[AC-1809] Update OrganizationAbility with Collection Management Settings (#3571)

* feat: Update OrganizationAbility with LimitCollectionCreationDeletion, refs AC-1809 * feat: Update OrganizationAbility constructor usage to pass feature flag state, refs AC-1809 * feat: Update EF retrieval of org abilities to include new property from database, refs AC-1809 * feat: Update sproc to include LimitCollectionCreationDeletion property and create migration, refs AC-1809 * feat: Inject ApplicationCache into handler accessing LimitCollectionCreationDeletion, refs AC-1809 * feat: remove collection management settings from CurrentContextOrganization and update tests, refs AC-1809 * feat: add AllowAdminAccessToAllCollectionItems to OrganizationAbility pipeline, refs AC-1809 --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
2024-11-21 12:05:42 +01:00 · 2023-12-27 18:07:06 -06:00 · 2023-12-27 18:07:06 -06:00 · 71def39015
commit 71def39015
parent 2ab35e389c
12 changed files with 257 additions and 50 deletions
--- a/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Collections/BulkCollectionAuthorizationHandler.cs
@ -4,6 +4,7 @@ using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@ -20,6 +21,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
    private readonly ICurrentContext _currentContext;
    private readonly ICollectionRepository _collectionRepository;
    private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;
    private Guid _targetOrganizationId;

    private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
@ -27,11 +29,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
    public BulkCollectionAuthorizationHandler(
        ICurrentContext currentContext,
        ICollectionRepository collectionRepository,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
    {
        _currentContext = currentContext;
        _collectionRepository = collectionRepository;
        _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -84,7 +88,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC

            case not null when requirement == BulkCollectionOperations.Update:
            case not null when requirement == BulkCollectionOperations.ModifyAccess:
-                await CanUpdateCollection(context, requirement, resources, org);
+                await CanUpdateCollectionAsync(context, requirement, resources, org);
                break;

            case not null when requirement == BulkCollectionOperations.Delete:
@ -96,10 +100,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
    private async Task CanCreateAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement,
        CurrentContextOrganization? org)
    {
-        // If the limit collection management setting is disabled, allow any user to create collections
-        // Otherwise, Owners, Admins, and users with CreateNewCollections permission can always create collections
+        // Owners, Admins, and users with CreateNewCollections permission can always create collections
        if (org is
-        { LimitCollectionCreationDeletion: false } or
        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
        { Permissions.CreateNewCollections: true })
        {
@ -107,6 +109,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
            return;
        }

+        // If the limit collection management setting is disabled, allow any user to create collections
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
        // Allow provider users to create collections if they are a provider for the target organization
        if (await _currentContext.ProviderUserForOrgAsync(_targetOrganizationId))
        {
@ -182,7 +191,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
    /// <summary>
    /// Ensures the acting user is allowed to update the target collections or manage access permissions for them.
    /// </summary>
-    private async Task CanUpdateCollection(AuthorizationHandlerContext context,
+    private async Task CanUpdateCollectionAsync(AuthorizationHandlerContext context,
        IAuthorizationRequirement requirement, ICollection<Collection> resources,
        CurrentContextOrganization? org)
    {
@ -226,9 +235,10 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
            return;
        }

+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
        // The limit collection management setting is disabled,
        // ensure acting user has manage permissions for all collections being deleted
-        if (org is { LimitCollectionCreationDeletion: false })
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
        {
            var canManageCollections = await CanManageCollectionsAsync(resources, org);
            if (canManageCollections)
@ -261,4 +271,19 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
        // Check if the acting user has access to all target collections
        return targetCollections.All(tc => assignedCollectionIds.Contains(tc.Id));
    }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }
--- a/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
@ -3,6 +3,7 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;

@ -16,15 +17,18 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
 {
    private readonly ICurrentContext _currentContext;
    private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;

    private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);

    public GroupAuthorizationHandler(
        ICurrentContext currentContext,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
    {
        _currentContext = currentContext;
        _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -62,10 +66,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
    private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
        CurrentContextOrganization? org)
    {
-        // If the limit collection management setting is disabled, allow any user to read all groups
-        // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
+        // Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
        if (org is
-        { LimitCollectionCreationDeletion: false } or
        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
        { Permissions.ManageGroups: true } or
        { Permissions.ManageUsers: true } or
@ -77,10 +79,33 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
            return;
        }

+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
+        // If the limit collection management setting is disabled, allow any user to read all groups
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
        // Allow provider users to read all groups if they are a provider for the target organization
        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
        {
            context.Succeed(requirement);
        }
    }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
@ -3,6 +3,7 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;

