diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1d66ccb4b6..7d87fce8f8 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -2,6 +2,10 @@
 #
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
+# The following owners will be the default owners for everything in the repo.
+# Unless a later match takes precedence
+* @bitwarden/tech-leads
+
 # DevOps for Actions and other workflow changes.
 .github/workflows @bitwarden/dept-devops
 
@@ -18,4 +22,14 @@ src/Identity @bitwarden/team-auth-dev
 bitwarden_license/src/Scim @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.IntegrationTest @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.ScimTest @bitwarden/team-admin-console-dev
-**/AdminConsole @bitwarden/team-admin-console-dev
\ No newline at end of file
+**/AdminConsole @bitwarden/team-admin-console-dev
+
+# Billing Team
+**/*billing* @bitwarden/team-billing-dev
+**/*subscription* @bitwarden/team-billing-dev
+**/*stripe* @bitwarden/team-billing-dev
+**/*paypal* @bitwarden/team-billing-dev
+**/*braintree* @bitwarden/team-billing-dev
+**/*bitpay* @bitwarden/team-billing-dev
+**/*freshdesk* @bitwarden/team-billing-dev
+**/*freshsales* @bitwarden/team-billing-dev
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b2acef85f1..c394585aa9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -277,7 +277,7 @@ jobs:
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@@ -528,7 +528,7 @@ jobs:
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
@@ -603,7 +603,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         if: failure()
         with:
           keyvault: "bitwarden-ci"
diff --git a/.github/workflows/container-registry-purge.yml b/.github/workflows/container-registry-purge.yml
index e87a2edd05..3fef44b35a 100644
--- a/.github/workflows/container-registry-purge.yml
+++ b/.github/workflows/container-registry-purge.yml
@@ -92,7 +92,7 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         if: failure()
         with:
           keyvault: "bitwarden-ci"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6dcbd03e7..73c6a779f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: Check Release Version
         id: version
-        uses: bitwarden/gh-actions/release-version-check@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/release-version-check@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           release-type: ${{ github.event.inputs.release_type }}
           project-type: dotnet
@@ -89,7 +89,7 @@ jobs:
 
       - name: Download latest Release ${{ matrix.name }} asset
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -98,7 +98,7 @@ jobs:
 
       - name: Dry Run - Download latest Release ${{ matrix.name }} asset
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -274,7 +274,7 @@ jobs:
     steps:
       - name: Download latest Release Docker Stubs
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build.yml
           workflow_conclusion: success
@@ -287,7 +287,7 @@ jobs:
 
       - name: Dry Run - Download latest Release Docker Stubs
         if: ${{ github.event.inputs.release_type == 'Dry Run' }}
-        uses: bitwarden/gh-actions/download-artifacts@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/download-artifacts@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           workflow: build.yml
           workflow_conclusion: success
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index d82a562502..65fa38dd57 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -23,13 +23,13 @@ jobs:
 
       - name: Retrieve secrets
         id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/get-keyvault-secrets@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           keyvault: "bitwarden-ci"
           secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5.4.0
+        uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
         with:
           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
@@ -40,7 +40,7 @@ jobs:
         run: git switch -c version_bump_${{ github.event.inputs.version_number }}
 
       - name: Bump Version - Props
-        uses: bitwarden/gh-actions/version-bump@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+        uses: bitwarden/gh-actions/version-bump@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
         with:
           version: ${{ github.event.inputs.version_number }}
           file_path: "Directory.Build.props"
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
index d6f21ba717..49388c11f8 100644
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@@ -8,4 +8,4 @@ on:
 
 jobs:
   call-workflow:
-    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@fdcf1fcec3b04762ce48216cbf3af32498bed74c
+    uses: bitwarden/gh-actions/.github/workflows/workflow-linter.yml@f1125802b1ccae8c601d7c4f61ce39ea254b10c8
diff --git a/Directory.Build.props b/Directory.Build.props
index 952cacd42b..6820a03e37 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
-    <Version>2023.9.0</Version>
+    <Version>2023.9.1</Version>
     <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
     <ImplicitUsings>enable</ImplicitUsings>
diff --git a/src/Api/Controllers/CollectionsController.cs b/src/Api/Controllers/CollectionsController.cs
index 419ee8d816..e4010d0018 100644
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@@ -161,7 +161,7 @@ public class CollectionsController : Controller
         var groups = model.Groups?.Select(g => g.ToSelectionReadOnly());
         var users = model.Users?.Select(g => g.ToSelectionReadOnly());
 
