
Add consolidated collection management script#33

Open
georgiaschafer wants to merge 3 commits intobitwarden-labs:mainfrom
georgiaschafer:main

Conversation

@georgiaschafer

Adapted from existing scripts. Optimizes functionality compared to original scripts by reducing calls to bw for each user/collection.
Creates collection for new users, assigns Administrator group to all collections, moves collections created at the root to nest under the first user with permissions.

Adapted from scripts found here - https://github.com/bitwarden-labs/admin-scripts/tree/main/Powershell
Creates collection for new users, assigns Administrator group to all collections, moves collections created at the root to nest under the first user with permissions
Optimizes functionality compared to original scripts by reducing calls to bw for each user
@fer
Contributor

fer commented Jun 10, 2025

@georgiaschafer thank you very much for your submission, we do appreciate contributions to this repository.

Here are some general comments before approving your suggestions:

  • We've been recently writing a more consistent script header, including .SYNOPSIS, .DESCRIPTION, .PARAMETER, .EXAMPLE, and/or .NOTES. Although not every script is aligned with this guideline, we'd definitely like to be able to parse this information in the future to potentially generate documentation around the scripts. Please note the .EXAMPLE section is useful for the end user to run the script properly (Show 1: dry-run, 2: full recursive write, 3: filtered root run).
  • Also, as a file name convention, we now use InfiniteActionVerb-FunctionChange.ps1 (e.g., Apply-NestedPermissions.ps1)
  • Although we provide different ways to securely consume secrets as client_id / client_secret by encrypting them and persisting them in file, PowerShell offers a SecureString parameter option which already saves this step.
  • Check for existing BW_SESSION before Login, also avoid unnecessary prompts; reuse active sessions if present.
  • It'd be great to parameterize collection discovery depth, either recursively or by defining a MaxDepth parameter.
  • Using ConvertTo-Json will make the code more compact.

Don't hesitate to reach out with your thoughts and thank you very much again!

…anization.ps1

Addressing comments from fer:
1. Added script header, including .SYNOPSIS, .DESCRIPTION, .PARAMETER, .EXAMPLE, .NOTES.
2. Changed name to format InfiniteActionVerb-FunctionChange.ps1
3. Checks "bw status" and only initiates login if status is "unauthenticated"
4. Used ConvertFrom-Json to reduce code length.

Changes aside from fer's recommendations:
1. Converted linear code into functions.
2. Added the ConvertFrom-SecureStringPlain used in Apply-NestedPermissions.ps1 and updated all instances where SecureString is converted to use this function.
3. Adapted Authenticate-Bitwarden from Apply-NestedPermissions.ps1 to include API authentication.
4. Separated confirming users into its own function instead of doing the confirm action inside the personal collection creation code.
5. Updated existing code to use parameters. Sending global parameters to function parameters to make functions modular.
6. Changed variable named $t to $query for clarity.
@georgiaschafer
Author

@fer thanks for the feedback!

  1. Added the script header as requested with different examples.
  2. Updated the file name to fit format.
  3. This script isn't meant to be run manually; it is meant to be run by a scheduled task. This means the secrets do need to be stored in the encrypted files. I believe I have taken care to clear the secrets immediately after they are used.
  4. Added code to check bw status, but I have not found a reliable way to check for an active BW_SESSION. Again, since this is meant to be run by automation and the script clears existing sessions at the end, there should not be an active session. In the event an active session does exist, no code breaking errors occur by creating a new one.
  5. Depth is not in scope for this script. It is meant to add the Admin group as an owner to all collections nested within the "Users" base collection.
  6. Looking at using ConvertTo-Json next update.
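The header, SecureString parameters and `bw status` session check discussed in the two comments above, as an added example written for this page rather than code from the PR or from the admin-scripts repository; the script and function names (Connect-BitwardenSession, ConvertFrom-SecureStringPlain as sketched here) and the parameter names are assumptions:

```powershell
<#
.SYNOPSIS
    Reuses an existing Bitwarden CLI session or logs in with an API key.
.DESCRIPTION
    Checks `bw status` first so a scheduled run never prompts interactively
    and never creates a second session when BW_SESSION is already unlocked.
.PARAMETER ClientId
    Bitwarden API client_id.
.PARAMETER ClientSecret
    Bitwarden API client_secret, passed as a SecureString.
.PARAMETER MasterPassword
    Master password as a SecureString, used only to unlock the vault.
.EXAMPLE
    .\Connect-BitwardenSession.ps1 -ClientId $id -ClientSecret (Read-Host -AsSecureString) -MasterPassword (Read-Host -AsSecureString)
.NOTES
    Illustrative example only; names are hypothetical, not from the admin-scripts repository.
#>
param(
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][SecureString]$ClientSecret,
    [Parameter(Mandatory)][SecureString]$MasterPassword
)

function ConvertFrom-SecureStringPlain([SecureString]$Secure) {
    # Decrypt only at the point of use; the caller must not keep the result around.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Connect-BitwardenSession {
    # bw status reports "unauthenticated", "locked" or "unlocked" as JSON.
    $status = (bw status | ConvertFrom-Json).status
    if ($status -eq 'unlocked' -and $env:BW_SESSION) {
        return $env:BW_SESSION   # reuse the active session instead of creating another
    }
    if ($status -eq 'unauthenticated') {
        $env:BW_CLIENTID     = $ClientId
        $env:BW_CLIENTSECRET = ConvertFrom-SecureStringPlain $ClientSecret
        try     { bw login --apikey --quiet | Out-Null }
        finally { Remove-Item Env:BW_CLIENTSECRET -ErrorAction SilentlyContinue }
    }
    # locked (or freshly logged in): unlock via an env var, never on the command line
    $env:BW_PASSWORD = ConvertFrom-SecureStringPlain $MasterPassword
    try     { $session = bw unlock --passwordenv BW_PASSWORD --raw }
    finally { Remove-Item Env:BW_PASSWORD -ErrorAction SilentlyContinue }
    $env:BW_SESSION = $session
    return $session
}
```

Setting `$env:BW_SESSION` from the returned key lets the rest of a scheduled script call `bw` without passing `--session`, and a later run finds the session via `bw status` rather than logging in again.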