@ -16,15 +17,18 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
 {
    private readonly ICurrentContext _currentContext;
    private readonly IFeatureService _featureService;
+    private readonly IApplicationCacheService _applicationCacheService;

    private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);

    public OrganizationUserAuthorizationHandler(
        ICurrentContext currentContext,
-        IFeatureService featureService)
+        IFeatureService featureService,
+        IApplicationCacheService applicationCacheService)
    {
        _currentContext = currentContext;
        _featureService = featureService;
+        _applicationCacheService = applicationCacheService;
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -64,7 +68,6 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
        // If the limit collection management setting is disabled, allow any user to read all organization users
        // Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users
        if (org is
-        { LimitCollectionCreationDeletion: false } or
        { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
        { Permissions.ManageGroups: true } or
        { Permissions.ManageUsers: true } or
@ -76,10 +79,33 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
            return;
        }

+        // Check for non-null org here: the user must be apart of the organization for this setting to take affect
+        // If the limit collection management setting is disabled, allow any user to read all organization users
+        if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
        // Allow provider users to read all organization users if they are a provider for the target organization
        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
        {
            context.Succeed(requirement);
        }
    }
+
+    private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
+    {
+        // If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
+        // irrelevant
+        if (organization == null)
+        {
+            return null;
+        }
+
+        (await _applicationCacheService.GetOrganizationAbilitiesAsync())
+            .TryGetValue(organization.Id, out var organizationAbility);
+
+        return organizationAbility;
+    }
 }
--- a/src/Core/AdminConsole/Context/CurrentContextOrganization.cs
+++ b/src/Core/AdminConsole/Context/CurrentContextOrganization.cs
@ -15,14 +15,10 @@ public class CurrentContextOrganization
        Type = orgUser.Type;
        Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
        AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager && orgUser.Enabled;
-        LimitCollectionCreationDeletion = orgUser.LimitCollectionCreationDeletion;
-        AllowAdminAccessToAllCollectionItems = orgUser.AllowAdminAccessToAllCollectionItems;
    }

    public Guid Id { get; set; }
    public OrganizationUserType Type { get; set; }
    public Permissions Permissions { get; set; } = new();
    public bool AccessSecretsManager { get; set; }
-    public bool LimitCollectionCreationDeletion { get; set; }
-    public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }
--- a/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
+++ b/src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs
@ -21,6 +21,8 @@ public class OrganizationAbility
        UseResetPassword = organization.UseResetPassword;
        UseCustomPermissions = organization.UseCustomPermissions;
        UsePolicies = organization.UsePolicies;
+        LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
+        AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
    }

    public Guid Id { get; set; }
@ -35,4 +37,6 @@ public class OrganizationAbility
    public bool UseResetPassword { get; set; }
    public bool UseCustomPermissions { get; set; }
    public bool UsePolicies { get; set; }
+    public bool LimitCollectionCreationDeletion { get; set; }
+    public bool AllowAdminAccessToAllCollectionItems { get; set; }
 }
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@ -54,7 +54,7 @@ public class CurrentContext : ICurrentContext
    {
        _providerOrganizationRepository = providerOrganizationRepository;
        _providerUserRepository = providerUserRepository;
-        _featureService = featureService;
+        _featureService = featureService; ;
    }

    public async virtual Task BuildAsync(HttpContext httpContext, GlobalSettings globalSettings)
@ -383,15 +383,10 @@ public class CurrentContext : ICurrentContext
            throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
        }

-        var canCreateNewCollections = false;
        var org = GetOrganization(orgId);
-        if (org != null)
-        {
-            canCreateNewCollections = !org.LimitCollectionCreationDeletion || org.Permissions.CreateNewCollections;
-        }
        return await EditAssignedCollections(orgId)
               || await DeleteAssignedCollections(orgId)
-               || canCreateNewCollections;
+               || (org != null && org.Permissions.CreateNewCollections);
    }

    public async Task<bool> ManageGroups(Guid orgId)
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
@ -88,7 +88,9 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                UseResetPassword = e.UseResetPassword,
                UseScim = e.UseScim,
                UseCustomPermissions = e.UseCustomPermissions,
-                UsePolicies = e.UsePolicies
+                UsePolicies = e.UsePolicies,
+                LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
+                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems
            }).ToListAsync();
        }
    }
--- a/Procedures/Organization_ReadAbilities.sql
+++ b/Procedures/Organization_ReadAbilities.sql
@ -20,7 +20,9 @@ BEGIN
        [UseScim],
        [UseResetPassword],
        [UsePolicies],
-        [Enabled]
+        [Enabled],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems]
    FROM
        [dbo].[Organization]
 END
--- a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
@ -6,7 +6,9 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Core.Test.Vault.AutoFixture;
 using Bit.Test.Common.AutoFixture;
@ -31,9 +33,10 @@ public class BulkCollectionAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Create },
            new ClaimsPrincipal(),
@ -41,6 +44,7 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -56,7 +60,8 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
+
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);

