bitwarden/server
Organizations, members, groups, policies, providers
Active contributors: admin console team.
Purpose
Organizations are the multi-tenant boundary in Bitwarden. An Organization row owns members (OrganizationUser), groups, collections, policies, an SSO config, a SCIM config, an installation key (for the public API), and a billing relationship. Providers add another level of multi-tenancy: a managed-services provider tenant owns multiple client organizations.
Where the code lives
| Concern | Path |
|---|---|
| Domain | src/Core/AdminConsole/ |
| API | src/Api/AdminConsole/Controllers/, src/Api/AdminConsole/Public/Controllers/ |
| Schema | src/Sql/dbo/Tables/Organization*.sql, Group*.sql, Policy.sql, Provider*.sql, Collection*.sql |
| Authorization | src/Core/AdminConsole/Authorization/, src/Api/AdminConsole/Authorization/ |
| Per-feature folders | src/Core/AdminConsole/OrganizationFeatures/{Organizations, OrganizationUsers, Groups, Policies, OrganizationApiKeys, OrganizationConnections, OrganizationDomains, OrganizationAbility, AccountRecovery, Collections, Import, Shared}/ |
Key abstractions
| Type | Path | Description |
|---|---|---|
Organization |
src/Core/AdminConsole/Entities/Organization.cs |
Plan info, seat counts, feature flags, billing pointers, public-API installation key. |
OrganizationUser |
src/Core/AdminConsole/Entities/OrganizationUser.cs |
Membership row: User ↔ Org with role + status (Invited, Confirmed, Revoked). |
Group |
src/Core/AdminConsole/Entities/Group.cs |
Bulk-permission grouping. |
Collection |
src/Core/AdminConsole/Entities/Collection.cs |
Cipher container scoped to an org. |
Policy |
src/Core/AdminConsole/Entities/Policy.cs |
Org-wide rule (PolicyType enum: TwoFactorAuthentication, MasterPassword, PasswordGenerator, SingleOrg, RequireSso, ResetPassword, MaximumVaultTimeout, RemoveUnlockWithPin, FreeFamiliesSponsorshipPolicy, ...). |
Provider / ProviderUser / ProviderOrganization |
src/Core/AdminConsole/Providers/ |
MSP tenant + its members + the orgs it manages. |
IOrganizationService / OrganizationService |
src/Core/AdminConsole/Services/{IOrganizationService.cs, Implementations/OrganizationService.cs} |
The classic 1,219-line "fat service" — being incrementally split into commands. |
IOrganizationUserCommands / Queries (per feature folder) |
src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/ |
Newer narrower interfaces. |
OrganizationDomain |
src/Core/Entities/OrganizationDomain.cs |
Verified email domains used to claim an org. Verified via DNS TXT record. |
BulkCollectionAuthorizationHandler etc. |
src/Core/Vault/AuthorizationHandlers/, src/Core/AdminConsole/Authorization/ |
The resource-based auth handlers that decide who can act on what. |
How permissions work
graph TD
User --> OU[OrganizationUser<br/>Role: Owner/Admin/Manager/User/Custom]
User --> GroupMember
GroupMember --> Group
OU --> CollectionAccess[CollectionUser<br/>readOnly / hidePasswords / manage]
Group --> CollectionAccess[CollectionGroup]
CollectionAccess --> Collection
Collection --> CollectionCipher --> Cipher- An OrganizationUser is one of
Owner,Admin,Manager,User, orCustom. Custom roles use a JSON permissions blob stored on theOrganizationUserrow. - Access to ciphers flows through
Collectionmembership — either directly (CollectionUser) or viaGroup(CollectionGroup). BulkCollectionAuthorizationHandlermaterialises this graph and answers "can this caller view / edit / manage these collections?".
Major in-flight features (2025-2026)
- Invite Links — PR #7407 "Add entities, repository and database migrations for Organization Invite Link feature" (2026-04-09). Extends invitation to a shareable link instead of email-only.
- Bulk Auto-Confirm on Login — PR #7530 + flag
BulkAutoConfirmOnLogin. Auto-confirms invited users at first login when policy permits. - Master Password policy uplift — PR #7537, "Implement master password policy requirement". Stronger gating for admin enforcement.
- Group Revision Date bump — PR #7467. Ensures the
Group.RevisionDateadvances when access changes so client caches sync.
Policies
Policy rows are the org-wide rule set. The full enum lives in src/Core/AdminConsole/Enums/PolicyType.cs. Policy enforcement is split across:
IPolicyService(src/Core/AdminConsole/Services/IPolicyService.cs) — read / save / publish.- Per-policy enforcement under
src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/— each validator decides whether a given user / action is allowed under the active policies. BaseRequestValidatorinvokes the relevant policy enforcement at login time (e.g.RequireTwoFactorAuthenticationPolicy).
Public API (org-level)
src/Api/AdminConsole/Public/ is the documented org-level v1 API used by integrations. It reuses the same domain commands but exposes a curated, versioned surface (Members, Groups, Collections, Policies, Events).
Integration points
- Audit events — every membership / group / policy mutation logs an
OrganizationUser_*/Group_*/Policy_*event. - Mail — invitations, accept / confirm / revoke notifications go through
IMailService. - Application cache —
OrganizationAbilityis updated on every plan / seat / feature toggle. - Push — org changes push
SyncOrgKeysevents so clients refetch.
Entry points for modification
- New policy → add to
PolicyType, write a validator undersrc/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/, surface in the Web Vault UI viaApi/AdminConsole/Controllers/PoliciesController.cs. - New OrganizationUser status → extend
OrganizationUserStatusType, updateOrganizationServiceand the auth filters that gate by status. - New group → straightforward; add to the relevant
OrganizationFeatures/Groups/commands. Be sure to bumpGroup.RevisionDate(PR #7467 made this consistent). - Public API addition → controller under
src/Api/AdminConsole/Public/Controllers/with thePublicAPI group convention.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.