-
I'm going to bump this hoping there's a way to disable organization leaving. Is there? I'll explain my problem / use case. Maybe someone has a solution that I'm not thinking of. For this question, assume I'm using Vaultwarden as a password manager for a small company and the company is entitled to see every password in the system under the right circumstances. To keep things simple, there's a single organization.
Account recovery isn't reliable if users can leave the organization. I just tested it by leaving the organization. Since recovery is tied to the organization, the organization owner can no longer recover my account, and all passwords in my individual vault are lost if I'm unable or unwilling to unlock it.

I could force the removal of individual vaults when users join the organization, but that has its own problems. Specifically, that makes every password in the system shared and gives me the ability to observe passwords that I shouldn't have access to. For example, what's stopping me from adjusting permissions to get passwords for important administrative accounts that I'm not supposed to have access to? Users would never know I've "peeked" at their passwords that should be confidential.

If I could force account recovery enrollment in a way that users can't opt out of, confidential passwords could be put into individual vaults. I could still recover them, but it leaves a proverbial paper trail. I can't recover a user's account without changing their master password, which at least lets them know "something" has happened. That would give me the ability to promise that as long as they've never needed their account recovered, and the master password they chose still works, I've never had access to their confidential passwords. I might be able to use emergency access, but that's user-revocable too IIRC.

It would also be useful if I could define a minimum period of time for items to stay in the trash before allowing permanent deletion. How does everyone configure their installs to guard against users or organization owners acting maliciously?
-
Good morning / good afternoon,
I was just wondering if there is a way to remove the ability to leave for users who were invited solely to an organization.
Maybe make it a request to leave to the admins of said Org.