        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Create },
@ -65,6 +70,7 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -83,7 +89,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -92,6 +97,8 @@ public class BulkCollectionAuthorizationHandlerTests
            ManageUsers = false
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Create },
            new ClaimsPrincipal(),
@ -99,6 +106,8 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);

@ -111,6 +120,8 @@ public class BulkCollectionAuthorizationHandlerTests
        ICollection<Collection> collections,
        SutProvider<BulkCollectionAuthorizationHandler> sutProvider)
    {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(collections.First().OrganizationId, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Create },
            new ClaimsPrincipal(),
@ -119,6 +130,8 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);
        Assert.False(context.HasSucceeded);
@ -134,7 +147,6 @@ public class BulkCollectionAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

        var operationsToTest = new[]
@ -217,7 +229,6 @@ public class BulkCollectionAuthorizationHandlerTests
        }

        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions();

        var operationsToTest = new[]
@ -254,7 +265,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions();

        var operationsToTest = new[]
@ -293,7 +303,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -367,7 +376,6 @@ public class BulkCollectionAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
@ -431,7 +439,6 @@ public class BulkCollectionAuthorizationHandlerTests
        }

        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions();

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
@ -462,7 +469,6 @@ public class BulkCollectionAuthorizationHandlerTests
        }

        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions();

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
@ -491,7 +497,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -543,7 +548,6 @@ public class BulkCollectionAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

        var operationsToTest = new[]
@ -661,7 +665,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -742,9 +745,10 @@ public class BulkCollectionAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Delete },
            new ClaimsPrincipal(),
@ -752,6 +756,8 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -767,12 +773,13 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions
        {
            DeleteAnyCollection = true
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Delete },
            new ClaimsPrincipal(),
@ -780,6 +787,8 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -797,9 +806,13 @@ public class BulkCollectionAuthorizationHandlerTests
        organization.Type = OrganizationUserType.User;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, false);
+
        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId, Arg.Any<bool>()).Returns(collections);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);

        foreach (var c in collections)
        {
@ -828,7 +841,6 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -837,6 +849,8 @@ public class BulkCollectionAuthorizationHandlerTests
            ManageUsers = false
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { BulkCollectionOperations.Delete },
            new ClaimsPrincipal(),
@ -844,6 +858,9 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+            .Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);

@ -864,6 +881,7 @@ public class BulkCollectionAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);
        Assert.False(context.HasSucceeded);
@ -919,6 +937,16 @@ public class BulkCollectionAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();
        var orgId = collections.First().OrganizationId;

+        var organizationAbilities = new Dictionary<Guid, OrganizationAbility>
+        {
+            { collections.First().OrganizationId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = true
+                }
+            }
+        };
+
        var operationsToTest = new[]
        {
            BulkCollectionOperations.Create,
@ -933,6 +961,8 @@ public class BulkCollectionAuthorizationHandlerTests
        {
            sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
            sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgId).Returns((CurrentContextOrganization)null);
+            sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync()
+                .Returns(organizationAbilities);
            sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(true);

            var context = new AuthorizationHandlerContext(
@ -950,4 +980,18 @@ public class BulkCollectionAuthorizationHandlerTests
            sutProvider.Recreate();
        }
    }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }
--- a/test/Api.Test/Vault/AuthorizationHandlers/GroupAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/GroupAuthorizationHandlerTests.cs
@ -4,6 +4,8 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@ -26,9 +28,10 @@ public class GroupAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { GroupOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -36,6 +39,7 @@ public class GroupAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -48,9 +52,10 @@ public class GroupAuthorizationHandlerTests
        SutProvider<GroupAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
    {
        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { GroupOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -59,6 +64,7 @@ public class GroupAuthorizationHandlerTests
        sutProvider.GetDependency<ICurrentContext>()
            .UserId
            .Returns(userId);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
        sutProvider.GetDependency<ICurrentContext>()
            .ProviderUserForOrgAsync(organization.Id)
            .Returns(true);
@ -83,7 +89,6 @@ public class GroupAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = editAnyCollection,
@ -92,6 +97,8 @@ public class GroupAuthorizationHandlerTests
            ManageUsers = manageUsers
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, limitCollectionCreationDeletion);
+
        var context = new AuthorizationHandlerContext(
            new[] { GroupOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -99,6 +106,7 @@ public class GroupAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -116,7 +124,6 @@ public class GroupAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -126,6 +133,8 @@ public class GroupAuthorizationHandlerTests
            AccessImportExport = false
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { GroupOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -133,6 +142,8 @@ public class GroupAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);

