[PM-14406] Security Task Notifications (#5344)

* initial commit of `CipherOrganizationPermission_GetManyByUserId` * create queries to get all of the security tasks that are actionable by a user - A task is "actionable" when the user has manage permissions for that cipher * rename query * return the user's email from the query as well * Add email notification for at-risk passwords - Added email layouts for security tasks * add push notification for security tasks * update entity framework to match stored procedure plus testing * update date of migration and remove orderby * add push service to security task controller * rename `SyncSecurityTasksCreated` to `SyncNotification` * remove duplicate return * remove unused directive * remove unneeded new notification type * use `createNotificationCommand` to alert all platforms * return the cipher id that is associated with the security task and store the security task id on the notification entry * Add `TaskId` to the output model of `GetUserSecurityTasksByCipherIdsAsync` * move notification logic to command * use TaskId from `_getSecurityTasksNotificationDetailsQuery` * add service * only push last notification for each user * formatting * refactor `CreateNotificationCommand` parameter to `sendPush` * flip boolean in test * update interface to match usage * do not push any of the security related notifications to the user * add `PendingSecurityTasks` push type * add push notification for pending security tasks
2025-03-01 04:01:11 +01:00 · 2025-02-27 08:34:42 -06:00 · 2025-02-27 08:34:42 -06:00 · 1267332b5b
commit 1267332b5b
parent a2e665cb96
35 changed files with 893 additions and 8 deletions
--- a/src/Api/Vault/Controllers/SecurityTaskController.cs
+++ b/src/Api/Vault/Controllers/SecurityTaskController.cs
@ -22,19 +22,22 @@ public class SecurityTaskController : Controller
    private readonly IMarkTaskAsCompleteCommand _markTaskAsCompleteCommand;
    private readonly IGetTasksForOrganizationQuery _getTasksForOrganizationQuery;
    private readonly ICreateManyTasksCommand _createManyTasksCommand;
    private readonly ICreateManyTaskNotificationsCommand _createManyTaskNotificationsCommand;
    public SecurityTaskController(
        IUserService userService,
        IGetTaskDetailsForUserQuery getTaskDetailsForUserQuery,
        IMarkTaskAsCompleteCommand markTaskAsCompleteCommand,
        IGetTasksForOrganizationQuery getTasksForOrganizationQuery,
-        ICreateManyTasksCommand createManyTasksCommand)
+        ICreateManyTasksCommand createManyTasksCommand,
        ICreateManyTaskNotificationsCommand createManyTaskNotificationsCommand)
    {
        _userService = userService;
        _getTaskDetailsForUserQuery = getTaskDetailsForUserQuery;
        _markTaskAsCompleteCommand = markTaskAsCompleteCommand;
        _getTasksForOrganizationQuery = getTasksForOrganizationQuery;
        _createManyTasksCommand = createManyTasksCommand;
        _createManyTaskNotificationsCommand = createManyTaskNotificationsCommand;
    }
    /// <summary>
@ -87,6 +90,9 @@ public class SecurityTaskController : Controller
        [FromBody] BulkCreateSecurityTasksRequestModel model)
    {
        var securityTasks = await _createManyTasksCommand.CreateAsync(orgId, model.Tasks);
        await _createManyTaskNotificationsCommand.CreateAsync(orgId, securityTasks);
        var response = securityTasks.Select(x => new SecurityTasksResponseModel(x)).ToList();
        return new ListResponseModel<SecurityTasksResponseModel>(response);
    }
--- a/src/Core/Enums/PushType.cs
+++ b/src/Core/Enums/PushType.cs
@ -29,5 +29,7 @@ public enum PushType : byte
    SyncOrganizationCollectionSettingChanged = 19,
    Notification = 20,
-    NotificationStatus = 21
+    NotificationStatus = 21,
    PendingSecurityTasks = 22
 }
--- a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.html.hbs
@ -0,0 +1,61 @@
 {{#>FullUpdatedHtmlLayout}}
 <table border="0" cellpadding="0" cellspacing="0" width="100%"
  style="background-color: #175DDC;padding-top:25px;padding-bottom:15px;">
  <tr>
    <td align="center" valign="top" width="70%" class="templateColumnContainer">
      <table border="0" cellpadding="0" cellspacing="0" width="100%"
        style="padding-left:30px; padding-right: 5px; padding-top: 20px;">
        <tr>
          <td
            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 24px; color: #ffffff; line-height: 32px; font-weight: 500; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
            {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
            TaskCountPlural}}s{{/unless}} a
            password change
          </td>
        </tr>
      </table>
    </td>
    <td align="right" valign="bottom" class="templateColumnContainer" style="padding-right: 15px;">
      <img width="140" height="140" align="right" valign="bottom"
        style="width: 140px; height:140px; font-size: 0; vertical-align: bottom; text-align: right;" alt=''
        src='https://assets.bitwarden.com/email/v1/business-warning.png' />
    </td>
  </tr>
 </table>
 {{>@partial-block}}
 <table width="100%" style="display:table; background-color: #FBFBFB; vertical-align: middle; padding:30px" border="0"
  cellpadding="0" cellspacing="0" valign="middle">
  <tr>
    <td width="70%" class="footer-text" style="padding-right: 20px;">
      <table align="left" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td
            style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
            <p
              style="margin: 0; padding: 0; margin-bottom: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 600; font-size: 20px; line-height: 28px;">
              We’re here for you!</p>
            If you have any questions, search the Bitwarden <a
              style="text-decoration: none; color: #175DDC; font-weight: 600;"
              href="https://bitwarden.com/help/">Help</a> site or <a
              style="text-decoration: none; color: #175DDC; font-weight: 600;"
              href="https://bitwarden.com/contact/">contact us</a>.