-        await _collectionService.SaveAsync(collection, groups, users, _currentContext.UserId);
+        await _collectionService.SaveAsync(collection, groups, users);
         return new CollectionResponseModel(collection);
     }
 
diff --git a/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs b/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
index 7c3993c587..982ca7cd28 100644
--- a/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationResponseModel.cs
@@ -118,6 +118,7 @@ public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
     {
         Subscription = subscription.Subscription != null ? new BillingSubscription(subscription.Subscription) : null;
         UpcomingInvoice = subscription.UpcomingInvoice != null ? new BillingSubscriptionUpcomingInvoice(subscription.UpcomingInvoice) : null;
+        Discount = subscription.Discount != null ? new BillingCustomerDiscount(subscription.Discount) : null;
         Expiration = DateTime.UtcNow.AddYears(1); // Not used, so just give it a value.
 
         if (hideSensitiveData)
@@ -148,6 +149,7 @@ public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
 
     public string StorageName { get; set; }
     public double? StorageGb { get; set; }
+    public BillingCustomerDiscount Discount { get; set; }
     public BillingSubscription Subscription { get; set; }
     public BillingSubscriptionUpcomingInvoice UpcomingInvoice { get; set; }
 
diff --git a/src/Api/Models/Response/SubscriptionResponseModel.cs b/src/Api/Models/Response/SubscriptionResponseModel.cs
index 4c0ee9338b..042da2e9e6 100644
--- a/src/Api/Models/Response/SubscriptionResponseModel.cs
+++ b/src/Api/Models/Response/SubscriptionResponseModel.cs
@@ -14,6 +14,7 @@ public class SubscriptionResponseModel : ResponseModel
         Subscription = subscription.Subscription != null ? new BillingSubscription(subscription.Subscription) : null;
         UpcomingInvoice = subscription.UpcomingInvoice != null ?
             new BillingSubscriptionUpcomingInvoice(subscription.UpcomingInvoice) : null;
+        Discount = subscription.Discount != null ? new BillingCustomerDiscount(subscription.Discount) : null;
         StorageName = user.Storage.HasValue ? CoreHelpers.ReadableBytesSize(user.Storage.Value) : null;
         StorageGb = user.Storage.HasValue ? Math.Round(user.Storage.Value / 1073741824D, 2) : 0; // 1 GB
         MaxStorageGb = user.MaxStorageGb;
@@ -41,11 +42,24 @@ public class SubscriptionResponseModel : ResponseModel
     public short? MaxStorageGb { get; set; }
     public BillingSubscriptionUpcomingInvoice UpcomingInvoice { get; set; }
     public BillingSubscription Subscription { get; set; }
+    public BillingCustomerDiscount Discount { get; set; }
     public UserLicense License { get; set; }
     public DateTime? Expiration { get; set; }
     public bool UsingInAppPurchase { get; set; }
 }
 
+public class BillingCustomerDiscount
+{
+    public BillingCustomerDiscount(SubscriptionInfo.BillingCustomerDiscount discount)
+    {
+        Id = discount.Id;
+        Active = discount.Active;
+    }
+
+    public string Id { get; set; }
+    public bool Active { get; set; }
+}
+
 public class BillingSubscription
 {
     public BillingSubscription(SubscriptionInfo.BillingSubscription sub)
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index b248821f34..7d3a71c155 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -20,7 +20,7 @@ public static class Constants
     /// </summary>
     public const int OrganizationSelfHostSubscriptionGracePeriodDays = 60;
 
