[AC-1174] Bulk Collection Management (#3229)

* [AC-1174] Update SelectionReadOnlyRequestModel to use Guid for Id property * [AC-1174] Introduce initial bulk-access collection endpoint * [AC-1174] Introduce BulkAddCollectionAccessCommand and validation logic/tests * [AC-1174] Add CreateOrUpdateAccessMany method to CollectionRepository * [AC-1174] Add event logs for bulk add collection access command * [AC-1174] Add User_BumpAccountRevisionDateByCollectionIds and database migration script * [AC-1174] Implement EF repository method * [AC-1174] Improve null checks * [AC-1174] Remove unnecessary BulkCollectionAccessRequestModel helpers * [AC-1174] Add unit tests for new controller endpoint * [AC-1174] Fix formatting * [AC-1174] Remove comment * [AC-1174] Remove redundant organizationId parameter * [AC-1174] Ensure user and group Ids are distinct * [AC-1174] Cleanup tests based on PR feedback * [AC-1174] Formatting * [AC-1174] Update CollectionGroup alias in the sproc * [AC-1174] Add some additional comments to SQL sproc * [AC-1174] Add comment explaining additional SaveChangesAsync call --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2025-07-01 16:12:49 -05:00 · 2023-09-26 09:30:07 -07:00
parent 2c7d02dcbb
commit 5d431adbd4
16 changed files with 943 additions and 5 deletions
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@ -20,23 +20,26 @@ public class CollectionsController : Controller
    private readonly ICollectionService _collectionService;
    private readonly IDeleteCollectionCommand _deleteCollectionCommand;
    private readonly IUserService _userService;
    private readonly ICurrentContext _currentContext;
    private readonly IAuthorizationService _authorizationService;
    private readonly ICurrentContext _currentContext;
    private readonly IBulkAddCollectionAccessCommand _bulkAddCollectionAccessCommand;
    public CollectionsController(
        ICollectionRepository collectionRepository,
        ICollectionService collectionService,
        IDeleteCollectionCommand deleteCollectionCommand,
        IUserService userService,
        IAuthorizationService authorizationService,
        ICurrentContext currentContext,
-        IAuthorizationService authorizationService)
+        IBulkAddCollectionAccessCommand bulkAddCollectionAccessCommand)
    {
        _collectionRepository = collectionRepository;
        _collectionService = collectionService;
        _deleteCollectionCommand = deleteCollectionCommand;
        _userService = userService;
        _currentContext = currentContext;
        _authorizationService = authorizationService;
        _currentContext = currentContext;
        _bulkAddCollectionAccessCommand = bulkAddCollectionAccessCommand;
    }
    [HttpGet("{id}")]
@ -190,6 +193,29 @@ public class CollectionsController : Controller
        await _collectionRepository.UpdateUsersAsync(collection.Id, model?.Select(g => g.ToSelectionReadOnly()));
    }
    [HttpPost("bulk-access")]
    public async Task PostBulkCollectionAccess([FromBody] BulkCollectionAccessRequestModel model)
    {
        var collections = await _collectionRepository.GetManyByManyIdsAsync(model.CollectionIds);
        if (collections.Count != model.CollectionIds.Count())
        {
            throw new NotFoundException("One or more collections not found.");
        }
        var result = await _authorizationService.AuthorizeAsync(User, collections, CollectionOperations.ModifyAccess);
        if (!result.Succeeded)
        {
            throw new NotFoundException();
        }
        await _bulkAddCollectionAccessCommand.AddAccessAsync(
            collections,
            model.Users?.Select(u => u.ToSelectionReadOnly()).ToList(),
            model.Groups?.Select(g => g.ToSelectionReadOnly()).ToList());
    }
    [HttpDelete("{id}")]
    [HttpPost("{id}/delete")]
    public async Task Delete(Guid orgId, Guid id)
--- a/src/Api/Models/Request/BulkCollectionAccessRequestModel.cs
+++ b/src/Api/Models/Request/BulkCollectionAccessRequestModel.cs
@ -0,0 +1,8 @@
 namespace Bit.Api.Models.Request;
 public class BulkCollectionAccessRequestModel
 {
    public IEnumerable<Guid> CollectionIds { get; set; }
    public IEnumerable<SelectionReadOnlyRequestModel> Groups { get; set; }
    public IEnumerable<SelectionReadOnlyRequestModel> Users { get; set; }
 }
--- a/src/Api/Models/Request/SelectionReadOnlyRequestModel.cs
+++ b/src/Api/Models/Request/SelectionReadOnlyRequestModel.cs
@ -6,7 +6,7 @@ namespace Bit.Api.Models.Request;
 public class SelectionReadOnlyRequestModel
 {
    [Required]
-    public string Id { get; set; }
+    public Guid Id { get; set; }
    public bool ReadOnly { get; set; }
    public bool HidePasswords { get; set; }
    public bool Manage { get; set; }
@ -15,7 +15,7 @@ public class SelectionReadOnlyRequestModel
    {
        return new CollectionAccessSelection
        {
-            Id = new Guid(Id),
+            Id = Id,
            ReadOnly = ReadOnly,
            HidePasswords = HidePasswords,
            Manage = Manage,
--- a/src/Core/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommand.cs