          </td>
        </tr>
      </table>
    </td>
    <td width="30%">
      <table align="right" valign="bottom" class="footer-image" border="0" cellpadding="0" cellspacing="0"
        style="padding-left: 40px;">
        <tr>
          <td>
            <img width="94" height="77" src="https://assets.bitwarden.com/email/v1/chat.png"
              style="width: 94px; height: 77px;" alt="" />
          </td>
        </tr>
      </table>
    </td>
  </tr>
 </table>
 {{/FullUpdatedHtmlLayout}}
--- a/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/Layouts/SecurityTasks.text.hbs
@ -0,0 +1,12 @@
 {{#>FullTextLayout}}
 {{OrgName}} has identified {{TaskCount}} critical login{{#if TaskCountPlural}}s{{/if}} that require{{#unless
 TaskCountPlural}}s{{/unless}} a
 password change
 {{>@partial-block}}
 We’re here for you!
 If you have any questions, search the Bitwarden Help site or contact us.
 - https://bitwarden.com/help/
 - https://bitwarden.com/contact/
 {{/FullTextLayout}}
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.html.hbs
@ -0,0 +1,28 @@
 {{#>SecurityTasksHtmlLayout}}
 <table width="100%" border="0" style="display: block; padding: 30px;" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td
      style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
      Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a
      data breach.
    </td>
  </tr>
  <tr>
    <td
      style="padding-top: 24px; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-style: normal; font-weight: 400; font-size: 16px; line-height: 24px;">
      Launch the Bitwarden extension to review your at-risk passwords.
    </td>
  </tr>
 </table>
 <table width="100%" border="0" cellpadding="0" cellspacing="0"
  style="display: table; width:100%; padding-bottom: 35px; text-align: center;" align="center">
  <tr>
    <td display="display: table-cell">
      <a href="{{ReviewPasswordsUrl}}" clicktracking=off target="_blank"
        style="display: inline-block; color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; border-radius: 999px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
        Review at-risk passwords
      </a>
    </td>
  </tr>
 </table>
 {{/SecurityTasksHtmlLayout}}
--- a/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
+++ b/src/Core/MailTemplates/Handlebars/SecurityTasksNotification.text.hbs
@ -0,0 +1,8 @@
 {{#>SecurityTasksHtmlLayout}}
 Keep you and your organization's data safe by changing passwords that are weak, reused, or have been exposed in a data
 breach.
 Launch the Bitwarden extension to review your at-risk passwords.
 Review at-risk passwords ({{{ReviewPasswordsUrl}}})
 {{/SecurityTasksHtmlLayout}}
--- a/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
+++ b/src/Core/Models/Mail/SecurityTaskNotificationViewModel.cs
@ -0,0 +1,12 @@
 namespace Bit.Core.Models.Mail;
 public class SecurityTaskNotificationViewModel : BaseMailModel
 {
    public string OrgName { get; set; }
    public int TaskCount { get; set; }
    public bool TaskCountPlural => TaskCount != 1;
    public string ReviewPasswordsUrl => $"{WebVaultUrl}/browser-extension-prompt";
 }
--- a/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/CreateNotificationCommand.cs
@ -28,7 +28,7 @@ public class CreateNotificationCommand : ICreateNotificationCommand
        _pushNotificationService = pushNotificationService;
    }
-    public async Task<Notification> CreateAsync(Notification notification)
+    public async Task<Notification> CreateAsync(Notification notification, bool sendPush = true)
    {
        notification.CreationDate = notification.RevisionDate = DateTime.UtcNow;
@ -37,7 +37,10 @@ public class CreateNotificationCommand : ICreateNotificationCommand
        var newNotification = await _notificationRepository.CreateAsync(notification);
-        await _pushNotificationService.PushNotificationAsync(newNotification);
+        if (sendPush)
        {
            await _pushNotificationService.PushNotificationAsync(newNotification);
        }
        return newNotification;
    }
--- a/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs
+++ b/src/Core/NotificationCenter/Commands/Interfaces/ICreateNotificationCommand.cs
@ -5,5 +5,5 @@ namespace Bit.Core.NotificationCenter.Commands.Interfaces;
 public interface ICreateNotificationCommand
 {
-    Task<Notification> CreateAsync(Notification notification);
+    Task<Notification> CreateAsync(Notification notification, bool sendPush = true);
 }
--- a/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
+++ b/src/Core/NotificationHub/NotificationHubPushNotificationService.cs
@ -329,6 +329,11 @@ public class NotificationHubPushNotificationService : IPushNotificationService
            GetContextIdentifier(excludeCurrentContext), clientType: clientType);
    }
    public async Task PushPendingSecurityTasksAsync(Guid userId)
    {
        await PushUserAsync(userId, PushType.PendingSecurityTasks);
    }
    public async Task SendPayloadToInstallationAsync(string installationId, PushType type, object payload,
        string? identifier, string? deviceId = null, ClientType? clientType = null)
    {
--- a/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/AzureQueuePushNotificationService.cs
@ -219,6 +219,11 @@ public class AzureQueuePushNotificationService : IPushNotificationService
        await SendMessageAsync(PushType.NotificationStatus, message, true);
    }
    public async Task PushPendingSecurityTasksAsync(Guid userId)
    {
        await PushUserAsync(userId, PushType.PendingSecurityTasks);
    }
    private async Task PushSendAsync(Send send, PushType type)
    {
        if (send.UserId.HasValue)
--- a/src/Core/Platform/Push/Services/IPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/IPushNotificationService.cs
@ -38,4 +38,5 @@ public interface IPushNotificationService
        string? deviceId = null, ClientType? clientType = null);
