bitwarden/server
Group & GroupUser
Groups are organization-scoped permission buckets. A group's CollectionGroup rows determine which collections (and hence which ciphers) members of the group can access; members are added via GroupUser rows.
Entities
Group(src/Core/AdminConsole/Entities/Group.cs) —Id,OrganizationId,Name,AccessAll(legacy: deprecated; replaced by explicit collection assignments),ExternalId(SCIM mapping),RevisionDate,CreationDate. Persisted todbo.Group.GroupUser(src/Core/AdminConsole/Entities/GroupUser.cs) — many-to-many betweenGroupandOrganizationUser. Just two columns + composite PK.
Lifecycle
- Created via the AdminConsole UI (
POST /organizations/{id}/groups) or imported via SCIM (POST /scim/v2/{orgId}/Groups). - Memberships modified via
GroupsController.PutUsers, SCIM PATCH ops, or directory-connector imports. - Deleted with cascade:
GroupUserandCollectionGrouprows go with them.
Group revision date
Group.RevisionDate is bumped whenever group membership or collection access changes — a recent change (PR #7467, 2026-04-04) ensured this happens on every edit so that client-side caches detect the change. Sync responses include the latest group revision.
Stored procedures
Group_ReadByOrganizationId,Group_ReadById.GroupUser_Update— replaces members atomically.Group_DeleteById— removes group + cascades.
Where it shows up
- organizations-and-policies.
- scim-provisioning.
- collection.md — the access graph that ties groups to ciphers.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.