@ -0,0 +1,95 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 namespace Bit.Core.OrganizationFeatures.OrganizationCollections;
 public class BulkAddCollectionAccessCommand : IBulkAddCollectionAccessCommand
 {
    private readonly ICollectionRepository _collectionRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IGroupRepository _groupRepository;
    private readonly IEventService _eventService;
    public BulkAddCollectionAccessCommand(
        ICollectionRepository collectionRepository,
        IOrganizationUserRepository organizationUserRepository,
        IGroupRepository groupRepository,
        IEventService eventService)
    {
        _collectionRepository = collectionRepository;
        _organizationUserRepository = organizationUserRepository;
        _groupRepository = groupRepository;
        _eventService = eventService;
    }
    public async Task AddAccessAsync(ICollection<Collection> collections,
        ICollection<CollectionAccessSelection> users,
        ICollection<CollectionAccessSelection> groups)
    {
        await ValidateRequestAsync(collections, users, groups);
        await _collectionRepository.CreateOrUpdateAccessForManyAsync(
            collections.First().OrganizationId,
            collections.Select(c => c.Id),
            users,
            groups
        );
        await _eventService.LogCollectionEventsAsync(collections.Select(c =>
            (c, EventType.Collection_Updated, (DateTime?)DateTime.UtcNow)));
    }
    private async Task ValidateRequestAsync(ICollection<Collection> collections, ICollection<CollectionAccessSelection> usersAccess, ICollection<CollectionAccessSelection> groupsAccess)
    {
        if (collections == null || collections.Count == 0)
        {
            throw new BadRequestException("No collections were provided.");
        }
        var orgId = collections.First().OrganizationId;
        if (collections.Any(c => c.OrganizationId != orgId))
        {
            throw new BadRequestException("All collections must belong to the same organization.");
        }
        var collectionUserIds = usersAccess?.Select(u => u.Id).Distinct().ToList();
        if (collectionUserIds is { Count: > 0 })
        {
            var users = await _organizationUserRepository.GetManyAsync(collectionUserIds);
            if (users.Count != collectionUserIds.Count)
            {
                throw new BadRequestException("One or more users do not exist.");
            }
            if (users.Any(u => u.OrganizationId != orgId))
            {
                throw new BadRequestException("One or more users do not belong to the same organization as the collection being assigned.");
            }
        }
        var collectionGroupIds = groupsAccess?.Select(g => g.Id).Distinct().ToList();
        if (collectionGroupIds is { Count: > 0 })
        {
            var groups = await _groupRepository.GetManyByManyIds(collectionGroupIds);
            if (groups.Count != collectionGroupIds.Count)
            {
                throw new BadRequestException("One or more groups do not exist.");
            }
            if (groups.Any(g => g.OrganizationId != orgId))
            {
                throw new BadRequestException("One or more groups do not belong to the same organization as the collection being assigned.");
            }
        }
    }
 }
--- a/src/Core/OrganizationFeatures/OrganizationCollections/Interfaces/IBulkAddCollectionAccessCommand.cs
+++ b/src/Core/OrganizationFeatures/OrganizationCollections/Interfaces/IBulkAddCollectionAccessCommand.cs
@ -0,0 +1,10 @@
 using Bit.Core.Entities;
 using Bit.Core.Models.Data;
 namespace Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
 public interface IBulkAddCollectionAccessCommand
 {
    Task AddAccessAsync(ICollection<Collection> collections,
        ICollection<CollectionAccessSelection> users, ICollection<CollectionAccessSelection> groups);
 }
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -98,6 +98,7 @@ public static class OrganizationServiceCollectionExtensions
    public static void AddOrganizationCollectionCommands(this IServiceCollection services)
    {
        services.AddScoped<IDeleteCollectionCommand, DeleteCollectionCommand>();
        services.AddScoped<IBulkAddCollectionAccessCommand, BulkAddCollectionAccessCommand>();
    }
    private static void AddOrganizationGroupCommands(this IServiceCollection services)
--- a/src/Core/Repositories/ICollectionRepository.cs
+++ b/src/Core/Repositories/ICollectionRepository.cs
@ -20,4 +20,6 @@ public interface ICollectionRepository : IRepository<Collection, Guid>
    Task UpdateUsersAsync(Guid id, IEnumerable<CollectionAccessSelection> users);
    Task<ICollection<CollectionAccessSelection>> GetManyUsersByIdAsync(Guid id);
    Task DeleteManyAsync(IEnumerable<Guid> collectionIds);
    Task CreateOrUpdateAccessForManyAsync(Guid organizationId, IEnumerable<Guid> collectionIds,
        IEnumerable<CollectionAccessSelection> users, IEnumerable<CollectionAccessSelection> groups);
 }
--- a/src/Infrastructure.Dapper/Repositories/CollectionRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/CollectionRepository.cs
@ -252,6 +252,21 @@ public class CollectionRepository : Repository<Collection, Guid>, ICollectionRep