-    public const string CipherKeyEncryptionMinimumVersion = "2023.9.1";
+    public const string CipherKeyEncryptionMinimumVersion = "2023.9.2";
 }
 
 public static class TokenPurposes
diff --git a/src/Core/Models/Business/SubscriptionInfo.cs b/src/Core/Models/Business/SubscriptionInfo.cs
index c72e291de0..87fe3157c2 100644
--- a/src/Core/Models/Business/SubscriptionInfo.cs
+++ b/src/Core/Models/Business/SubscriptionInfo.cs
@@ -5,10 +5,25 @@ namespace Bit.Core.Models.Business;
 
 public class SubscriptionInfo
 {
+    public BillingCustomerDiscount Discount { get; set; }
     public BillingSubscription Subscription { get; set; }
     public BillingUpcomingInvoice UpcomingInvoice { get; set; }
     public bool UsingInAppPurchase { get; set; }
 
+    public class BillingCustomerDiscount
+    {
+        public BillingCustomerDiscount() { }
+
+        public BillingCustomerDiscount(Discount discount)
+        {
+            Id = discount.Id;
+            Active = discount.Start != null && discount.End == null;
+        }
+
+        public string Id { get; }
+        public bool Active { get; }
+    }
+
     public class BillingSubscription
     {
         public BillingSubscription(Subscription sub)
diff --git a/src/Core/Services/ICollectionService.cs b/src/Core/Services/ICollectionService.cs
index 931993dacb..4d392a7722 100644
--- a/src/Core/Services/ICollectionService.cs
+++ b/src/Core/Services/ICollectionService.cs
@@ -5,7 +5,7 @@ namespace Bit.Core.Services;
 
 public interface ICollectionService
 {
-    Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null, IEnumerable<CollectionAccessSelection> users = null, Guid? assignUserId = null);
+    Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null, IEnumerable<CollectionAccessSelection> users = null);
     Task DeleteUserAsync(Collection collection, Guid organizationUserId);
     Task<IEnumerable<Collection>> GetOrganizationCollectionsAsync(Guid organizationId);
 }
diff --git a/src/Core/Services/Implementations/CollectionService.cs b/src/Core/Services/Implementations/CollectionService.cs
index 6525fdc210..b2beccbbce 100644
--- a/src/Core/Services/Implementations/CollectionService.cs
+++ b/src/Core/Services/Implementations/CollectionService.cs
@@ -41,7 +41,7 @@ public class CollectionService : ICollectionService
     }
 
     public async Task SaveAsync(Collection collection, IEnumerable<CollectionAccessSelection> groups = null,
-        IEnumerable<CollectionAccessSelection> users = null, Guid? assignUserId = null)
+        IEnumerable<CollectionAccessSelection> users = null)
     {
         var org = await _organizationRepository.GetByIdAsync(collection.OrganizationId);
         if (org == null)
@@ -49,6 +49,16 @@ public class CollectionService : ICollectionService
             throw new BadRequestException("Organization not found");
         }
 
+        var groupsList = groups?.ToList();
+        var usersList = users?.ToList();
+        var groupHasManageAccess = groupsList?.Any(g => g.Manage) ?? false;
+        var userHasManageAccess = usersList?.Any(u => u.Manage) ?? false;
+        if (!groupHasManageAccess && !userHasManageAccess)
+        {
+            throw new BadRequestException(
+                "At least one member or group must have can manage permission.");
+        }
+
         if (collection.Id == default(Guid))
         {
             if (org.MaxCollections.HasValue)
@@ -61,26 +71,13 @@ public class CollectionService : ICollectionService
                 }
             }
 