    Task SendPayloadToOrganizationAsync(string orgId, PushType type, object payload, string? identifier,
        string? deviceId = null, ClientType? clientType = null);
    Task PushPendingSecurityTasksAsync(Guid userId);
 }
--- a/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/MultiServicePushNotificationService.cs
@ -179,6 +179,12 @@ public class MultiServicePushNotificationService : IPushNotificationService
        return Task.FromResult(0);
    }
    public Task PushPendingSecurityTasksAsync(Guid userId)
    {
        PushToServices((s) => s.PushPendingSecurityTasksAsync(userId));
        return Task.CompletedTask;
    }
    private void PushToServices(Func<IPushNotificationService, Task> pushFunc)
    {
        if (!_services.Any())
--- a/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NoopPushNotificationService.cs
@ -121,4 +121,9 @@ public class NoopPushNotificationService : IPushNotificationService
    {
        return Task.FromResult(0);
    }
    public Task PushPendingSecurityTasksAsync(Guid userId)
    {
        return Task.FromResult(0);
    }
 }
--- a/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/NotificationsApiPushNotificationService.cs
@ -232,6 +232,11 @@ public class NotificationsApiPushNotificationService : BaseIdentityClientService
        await SendMessageAsync(PushType.NotificationStatus, message, true);
    }
    public async Task PushPendingSecurityTasksAsync(Guid userId)
    {
        await PushUserAsync(userId, PushType.PendingSecurityTasks);
    }
    private async Task PushSendAsync(Send send, PushType type)
    {
        if (send.UserId.HasValue)
--- a/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
+++ b/src/Core/Platform/Push/Services/RelayPushNotificationService.cs
@ -300,6 +300,11 @@ public class RelayPushNotificationService : BaseIdentityClientService, IPushNoti
            false
        );
    public async Task PushPendingSecurityTasksAsync(Guid userId)
    {
        await PushUserAsync(userId, PushType.PendingSecurityTasks);
    }
    private async Task SendPayloadToInstallationAsync(PushType type, object payload, bool excludeCurrentContext,
        ClientType? clientType = null)
    {
--- a/src/Core/Services/IMailService.cs
+++ b/src/Core/Services/IMailService.cs
@ -5,6 +5,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
 using Bit.Core.Vault.Models.Data;
 namespace Bit.Core.Services;
@ -98,5 +99,5 @@ public interface IMailService
        string organizationName);
    Task SendClaimedDomainUserEmailAsync(ManagedUserDomainClaimedEmails emailList);
    Task SendDeviceApprovalRequestedNotificationEmailAsync(IEnumerable<string> adminEmails, Guid organizationId, string email, string userName);
    Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons);
 }
--- a/src/Core/Services/Implementations/HandlebarsMailService.cs
+++ b/src/Core/Services/Implementations/HandlebarsMailService.cs
@ -15,6 +15,7 @@ using Bit.Core.Models.Mail.Provider;
 using Bit.Core.SecretsManager.Models.Mail;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.Core.Vault.Models.Data;
 using HandlebarsDotNet;
 namespace Bit.Core.Services;
@ -654,6 +655,10 @@ public class HandlebarsMailService : IMailService
        Handlebars.RegisterTemplate("TitleContactUsHtmlLayout", titleContactUsHtmlLayoutSource);
        var titleContactUsTextLayoutSource = await ReadSourceAsync("Layouts.TitleContactUs.text");
        Handlebars.RegisterTemplate("TitleContactUsTextLayout", titleContactUsTextLayoutSource);
        var securityTasksHtmlLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.html");
        Handlebars.RegisterTemplate("SecurityTasksHtmlLayout", securityTasksHtmlLayoutSource);
        var securityTasksTextLayoutSource = await ReadSourceAsync("Layouts.SecurityTasks.text");
        Handlebars.RegisterTemplate("SecurityTasksTextLayout", securityTasksTextLayoutSource);
        Handlebars.RegisterHelper("date", (writer, context, parameters) =>
        {
@ -1196,9 +1201,26 @@ public class HandlebarsMailService : IMailService
        await _mailDeliveryService.SendEmailAsync(message);
    }
    public async Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
    {
        MailQueueMessage CreateMessage(UserSecurityTasksCount notification)
        {
            var message = CreateDefaultMessage($"{orgName} has identified {notification.TaskCount} at-risk password{(notification.TaskCount.Equals(1) ? "" : "s")}", notification.Email);
            var model = new SecurityTaskNotificationViewModel
            {
                OrgName = orgName,
                TaskCount = notification.TaskCount,
                WebVaultUrl = _globalSettings.BaseServiceUri.VaultWithHash,
            };
            message.Category = "SecurityTasksNotification";
            return new MailQueueMessage(message, "SecurityTasksNotification", model);
        }
        var messageModels = securityTaskNotificaitons.Select(CreateMessage);
        await EnqueueMailAsync(messageModels.ToList());
    }
    private static string GetUserIdentifier(string email, string userName)
    {
        return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);
    }
 }
--- a/src/Core/Services/NoopImplementations/NoopMailService.cs
+++ b/src/Core/Services/NoopImplementations/NoopMailService.cs
@ -5,6 +5,7 @@ using Bit.Core.Billing.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Models.Mail;
 using Bit.Core.Vault.Models.Data;
 namespace Bit.Core.Services;
@ -322,5 +323,9 @@ public class NoopMailService : IMailService
    {
        return Task.FromResult(0);
    }
 }
    public Task SendBulkSecurityTaskNotificationsAsync(string orgName, IEnumerable<UserSecurityTasksCount> securityTaskNotificaitons)
    {
        return Task.FromResult(0);
    }
 }
--- a/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/CreateManyTaskNotificationsCommand.cs
@ -0,0 +1,82 @@
 using Bit.Core.Enums;