        }
    }
    public async Task CreateOrUpdateAccessForManyAsync(Guid organizationId, IEnumerable<Guid> collectionIds,
        IEnumerable<CollectionAccessSelection> users, IEnumerable<CollectionAccessSelection> groups)
    {
        using (var connection = new SqlConnection(ConnectionString))
        {
            var usersArray = users != null ? users.ToArrayTVP() : Enumerable.Empty<CollectionAccessSelection>().ToArrayTVP();
            var groupsArray = groups != null ? groups.ToArrayTVP() : Enumerable.Empty<CollectionAccessSelection>().ToArrayTVP();
            var results = await connection.ExecuteAsync(
                $"[{Schema}].[Collection_CreateOrUpdateAccessForMany]",
                new { OrganizationId = organizationId, CollectionIds = collectionIds.ToGuidIdArrayTVP(), Users = usersArray, Groups = groupsArray },
                commandType: CommandType.StoredProcedure);
        }
    }
    public async Task CreateUserAsync(Guid collectionId, Guid organizationUserId)
    {
        using (var connection = new SqlConnection(ConnectionString))
--- a/src/Infrastructure.EntityFramework/Repositories/CollectionRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/CollectionRepository.cs
@ -473,6 +473,97 @@ public class CollectionRepository : Repository<Core.Entities.Collection, Collect
        }
    }
    public async Task CreateOrUpdateAccessForManyAsync(Guid organizationId, IEnumerable<Guid> collectionIds,
        IEnumerable<CollectionAccessSelection> users, IEnumerable<CollectionAccessSelection> groups)
    {
        using (var scope = ServiceScopeFactory.CreateScope())
        {
            var dbContext = GetDatabaseContext(scope);
            var collectionIdsList = collectionIds.ToList();
            if (users != null)
            {
                var existingCollectionUsers = await dbContext.CollectionUsers
                    .Where(cu => collectionIdsList.Contains(cu.CollectionId))
                    .ToDictionaryAsync(x => (x.CollectionId, x.OrganizationUserId));
                var requestedUsers = users.ToList();
                foreach (var collectionId in collectionIdsList)
                {
                    foreach (var requestedUser in requestedUsers)
                    {
                        if (!existingCollectionUsers.TryGetValue(
                                (collectionId, requestedUser.Id),
                                out var existingCollectionUser)
                            )
                        {
                            // This is a brand new entry
                            dbContext.CollectionUsers.Add(new CollectionUser
                            {
                                CollectionId = collectionId,
                                OrganizationUserId = requestedUser.Id,
                                HidePasswords = requestedUser.HidePasswords,
                                ReadOnly = requestedUser.ReadOnly,
                                Manage = requestedUser.Manage
                            });
                            continue;
                        }
                        // It already exists, update it
                        existingCollectionUser.HidePasswords = requestedUser.HidePasswords;
                        existingCollectionUser.ReadOnly = requestedUser.ReadOnly;
                        existingCollectionUser.Manage = requestedUser.Manage;
                        dbContext.CollectionUsers.Update(existingCollectionUser);
                    }
                }
            }
            if (groups != null)
            {
                var existingCollectionGroups = await dbContext.CollectionGroups
                    .Where(cu => collectionIdsList.Contains(cu.CollectionId))
                    .ToDictionaryAsync(x => (x.CollectionId, x.GroupId));
                var requestedGroups = groups.ToList();
                foreach (var collectionId in collectionIdsList)
                {
                    foreach (var requestedGroup in requestedGroups)
                    {
                        if (!existingCollectionGroups.TryGetValue(
                                (collectionId, requestedGroup.Id),
                                out var existingCollectionGroup)
                           )
                        {
                            // This is a brand new entry
                            dbContext.CollectionGroups.Add(new CollectionGroup()
                            {
                                CollectionId = collectionId,
                                GroupId = requestedGroup.Id,
                                HidePasswords = requestedGroup.HidePasswords,
                                ReadOnly = requestedGroup.ReadOnly,
                                Manage = requestedGroup.Manage
                            });
                            continue;
                        }
                        // It already exists, update it
                        existingCollectionGroup.HidePasswords = requestedGroup.HidePasswords;
                        existingCollectionGroup.ReadOnly = requestedGroup.ReadOnly;