-            await _collectionRepository.CreateAsync(collection, org.UseGroups ? groups : null, users);
-
-            // Assign a user to the newly created collection.
-            if (assignUserId.HasValue)
-            {
-                var orgUser = await _organizationUserRepository.GetByOrganizationAsync(org.Id, assignUserId.Value);
-                if (orgUser != null && orgUser.Status == Enums.OrganizationUserStatusType.Confirmed)
-                {
-                    await _collectionRepository.UpdateUsersAsync(collection.Id,
-                        new List<CollectionAccessSelection> {
-                            new CollectionAccessSelection { Id = orgUser.Id, Manage = true} });
-                }
-            }
-
+            await _collectionRepository.CreateAsync(collection, org.UseGroups ? groupsList : null, usersList);
             await _eventService.LogCollectionEventAsync(collection, Enums.EventType.Collection_Created);
             await _referenceEventService.RaiseEventAsync(new ReferenceEvent(ReferenceEventType.CollectionCreated, org, _currentContext));
         }
         else
         {
-            await _collectionRepository.ReplaceAsync(collection, org.UseGroups ? groups : null, users);
+            await _collectionRepository.ReplaceAsync(collection, org.UseGroups ? groupsList : null, usersList);
             await _eventService.LogCollectionEventAsync(collection, Enums.EventType.Collection_Updated);
         }
     }
diff --git a/src/Core/Services/Implementations/StripePaymentService.cs b/src/Core/Services/Implementations/StripePaymentService.cs
index 4d2eb4ef85..33610bee72 100644
--- a/src/Core/Services/Implementations/StripePaymentService.cs
+++ b/src/Core/Services/Implementations/StripePaymentService.cs
@@ -1557,10 +1557,19 @@ public class StripePaymentService : IPaymentService
     {
         var subscriptionInfo = new SubscriptionInfo();
 
-        if (subscriber.IsUser() && !string.IsNullOrWhiteSpace(subscriber.GatewayCustomerId))
+        if (!string.IsNullOrWhiteSpace(subscriber.GatewayCustomerId))
         {
             var customer = await _stripeAdapter.CustomerGetAsync(subscriber.GatewayCustomerId);
-            subscriptionInfo.UsingInAppPurchase = customer.Metadata.ContainsKey("appleReceipt");
+
+            if (customer.Discount != null)
+            {
+                subscriptionInfo.Discount = new SubscriptionInfo.BillingCustomerDiscount(customer.Discount);
+            }
+
+            if (subscriber.IsUser())
+            {
+                subscriptionInfo.UsingInAppPurchase = customer.Metadata.ContainsKey("appleReceipt");
+            }
         }
 
         if (!string.IsNullOrWhiteSpace(subscriber.GatewaySubscriptionId))
diff --git a/test/Api.Test/Controllers/CollectionsControllerTests.cs b/test/Api.Test/Controllers/CollectionsControllerTests.cs
index d4e5aeac16..3bfaa8b02c 100644
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@@ -40,7 +40,7 @@ public class CollectionsControllerTests
         await sutProvider.GetDependency<ICollectionService>()
             .Received(1)
             .SaveAsync(Arg.Any<Collection>(), Arg.Any<IEnumerable<CollectionAccessSelection>>(),
-                Arg.Any<IEnumerable<CollectionAccessSelection>>(), null);
+                Arg.Any<IEnumerable<CollectionAccessSelection>>());
     }
 