 using Bit.Core.NotificationCenter.Commands.Interfaces;
 using Bit.Core.NotificationCenter.Entities;
 using Bit.Core.NotificationCenter.Enums;
 using Bit.Core.Platform.Push;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Vault.Commands.Interfaces;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Queries;
 public class CreateManyTaskNotificationsCommand : ICreateManyTaskNotificationsCommand
 {
    private readonly IGetSecurityTasksNotificationDetailsQuery _getSecurityTasksNotificationDetailsQuery;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IMailService _mailService;
    private readonly ICreateNotificationCommand _createNotificationCommand;
    private readonly IPushNotificationService _pushNotificationService;
    public CreateManyTaskNotificationsCommand(
        IGetSecurityTasksNotificationDetailsQuery getSecurityTasksNotificationDetailsQuery,
        IOrganizationRepository organizationRepository,
        IMailService mailService,
        ICreateNotificationCommand createNotificationCommand,
        IPushNotificationService pushNotificationService)
    {
        _getSecurityTasksNotificationDetailsQuery = getSecurityTasksNotificationDetailsQuery;
        _organizationRepository = organizationRepository;
        _mailService = mailService;
        _createNotificationCommand = createNotificationCommand;
        _pushNotificationService = pushNotificationService;
    }
    public async Task CreateAsync(Guid orgId, IEnumerable<SecurityTask> securityTasks)
    {
        var securityTaskCiphers = await _getSecurityTasksNotificationDetailsQuery.GetNotificationDetailsByManyIds(orgId, securityTasks);
        // Get the number of tasks for each user
        var userTaskCount = securityTaskCiphers.GroupBy(x => x.UserId).Select(x => new UserSecurityTasksCount
        {
            UserId = x.Key,
            Email = x.First().Email,
            TaskCount = x.Count()
        }).ToList();
        var organization = await _organizationRepository.GetByIdAsync(orgId);
        await _mailService.SendBulkSecurityTaskNotificationsAsync(organization.Name, userTaskCount);
        // Break securityTaskCiphers into separate lists by user Id
        var securityTaskCiphersByUser = securityTaskCiphers.GroupBy(x => x.UserId)
                                   .ToDictionary(g => g.Key, g => g.ToList());
        foreach (var userId in securityTaskCiphersByUser.Keys)
        {
            // Get the security tasks by the user Id
            var userSecurityTaskCiphers = securityTaskCiphersByUser[userId];
            // Process each user's security task ciphers
            for (int i = 0; i < userSecurityTaskCiphers.Count; i++)
            {
                var userSecurityTaskCipher = userSecurityTaskCiphers[i];
                // Create a notification for the user with the associated task
                var notification = new Notification
                {
                    UserId = userSecurityTaskCipher.UserId,
                    OrganizationId = orgId,
                    Priority = Priority.Informational,
                    ClientType = ClientType.Browser,
                    TaskId = userSecurityTaskCipher.TaskId
                };
                await _createNotificationCommand.CreateAsync(notification, false);
            }
            // Notify the user that they have pending security tasks
            await _pushNotificationService.PushPendingSecurityTasksAsync(userId);
        }
    }
 }
--- a/src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs
+++ b/src/Core/Vault/Commands/Interfaces/ICreateManyTaskNotificationsCommand.cs
@ -0,0 +1,13 @@
 using Bit.Core.Vault.Entities;
 namespace Bit.Core.Vault.Commands.Interfaces;
 public interface ICreateManyTaskNotificationsCommand
 {
    /// <summary>
    /// Creates email and push notifications for the given security tasks.
    /// </summary>
    /// <param name="organizationId">The organization Id </param>
    /// <param name="securityTasks">All applicable security tasks</param>
    Task CreateAsync(Guid organizationId, IEnumerable<SecurityTask> securityTasks);
 }
--- a/src/Core/Vault/Models/Data/UserCipherForTask.cs
+++ b/src/Core/Vault/Models/Data/UserCipherForTask.cs
@ -0,0 +1,23 @@
 namespace Bit.Core.Vault.Models.Data;
 /// <summary>
 /// Minimal data model that represents a User and the associated cipher for a security task.
 /// Only to be used for query responses. For full data model, <see cref="UserSecurityTaskCipher"/>.
 /// </summary>
 public class UserCipherForTask
 {
    /// <summary>
    /// The user's Id.
    /// </summary>
    public Guid UserId { get; set; }
    /// <summary>
    /// The user's email.
    /// </summary>
    public string Email { get; set; }
    /// <summary>
    /// The cipher Id of the security task.
    /// </summary>
    public Guid CipherId { get; set; }
 }
--- a/src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
+++ b/src/Core/Vault/Models/Data/UserSecurityTaskCipher.cs
@ -0,0 +1,27 @@
 namespace Bit.Core.Vault.Models.Data;
 /// <summary>
 /// Data model that represents a User and the associated cipher for a security task.
 /// </summary>
 public class UserSecurityTaskCipher
 {
    /// <summary>
    /// The user's Id.
    /// </summary>
    public Guid UserId { get; set; }
    /// <summary>
    /// The user's email.
    /// </summary>
    public string Email { get; set; }
    /// <summary>
    /// The cipher Id of the security task.
    /// </summary>
    public Guid CipherId { get; set; }
    /// <summary>
    /// The Id of the security task.
    /// </summary>
    public Guid TaskId { get; set; }
 }
--- a/src/Core/Vault/Models/Data/UserSecurityTasksCount.cs
+++ b/src/Core/Vault/Models/Data/UserSecurityTasksCount.cs
@ -0,0 +1,22 @@
 namespace Bit.Core.Vault.Models.Data;
 /// <summary>
 /// Data model that represents a User and the amount of actionable security tasks.