                        existingCollectionGroup.Manage = requestedGroup.Manage;
                        dbContext.CollectionGroups.Update(existingCollectionGroup);
                    }
                }
            }
            // Need to save the new collection users/groups before running the bump revision code
            await dbContext.SaveChangesAsync();
            await dbContext.UserBumpAccountRevisionDateByCollectionIdsAsync(collectionIdsList, organizationId);
            await dbContext.SaveChangesAsync();
        }
    }
    private async Task ReplaceCollectionGroupsAsync(DatabaseContext dbContext, Core.Entities.Collection collection, IEnumerable<CollectionAccessSelection> groups)
    {
        var groupsInOrg = dbContext.Groups.Where(g => g.OrganizationId == collection.OrganizationId);
--- a/src/Infrastructure.EntityFramework/Repositories/DatabaseContextExtensions.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/DatabaseContextExtensions.cs
@ -74,6 +74,39 @@ public static class DatabaseContextExtensions
        UpdateUserRevisionDate(users);
    }
    public static async Task UserBumpAccountRevisionDateByCollectionIdsAsync(this DatabaseContext context, IEnumerable<Guid> collectionIds, Guid organizationId)
    {
        var query = from u in context.Users
                    from c in context.Collections
                    join ou in context.OrganizationUsers
                        on u.Id equals ou.UserId
                    join cu in context.CollectionUsers
                        on new { ou.AccessAll, OrganizationUserId = ou.Id, CollectionId = c.Id } equals
                        new { AccessAll = false, cu.OrganizationUserId, cu.CollectionId } into cu_g
                    from cu in cu_g.DefaultIfEmpty()
                    join gu in context.GroupUsers
                        on new { CollectionId = (Guid?)cu.CollectionId, ou.AccessAll, OrganizationUserId = ou.Id } equals
                        new { CollectionId = (Guid?)null, AccessAll = false, gu.OrganizationUserId } into gu_g
                    from gu in gu_g.DefaultIfEmpty()
                    join g in context.Groups
                        on gu.GroupId equals g.Id into g_g
                    from g in g_g.DefaultIfEmpty()
                    join cg in context.CollectionGroups
                        on new { g.AccessAll, gu.GroupId, CollectionId = c.Id } equals
                        new { AccessAll = false, cg.GroupId, cg.CollectionId } into cg_g
                    from cg in cg_g.DefaultIfEmpty()
                    where ou.OrganizationId == organizationId && collectionIds.Contains(c.Id) &&
                      ou.Status == OrganizationUserStatusType.Confirmed &&
                        (cu.CollectionId != null ||
                        cg.CollectionId != null ||
                        ou.AccessAll == true ||
                        g.AccessAll == true)
                    select u;
        var users = await query.ToListAsync();
        UpdateUserRevisionDate(users);
    }
    public static async Task UserBumpAccountRevisionDateByOrganizationUserIdAsync(this DatabaseContext context, Guid organizationUserId)
    {
        var query = from u in context.Users
--- a/Procedures/Collection_CreateOrUpdateAccessForMany.sql
+++ b/Procedures/Collection_CreateOrUpdateAccessForMany.sql
@ -0,0 +1,97 @@
 CREATE PROCEDURE [dbo].[Collection_CreateOrUpdateAccessForMany]
 	@OrganizationId UNIQUEIDENTIFIER,
 	@CollectionIds AS [dbo].[GuidIdArray] READONLY,
    @Groups AS [dbo].[SelectionReadOnlyArray] READONLY,
    @Users AS [dbo].[SelectionReadOnlyArray] READONLY
 AS
 BEGIN
 	SET NOCOUNT ON
 	 -- Groups
 	;WITH [NewCollectionGroups] AS (
 		SELECT
 			cId.[Id] AS [CollectionId],
 			cg.[Id] AS [GroupId],
 			cg.[ReadOnly],
 			cg.[HidePasswords],
 			cg.[Manage]
 		FROM
 			@Groups AS cg
 		CROSS JOIN -- Create a CollectionGroup record for every CollectionId
 			@CollectionIds cId
 		INNER JOIN
 			[dbo].[Group] g ON cg.[Id] = g.[Id]
 		WHERE
 			g.[OrganizationId] = @OrganizationId
 	)
    MERGE
    	[dbo].[CollectionGroup] as [Target]
 	USING
 		[NewCollectionGroups] AS [Source]
 	ON
 		[Target].[CollectionId] = [Source].[CollectionId]
 		AND [Target].[GroupId] = [Source].[GroupId]
    -- Update the target if any values are different from the source
 	WHEN MATCHED AND EXISTS(
 		SELECT [Source].[ReadOnly], [Source].[HidePasswords], [Source].[Manage]
 		EXCEPT
 		SELECT [Target].[ReadOnly], [Target].[HidePasswords], [Target].[Manage]
 	) THEN UPDATE SET
 		[Target].[ReadOnly] = [Source].[ReadOnly],
 		[Target].[HidePasswords] = [Source].[HidePasswords],
 		[Target].[Manage] = [Source].[Manage]
 	WHEN NOT MATCHED BY TARGET
 		THEN INSERT VALUES
 		(
 			[Source].[CollectionId],
 			[Source].[GroupId],
 			[Source].[ReadOnly],
 			[Source].[HidePasswords],
 			[Source].[Manage]
 		);
 	-- Users
 	;WITH [NewCollectionUsers] AS (
 		SELECT
 			cId.[Id] AS [CollectionId],
 			cu.[Id] AS [OrganizationUserId],
 			cu.[ReadOnly],
 			cu.[HidePasswords],
 			cu.[Manage]
 		FROM
 			@Users AS cu
 		CROSS JOIN -- Create a CollectionUser record for every CollectionId
