To start I want to say that I am in no way intending to bash Bitwarden in this post as they have designed a really nice product that does seem to work more reliably and has better features than most other products in this realm I have tried. That being said, I have a major migration pain that I am hoping someone has some insight on how to resolve.
I have been demoing Bitwarden in thinking about switching from Passportal (for a plethora of reasons). The only wall I am running into is a good path for how to structure the passwords for my clients. The suggested method by Bitwarden is to create a new Organization vault for each one. The problem here is that, while you can waive your existing employees' licensing fees for each client organization via request to support, they will only waive up to 3 of your internal users.
To use separate organization vaults, first you would have to send an invite to each of your employees who need access individually each time you added a new client vault. Second, you would be limited to only three employees per client instead of everyone that needs the access for day-to-day support.
If you go with collections to manage each client as opposed to Bitwarden’s (and the intuitive) route of separate org vaults, you run into a new problem: what if my user now wants to purchase Bitwarden licenses and get access to their passwords that you manage for them? You cannot do inter-organization sharing, so you would have to add them as a seat in YOUR organization, which seems wrong, leads to a mixture of clients and employees in the same org audit logs, but does get you the ability to use group-based access management for your team so you don’t have to keep inviting users.
I am curious how others are handling this situation. I really like Bitwarden more than Passportal but it seems like they never really considered how some MSPs work before blogging about how they are a great fit for all MSPs. I suppose, in their defense, there are MSPs who assign certain employees to certain clients, and orgs may work really well for them as you wouldn’t need more than 3 user seats per client org.
Anyone have any experience they can share on a path forward here?