Open BloodyIron opened 3 years ago
BloodyIron
commented
3 years ago Oh okay so get this, I was able to restore (from bin) the deleted personal vault test entry from step # 3. I did it with the browser plugin, but probably can do it from web too.
cscharf
commented
3 years ago Thanks for the writeup and detail @BloodyIron , getting a lot of great feedback from you this week 😁 (love it)!
As far as this goes... this is one of those areas that are purpose-built around a particular use-case where the general reason for disabling personal vaults for an Organization member is that the Organization doesn't want the employee saving or creating credentials for work sites in their personal vault and wants any items created/saved to be shared appropriate with the org (risk mitigation, retention of access after attrition, etc.). It wasn't intended to prevent or block access to a user's already existing personal vault.
I'll circle this back around with the product team and flag the card internally, moving it to our backlog board. Thanks again and will reach out if we have any questions or would like more clarification. Also, please feel free to hit me up via email (my GitHub username @ bitwarden.com) as I would love to connect to hear more about your setup and onboarding experience as and after you work through it.
BloodyIron
commented
3 years ago Hey @cscharf sounds good to me! :)
BloodyIron
commented
3 years ago Also, E-Mail sent ;)
bitwarden-bot
commented
2 years ago Hi @BloodyIron, We're cleaning up our repositories in preparation for a major reorganization. Issues from last year will be marked as stale and closed after two weeks. If you still need help, comment to let us know and we'll look into it. Thanks!
BloodyIron
commented
2 years ago Unsure if still a problem... @cscharf should we keep this one open? I haven't tested recently.
dwbit
commented
2 years ago Hey @BloodyIron, thanks for checking in! We will run some QA on this one and get back to you.
BloodyIron
commented
2 years ago Glad to hear the outcome, thanks @dwbit ! :D
I'm using the hosted/cloud version of Bitwarden, we're an Enterprise sub in the setup/trial phase.
The org has the policy set where personal vaults are disabled (this is intentional). When I invite a new user (with the "User" class, haven't tested "Manager" calss), this New User can create personal vault entries until they gain access to the Org. Considering that the Org sent the invite, this should be disabled the whole way (unless the invite is rejected maybe?).
Order of operations:
I'm hoping we can find an improvement to this workflow. The intent here is to reduce user error, confusion, and increase the consistency of the user experience. Additionally, why not just force the user to "Verify E-Mail" before they can even do anything at all? (Or make this a policy option?). I see there being a non-trivial amount of users that completely miss they need to verify their E-Mail, and then just start using the tool.
Frankly, this edge-case in the UX/workflow is something the end-users shouldn't have to worry about. Considering the Master Password complexity is enforced, it's surprising that the "no personal vault" policy isn't enforced to the same degree.
Any chance we can get this added to a kanban board somewhere/roadmap/milestone or whatnot? I don't expect this done "tomorrow" or even "ASAP". But I think improving/fixing this is worthwhile. And I really do think this qualifies for "bug", not "feature request" as this, in a sense, breaks the "no personal vault" policy enforcement capability.
Thoughts?