 			@CollectionIds cId
 		INNER JOIN
 			[dbo].[OrganizationUser] u ON cu.[Id] = u.[Id]
 		WHERE
 			u.[OrganizationId] = @OrganizationId
 	)
    MERGE
    	[dbo].[CollectionUser] as [Target]
 	USING
 		[NewCollectionUsers] AS [Source]
 	ON
 		[Target].[CollectionId] = [Source].[CollectionId]
 		AND [Target].[OrganizationUserId] = [Source].[OrganizationUserId]
    -- Update the target if any values are different from the source
 	WHEN MATCHED AND EXISTS(
 		SELECT [Source].[ReadOnly], [Source].[HidePasswords], [Source].[Manage]
 		EXCEPT
 		SELECT [Target].[ReadOnly], [Target].[HidePasswords], [Target].[Manage]
 	) THEN UPDATE SET
 		[Target].[ReadOnly] = [Source].[ReadOnly],
 		[Target].[HidePasswords] = [Source].[HidePasswords],
 		[Target].[Manage] = [Source].[Manage]
 	WHEN NOT MATCHED BY TARGET
 		THEN INSERT VALUES
 		(
 			[Source].[CollectionId],
 			[Source].[OrganizationUserId],
 			[Source].[ReadOnly],
 			[Source].[HidePasswords],
 			[Source].[Manage]
 		);
    EXEC [dbo].[User_BumpAccountRevisionDateByCollectionIds] @CollectionIds, @OrganizationId
 END
--- a/Procedures/User_BumpAccountRevisionDateByCollectionIds.sql
+++ b/Procedures/User_BumpAccountRevisionDateByCollectionIds.sql
@ -0,0 +1,35 @@
 CREATE PROCEDURE [dbo].[User_BumpAccountRevisionDateByCollectionIds]
 	@CollectionIds AS [dbo].[GuidIdArray] READONLY,
 	@OrganizationId UNIQUEIDENTIFIER
 AS
 BEGIN
 	SET NOCOUNT ON
 UPDATE
    U
 SET
    U.[AccountRevisionDate] = GETUTCDATE()
    FROM
        [dbo].[User] U
    INNER JOIN
    	[dbo].[Collection] C ON C.[Id] IN (SELECT [Id] FROM @CollectionIds)
    INNER JOIN
    [dbo].[OrganizationUser] OU ON OU.[UserId] = U.[Id]
    LEFT JOIN
    [dbo].[CollectionUser] CU ON OU.[AccessAll] = 0 AND CU.[OrganizationUserId] = OU.[Id] AND CU.[CollectionId] = C.[Id]
    LEFT JOIN
    [dbo].[GroupUser] GU ON CU.[CollectionId] IS NULL AND OU.[AccessAll] = 0 AND GU.[OrganizationUserId] = OU.[Id]
    LEFT JOIN
    [dbo].[Group] G ON G.[Id] = GU.[GroupId]
    LEFT JOIN
    [dbo].[CollectionGroup] CG ON G.[AccessAll] = 0 AND CG.[GroupId] = GU.[GroupId] AND CG.[CollectionId] = C.[Id]
 WHERE
    OU.[OrganizationId] = @OrganizationId
  AND OU.[Status] = 2 -- 2 = Confirmed
  AND (
    CU.[CollectionId] IS NOT NULL
   OR CG.[CollectionId] IS NOT NULL
   OR OU.[AccessAll] = 1
   OR G.[AccessAll] = 1
    )
 END
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@ -221,4 +221,120 @@ public class CollectionsControllerTests
            .DidNotReceiveWithAnyArgs()
            .DeleteManyAsync((IEnumerable<Collection>)default);
    }
    [Theory, BitAutoData]
    public async Task PostBulkCollectionAccess_Success(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
    {
        // Arrange
        var userId = Guid.NewGuid();
        var groupId = Guid.NewGuid();
        var model = new BulkCollectionAccessRequestModel
        {
            CollectionIds = collections.Select(c => c.Id),
            Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
            Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
        };
        sutProvider.GetDependency<ICollectionRepository>()
            .GetManyByManyIdsAsync(model.CollectionIds)
            .Returns(collections);
        sutProvider.GetDependency<ICurrentContext>()
            .UserId.Returns(actingUser.Id);
        sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
                Arg.Any<ClaimsPrincipal>(), ExpectedCollectionAccess(),
                Arg.Is<IEnumerable<IAuthorizationRequirement>>(
                    r => r.Contains(CollectionOperations.ModifyAccess)
                ))
            .Returns(AuthorizationResult.Success());
        IEnumerable<Collection> ExpectedCollectionAccess() => Arg.Is<IEnumerable<Collection>>(cols => cols.SequenceEqual(collections));
        // Act
        await sutProvider.Sut.PostBulkCollectionAccess(model);
        // Assert
        await sutProvider.GetDependency<IAuthorizationService>().Received().AuthorizeAsync(
            Arg.Any<ClaimsPrincipal>(),
            ExpectedCollectionAccess(),
            Arg.Is<IEnumerable<IAuthorizationRequirement>>(
                r => r.Contains(CollectionOperations.ModifyAccess))
            );
        await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().Received()
            .AddAccessAsync(
                Arg.Is<ICollection<Collection>>(g => g.SequenceEqual(collections)),
                Arg.Is<ICollection<CollectionAccessSelection>>(u => u.All(c => c.Id == userId && c.Manage)),
                Arg.Is<ICollection<CollectionAccessSelection>>(g => g.All(c => c.Id == groupId && c.ReadOnly)));
    }
    [Theory, BitAutoData]
    public async Task PostBulkCollectionAccess_CollectionsNotFound_Throws(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
    {
        var userId = Guid.NewGuid();
        var groupId = Guid.NewGuid();
        var model = new BulkCollectionAccessRequestModel
        {
            CollectionIds = collections.Select(c => c.Id),
            Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
            Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
        };
        sutProvider.GetDependency<ICurrentContext>()
