Teams and Enterprise Organization Migration Guide

    PassageWay: Making migration easy

    Securing your Organization with PassageWay is straightforward and secure.

    Follow the steps below to migrate data and users from your existing password manager:

    1. Export your data
    2. Create and configure your PassageWay Organization
    3. Import your data into PassageWay
    4. Onboard your users and share

    If you need assistance during your migration, our Customer Success team is here to help!

    Scope

    This document will describe the best practices for migrating secure data from your current password manager(s) to a PassageWay Teams or Enterprise Organization, building an infrastructure for security based on simple and scalable methods.

    Password management is crucial for organizational security and operational efficiency. This guidance on the best methods for migration and configuration is designed to minimize the trial and error that is often needed when exchanging enterprise tools.

    The steps below are listed in the recommended order for ease of use and smooth onboarding for users.

    Exporting data

    Exporting your data from another password manager may be a bit tricky. We recommend paying special attention to the location of the following types of data during export:

    • Secure documents
    • Secure file attachments
    • Secure notes
    • SSH / RSA key files
    • Shared Folders
    • Nested shared items
    • Any customized structures within your password management infrastructure

    Important notes on exported data

    Data imported into PassageWay is defined as one of four item types:

    • Login (username, password, 2FA keys)
    • Card (Credit Cards, Bank Cards)
    • Identity (Name, address fields, personal information)
    • Secure Note

    PassageWay currently limits the length of item fields to 1,000 characters, and Secure Notes to 10,000 characters. Items that exceed those limits should be saved as separate files (text, key, pem, ssh, etc.) and added as attachments to an item.

    Gathering a full export of your data across your existing password manager may require assigning all shared folders to a single user, or performing multiple exports - one for each segment of shared folders.

    Exported data from your previous password manager may contain data from both your Personal vault and any Shared folders that the exporting user was assigned to. Be sure to remove any personal vault items before importing data into a PassageWay Organization.

    Creating an Organization

    Shared or company-level data is stored in a PassageWay Organization. The best practice is to create this Organization first and import data directly into it, instead of importing the data into an individual account and then sharing it with the Organization afterwards.

    For more on creating a PassageWay Organization, visit this article.

    Enterprise policies

    Policies are found in the Business Portal

    Policies allow you to control the actions of users within your Organization. It is recommended to configure these policies prior to onboarding users. For a complete list and details for Enterprise Policies, please see our helpful article here.

    Importing data

    Importing information into PassageWay can be performed in both an Individual Vault and Organization Vault. The below instructions are for Organization Imports.

    There are two options to import data into your Organization:

    1. Using the default CSV export file from your prior password manager
    2. Creating a PassageWay specific CSV from your exported data

    The best practice for most Organizations is to format your data into a PassageWay CSV, or for advanced users, a PassageWay JSON file for import into your Organization vault.

    For instructions on shaping a PassageWay specific import file, please refer to the guide here.

    A collection of data import and export documentation is available here to assist with imports from additional sources.

    Note

    Importing multiple times will create duplicate records in your PassageWay Vault.

    Individual user data import

    PassageWay supports a variety of import formats from other password management platforms. Individual users can import their data into their PassageWay Vault on their own, and do not require Administrative assistance.

    For more on importing individual data, check out our helpful article here.

    Onboarding users

    PassageWay supports both manual and automated user invitation and onboarding. Best practice is to manually onboard any necessary Administrative users during configuration and initial deployment, ensuring all Organization configurations including Enterprise Policies, Login with SSO, and Directory Connector are ready prior to automating the User invitation and onboarding process.

    Manual onboarding

    Manual onboarding is done via the Web Vault. More information on manual user onboarding can be found in this helpful article.

    Automated onboarding

    Automated user onboarding is also available through PassageWay Directory Connector, a standalone application available as a Desktop app and a CLI tool, which synchronizes user and group information to the PassageWay Organization. These users are automatically invited to join the Organization, and can be confirmed manually or automatically using the Bitwarden CLI tool.

    • Learn more about how syncing works here.
    • Discover how to configure user and group filters for Directory Connector here.
    • Documentation for multiple Directory Connector options is available here.

    Sharing Collections and items

    Collections

    PassageWay empowers Teams and Organizations to share sensitive data easily, securely, and in a scalable manner. This is accomplished by segmenting shared secrets, items, logins, etc. into Collections.

    Collections organize secure items in many ways, including but not limited to: business function, group assignment, application access levels, or even security protocols. Collections perform the same functions as shared folders, allowing for consistent access control and sharing amongst groups of users.

    Shared folders from other password managers can be imported as Collections into PassageWay by using the Organization Import template found here and placing the name of the shared folder in the Collection column.

    Example Export:

    Note: shared folders are listed in the grouping column

    Example PassageWay Organization Import

    Note: shared folders are now in the Collections column
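
    An added example, not part of the original guide or PassageWay's own tooling: a pre-import check that excludes items with no shared folder, flags values over the length limits stated earlier without printing them, and moves the "grouping" value into a "collections" column. Every column name other than "grouping", and the rule that an empty "grouping" marks a personal item, are assumptions.

```python
import csv
import io

FIELD_LIMIT = 1_000   # item field limit stated in this guide
NOTE_LIMIT = 10_000   # Secure Note limit stated in this guide

# Constructed sample export; every column name except "grouping" is assumed.
SAMPLE_EXPORT = (
    "url,username,password,extra,name,grouping\n"
    "https://vpn.example.test,svc-vpn,Xq9!constructed,,VPN gateway,Infrastructure\n"
    "https://mail.example.test,alice,pw-constructed,,Alice webmail,\n"
    "https://ci.example.test,deploy," + "K" * 1200 + ",,CI deploy key,Engineering\n"
)


def prepare_org_import(export_text):
    """Return (import_rows, findings); findings never contain field values."""
    rows, findings = [], []
    for n, rec in enumerate(csv.DictReader(io.StringIO(export_text)), start=2):
        get = lambda key: rec.get(key) or ""
        name, folder = get("name").strip(), get("grouping").strip()
        if not folder:
            # Assumption: an item with no shared folder is a personal-vault item.
            findings.append((n, name, "no shared folder: exclude as personal"))
            continue
        too_long = [k for k in ("url", "username", "password")
                    if len(get(k)) > FIELD_LIMIT]
        # Assumption: the free-text "extra" column counts against the note limit.
        if len(get("extra")) > NOTE_LIMIT:
            too_long.append("extra")
        if too_long:
            findings.append((n, name, "over limit, attach as file: " + ",".join(too_long)))
            continue
        rows.append({  # assumed names; the guide names only a Collections column
            "collections": folder, "type": "login", "name": name,
            "notes": get("extra"), "login_uri": get("url"),
            "login_username": get("username"), "login_password": get("password"),
        })
    return rows, findings


if __name__ == "__main__":
    rows, findings = prepare_org_import(SAMPLE_EXPORT)
    for row_no, name, reason in findings:
        print(f"row {row_no}: {name}: {reason}")
    print("collections:", sorted({r["collections"] for r in rows}))
```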

    Collections can be shared with both Groups and Individual users. Limiting the number of individual users that can access a Collection will make management more efficient for Administrators.

    For more information on assigning Collections to Users and Groups, please refer to our help article here.

    Groups

    Leveraging Groups for sharing is the most effective way to provide credential and secret access. Ideally, Groups are mirrored from an LDAP service; PassageWay supports automatic Group synchronization via the Directory Connector application, as well as manually created ad-hoc Groups.

    As a part of deployment preparations, it is possible to synchronize just groups from the LDAP directory before synchronization of Users begins, such that Collections can be assigned to Groups before users begin accessing PassageWay.

    For more information on filtering and synchronization of Users with the PassageWay Directory Connector, please check out the article here.

    Permissions

    PassageWay Collection permissions are set on the assignment of a Group or User to a particular Collection. This means that each Group or User can be configured with its own permissions for the same Collection.

    Collection permissions are easily configured with options for Read Only and Hide Passwords.

    Read Only prevents users from adding new items to that Collection, as well as preventing the editing or deleting of existing items. Hide Passwords prevents the users from seeing the Password field, TOTP field, and any custom field for an item that is listed as hidden. This permission is best used for Collections of items that are able to be auto-filled in a browser, since copying and pasting of credentials is disabled when this is configured.

    PassageWay uses a union of permissions to determine final access permissions for a User and a Collection Item.

    Example:

    • User A is part of the Tier 1 Support group, which has access to the Support Collection, with read-only permission.
    • User A is also a member of the Support Management group, which has access to the Support Collection, with read-write access.
    • In this scenario, User A will be able to read-write to the Collection.
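
    An added example, not PassageWay's own code: the union rule above applied to the Support Collection scenario, plus an audit helper that lists restrictive assignments a broader assignment cancels out for a given user. The data model and function names are hypothetical, and combining Hide Passwords the same way as Read Only is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """A Group or User assigned to a Collection (hypothetical data model)."""
    principal: str
    collection: str
    read_only: bool = False
    hide_passwords: bool = False


# The example from the guide, as constructed data.
GROUPS_OF = {"User A": ["Tier 1 Support", "Support Management"]}
ASSIGNMENTS = [
    Assignment("Tier 1 Support", "Support", read_only=True),
    Assignment("Support Management", "Support", read_only=False),
]


def reaching(user, groups_of, assignments):
    """Assignments that apply to the user directly or through a Group."""
    principals = {user, *groups_of.get(user, ())}
    return [a for a in assignments if a.principal in principals]


def effective_access(user, groups_of, assignments):
    """Union per Collection: any assignment that allows an action grants it."""
    access = {}
    for a in reaching(user, groups_of, assignments):
        acc = access.setdefault(a.collection, {"can_edit": False, "sees_passwords": False})
        acc["can_edit"] |= not a.read_only
        # Assumption: Hide Passwords is combined the same way as Read Only.
        acc["sees_passwords"] |= not a.hide_passwords
    return access


def overridden(user, groups_of, assignments):
    """Restrictive assignments that a broader one cancels out for this user."""
    access = effective_access(user, groups_of, assignments)
    return [a for a in reaching(user, groups_of, assignments)
            if (a.read_only and access[a.collection]["can_edit"])
            or (a.hide_passwords and access[a.collection]["sees_passwords"])]


if __name__ == "__main__":
    print(effective_access("User A", GROUPS_OF, ASSIGNMENTS))
    for a in overridden("User A", GROUPS_OF, ASSIGNMENTS):
        print(f"{a.principal} restriction on {a.collection} has no effect for User A")
```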

    More information on permissions can be found on our help site here.

    Migration support

    The PassageWay Customer Success team is available 24/7 with priority support for Enterprise and Teams Organizations. If you need assistance or have questions, please do not hesitate to contact us here: bitwarden.com/contact.

    Terms and equivalent references

    Organization

    • A PassageWay Organization is the encompassing “object” that relates all data for a given sharing entity. Click here for more information on Organizations.

    Folders for Individual Vaults

    • Within PassageWay, individual Users can create Folders and assign items to those folders to help organize their Vault. Folders function much like ‘tags’ since they are linked to your items by reference, and deleting a folder does not delete the data inside it. Organizations use Collections to group secure items that need to be shared with the same user(s) or user group(s).

    Collections for Organizational Vaults

    • Collections are used by PassageWay Organizations to group secure items that need to be shared with the same user(s) or user group(s).
    • Most often, exported shared folders become Collections; however, you can organize Collections in a number of ways.

    User

    • Any user who is a member of a PassageWay Organization.

    Group

    • Most password managers support User Groups. When migrating to PassageWay, you can leverage BWDC to synchronize your LDAP groups into your PassageWay Organization.

    Read Only

    • A permission that prevents users from adding new data to items within a Collection. Users can see / access all data within items but cannot add new items or modify existing data. This permission is set on a User or Group assignment to a Collection.

    Hide Password

    • Permission to prevent users from seeing any part of a secure item within a Collection.

    User Type

    • Users within PassageWay can be granted a “user-type”. Users onboarded via Directory Connector are defaulted to “Users” that can only access items that they are assigned directly and do not have access to reconfigure sharing or permissions.

    Vault

    • Storage area for encrypted data. PassageWay users that are members of an Organization have an Individual and Organization Vault, encrypted with separate keys.