 /// </summary>
 public class UserSecurityTasksCount
 {
    /// <summary>
    /// The user's Id.
    /// </summary>
    public Guid UserId { get; set; }
    /// <summary>
    /// The user's email.
    /// </summary>
    public string Email { get; set; }
    /// <summary>
    /// The number of actionable security tasks for the respective users.
    /// </summary>
    public int TaskCount { get; set; }
 }
--- a/src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs
+++ b/src/Core/Vault/Queries/GetSecurityTasksNotificationDetailsQuery.cs
@ -0,0 +1,33 @@
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 using Bit.Core.Vault.Repositories;
 namespace Bit.Core.Vault.Queries;
 public class GetSecurityTasksNotificationDetailsQuery : IGetSecurityTasksNotificationDetailsQuery
 {
    private readonly ICurrentContext _currentContext;
    private readonly ICipherRepository _cipherRepository;
    public GetSecurityTasksNotificationDetailsQuery(ICurrentContext currentContext, ICipherRepository cipherRepository)
    {
        _currentContext = currentContext;
        _cipherRepository = cipherRepository;
    }
    public async Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks)
    {
        var org = _currentContext.GetOrganization(organizationId);
        if (org == null)
        {
            throw new NotFoundException();
        }
        var userSecurityTaskCiphers = await _cipherRepository.GetUserSecurityTasksByCipherIdsAsync(organizationId, tasks);
        return userSecurityTaskCiphers;
    }
 }
--- a/src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs
+++ b/src/Core/Vault/Queries/IGetSecurityTasksNotificationDetailsQuery.cs
@ -0,0 +1,16 @@
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 namespace Bit.Core.Vault.Queries;
 public interface IGetSecurityTasksNotificationDetailsQuery
 {
    /// <summary>
    /// Retrieves all users within the given organization that are applicable to the given security tasks.
    ///
    /// <param name="organizationId"></param>
    /// <param name="tasks"></param>
    /// <returns>A dictionary of UserIds and the corresponding amount of security tasks applicable to them.</returns>
    /// </summary>
    public Task<ICollection<UserSecurityTaskCipher>> GetNotificationDetailsByManyIds(Guid organizationId, IEnumerable<SecurityTask> tasks);
 }
--- a/src/Core/Vault/Repositories/ICipherRepository.cs
+++ b/src/Core/Vault/Repositories/ICipherRepository.cs
@ -4,6 +4,7 @@ using Bit.Core.Repositories;
 using Bit.Core.Vault.Entities;
 using Bit.Core.Vault.Models.Data;
 namespace Bit.Core.Vault.Repositories;
 public interface ICipherRepository : IRepository<Cipher, Guid>
@ -49,6 +50,13 @@ public interface ICipherRepository : IRepository<Cipher, Guid>
    Task<ICollection<OrganizationCipherPermission>> GetCipherPermissionsForOrganizationAsync(Guid organizationId,
        Guid userId);
    /// <summary>
    /// Returns the users and the cipher ids for security tawsks that are applicable to them.
    ///
    /// Security tasks are actionable when a user has manage access to the associated cipher.
    /// </summary>
    Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(Guid organizationId, IEnumerable<SecurityTask> tasks);
    /// <summary>
    /// Updates encrypted data for ciphers during a key rotation
    /// </summary>
--- a/src/Core/Vault/VaultServiceCollectionExtensions.cs
+++ b/src/Core/Vault/VaultServiceCollectionExtensions.cs
@ -21,6 +21,8 @@ public static class VaultServiceCollectionExtensions
        services.AddScoped<IMarkTaskAsCompleteCommand, MarkTaskAsCompletedCommand>();
        services.AddScoped<IGetCipherPermissionsForUserQuery, GetCipherPermissionsForUserQuery>();
        services.AddScoped<IGetTasksForOrganizationQuery, GetTasksForOrganizationQuery>();
        services.AddScoped<IGetSecurityTasksNotificationDetailsQuery, GetSecurityTasksNotificationDetailsQuery>();
        services.AddScoped<ICreateManyTaskNotificationsCommand, CreateManyTaskNotificationsCommand>();
        services.AddScoped<ICreateManyTasksCommand, CreateManyTasksCommand>();
    }
 }
--- a/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.Dapper/Vault/Repositories/CipherRepository.cs
@ -323,6 +323,28 @@ public class CipherRepository : Repository<Cipher, Guid>, ICipherRepository
        }
    }
    public async Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(
        Guid organizationId, IEnumerable<SecurityTask> tasks)
    {
        var cipherIds = tasks.Where(t => t.CipherId.HasValue).Select(t => t.CipherId.Value).Distinct().ToList();
        using (var connection = new SqlConnection(ConnectionString))
        {
            var results = await connection.QueryAsync<UserCipherForTask>(
                $"[{Schema}].[UserSecurityTasks_GetManyByCipherIds]",
                new { OrganizationId = organizationId, CipherIds = cipherIds.ToGuidIdArrayTVP() },
                commandType: CommandType.StoredProcedure);
            return results.Select(r => new UserSecurityTaskCipher
            {
                UserId = r.UserId,
                Email = r.Email,
                CipherId = r.CipherId,
                TaskId = tasks.First(t => t.CipherId == r.CipherId).Id
            }).ToList();
        }
    }
    /// <inheritdoc />
    public UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(
        Guid userId, IEnumerable<Cipher> ciphers)
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/CipherRepository.cs
@ -348,6 +348,51 @@ public class CipherRepository : Repository<Core.Vault.Entities.Cipher, Cipher, G
        }
    }