            .UserId.Returns(actingUser.Id);
        sutProvider.GetDependency<ICollectionRepository>()
            .GetManyByManyIdsAsync(model.CollectionIds)
            .Returns(collections.Skip(1).ToList());
        var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostBulkCollectionAccess(model));
        Assert.Equal("One or more collections not found.", exception.Message);
        await sutProvider.GetDependency<IAuthorizationService>().DidNotReceiveWithAnyArgs().AuthorizeAsync(
            Arg.Any<ClaimsPrincipal>(),
            Arg.Any<IEnumerable<Collection>>(),
            Arg.Any<IEnumerable<IAuthorizationRequirement>>()
        );
        await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
            .AddAccessAsync(default, default, default);
    }
    [Theory, BitAutoData]
    public async Task PostBulkCollectionAccess_AccessDenied_Throws(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
    {
        var userId = Guid.NewGuid();
        var groupId = Guid.NewGuid();
        var model = new BulkCollectionAccessRequestModel
        {
            CollectionIds = collections.Select(c => c.Id),
            Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
            Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
        };
        sutProvider.GetDependency<ICurrentContext>()
            .UserId.Returns(actingUser.Id);
        sutProvider.GetDependency<ICollectionRepository>()
            .GetManyByManyIdsAsync(model.CollectionIds)
            .Returns(collections);
        sutProvider.GetDependency<IAuthorizationService>().AuthorizeAsync(
                Arg.Any<ClaimsPrincipal>(), ExpectedCollectionAccess(),
                Arg.Is<IEnumerable<IAuthorizationRequirement>>(
                    r => r.Contains(CollectionOperations.ModifyAccess)
                ))
            .Returns(AuthorizationResult.Failed());
        IEnumerable<Collection> ExpectedCollectionAccess() => Arg.Is<IEnumerable<Collection>>(cols => cols.SequenceEqual(collections));
        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostBulkCollectionAccess(model));
        await sutProvider.GetDependency<IAuthorizationService>().Received().AuthorizeAsync(
            Arg.Any<ClaimsPrincipal>(),
            ExpectedCollectionAccess(),
            Arg.Is<IEnumerable<IAuthorizationRequirement>>(
                r => r.Contains(CollectionOperations.ModifyAccess))
            );
        await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
            .AddAccessAsync(default, default, default);
    }
 }
--- a/test/Core.Test/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommandTests.cs
@ -0,0 +1,271 @@
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.Vault.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
 namespace Bit.Core.Test.OrganizationFeatures.OrganizationCollections;
 [SutProviderCustomize]
 public class BulkAddCollectionAccessCommandTests
 {
    [Theory, BitAutoData, CollectionCustomization]
    public async Task AddAccessAsync_Success(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        Organization org,
        ICollection<Collection> collections,
        ICollection<OrganizationUser> organizationUsers,
        ICollection<Group> groups,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
            )
            .Returns(organizationUsers);
        sutProvider.GetDependency<IGroupRepository>()
            .GetManyByManyIds(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionGroups.Select(u => u.GroupId)))
            )
            .Returns(groups);
        var userAccessSelections = ToAccessSelection(collectionUsers);
        var groupAccessSelections = ToAccessSelection(collectionGroups);
        await sutProvider.Sut.AddAccessAsync(collections,
            userAccessSelections,
            groupAccessSelections
        );
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received().GetManyAsync(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(userAccessSelections.Select(u => u.Id)))
        );
        await sutProvider.GetDependency<IGroupRepository>().Received().GetManyByManyIds(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(groupAccessSelections.Select(g => g.Id)))
        );
        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateOrUpdateAccessForManyAsync(
            org.Id,
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collections.Select(c => c.Id))),
            userAccessSelections,
            groupAccessSelections);
        await sutProvider.GetDependency<IEventService>().Received().LogCollectionEventsAsync(
            Arg.Is<IEnumerable<(Collection, EventType, DateTime?)>>(
                events => events.All(e =>
                    collections.Contains(e.Item1) &&
                    e.Item2 == EventType.Collection_Updated &&
                    e.Item3.HasValue
                )
            )
        );
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_NoCollectionsProvided_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider)
    {
        var exception =
            await Assert.ThrowsAsync<BadRequestException>(
