You can configure the Bitwarden Directory Connector application to use filters to limit the users and/or groups that are processed for syncing to your Bitwarden organization.
The syntax for filtering is different for each directory server type and is covered in detail below.
The group and user filters can be in the form of any LDAP compatible search filter. Additionally, Active Directory provides a few more advanced options as well as a few limitations when writing search filters as opposed to other more standard LDAP directories. You can read more about writing LDAP search filters here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
Search for all entries that have objectClass=user AND cn that contains the word ‘Marketing’.
(&(objectClass=user)(cn=*Marketing*))
Active Directory does not implement extensible matching, the following examples won’t work with it.
Find entries with an OU component of their DN which is either ‘Miami’ or ‘Orlando’.
(|(ou:dn:=Miami)(ou:dn:=Orlando))
To exclude entities which match an expression, use ‘!’. Find all Chicago entries except those with a Wrigleyville OU component.
(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville)))
The following examples are written for Active Directory. In order to use them for something such as OpenLDAP the attributes will need to be changed.
Users in the ‘Heroes’ group
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Heroes,ou=users,dc=company,dc=com))
Users that are a member of the ‘Heroes’ group, either directly or via nesting
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=Heroes,ou=users,dc=company,dc=com))
The Microsoft Graph API does not provide a way to filter groups and users directly, however, you can use our custom filtering syntax that allows you to exclude or include a comma separated list of group names, user emails, or users based on their group membership.
If you are filtering groups your user filter will only apply to users from the groups returned.
include:Group A,Sales People,My Other Group
exclude:Group C,Developers,Some Other Group
You can include/exclude users directly by using include or exclude keywords like below:
include:[email protected],[email protected],[email protected]
exclude:[email protected]
Alternatively, you can filter users based on their Azure AD group membership by using includeGroup or excludeGroup keywords. You must obtain the Azure AD group ID and include it with the keyword. You can get the group’s ID in the Azure Portal or through Azure AD PowerShell.
includeGroup:97b9ff2a-7d4f-463d-a925-efb1677fd40d,b389c339-8c13-4c1a-8ac1-4fde56d9f70f
excludeGroup:97b9ff2a-7d4f-463d-a925-efb1677fd40d
The G Suite APIs do not provide a way to filter groups directly, however, you can use our custom filtering syntax that allows you to exclude or include a comma separated list of group names.
If you are filtering groups your user filter will only apply to users from the groups returned.
include:Group A,Sales People,My Other Group
exclude:Group C,Developers,Some Other Group
We provide the same custom filtering syntax that allows you to exclude or include a comma separated list of user emails.
Additionally, the G Suite APIs provide limited filtering capabilities for users that are exposed to you. Read more about filtering with the query parameter here: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
You can combine both of these filtering options by concatenating the two strings with a pipe (|);
Only the include/exclude filter:
include:[email protected],[email protected],[email protected]
An include/exclude filter + a G Suite query search:
exclude:[email protected],[email protected]|orgName=Engineering orgTitle:Manager
Only the G Suite query search (notice the | prefix that is required):
|orgName=Engineering orgTitle:Manager
We provide a custom filtering syntax that allows you to exclude or include a comma separated list of group names or user emails.
Additionally, the Okta APIs provide limited filtering capabilities for users and groups. Read more about filtering with the filter parameter here: https://developer.okta.com/docs/api/resources/groups#filters and https://developer.okta.com/docs/api/resources/users#list-users-with-a-filter
You can combine both of these filtering options by concatenating the two strings with a pipe (|);
Only the include/exclude filter:
include:Group A,Group B
An include/exclude filter + an Okta filter:
exclude:Group A|type eq "APP_GROUP"
Only the Okta filter search (notice the | prefix that is required):
|type eq "BUILT_IN"
Only the include/exclude filter:
include:[email protected],[email protected],[email protected]
An include/exclude filter + an Okta filter:
exclude:[email protected],[email protected]|profile.firstName eq "John"
Only the Okta filter search (notice the | prefix that is required):
|profile.lastName eq "Smith"
Rate this article:
Want to talk to a human?
Send Us An Email