Summary and recommendation
Bitwarden user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Bitwarden's organization model centers on a fixed role hierarchy - Owner, Admin, Manager, Member - extended by a Custom role on Enterprise that lets you select individual administrative permissions.
Collection-level access controls operate independently of org roles, so you can grant a Member edit rights on one collection and read-only on another without changing their role. Because every app your team relies on for secrets and credentials flows through Bitwarden, getting role assignments right at onboarding prevents both access gaps and over-provisioning.
Groups let you assign collection permissions in bulk, which is the practical path for any organization with more than a handful of users.
Quick facts
| Quick fact | Value |
|---|---|
| Admin console path | Organization Settings → Members (web vault: vault.bitwarden.com → select Organization → Members tab) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Teams/Enterprise |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full administrative control: manage members, collections, groups, policies, billing, and organization settings. Can delete the organization. | Cannot be managed or removed by Admins; only another Owner can remove an Owner. | All paid plans (Free org supports 2 members max) | Counts as a billable seat | At least one Owner must exist at all times; transferring ownership requires adding a second Owner first. |
| Admin | Manage members, collections, and groups. Can invite and remove users up to Admin level. Can access all collections unless restricted by policy. | Cannot manage billing, cannot remove or modify Owners, cannot delete the organization. | All paid plans | Counts as a billable seat | Admins can access all items in all collections by default unless the 'Limit admin access to all collection items' policy is enabled (Enterprise only). |
| Manager | Manage assigned collections and the groups/members within those collections. Can create and delete collections they manage. | Cannot access organization-level settings, billing, or collections they are not assigned to. | Teams and Enterprise | Counts as a billable seat | Manager role was introduced to allow collection-scoped administration without full Admin rights. |
| Member (User) | Access items in collections they are assigned to, based on collection-level permissions (can view/edit/hide passwords as configured per collection). | Cannot manage other users, collections, groups, or organization settings. | All plans | Counts as a billable seat | Collection access and permission level (read-only, hide passwords, edit) is set per collection assignment, not globally. |
| Custom | Granular permission set selected at invitation or edit time. Permissions include: manage assigned collections, manage groups, manage users, manage organization policies, manage SSO, manage billing, access event logs, access import/export. | Cannot exceed the permissions of the Admin role; cannot manage Owners. | Enterprise | Counts as a billable seat | Custom role is only available on Enterprise plan; on Teams, admins must use the fixed role set. |
Permission model
- Model type: hybrid
- Description: Bitwarden uses a fixed role hierarchy (Owner > Admin > Manager > Member) combined with collection-level access controls. On Enterprise, a Custom role allows selecting individual administrative permissions. Collection permissions (view, edit, hide passwords, manage) are set per user or group per collection, providing item-level access granularity independent of the org-level role.
- Custom roles: Yes
- Custom roles plan: Enterprise
- Granularity: Role-level for administrative actions; collection-level for vault item access (view, edit, hide passwords, manage collection). Groups can be used to assign collection permissions in bulk.
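As an added illustration of this hybrid model (not Bitwarden's own code and not from the page), the Python below resolves a member's effective permission on every collection from three inputs: the org role, the Enterprise-only 'Limit admin access to all collection items' policy, and the member's direct and group collection assignments. The org, groups, members and the permission-level names are constructed sample data. Two rules are assumptions rather than statements from the page: when a member holds both a direct and a group grant on the same collection the most permissive one wins, and Owners are treated as unrestricted by the policy.

```python
"""Effective collection access under Bitwarden's role + collection model.

Added example, not Bitwarden's code. Sample orgs and members are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Per-collection permission levels, least to most permissive.  A constructed
# simplification of the page's view / hide passwords / edit / manage options.
LEVELS = ["none", "view_hide_passwords", "view", "edit", "manage"]


@dataclass
class Org:
    plan: str                                  # "Free", "Teams" or "Enterprise"
    collections: set[str]
    limit_admin_access: bool = False           # Enterprise-only policy from the roles table
    groups: dict[str, dict[str, str]] = field(default_factory=dict)  # group -> {collection: level}


@dataclass
class Member:
    email: str
    role: str                                  # Owner, Admin, Manager, Member or Custom
    groups: set[str] = field(default_factory=set)
    direct: dict[str, str] = field(default_factory=dict)            # collection -> level


def role_problem(org: Org, member: Member) -> str | None:
    """Plan gates from the roles table; returns a message or None when the role is allowed."""
    if member.role not in ("Owner", "Admin", "Manager", "Member", "Custom"):
        return f"{member.email}: unknown role {member.role!r}"
    if member.role == "Custom" and org.plan != "Enterprise":
        return f"{member.email}: Custom role is only available on Enterprise"
    if member.role == "Manager" and org.plan not in ("Teams", "Enterprise"):
        return f"{member.email}: Manager role requires Teams or Enterprise"
    return None


def _most_permissive(a: str, b: str) -> str:
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def effective_access(org: Org, member: Member) -> dict[str, str]:
    """Return {collection: level} for every collection in the org."""
    problem = role_problem(org, member)
    if problem:
        raise ValueError(problem)
    # The policy only exists on Enterprise; a flag set on a Teams org has no effect.
    policy_limits_admins = org.plan == "Enterprise" and org.limit_admin_access
    # Page: Admins can access all items in all collections unless the policy is enabled.
    # Owners are kept unrestricted here (assumption; the page does not say).
    if member.role == "Owner" or (member.role == "Admin" and not policy_limits_admins):
        return {c: "manage" for c in sorted(org.collections)}
    access = {c: "none" for c in sorted(org.collections)}
    # Collection grants are independent of the role: merge direct and group grants,
    # most permissive wins (assumption).
    grants = list(member.direct.items())
    for g in member.groups:
        grants.extend(org.groups.get(g, {}).items())
    for c, lvl in grants:
        if c in access:
            access[c] = _most_permissive(access[c], lvl)
    # Page: a Manager manages the collections they are assigned to.
    if member.role == "Manager":
        access = {c: ("manage" if lvl != "none" else "none") for c, lvl in access.items()}
    return access


# Constructed sample data.
SAMPLE_ORG = Org(
    plan="Enterprise",
    collections={"Engineering", "Finance", "IT"},
    limit_admin_access=True,
    groups={"eng": {"Engineering": "edit"}, "all-staff": {"IT": "view_hide_passwords"}},
)
ALICE = Member("alice@example.com", "Member", groups={"eng", "all-staff"}, direct={"Engineering": "view"})
BOB = Member("bob@example.com", "Admin", direct={"Finance": "manage"})
CAROL = Member("carol@example.com", "Owner")
DAVE = Member("dave@example.com", "Manager", direct={"IT": "view"})

if __name__ == "__main__":
    for m in (ALICE, BOB, CAROL, DAVE):
        print(m.email, m.role, effective_access(SAMPLE_ORG, m))
```

Running the block shows the independence the text describes: Alice stays a Member yet ends up with edit on Engineering (her group grant outranks her direct view grant), Bob the Admin is confined to Finance because the Enterprise policy is on, and Dave the Manager gets manage only on the single collection he was assigned.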
How to add users
- Log in to vault.bitwarden.com and open the target Organization.
- Navigate to the Members tab.
- Click Invite Member.
- Enter the user's email address.
- Select the desired role (Owner, Admin, Manager, Member, or Custom on Enterprise).
- Assign the user to one or more Collections with the appropriate collection-level permission.
- Click Save to send the invitation email.
- The invited user must accept the invitation via the emailed link.
- After acceptance, an Owner or Admin must confirm the user in the Members tab (click the pending member → Confirm) to complete onboarding.
Required fields: Email address and Role. At least one Collection assignment is optional but recommended.
Watch out for:
- Invitation emails expire after 5 days; if not accepted, the invite must be resent.
- Users must have or create a Bitwarden account before they can accept an invitation.
- A manual confirmation step by an Owner or Admin is required after the user accepts; the user does not gain access until confirmed.
- If SSO is enforced via policy, users must authenticate through the configured IdP before accessing the vault.
- Seat limits apply: adding a member beyond the purchased seat count triggers a billing adjustment (prorated for the remainder of the billing period).
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Organization → Members → Invite Member → bulk invite via CSV upload (CSV columns: email, role, collections) |
| Domain whitelisting | No | No automatic domain-based user add; users are added by invitation, CSV import, or IdP provisioning |
| IdP provisioning | Yes | Teams and Enterprise (SCIM); Directory Connector available as an alternative for any plan with a supported directory |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Bitwarden supports both Revoke (deactivate) and Remove (delete from organization). Revoke suspends the member's access to the organization without removing their account or their personal vault. Remove permanently removes the member from the organization. Neither action deletes the user's personal Bitwarden account or their personal vault items.
- Log in to vault.bitwarden.com and open the Organization.
- Navigate to the Members tab.
- Locate the member to deactivate.
- Click the gear/options icon next to the member.
- Select 'Revoke Access' to suspend access while retaining the member record, or 'Remove' to fully remove them from the organization.
| Data impact | Behavior |
|---|---|
| Owned records | Items stored only in the user's personal vault are unaffected and remain accessible to the user. Items the user added directly to organization collections remain in those collections and are accessible to other members. |
| Shared content | Organization collection items created or shared by the removed user remain in the organization collections; ownership of those items transfers to the organization and they are not deleted. |
| Integrations | If the user was provisioned via SCIM or Directory Connector, deprovisioning in the IdP/directory will trigger automatic revocation or removal depending on SCIM configuration. |
| License freed | Removing (not just revoking) a member frees the seat. Revoking access does not free the seat - the member still counts against the seat total until fully removed. |
Watch out for:
- Revoking access does not free a billable seat; only full removal does.
- If the removed user was the sole Owner, the organization cannot be managed until another Owner is assigned - Bitwarden prevents removing the last Owner.
- Items the user stored exclusively in their personal vault are not recoverable by the organization; admins cannot access personal vaults.
- If 'Account Recovery' (Admin Password Reset) was not enrolled before removal, the organization cannot recover the user's encryption key.
- SCIM-based deprovisioning revokes access automatically when the user is deactivated in the IdP, but the member record may remain until manually removed or until the next sync cycle depending on IdP behavior.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Free Organization | Up to 2 users, 2 collections, basic sharing | $0 |
| Teams seat | Unlimited collections, groups, Directory Connector, SCIM, event logs, priority support | $4/user/month (billed annually) |
| Enterprise seat | All Teams features plus SSO, custom roles, policy enforcement, Key Connector, Admin Password Reset, SCIM | $6/user/month (billed annually) |
| Families plan (personal) | Up to 6 users for personal/family use; not an organizational plan | $3.33/month for the whole plan (billed annually) |
- Where to check usage: vault.bitwarden.com → Organization → Settings → Subscription (shows current seat count, seats used, and next billing date)
- How to identify unused seats: Organization → Members tab shows each member's status (Invited, Accepted, Confirmed, Revoked); last login is visible in the event log (Organization → Reporting → Event Logs). Members still in 'Invited' status (never accepted) can be identified and their invitations revoked to free seats.
- Billing notes: Seats are billed annually. Adding members mid-cycle is prorated. Removing members does not automatically reduce the seat count for the current billing period; seat reductions take effect at the next renewal unless the plan is explicitly downgraded. Self-hosted deployments use a license file that encodes the maximum seat count; exceeding it requires obtaining an updated license from vault.bitwarden.com.
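The member statuses above, the 5-day invitation expiry and unconfirmed Accepted state from the add-users section, and the offboarding rule that a revoked member is still billed all feed one seat audit. The Python below is an added example (not the page's or Bitwarden's code) that runs that audit over a constructed member list in the shape of the Public API's GET /public/members response (id, email, type, status, with status -1/0/1/2 = Revoked/Invited/Accepted/Confirmed and type 0 = Owner, as I understand the API; verify against the current docs). The `invited_at` and `last_login` fields are not part of that response and are assumed to have been joined in from the event log.

```python
"""Seat and onboarding-status audit for a Bitwarden organization.

Added example, not Bitwarden's code. Member records are constructed; the
invited_at / last_login fields are assumed to come from the event log.
"""
from datetime import datetime, timedelta, timezone

STATUS = {-1: "Revoked", 0: "Invited", 1: "Accepted", 2: "Confirmed"}
OWNER_TYPE = 0
INVITE_TTL = timedelta(days=5)          # page: invitation emails expire after 5 days
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the audit is reproducible


def _days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample members covering every status the Members tab can show.
SAMPLE_MEMBERS = [
    {"id": "m1", "email": "alice@example.com", "type": 0, "status": 2, "last_login": _days_ago(2)},
    {"id": "m2", "email": "bob@example.com", "type": 2, "status": 0, "invited_at": _days_ago(7)},
    {"id": "m3", "email": "carol@example.com", "type": 2, "status": 0, "invited_at": _days_ago(1)},
    {"id": "m4", "email": "dave@example.com", "type": 2, "status": 1},
    {"id": "m5", "email": "erin@example.com", "type": 2, "status": -1, "last_login": _days_ago(40)},
    {"id": "m6", "email": "frank@example.com", "type": 2, "status": 2, "last_login": _days_ago(120)},
]


def audit_members(members, now=NOW, stale_after=timedelta(days=90)):
    """Bucket members by what an admin must do with them and count seat usage."""
    report = {"expired_invites": [], "pending_invites": [], "awaiting_confirmation": [],
              "revoked_still_billed": [], "stale_logins": [], "active": []}
    for m in members:
        status = STATUS.get(m["status"], "Unknown")
        email = m["email"]
        if status == "Invited":
            # Invite age decides whether it is still acceptable or must be resent.
            age = now - m.get("invited_at", now)
            bucket = "expired_invites" if age > INVITE_TTL else "pending_invites"
            report[bucket].append(email)
        elif status == "Accepted":
            # Page: no vault access until an Owner/Admin confirms.
            report["awaiting_confirmation"].append(email)
        elif status == "Revoked":
            # Page: revoking does not free the seat; only Remove does.
            report["revoked_still_billed"].append(email)
        elif status == "Confirmed":
            last = m.get("last_login")
            if last is None or now - last > stale_after:
                report["stale_logins"].append(email)
            else:
                report["active"].append(email)
    # Every member record, whatever its status, occupies a seat until removed.
    report["seats_billed"] = len(members)
    report["seats_active"] = len(report["active"])
    report["seats_reclaimable"] = len(report["expired_invites"]) + len(report["revoked_still_billed"])
    return report


def can_remove(member, members) -> bool:
    """Page: Bitwarden prevents removing the last Owner."""
    if member["type"] != OWNER_TYPE:
        return True
    return any(m["type"] == OWNER_TYPE and m["id"] != member["id"] and m["status"] == 2
               for m in members)


def recommended_actions(report) -> list:
    """Turn the buckets into the manual steps the page describes."""
    actions = []
    for e in report["expired_invites"]:
        actions.append(f"{e}: invite older than 5 days; resend it or remove the record to free the seat")
    for e in report["awaiting_confirmation"]:
        actions.append(f"{e}: accepted but unconfirmed; an Owner/Admin must confirm in the Members tab")
    for e in report["revoked_still_billed"]:
        actions.append(f"{e}: revoked but still billed; use Remove to free the seat")
    for e in report["stale_logins"]:
        actions.append(f"{e}: no login within the stale window; review before the next renewal")
    return actions


if __name__ == "__main__":
    r = audit_members(SAMPLE_MEMBERS)
    print(f"seats billed={r['seats_billed']} active={r['seats_active']} reclaimable={r['seats_reclaimable']}")
    for line in recommended_actions(r):
        print(line)
```

On the sample data only one of six billed seats belongs to an active confirmed user, and two seats (an expired invite and a revoked member) can be reclaimed only by removing the records, which is exactly the gap between "deactivated" and "no longer billed" that the billing notes describe.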
The cost of manual management
Every app in your stack that lacks automated provisioning adds a recurring manual tax: invite the user, wait up to 5 days for acceptance, then perform a separate admin confirmation before access is live.
In Bitwarden, skipping the confirmation step means the user is stuck in Accepted status with no vault access - a silent failure that generates support tickets.
Seat billing compounds this: revoking access does not free a seat, so admins who deactivate users expecting an immediate billing reduction will find the seat count unchanged until the next renewal cycle.
What IT admins are saying
The two-step confirmation flow (invite → accept → admin confirm) is the most consistent friction point reported by admins, particularly those migrating from tools that auto-confirm provisioned users.
A second recurring complaint is the Directory Connector's architecture: it runs as a desktop app or CLI rather than a cloud service, requiring a persistent host machine for scheduled syncs - an operational burden for lean IT teams.
On Teams plan, admins always have full access to all collection items with no restriction option; the 'Limit admin access to all collection items' policy is Enterprise-only, which surprises Teams customers expecting parity.
Common complaints:
- SSO requires additional configuration for zero-knowledge; the default SSO implementation stores the decryption key server-side unless Key Connector is configured.
- Key Connector complexity for self-hosted deployments is a recurring pain point; it requires running an additional service and managing cryptographic key storage.
- The mandatory two-step confirmation flow (invite → accept → admin confirm) is considered cumbersome compared to auto-provisioning via SCIM.
- Revoking access does not free a seat, which surprises admins who expect deactivation to immediately reduce billing.
- The 'Limit admin access to all collection items' policy is Enterprise-only, meaning Teams plan admins always have access to all collection items with no restriction option.
- Directory Connector runs as a desktop application or CLI rather than a cloud service, requiring a persistent host machine for scheduled syncs.
- Invited users who never accept their invitation still appear in the Members list and can cause confusion about actual seat consumption.
The decision
Choose Teams if you need SCIM, groups, event logs, and Directory Connector without SSO requirements - every app provisioning scenario that relies on directory sync is supported at this tier. Move to Enterprise if you need SSO, policy enforcement, the Custom role, Admin Password Reset, or Key Connector for zero-knowledge SSO.
Self-hosted deployments are supported at both tiers but require managing a license file that encodes your maximum seat count; exceeding it requires obtaining an updated license from the web vault. Google Workspace users should note there is no native SCIM connector - Directory Connector is the supported path.
Bottom line
Bitwarden gives security-conscious teams a capable, auditable password management platform with genuine flexibility across tiers.
The manual provisioning workflow is functional but deliberate - every app your team uses will feel the friction of the three-step invite cycle until SCIM or Directory Connector is in place.
Admins should plan for the seat billing behavior on offboarding and validate that their IdP has a supported SCIM connector before committing to an automated provisioning strategy.
Automate Bitwarden workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.