                () => sutProvider.Sut.AddAccessAsync(null, null, null));
        Assert.Contains("No collections were provided.", exception.Message);
        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIdsAsync(default);
        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetManyAsync(default);
        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_NoCollection_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(Enumerable.Empty<Collection>().ToList(),
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("No collections were provided.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetManyAsync(default);
        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_DifferentOrgs_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        ICollection<Collection> collections,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        collections.First().OrganizationId = Guid.NewGuid();
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("All collections must belong to the same organization.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetManyAsync(default);
        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_MissingUser_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        IList<Collection> collections,
        IList<OrganizationUser> organizationUsers,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        organizationUsers.RemoveAt(0);
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
            )
            .Returns(organizationUsers);
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("One or more users do not exist.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received().GetManyAsync(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
        );
        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_UserWrongOrg_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        IList<Collection> collections,
        IList<OrganizationUser> organizationUsers,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        organizationUsers.First().OrganizationId = Guid.NewGuid();
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
            )
            .Returns(organizationUsers);
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("One or more users do not belong to the same organization as the collection being assigned.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received().GetManyAsync(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
        );
        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_MissingGroup_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        IList<Collection> collections,
        IList<OrganizationUser> organizationUsers,
        IList<Group> groups,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        groups.RemoveAt(0);
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
            )
            .Returns(organizationUsers);
        sutProvider.GetDependency<IGroupRepository>()
            .GetManyByManyIds(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionGroups.Select(u => u.GroupId)))
            )
            .Returns(groups);
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("One or more groups do not exist.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received().GetManyAsync(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
        );
        await sutProvider.GetDependency<IGroupRepository>().Received().GetManyByManyIds(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionGroups.Select(u => u.GroupId)))
        );
    }
    [Theory, BitAutoData, CollectionCustomization]
    public async Task ValidateRequestAsync_GroupWrongOrg_Failure(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
        IList<Collection> collections,
        IList<OrganizationUser> organizationUsers,
        IList<Group> groups,
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
        groups.First().OrganizationId = Guid.NewGuid();
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
            )
            .Returns(organizationUsers);
        sutProvider.GetDependency<IGroupRepository>()
            .GetManyByManyIds(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionGroups.Select(u => u.GroupId)))
            )
            .Returns(groups);
        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
            ToAccessSelection(collectionUsers),
            ToAccessSelection(collectionGroups)
        ));
        Assert.Contains("One or more groups do not belong to the same organization as the collection being assigned.", exception.Message);
        await sutProvider.GetDependency<IOrganizationUserRepository>().Received().GetManyAsync(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
        );
        await sutProvider.GetDependency<IGroupRepository>().Received().GetManyByManyIds(
            Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionGroups.Select(u => u.GroupId)))
        );
    }
    private static ICollection<CollectionAccessSelection> ToAccessSelection(IEnumerable<CollectionUser> collectionUsers)
    {
        return collectionUsers.Select(cu => new CollectionAccessSelection
        {