     [Theory, BitAutoData]
diff --git a/test/Core.Test/AutoFixture/CollectionAccessSelectionFixtures.cs b/test/Core.Test/AutoFixture/CollectionAccessSelectionFixtures.cs
new file mode 100644
index 0000000000..54b7fb034f
--- /dev/null
+++ b/test/Core.Test/AutoFixture/CollectionAccessSelectionFixtures.cs
@@ -0,0 +1,37 @@
+using System.Reflection;
+using AutoFixture;
+using AutoFixture.Xunit2;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.Test.AutoFixture;
+
+public class CollectionAccessSelectionCustomization : ICustomization
+{
+    public bool Manage { get; set; }
+
+    public CollectionAccessSelectionCustomization(bool manage)
+    {
+        Manage = manage;
+    }
+
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<CollectionAccessSelection>(composer => composer
+            .With(o => o.Manage, Manage));
+    }
+}
+
+public class CollectionAccessSelectionCustomizeAttribute : CustomizeAttribute
+{
+    private readonly bool _manage;
+
+    public CollectionAccessSelectionCustomizeAttribute(bool manage = false)
+    {
+        _manage = manage;
+    }
+
+    public override ICustomization GetCustomization(ParameterInfo parameter)
+    {
+        return new CollectionAccessSelectionCustomization(_manage);
+    }
+}
diff --git a/test/Core.Test/Services/CollectionServiceTests.cs b/test/Core.Test/Services/CollectionServiceTests.cs
index d5b5f15ccd..0ce0a90dc4 100644
--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
@@ -5,6 +5,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -18,23 +19,7 @@ namespace Bit.Core.Test.Services;
 public class CollectionServiceTest
 {
     [Theory, BitAutoData]
-    public async Task SaveAsync_DefaultId_CreatesCollectionInTheRepository(Collection collection, Organization organization, SutProvider<CollectionService> sutProvider)
-    {
-        collection.Id = default;
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-        var utcNow = DateTime.UtcNow;
-
-        await sutProvider.Sut.SaveAsync(collection);
-
-        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection, null, null);
-        await sutProvider.GetDependency<IEventService>().Received()
-            .LogCollectionEventAsync(collection, EventType.Collection_Created);
-        Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
-        Assert.True(collection.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_DefaultIdWithUsers_CreatesCollectionInTheRepository(Collection collection, Organization organization, IEnumerable<CollectionAccessSelection> users, SutProvider<CollectionService> sutProvider)
+    public async Task SaveAsync_DefaultIdWithUsers_CreatesCollectionInTheRepository(Collection collection, Organization organization, [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users, SutProvider<CollectionService> sutProvider)
     {
         collection.Id = default;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
@@ -42,7 +27,9 @@ public class CollectionServiceTest
 
         await sutProvider.Sut.SaveAsync(collection, null, users);
 
-        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection, null, users);
+        await sutProvider.GetDependency<ICollectionRepository>().Received()
+            .CreateAsync(collection, Arg.Is<List<CollectionAccessSelection>>(l => l == null),
+                Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)));
         await sutProvider.GetDependency<IEventService>().Received()
             .LogCollectionEventAsync(collection, EventType.Collection_Created);
         Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
@@ -51,7 +38,7 @@ public class CollectionServiceTest
 
     [Theory, BitAutoData]
     public async Task SaveAsync_DefaultIdWithGroupsAndUsers_CreateCollectionWithGroupsAndUsersInRepository(Collection collection,
-        IEnumerable<CollectionAccessSelection> groups, IEnumerable<CollectionAccessSelection> users, Organization organization, SutProvider<CollectionService> sutProvider)
+        [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> groups, IEnumerable<CollectionAccessSelection> users, Organization organization, SutProvider<CollectionService> sutProvider)
     {
         collection.Id = default;
         organization.UseGroups = true;
@@ -60,7 +47,9 @@ public class CollectionServiceTest
 
         await sutProvider.Sut.SaveAsync(collection, groups, users);
 
-        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection, groups, users);
+        await sutProvider.GetDependency<ICollectionRepository>().Received()
+            .CreateAsync(collection, Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)),
+                Arg.Any<List<CollectionAccessSelection>>());
         await sutProvider.GetDependency<IEventService>().Received()
             .LogCollectionEventAsync(collection, EventType.Collection_Created);
         Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
@@ -68,15 +57,17 @@ public class CollectionServiceTest
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_NonDefaultId_ReplacesCollectionInRepository(Collection collection, Organization organization, SutProvider<CollectionService> sutProvider)
+    public async Task SaveAsync_NonDefaultId_ReplacesCollectionInRepository(Collection collection, Organization organization, [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users, SutProvider<CollectionService> sutProvider)
     {
         var creationDate = collection.CreationDate;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         var utcNow = DateTime.UtcNow;
 
-        await sutProvider.Sut.SaveAsync(collection);
+        await sutProvider.Sut.SaveAsync(collection, null, users);
 
