[GH-ISSUE #2015] Send policy across multiple Orgs #1126

New issue

Closed

opened 2026-03-03 02:06:28 +03:00 by kerem · 2 comments

kerem commented 2026-03-03 02:06:28 +03:00

Owner

Copy link

Originally created by @bloodypiker on GitHub (Oct 1, 2021).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2015

I am trying to selectively allow users to create sends. I have sends enabled from the admin console, but blocked in the primary org. The org owners are able to create sends, and all other users cannot. (expected) I would like to allow select users to create sends, so I created a new org and joined a test user to this org. However, they are still blocked from creating sends, by org policy. (unexpected) I have also given this test user owner privileges to the new "send" org.

`### Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.22.2
• Web-vault version: v2.21.1
• Running within Docker: true
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.35.4
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SSL, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": true,
  "domain": "*****://****.***************.***",
  "domain_origin": "*****://****.***************.***",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 0,
  "icon_cache_ttl": 0,
  "icon_download_timeout": 0,
  "invitation_org_name": "Control Services Bitwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "********@***************.***, *******@***************.***",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "*********@***************.***",
  "smtp_from_name": "Bitwarden",
  "smtp_host": "********-***.***-******.***",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": "*********@***************.***",
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

`

Originally created by @bloodypiker on GitHub (Oct 1, 2021). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2015 I am trying to selectively allow users to create sends. I have sends enabled from the admin console, but blocked in the primary org. The org owners are able to create sends, and all other users cannot. (expected) I would like to allow select users to create sends, so I created a new org and joined a test user to this org. However, they are still blocked from creating sends, by org policy. (unexpected) I have also given this test user owner privileges to the new "send" org. `### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.22.2 * Web-vault version: v2.21.1 * Running within Docker: true * Environment settings overridden: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.35.4 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SSL, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_ip_header_enabled": true, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "authenticator_disable_time_drift": false, "data_folder": "data", "database_max_conns": 10, "database_url": "****/**.*******", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": true, "domain": "*****://****.***************.***", "domain_origin": "*****://****.***************.***", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_expiration_time": 600, "email_token_size": 6, "enable_db_wal": true, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 0, "icon_cache_ttl": 0, "icon_download_timeout": 0, "invitation_org_name": "Control Services Bitwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/data/bitwarden.log", "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "org_attachment_limit": null, "org_creation_users": "********@***************.***, *******@***************.***", "password_iterations": 100000, "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_explicit_tls": false, "smtp_from": "*********@***************.***", "smtp_from_name": "Bitwarden", "smtp_host": "********-***.***-******.***", "smtp_password": "***", "smtp_port": 587, "smtp_ssl": true, "smtp_timeout": 15, "smtp_username": "*********@***************.***", "templates_folder": "data/templates", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": true, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> `

kerem closed this issue 2026-03-03 02:06:28 +03:00

kerem commented 2026-03-03 02:06:29 +03:00

Author

Owner

Copy link

@cksapp commented on GitHub (Oct 6, 2021):

If the test user is still a part of the org which has the Disable Send policy in place then that policy will still apply to that test user unless they are Owner/Admin of the Org that has the policy enforced. Joining a second Org as Owner/Admin without the Disable Send policy will still leave the policy from Org 1 in place unless the test user was made an Owner/Admin of that first organization.

https://bitwarden.com/help/article/policies/#disable-send

<!-- gh-comment-id:936563572 --> @cksapp commented on GitHub (Oct 6, 2021): If the test user is still a part of the org which has the **Disable Send** policy in place then that policy will still apply to that test user unless they are Owner/Admin of the Org that has the policy enforced. Joining a second Org as Owner/Admin without the **Disable Send** policy will still leave the policy from Org 1 in place unless the test user was made an Owner/Admin of that first organization. https://bitwarden.com/help/article/policies/#disable-send

kerem commented 2026-03-03 02:06:29 +03:00

Author

Owner

Copy link

@bloodypiker commented on GitHub (Oct 6, 2021):

I incorporated a workaround by creating separate policy organizations with individual policies. I had my users join these new policy org's to enforce the policy type.

The only downside I see in this approach is the user can un-enroll from the policy org's, to remove the restrictions.

<!-- gh-comment-id:936885412 --> @bloodypiker commented on GitHub (Oct 6, 2021): I incorporated a workaround by creating separate policy organizations with individual policies. I had my users join these new policy org's to enforce the policy type. The only downside I see in this approach is the user can un-enroll from the policy org's, to remove the restrictions.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#1126

No description provided.