    public async Task<ICollection<UserSecurityTaskCipher>> GetUserSecurityTasksByCipherIdsAsync(Guid organizationId, IEnumerable<Core.Vault.Entities.SecurityTask> tasks)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
            var cipherIds = tasks.Where(t => t.CipherId.HasValue).Select(t => t.CipherId.Value);
            var dbContext = GetDatabaseContext(scope);
            var query = new UserSecurityTasksByCipherIdsQuery(organizationId, cipherIds).Run(dbContext);
            ICollection<UserSecurityTaskCipher> userTaskCiphers;
            // SQLite does not support the GROUP BY clause
            if (dbContext.Database.IsSqlite())
            {
                userTaskCiphers = (await query.ToListAsync())
                    .GroupBy(c => new { c.UserId, c.Email, c.CipherId })
                    .Select(g => new UserSecurityTaskCipher
                    {
                        UserId = g.Key.UserId,
                        Email = g.Key.Email,
                        CipherId = g.Key.CipherId,
                    }).ToList();
            }
            else
            {
                var groupByQuery = from p in query
                                   group p by new { p.UserId, p.Email, p.CipherId }
                    into g
                                   select new UserSecurityTaskCipher
                                   {
                                       UserId = g.Key.UserId,
                                       CipherId = g.Key.CipherId,
                                       Email = g.Key.Email,
                                   };
                userTaskCiphers = await groupByQuery.ToListAsync();
            }
            foreach (var userTaskCipher in userTaskCiphers)
            {
                userTaskCipher.TaskId = tasks.First(t => t.CipherId == userTaskCipher.CipherId).Id;
            }
            return userTaskCiphers;
        }
    }
    public async Task<CipherDetails> GetByIdAsync(Guid id, Guid userId)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
--- a/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs
+++ b/src/Infrastructure.EntityFramework/Vault/Repositories/Queries/UserSecurityTasksByCipherIdsQuery.cs
@ -0,0 +1,71 @@
 using Bit.Core.Vault.Models.Data;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Infrastructure.EntityFramework.Repositories.Queries;
 namespace Bit.Infrastructure.EntityFramework.Vault.Repositories.Queries;
 public class UserSecurityTasksByCipherIdsQuery : IQuery<UserCipherForTask>
 {
    private readonly Guid _organizationId;
    private readonly IEnumerable<Guid> _cipherIds;
    public UserSecurityTasksByCipherIdsQuery(Guid organizationId, IEnumerable<Guid> cipherIds)
    {
        _organizationId = organizationId;
        _cipherIds = cipherIds;
    }
    public IQueryable<UserCipherForTask> Run(DatabaseContext dbContext)
    {
        var baseCiphers =
            from c in dbContext.Ciphers
            where _cipherIds.Contains(c.Id)
            join o in dbContext.Organizations
                on c.OrganizationId equals o.Id
            where o.Id == _organizationId && o.Enabled
            select c;
        var userPermissions =
            from c in baseCiphers
            join cc in dbContext.CollectionCiphers
                on c.Id equals cc.CipherId
            join cu in dbContext.CollectionUsers
                on cc.CollectionId equals cu.CollectionId
            join ou in dbContext.OrganizationUsers
                on cu.OrganizationUserId equals ou.Id
            where ou.OrganizationId == _organizationId
                && cu.Manage == true
            select new { ou.UserId, c.Id };
        var groupPermissions =
            from c in baseCiphers
            join cc in dbContext.CollectionCiphers
                on c.Id equals cc.CipherId
            join cg in dbContext.CollectionGroups
                on cc.CollectionId equals cg.CollectionId
            join gu in dbContext.GroupUsers
                on cg.GroupId equals gu.GroupId
            join ou in dbContext.OrganizationUsers
                on gu.OrganizationUserId equals ou.Id
            where ou.OrganizationId == _organizationId
                && cg.Manage == true
                && !userPermissions.Any(up => up.Id == c.Id && up.UserId == ou.UserId)
            select new { ou.UserId, c.Id };
        return userPermissions.Union(groupPermissions)
            .Join(
                dbContext.Users,
                p => p.UserId,
                u => u.Id,
                (p, u) => new { p.UserId, p.Id, u.Email }
            )
            .GroupBy(x => new { x.UserId, x.Email, x.Id })
            .Select(g => new UserCipherForTask
            {
                UserId = (Guid)g.Key.UserId,
                Email = g.Key.Email,
                CipherId = g.Key.Id
            })
            .OrderByDescending(x => x.Email);
    }
 }
--- a/Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql
+++ b/Procedures/Cipher/UserSecurityTasks_GetManyByCipherIds.sql
@ -0,0 +1,67 @@
 CREATE PROCEDURE [dbo].[UserSecurityTasks_GetManyByCipherIds]
    @OrganizationId UNIQUEIDENTIFIER,
    @CipherIds AS [dbo].[GuidIdArray] READONLY
 AS
 BEGIN
    SET NOCOUNT ON
    ;WITH BaseCiphers AS (
        SELECT C.[Id], C.[OrganizationId]
        FROM [dbo].[Cipher] C
        INNER JOIN @CipherIds CI ON C.[Id] = CI.[Id]
        INNER JOIN [dbo].[Organization] O ON
            O.[Id] = C.[OrganizationId]
            AND O.[Id] = @OrganizationId
            AND O.[Enabled] = 1
    ),
    UserPermissions AS (
        SELECT DISTINCT
            CC.[CipherId],
            OU.[UserId],
            COALESCE(CU.[Manage], 0) as [Manage]
        FROM [dbo].[CollectionCipher] CC
        INNER JOIN [dbo].[CollectionUser] CU ON