-        await sutProvider.GetDependency<ICollectionRepository>().Received().ReplaceAsync(collection, null, null);
+        await sutProvider.GetDependency<ICollectionRepository>().Received().ReplaceAsync(collection,
+            Arg.Is<List<CollectionAccessSelection>>(l => l == null),
+            Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)));
         await sutProvider.GetDependency<IEventService>().Received()
             .LogCollectionEventAsync(collection, EventType.Collection_Updated);
         Assert.Equal(collection.CreationDate, creationDate);
@@ -84,39 +75,20 @@ public class CollectionServiceTest
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_OrganizationNotUseGroup_CreateCollectionWithoutGroupsInRepository(Collection collection, IEnumerable<CollectionAccessSelection> groups,
+    public async Task SaveAsync_OrganizationNotUseGroup_CreateCollectionWithoutGroupsInRepository(Collection collection,
+        IEnumerable<CollectionAccessSelection> groups, [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users,
         Organization organization, SutProvider<CollectionService> sutProvider)
     {
         collection.Id = default;
+        organization.UseGroups = false;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         var utcNow = DateTime.UtcNow;
 
-        await sutProvider.Sut.SaveAsync(collection, groups);
+        await sutProvider.Sut.SaveAsync(collection, groups, users);
 
-        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection, null, null);
-        await sutProvider.GetDependency<IEventService>().Received()
-            .LogCollectionEventAsync(collection, EventType.Collection_Created);
-        Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
-        Assert.True(collection.RevisionDate - utcNow < TimeSpan.FromSeconds(1));
-    }
-
-    [Theory, BitAutoData]
-    public async Task SaveAsync_DefaultIdWithUserId_UpdateUserInCollectionRepository(Collection collection,
-        Organization organization, OrganizationUser organizationUser, SutProvider<CollectionService> sutProvider)
-    {
-        collection.Id = default;
-        organizationUser.Status = OrganizationUserStatusType.Confirmed;
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
-        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(organization.Id, organizationUser.Id)
-            .Returns(organizationUser);
-        var utcNow = DateTime.UtcNow;
-
-        await sutProvider.Sut.SaveAsync(collection, null, null, organizationUser.Id);
-
-        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection, null, null);
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received()
-            .GetByOrganizationAsync(organization.Id, organizationUser.Id);
-        await sutProvider.GetDependency<ICollectionRepository>().Received().UpdateUsersAsync(collection.Id, Arg.Any<List<CollectionAccessSelection>>());
+        await sutProvider.GetDependency<ICollectionRepository>().Received().CreateAsync(collection,
+            Arg.Is<List<CollectionAccessSelection>>(l => l == null),
+            Arg.Is<List<CollectionAccessSelection>>(l => l.Any(i => i.Manage == true)));
         await sutProvider.GetDependency<IEventService>().Received()
             .LogCollectionEventAsync(collection, EventType.Collection_Created);
         Assert.True(collection.CreationDate - utcNow < TimeSpan.FromSeconds(1));
@@ -135,14 +107,31 @@ public class CollectionServiceTest
     }
 
     [Theory, BitAutoData]
-    public async Task SaveAsync_ExceedsOrganizationMaxCollections_ThrowsBadRequest(Collection collection, Organization organization, SutProvider<CollectionService> sutProvider)
+    public async Task SaveAsync_NoManageAccess_ThrowsBadRequest(Collection collection, Organization organization,
+        [CollectionAccessSelectionCustomize] IEnumerable<CollectionAccessSelection> users, SutProvider<CollectionService> sutProvider)
+    {
+        collection.Id = default;
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveAsync(collection, null, users));
+        Assert.Contains("At least one member or group must have can manage permission.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default, default, default);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCollectionEventAsync(default, default);
+    }
+
+    [Theory, BitAutoData]
+    public async Task SaveAsync_ExceedsOrganizationMaxCollections_ThrowsBadRequest(Collection collection,
+        Organization organization, [CollectionAccessSelectionCustomize(true)] IEnumerable<CollectionAccessSelection> users,
+        SutProvider<CollectionService> sutProvider)
     {
         collection.Id = default;
         sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
         sutProvider.GetDependency<ICollectionRepository>().GetCountByOrganizationIdAsync(organization.Id)
             .Returns(organization.MaxCollections.Value);
 
-        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveAsync(collection));
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.SaveAsync(collection, null, users));
         Assert.Equal($@"You have reached the maximum number of collections ({organization.MaxCollections.Value}) for this organization.", ex.Message);
         await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
         await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default, default, default);