            Id = cu.OrganizationUserId,
            Manage = cu.Manage,
            HidePasswords = cu.HidePasswords,
            ReadOnly = cu.ReadOnly
        }).ToList();
    }
    private static ICollection<CollectionAccessSelection> ToAccessSelection(IEnumerable<CollectionGroup> collectionGroups)
    {
        return collectionGroups.Select(cg => new CollectionAccessSelection
        {
            Id = cg.GroupId,
            Manage = cg.Manage,
            HidePasswords = cg.HidePasswords,
            ReadOnly = cg.ReadOnly
        }).ToList();
    }
 }
--- a/test/Core.Test/Vault/AutoFixture/CollectionFixture.cs
+++ b/test/Core.Test/Vault/AutoFixture/CollectionFixture.cs
@ -17,6 +17,9 @@ public class CollectionCustomization : ICustomization
    {
        var orgId = Guid.NewGuid();
        fixture.Customize<Organization>(composer => composer
            .With(o => o.Id, orgId));
        fixture.Customize<CurrentContextOrganization>(composer => composer
            .With(o => o.Id, orgId));
--- a/util/Migrator/DbScripts/2023-08-25_00_BulkAddCollectionAccess.sql
+++ b/util/Migrator/DbScripts/2023-08-25_00_BulkAddCollectionAccess.sql
@ -0,0 +1,135 @@
 CREATE OR ALTER PROCEDURE [dbo].[User_BumpAccountRevisionDateByCollectionIds]
 	@CollectionIds AS [dbo].[GuidIdArray] READONLY,
 	@OrganizationId UNIQUEIDENTIFIER
 AS
 BEGIN
 	SET NOCOUNT ON
 UPDATE
    U
 SET
    U.[AccountRevisionDate] = GETUTCDATE()
    FROM
        [dbo].[User] U
    INNER JOIN
    	[dbo].[Collection] C ON C.[Id] IN (SELECT [Id] FROM @CollectionIds)
    INNER JOIN
    [dbo].[OrganizationUser] OU ON OU.[UserId] = U.[Id]
    LEFT JOIN
    [dbo].[CollectionUser] CU ON OU.[AccessAll] = 0 AND CU.[OrganizationUserId] = OU.[Id] AND CU.[CollectionId] = C.[Id]
    LEFT JOIN
    [dbo].[GroupUser] GU ON CU.[CollectionId] IS NULL AND OU.[AccessAll] = 0 AND GU.[OrganizationUserId] = OU.[Id]
    LEFT JOIN
    [dbo].[Group] G ON G.[Id] = GU.[GroupId]
    LEFT JOIN
    [dbo].[CollectionGroup] CG ON G.[AccessAll] = 0 AND CG.[GroupId] = GU.[GroupId] AND CG.[CollectionId] = C.[Id]
 WHERE
    OU.[OrganizationId] = @OrganizationId
  AND OU.[Status] = 2 -- 2 = Confirmed
  AND (
    CU.[CollectionId] IS NOT NULL
   OR CG.[CollectionId] IS NOT NULL
   OR OU.[AccessAll] = 1
   OR G.[AccessAll] = 1
    )
 END
 GO
 CREATE OR ALTER PROCEDURE [dbo].[Collection_CreateOrUpdateAccessForMany]
 	@OrganizationId UNIQUEIDENTIFIER,
 	@CollectionIds AS [dbo].[GuidIdArray] READONLY,
    @Groups AS [dbo].[SelectionReadOnlyArray] READONLY,
    @Users AS [dbo].[SelectionReadOnlyArray] READONLY
 AS
 BEGIN
 	SET NOCOUNT ON
 	 -- Groups
 	;WITH [NewCollectionGroups] AS (
 		SELECT
 			cId.[Id] AS [CollectionId],
 			cg.[Id] AS [GroupId],
 			cg.[ReadOnly],
 			cg.[HidePasswords],
 			cg.[Manage]
 		FROM
 			@Groups AS cg
 		CROSS JOIN -- Create a CollectionGroup record for every CollectionId
 			@CollectionIds cId
 		INNER JOIN
 			[dbo].[Group] g ON cg.[Id] = g.[Id]
 		WHERE
 			g.[OrganizationId] = @OrganizationId
 	)
    MERGE
    	[dbo].[CollectionGroup] as [Target]
 	USING
 		[NewCollectionGroups] AS [Source]
 	ON
 		[Target].[CollectionId] = [Source].[CollectionId]
 		AND [Target].[GroupId] = [Source].[GroupId]
    -- Update the target if any values are different from the source
 	WHEN MATCHED AND EXISTS(
 		SELECT [Source].[ReadOnly], [Source].[HidePasswords], [Source].[Manage]
 		EXCEPT
 		SELECT [Target].[ReadOnly], [Target].[HidePasswords], [Target].[Manage]
 	) THEN UPDATE SET
 		[Target].[ReadOnly] = [Source].[ReadOnly],
 		[Target].[HidePasswords] = [Source].[HidePasswords],
 		[Target].[Manage] = [Source].[Manage]
 	WHEN NOT MATCHED BY TARGET
 		THEN INSERT VALUES
 		(
 			[Source].[CollectionId],
 			[Source].[GroupId],
 			[Source].[ReadOnly],
 			[Source].[HidePasswords],
 			[Source].[Manage]
 		);
 	-- Users
 	;WITH [NewCollectionUsers] AS (
 		SELECT
 			cId.[Id] AS [CollectionId],
 			cu.[Id] AS [OrganizationUserId],
 			cu.[ReadOnly],
 			cu.[HidePasswords],
 			cu.[Manage]
 		FROM
 			@Users AS cu
 		CROSS JOIN -- Create a CollectionUser record for every CollectionId
 			@CollectionIds cId
 		INNER JOIN
 			[dbo].[OrganizationUser] u ON cu.[Id] = u.[Id]
 		WHERE
 			u.[OrganizationId] = @OrganizationId
 	)
    MERGE
    	[dbo].[CollectionUser] as [Target]
 	USING
 		[NewCollectionUsers] AS [Source]
 	ON
 		[Target].[CollectionId] = [Source].[CollectionId]
 		AND [Target].[OrganizationUserId] = [Source].[OrganizationUserId]
    -- Update the target if any values are different from the source
 	WHEN MATCHED AND EXISTS(
 		SELECT [Source].[ReadOnly], [Source].[HidePasswords], [Source].[Manage]
 		EXCEPT
 		SELECT [Target].[ReadOnly], [Target].[HidePasswords], [Target].[Manage]
 	) THEN UPDATE SET
 		[Target].[ReadOnly] = [Source].[ReadOnly],
 		[Target].[HidePasswords] = [Source].[HidePasswords],
 		[Target].[Manage] = [Source].[Manage]
 	WHEN NOT MATCHED BY TARGET
 		THEN INSERT VALUES
 		(
 			[Source].[CollectionId],
 			[Source].[OrganizationUserId],
 			[Source].[ReadOnly],
 			[Source].[HidePasswords],
 			[Source].[Manage]
 		);
    EXEC [dbo].[User_BumpAccountRevisionDateByCollectionIds] @CollectionIds, @OrganizationId
 END
 GO