            CU.[CollectionId] = CC.[CollectionId]
        INNER JOIN [dbo].[OrganizationUser] OU ON
            CU.[OrganizationUserId] = OU.[Id]
            AND OU.[OrganizationId] = @OrganizationId
        WHERE COALESCE(CU.[Manage], 0) = 1
    ),
    GroupPermissions AS (
        SELECT DISTINCT
            CC.[CipherId],
            OU.[UserId],
            COALESCE(CG.[Manage], 0) as [Manage]
        FROM [dbo].[CollectionCipher] CC
        INNER JOIN [dbo].[CollectionGroup] CG ON
            CG.[CollectionId] = CC.[CollectionId]
        INNER JOIN [dbo].[GroupUser] GU ON
            GU.[GroupId] = CG.[GroupId]
        INNER JOIN [dbo].[OrganizationUser] OU ON
            GU.[OrganizationUserId] = OU.[Id]
            AND OU.[OrganizationId] = @OrganizationId
        WHERE COALESCE(CG.[Manage], 0) = 1
            AND NOT EXISTS (
                SELECT 1
                FROM UserPermissions UP
                WHERE UP.[CipherId] = CC.[CipherId]
                AND UP.[UserId] = OU.[UserId]
            )
    ),
    CombinedPermissions AS (
        SELECT CipherId, UserId, [Manage]
        FROM UserPermissions
        UNION
        SELECT CipherId, UserId, [Manage]
        FROM GroupPermissions
    )
    SELECT
        P.[UserId],
        U.[Email],
        C.[Id] as CipherId
    FROM BaseCiphers C
    INNER JOIN CombinedPermissions P ON P.CipherId = C.[Id]
    INNER JOIN [dbo].[User] U ON U.[Id] = P.[UserId]
    WHERE P.[Manage] = 1
    ORDER BY U.[Email], C.[Id]
 END
--- a/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
+++ b/test/Core.Test/NotificationCenter/Commands/CreateNotificationCommandTest.cs
@ -69,4 +69,19 @@ public class CreateNotificationCommandTest
            .Received(0)
            .PushNotificationStatusAsync(Arg.Any<Notification>(), Arg.Any<NotificationStatus>());
    }
    [Theory]
    [BitAutoData]
    public async Task CreateAsync_Authorized_NotificationPushSkipped(
        SutProvider<CreateNotificationCommand> sutProvider,
        Notification notification)
    {
        Setup(sutProvider, notification, true);
        var newNotification = await sutProvider.Sut.CreateAsync(notification, false);
        await sutProvider.GetDependency<IPushNotificationService>()
            .Received(0)
            .PushNotificationAsync(newNotification);
    }
 }
--- a/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs
@ -704,4 +704,183 @@ public class CipherRepositoryTests
            Data = ""
        });
    }
    [DatabaseTheory, DatabaseData]
    public async Task GetUserSecurityTasksByCipherIdsAsync_Works(
        ICipherRepository cipherRepository,
        IUserRepository userRepository,
        ICollectionCipherRepository collectionCipherRepository,
        ICollectionRepository collectionRepository,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
        IGroupRepository groupRepository
        )
    {
        // Users
        var user1 = await userRepository.CreateAsync(new User
        {
            Name = "Test User 1",
            Email = $"test+{Guid.NewGuid()}@email.com",
            ApiKey = "TEST",
            SecurityStamp = "stamp",
        });
        var user2 = await userRepository.CreateAsync(new User
        {
            Name = "Test User 2",
            Email = $"test+{Guid.NewGuid()}@email.com",
            ApiKey = "TEST",
            SecurityStamp = "stamp",
        });
        // Organization
        var organization = await organizationRepository.CreateAsync(new Organization
        {
            Name = "Test Organization",
            BillingEmail = user1.Email,
            Plan = "Test"
        });
        // Org Users
        var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
        {
            UserId = user1.Id,
            OrganizationId = organization.Id,
            Status = OrganizationUserStatusType.Confirmed,
            Type = OrganizationUserType.Owner,
        });
        var orgUser2 = await organizationUserRepository.CreateAsync(new OrganizationUser
        {
            UserId = user2.Id,
            OrganizationId = organization.Id,
            Status = OrganizationUserStatusType.Confirmed,
            Type = OrganizationUserType.User,
        });
        // A group that will be assigned Edit permissions to any collections
        var editGroup = await groupRepository.CreateAsync(new Group
        {
            OrganizationId = organization.Id,
            Name = "Edit Group",
        });
        await groupRepository.UpdateUsersAsync(editGroup.Id, new[] { orgUser1.Id });
        // Add collections to Org
        var manageCollection = await collectionRepository.CreateAsync(new Collection
        {
            Name = "Manage Collection",
            OrganizationId = organization.Id
        });
        // Use a 2nd collection to differentiate between the two users
        var manageCollection2 = await collectionRepository.CreateAsync(new Collection
        {
            Name = "Manage Collection 2",
            OrganizationId = organization.Id
        });
        var viewOnlyCollection = await collectionRepository.CreateAsync(new Collection
        {
            Name = "View Only Collection",
            OrganizationId = organization.Id
        });
        // Ciphers
        var manageCipher1 = await cipherRepository.CreateAsync(new Cipher
        {
            Type = CipherType.Login,
            OrganizationId = organization.Id,
            Data = ""
        });
        var manageCipher2 = await cipherRepository.CreateAsync(new Cipher
        {
            Type = CipherType.Login,
            OrganizationId = organization.Id,
            Data = ""
        });
