reset.png Reset Password %}
4. On the Reset Password window, create a **New Password** for the user. If your Organization has enabled the [Master Password Policy]({{site.baseurl}}/article/policies/#master-password), you will need to create a password that meets the implemented requirements (e.g. min 8 characters, contains numbers):
{% image /organizations/pwreset-newpw.png Create a New Password %}
Copy the new Master Password and contact the user to coordinate secure communication of it, for example using [Bitwarden Send]({{site.baseurl}}/article/create-send/).
5. Select **Save** to execute the Password Reset. Doing so will log the user out of their current sessions. Active sessions on some client applications, like Mobile Apps, may remain active for up to one hour.
### After a Password Reset
When your Master Password is reset, you will receive an email from Bitwarden to inform you of this. On receiving this email, contact your Organization administrator to obtain your new Master Password through a secure channel like [Bitwarden Send]({{site.baseurl}}/article/create-send/).
Once you have regained access to your Vault using the new Master Password, you should immediately change your Master Password to something **strong** and **memorable**. Changing your Master Password after a reset will help to protect your privacy.
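Review bot: the name of the stored key is inconsistent within the Encryption section: the paragraph after the callout and step 4 call it the **Password Reset Key**, while step 2 calls it the **Reset Password Key**; use one name throughout (the event entries added elsewhere in this commit use "Master Password Reset", a third variant, and the policy is also called "Master Password Reset"). Two typos in the same file: step 2 has `users's` (should be `user's`), and the info callout under "Reset a Master Password" reads `a [Owner, Admin, or permitted Custom user]` (should be `an`). One content gap: the warning that an administrator who performs a reset could then open the user's Personal Vault appears only in the Automatic Enrollment callout, but it applies equally to self-enrolled users, so it belongs once in "What is Admin Password Reset?", next to the statement that nobody can see the old Master Password.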
@@ -14,7 +14,7 @@ Event Logs are timestamped records of everything that occurs within your Organiz
{% image /organizations/event-logs-updated.png Event Logs %}
Events Logs are also accessible from the `/events` endpoint of the [Bitwarden Public API](https://bitwarden.com/help/article/public-api/).
Events Logs are [exportable](#export-events) and accessible from the `/events` endpoint of the [Bitwarden Public API](https://bitwarden.com/help/article/public-api/).
## Events
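Review bot: both the removed and the replacement line carry the typo `Events Logs`; the surrounding text and the hunk header say `Event Logs`. Since the line is being rewritten anyway, make it `Event Logs are [exportable](#export-events) and accessible from the ...`.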
@@ -72,6 +72,9 @@ All Event types are listed below, with their corresponding type codes:
- Removed user *user-identifier*. (`1503`)
- Edited groups for user *user-identifier*. (`1504`)
- Unlinked SSO. (`1505`)
- *user-identifier* enrolled in Master Password Reset. (`1506`)
- *user-identifier* withdrew from Master Password Reset. (`1507`)
- Master Password was reset for *user-identifier*. (`1508`)
- Edited organization settings. (`1600`)
- Purged organization vault. (`1601`)
- Updated a Policy. (`1700`)
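Review bot: the three new entries (`1506`, `1507`, `1508`) say "Master Password Reset" while the article added in this commit is titled "Admin Password Reset"; use whichever name the article settles on and link the entries to it, since someone reading an event log will want to know what "enrolled" means and who can trigger `1508`. Style point: the neighbouring entries start with a verb ("Removed user ...", "Unlinked SSO."), the new `1506`/`1507` entries start with *user-identifier*; acceptable, but worth aligning with the source strings in `messages.json`.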
@@ -83,6 +86,21 @@ https://github.com/bitwarden/web/blob/master/src/app/services/event.service.ts
https://github.com/bitwarden/web/blob/master/src/locales/en/messages.json
{% endcomment %}
## Export Events
Exporting event logs will create a `.csv` of all events within the specified date range:
{% image /organizations/event-logs-export.png Export Event Logs %}
For example:
```
message,appIcon,appName,userId,userName,userEmail,date,ip,type
Logged in.,fa-globe,Web Vault - Chrome,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:22:23.331751Z,111.11.111.111,User_LoggedIn
Invited user zyxw9876.,fa-globe,Unknown,1234abcd-56de-78ef-91gh-abcdef123456,Alice,alice@bitwarden.com,2021-06-14T14:14:44.7566667Z,111.11.111.111,OrganizationUser_Invited
Edited organization settings.,fa-globe,Web Vault - Chrome,9876dcba-65ed-87fe-19hg-654321fedcba,Bob,bob@bitwarden.com,2021-06-07T17:57:08.1866667Z,222.22.222.222,Organization_Updated
```
## API Responses
Accessing Event Logs from the `/events` endpoint of the [Bitwarden Public API](https://bitwarden.com/help/article/public-api/) will return a JSON response like the following:
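Review bot: the sample export's `type` column carries event names (`User_LoggedIn`, `OrganizationUser_Invited`, `Organization_Updated`), while the Events list above identifies events only by numeric code (e.g. `1503`); add a sentence saying that `type` in the CSV is the event name and how it relates to the codes, otherwise a reader cannot join the export against the list. Two details a SIEM operator will ask about: whether a `message` value containing a comma is quoted (the first column is free text), and that `date` is UTC (ISO 8601 with the `Z` suffix), which matters when correlating with other sources; state both next to the sample. The placeholder `1234abcd-56de-78ef-91gh-abcdef123456` is not a valid GUID (`g`, `h` are not hex), so use hex-only placeholder digits to avoid misleading readers about the field's shape.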
@@ -111,9 +129,7 @@ Accessing Event Logs from the `/events` endpoint of the [Bitwarden Public API](h
## SIEM and External Systems Integrations
When exporting data from Bitwarden into other systems, a combination of data from the API and CLI may be used to gather data.
For example, using Bitwarden RESTful APIs gather data around the structure of the organization:
When exporting data from Bitwarden into other systems, a combination of data from the Exports, API and CLI may be used to gather data. For example, using Bitwarden RESTful APIs to gather data around the structure of the organization:
- GET /public/members returns the Members, Ids, and assigned groupIds
- GET /public/groups returns all the Groups, Ids, assigned Collections, and their permissions
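Review bot: the replacement sentence is repetitive and its second half has no main verb ("a combination of data from the Exports, API and CLI may be used to gather data. For example, using Bitwarden RESTful APIs to gather data around the structure of the organization:"); suggest `When exporting data from Bitwarden into other systems, Exports, the Public API and the CLI can be combined. For example, use the RESTful API to retrieve the structure of the Organization:`. The two `GET /public/...` bullets should also link to the Public API article referenced earlier in this file so the reader can find the authentication requirements.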
@@ -64,28 +64,29 @@ To invite users to your Organization:
- Select the **Access Control** to be applied to new users. [Access Control]({{site.baseurl}}/article/user-types-access-control/#access-control) will determine which Collections these users will have access to, and what level of access within those Collections.
5. Click **Save** to invite the designated users to your Organization.
{% callout info %}
**Invitations expire after 5 days**, at which point the user will need to be re-invited. Re-invite users in bulk by selecting each user and using the {% icon fa-cog %} gear dropdown to **Resend Invitations**:
{% image /organizations/org-people-reinvite.png Bulk Reinvite %}
If you're self-hosting Bitwarden, you can configure the invitation expiration period [using an environment variable]({{site.baseurl}}/article/environment-variables/).
{% endcallout %}
### Accept
Invited users will receive an email from Bitwarden inviting them to join the Organization. Clicking the link in the email will open a Bitwarden Client invitation window. **Log In** with an existing Bitwarden or **Create Account** to accept the invitation:
{% image organizations/user-accept-updated.png Invitation Window %}
{% callout warning %}
Invitations will expire after 5 days, at which point the user will need to be [re-invited](#invite). If you're self-hosting Bitwarden, you can configure the invitation expiration period [using an environment variable]({{site.baseurl}}/article/environment-variables/).
{% endcallout %}
### Confirm
To confirm accepted invitations into your Organization:
1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization.
2. Open the **Manage** tab and select **People** from the left-hand menu.
3. Hover over the `Accepted` user and select the {% icon fa-cog %} gear dropdown:
3. Select any `Accepted` users and use the {% icon fa-cog %} gear dropdown to {% icon fa-check %} **Confirm Selected**:
{% image organizations/org-people-options-overlay.png Confirm an Accepted user %}
3. Select {% icon fa-check %} **Confirm**.
4. Verify that the [fingerprint phrase]({{site.baseurl}}/article/fingerprint-phrase) on your screen matches the one your new member can find in **Settings** → **My Account**:
3. Verify that the [fingerprint phrase]({{site.baseurl}}/article/fingerprint-phrase) on your screen matches the one your new member can find in **Settings** → **My Account**:
{% image fingerprint-phrase.png Sample Fingerprint Phrase %}
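Review bot: the renumbered Confirm procedure ends up with two steps labelled `3.` ("Select any `Accepted` users ..." and "Verify that the fingerprint phrase ..."); the fingerprint step should be `4.`, and it is the security-relevant step, so keep it and the screenshot that follows clearly attached to the list. The invitation-expiry notice is now stated twice in this hunk, once in the new info callout under the invite steps ("Invitations expire after 5 days ... Resend Invitations") and again in the warning callout under Accept; keep the first (it also documents bulk re-invite) and reduce the second to a link. Under Accept, "**Log In** with an existing Bitwarden or **Create Account**" is missing a noun: "with an existing Bitwarden account".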
@@ -97,10 +98,9 @@ To remove users from your Organization:
1. Login to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization.
2. In your Organization, open the **Manage** tab and select **People** from the left menu.
3. On the **People** screen, hover over the user you want to remove and select the gear dropdown.
4. From the gear dropdown, select the **Remove** option.
3. Select the users you want to remove from the Organization and use the {% icon fa-cog %} gear dropdown to {% icon fa-times %} **Remove**:
{% image organizations/org-people-options-updated-overlay.png Remove a user %}
{% image organizations/org-people-bulkremove.png Remove Users %}
### Deleting User Accounts
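Review bot: the new bulk-remove step no longer describes the single-user hover menu, yet this hunk shows both the old single-user overlay screenshot (`org-people-options-updated-overlay.png`) and the new `org-people-bulkremove.png`; confirm that only the bulk-remove screenshot remains after the change, or say in the step that the per-user gear menu still works. Minor consistency with the Confirm procedure in the same file: "Login to your Web Vault" vs "Log in to your Web Vault", and "left menu" vs "left-hand menu".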
@@ -118,3 +118,15 @@ Enabling the **Send Options** policy will allow Owners and Admins to specify opt
|Option|Description|
|------|-----------|
|Do not allow users to hide their email address|Enabling this option disables the [Hide Email option]({{site.baseurl}}/article/send-privacy/#hide-email), meaning that all [received Sends]({{site.baseurl}}/article/receive-send) will include whom they are sent from.|
### Master Password Reset
Enabling the **Master Password Reset** policy will allow Owners and Admins to use [Password Reset]({{site.baseurl}}/article/admin-reset/) to reset the master password of enrolled users. By default, users will need to [self-enroll in Password Reset]({{site.baseurl}}/article/admin-reset/#self-enroll-in-password-reset), however the [Automatic Enrollment](#automatic-enrollment) option can be used to automatically enroll invited users:
#### Automatic Enrollment
Enabling the **Automatic Enrollment** option will automatically enroll new users in Password Reset when their [invitation to the Organization is accepted]({{site.baseurl}}/article/managing-users/#accept).
{% callout info %}
Users already in the Organization will not be retroactively enrolled in Password Reset, and will be required to [self-enroll]({{site.baseurl}}/article/admin-reset/#self-enroll-in-password-reset).
{% endcallout %}
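Review bot: the policy description says the policy "will allow Owners and Admins" to reset master passwords, but the admin-reset article added in this commit (Permissions section) and the Custom role list in user-types also grant it to Custom users with the Manage Password Reset permission; align the wording ("Owners, Admins, and Custom users with the Manage Password Reset permission"). "master password" is lowercase here and capitalized ("Master Password") everywhere else in the changed files. The Automatic Enrollment subsection should also repeat, or link to, the admin-reset callout that enrolled users' Personal Vaults become reachable by an administrator who performs a reset, since the policy page is where an admin decides to turn this on.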
@@ -5,7 +5,7 @@ categories: [organizations]
featured: true
popular: false
tags: [public api, oas, organizations]
order: 15
order: 16
---
The Bitwarden Public API provides Organizations a suite of tools for managing members, collections, groups, event logs, and policies.
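Review bot: `order` moves from 15 to 16 because the new `admin-reset.md` takes `order: 15` in the same `organizations` category; before merging, check that no other article in that category already uses 16, otherwise two articles will tie in the sidebar ordering.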
@@ -36,9 +36,13 @@ For Self-hosted, `https://your.domain.com/identity/connect/token`.
## Authentication
The API uses bearer access tokens to authenticate with protected API endpoints. Bitwarden uses an [OAuth2 Client Credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/){:target="_blank"} application request flow to grant bearer access tokens from the endpoint.
The API uses bearer access tokens to authenticate with protected API endpoints. Bitwarden uses an [OAuth2 Client Credentials](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/){:target="_blank"} application request flow to grant bearer access tokens from the endpoint. Authentication requests take `client_id` and `client_secret` as required parameters.
Authentication requests take `client_id` and `client_secret` as required parameters. `client_id` and `client_secret` can be obtained by an **Owner** from the Web Vault by navigating to the **Settings** tab → **My Organization** and scrolling down to the **API Key** section.
The API Key `client_id` and `client_secret` can be obtained by an **Owner** from the Web Vault by navigating to Organization **Settings** → **My Organization** and scrolling down to the **API Key** section:
{% image organizations/org-api-key.png Get Organization API Key %}
If, as an owner, you want to share the API Key with an Admin or other user, use a secure communication method like [Bitwarden Send]({{site.baseurl}}/article/about-send/).
{% callout warning %}
Your API key enables full access to your Organization. Keep your API key private. If you believe your API key has been compromised, select the **Rotate API Key** button on this screen. Active uses of your current API key will need to be reconfigured with the new key before use.
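Review bot: the paragraph suggesting an Owner share the API key with "an Admin or other user" via Send sits just above the warning that the key "enables full access to your Organization"; since the key is not scoped per user, the sharing paragraph should say plainly that whoever holds it has the same full API access as the Owner, and that rotating the key (the **Rotate API Key** button described in the warning) is how that access is later withdrawn. The new Authentication paragraph now ends with "Authentication requests take `client_id` and `client_secret` as required parameters" and the next paragraph opens with the same two identifiers; that is fine, but make sure the old sentence that begins the same way is fully removed so the parameter sentence does not appear twice.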
@@ -20,7 +20,7 @@ User Type determines the permissions a user will have within your Organization.
|---------|-----------|
|User|Access shared items in assigned Collections<br>Add, edit, or remove items from assigned Collections (unless **Read Only**)|
|Manager|All of the above,<br>+ Assign Users to Collections<br>+ Assign User Groups to Collections<br>+ Create or delete Collections|
|Admin|All of the above,<br>+ Assign Users to User Groups<br>+ Create or delete User Groups<br>+ Invite and confirm new Users<br>+ Manage Enterprise Policies<br>+ View Event Logs<br>+ Export Organization Vault data<br><br>**Admin Users automatically have access to all Collections.**|
|Admin|All of the above,<br>+ Assign Users to User Groups<br>+ Create or delete User Groups<br>+ Invite and confirm new Users<br>+ Manage Enterprise Policies<br>+ View Event Logs<br>+ Export Organization Vault data<br>+ Manage Password Reset<br><br>**Admin Users automatically have access to all Collections.**|
|Owner|All of the above,<br>+ Manage Billing, Subscription, and Integrations<br><br>**Owner Users automatically have access to all Collections.**|
|Custom|Allows for granular control of user permissions on a user-by-user basis, see [Custom Role](#custom-role).|
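Review bot: the Admin row gains "+ Manage Password Reset", but the admin-reset article's Permissions section states a hierarchy (an Admin can reset a User, Manager, Custom or Admin account; only an Owner can reset another Owner) that this table cannot express; link the new bullet to that section, e.g. `+ [Manage Password Reset]({{site.baseurl}}/article/admin-reset/#permissions)`. The Owner row inherits it through "All of the above", which is correct.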
@@ -42,6 +42,7 @@ Selecting the **Custom** role for a user allows for granular control of permissi
- Manage SSO
- Manage Policies
- Manage Users
- Manage Password Reset
{% callout success %}
As an example, the Custom role allows for the creation of a user that can fully manage a User-Group-Collection relationship, without the ability to see anything in a Collection to which they are not assigned. This scenario would involve selecting only the following boxes for this Custom user:
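Review bot: the new **Manage Password Reset** checkbox is listed without saying what it grants; the admin-reset article's Permissions section limits a Custom user with this permission to resetting User, Manager, and Custom accounts (not Admins or Owners), so add that sentence here and link to the section, since the Custom role exists precisely so that an Owner can scope a capability this sensitive.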