@ -145,6 +156,8 @@ public class GroupAuthorizationHandlerTests
        Guid organizationId,
        SutProvider<GroupAuthorizationHandler> sutProvider)
    {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organizationId, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { GroupOperations.ReadAll(organizationId) },
            new ClaimsPrincipal(),
@ -153,6 +166,8 @@ public class GroupAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);
        Assert.False(context.HasSucceeded);
@ -194,4 +209,18 @@ public class GroupAuthorizationHandlerTests
        Assert.False(context.HasSucceeded);
        Assert.True(context.HasFailed);
    }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }
--- a/test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs
@ -4,6 +4,8 @@ using Bit.Core;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@ -26,9 +28,10 @@ public class OrganizationUserAuthorizationHandlerTests
        CurrentContextOrganization organization)
    {
        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -36,6 +39,7 @@ public class OrganizationUserAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -48,9 +52,10 @@ public class OrganizationUserAuthorizationHandlerTests
        SutProvider<OrganizationUserAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
    {
        organization.Type = OrganizationUserType.User;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions();

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -59,6 +64,7 @@ public class OrganizationUserAuthorizationHandlerTests
        sutProvider.GetDependency<ICurrentContext>()
            .UserId
            .Returns(userId);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
        sutProvider.GetDependency<ICurrentContext>()
            .ProviderUserForOrgAsync(organization.Id)
            .Returns(true);
@ -83,7 +89,6 @@ public class OrganizationUserAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = OrganizationUserType.Custom;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = editAnyCollection,
@ -92,6 +97,8 @@ public class OrganizationUserAuthorizationHandlerTests
            ManageUsers = manageUsers
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, limitCollectionCreationDeletion);
+
        var context = new AuthorizationHandlerContext(
            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -99,6 +106,7 @@ public class OrganizationUserAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);

        await sutProvider.Sut.HandleAsync(context);

@ -116,7 +124,6 @@ public class OrganizationUserAuthorizationHandlerTests
        var actingUserId = Guid.NewGuid();

        organization.Type = userType;
-        organization.LimitCollectionCreationDeletion = true;
        organization.Permissions = new Permissions
        {
            EditAnyCollection = false,
@ -125,6 +132,8 @@ public class OrganizationUserAuthorizationHandlerTests
            ManageUsers = false
        };

+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organization.Id, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
            new ClaimsPrincipal(),
@ -132,6 +141,8 @@ public class OrganizationUserAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);

@ -144,6 +155,8 @@ public class OrganizationUserAuthorizationHandlerTests
        Guid organizationId,
        SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
    {
+        var organizationAbilities = ArrangeOrganizationAbilitiesDictionary(organizationId, true);
+
        var context = new AuthorizationHandlerContext(
            new[] { OrganizationUserOperations.ReadAll(organizationId) },
            new ClaimsPrincipal(),
@ -152,6 +165,8 @@ public class OrganizationUserAuthorizationHandlerTests

        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilitiesAsync().Returns(organizationAbilities);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);

        await sutProvider.Sut.HandleAsync(context);
        Assert.False(context.HasSucceeded);
@ -191,4 +206,18 @@ public class OrganizationUserAuthorizationHandlerTests

        Assert.True(context.HasFailed);
    }
+
+    private static Dictionary<Guid, OrganizationAbility> ArrangeOrganizationAbilitiesDictionary(Guid orgId,
+        bool limitCollectionCreationDeletion)
+    {
+        return new Dictionary<Guid, OrganizationAbility>
+        {
+            { orgId,
+                new OrganizationAbility
+                {
+                    LimitCollectionCreationDeletion = limitCollectionCreationDeletion
+                }
+            }
+        };
+    }
 }
--- a/util/Migrator/DbScripts/2023-12-21_00_OrganizationAbilitiesWithCollectionManagementSettings.sql
+++ b/util/Migrator/DbScripts/2023-12-21_00_OrganizationAbilitiesWithCollectionManagementSettings.sql
@ -0,0 +1,30 @@
+--Update stored procedure to include LimitCollectionCreationDeletion property
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+            WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+                1
+            ELSE
+                0
+            END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems]
+    FROM
+        [dbo].[Organization]
+END
+GO