        var viewOnlyCipher = await cipherRepository.CreateAsync(new Cipher
        {
            Type = CipherType.Login,
            OrganizationId = organization.Id,
            Data = ""
        });
        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher1.Id, organization.Id,
            new List<Guid> { manageCollection.Id });
        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher2.Id, organization.Id,
            new List<Guid> { manageCollection2.Id });
        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewOnlyCipher.Id, organization.Id,
            new List<Guid> { viewOnlyCollection.Id });
        await collectionRepository.UpdateUsersAsync(manageCollection.Id, new List<CollectionAccessSelection>
        {
            new()
            {
                Id = orgUser1.Id,
                HidePasswords = false,
                ReadOnly = false,
                Manage = true
            },
             new()
            {
                Id = orgUser2.Id,
                HidePasswords = false,
                ReadOnly = false,
                Manage = true
            }
        });
        // Only add second user to the second manage collection
        await collectionRepository.UpdateUsersAsync(manageCollection2.Id, new List<CollectionAccessSelection>
        {
            new()
            {
                Id = orgUser2.Id,
                HidePasswords = false,
                ReadOnly = false,
                Manage = true
            },
        });
        await collectionRepository.UpdateUsersAsync(viewOnlyCollection.Id, new List<CollectionAccessSelection>
        {
            new()
            {
                Id = orgUser1.Id,
                HidePasswords = false,
                ReadOnly = false,
                Manage = false
            }
        });
        var securityTasks = new List<SecurityTask>
        {
            new SecurityTask { CipherId = manageCipher1.Id, Id = Guid.NewGuid() },
            new SecurityTask { CipherId = manageCipher2.Id, Id = Guid.NewGuid() },
            new SecurityTask { CipherId = viewOnlyCipher.Id, Id = Guid.NewGuid() }
        };
        var userSecurityTaskCiphers = await cipherRepository.GetUserSecurityTasksByCipherIdsAsync(organization.Id, securityTasks);
        Assert.NotEmpty(userSecurityTaskCiphers);
        Assert.Equal(3, userSecurityTaskCiphers.Count);
        var user1TaskCiphers = userSecurityTaskCiphers.Where(t => t.UserId == user1.Id);
        Assert.Single(user1TaskCiphers);
        Assert.Equal(user1.Email, user1TaskCiphers.First().Email);
        Assert.Equal(user1.Id, user1TaskCiphers.First().UserId);
        Assert.Equal(manageCipher1.Id, user1TaskCiphers.First().CipherId);
        var user2TaskCiphers = userSecurityTaskCiphers.Where(t => t.UserId == user2.Id);
        Assert.NotNull(user2TaskCiphers);
        Assert.Equal(2, user2TaskCiphers.Count());
        Assert.Equal(user2.Email, user2TaskCiphers.Last().Email);
        Assert.Equal(user2.Id, user2TaskCiphers.Last().UserId);
        Assert.Contains(user2TaskCiphers, t => t.CipherId == manageCipher1.Id && t.TaskId == securityTasks[0].Id);
        Assert.Contains(user2TaskCiphers, t => t.CipherId == manageCipher2.Id && t.TaskId == securityTasks[1].Id);
    }
 }
--- a/util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql
+++ b/util/Migrator/DbScripts/2025-02-11_00_UserSecurityTasks_GetManyByCipherIds.sql
@ -0,0 +1,68 @@
 CREATE OR ALTER PROCEDURE [dbo].[UserSecurityTasks_GetManyByCipherIds]
    @OrganizationId UNIQUEIDENTIFIER,
    @CipherIds AS [dbo].[GuidIdArray] READONLY
 AS
 BEGIN
    SET NOCOUNT ON
    ;WITH BaseCiphers AS (
        SELECT C.[Id], C.[OrganizationId]
        FROM [dbo].[Cipher] C
        INNER JOIN @CipherIds CI ON C.[Id] = CI.[Id]
        INNER JOIN [dbo].[Organization] O ON
            O.[Id] = C.[OrganizationId]
            AND O.[Id] = @OrganizationId
            AND O.[Enabled] = 1
    ),
    UserPermissions AS (
        SELECT DISTINCT
            CC.[CipherId],
            OU.[UserId],
            COALESCE(CU.[Manage], 0) as [Manage]
        FROM [dbo].[CollectionCipher] CC
        INNER JOIN [dbo].[CollectionUser] CU ON
            CU.[CollectionId] = CC.[CollectionId]
        INNER JOIN [dbo].[OrganizationUser] OU ON
            CU.[OrganizationUserId] = OU.[Id]
            AND OU.[OrganizationId] = @OrganizationId
        WHERE COALESCE(CU.[Manage], 0) = 1
    ),
    GroupPermissions AS (
        SELECT DISTINCT
            CC.[CipherId],
            OU.[UserId],
            COALESCE(CG.[Manage], 0) as [Manage]
        FROM [dbo].[CollectionCipher] CC
        INNER JOIN [dbo].[CollectionGroup] CG ON
            CG.[CollectionId] = CC.[CollectionId]
        INNER JOIN [dbo].[GroupUser] GU ON
            GU.[GroupId] = CG.[GroupId]
        INNER JOIN [dbo].[OrganizationUser] OU ON
            GU.[OrganizationUserId] = OU.[Id]
            AND OU.[OrganizationId] = @OrganizationId
        WHERE COALESCE(CG.[Manage], 0) = 1
            AND NOT EXISTS (
                SELECT 1
                FROM UserPermissions UP
                WHERE UP.[CipherId] = CC.[CipherId]
                AND UP.[UserId] = OU.[UserId]
            )
    ),
    CombinedPermissions AS (
        SELECT CipherId, UserId, [Manage]
        FROM UserPermissions
        UNION
        SELECT CipherId, UserId, [Manage]
        FROM GroupPermissions
    )
    SELECT
        P.[UserId],
        U.[Email],
        C.[Id] as CipherId
    FROM BaseCiphers C
    INNER JOIN CombinedPermissions P ON P.CipherId = C.[Id]
    INNER JOIN [dbo].[User] U ON U.[Id] = P.[UserId]
    WHERE P.[Manage] = 1
    ORDER BY U.[Email], C.[Id]
 END
 GO