Merge branch 'main' into ac/ac-1682/data-migrations-for-deprecated-permissions

.github/CODEOWNERS

@@ -14,7 +14,12 @@
 
 # Database Operations for database changes
 src/Sql/** @bitwarden/dept-dbops
+util/EfShared/** @bitwarden/dept-dbops
 util/Migrator/** @bitwarden/dept-dbops
+util/MySqlMigrations/** @bitwarden/dept-dbops
+util/PostgresMigrations/** @bitwarden/dept-dbops
+util/SqlServerEFScaffold/** @bitwarden/dept-dbops
+util/SqliteMigrations/** @bitwarden/dept-dbops
 
 # Auth team
 **/Auth @bitwarden/team-auth-dev

dev/.gitignore

@@ -1,6 +1,6 @@
 .data
 secrets.json
-db
+*.db
 
 # Docker container configurations
 .env

perf/MicroBenchmarks/Identity/IdentityServer/RedisPersistedGrantStoreTests.cs

@@ -13,8 +13,11 @@ public class RedisPersistedGrantStoreTests
 {
     const string SQL = nameof(SQL);
     const string Redis = nameof(Redis);
+    const string Cosmos = nameof(Cosmos);
+
     private readonly IPersistedGrantStore _redisGrantStore;
     private readonly IPersistedGrantStore _sqlGrantStore;
+    private readonly IPersistedGrantStore _cosmosGrantStore;
     private readonly PersistedGrant _updateGrant;
 
     private IPersistedGrantStore _grantStore = null!;
@@ -45,12 +48,18 @@ public class RedisPersistedGrantStoreTests
         );
 
         var sqlConnectionString = "YOUR CONNECTION STRING HERE";
-
         _sqlGrantStore = new PersistedGrantStore(
             new GrantRepository(
                 sqlConnectionString,
                 sqlConnectionString
-            )
+            ),
+            g => new Bit.Core.Auth.Entities.Grant(g)
+        );
+
+        var cosmosConnectionString = "YOUR CONNECTION STRING HERE";
+        _cosmosGrantStore = new PersistedGrantStore(
+            new Bit.Core.Auth.Repositories.Cosmos.GrantRepository(cosmosConnectionString),
+            g => new Bit.Core.Auth.Models.Data.GrantItem(g)
         );
 
         var creationTime = new DateTime(638350407400000000, DateTimeKind.Utc);
@@ -69,7 +78,7 @@ public class RedisPersistedGrantStoreTests
         };
     }
 
-    [Params(Redis, SQL)]
+    [Params(Redis, SQL, Cosmos)]
     public string StoreType { get; set; } = null!;
 
     [GlobalSetup]
@@ -83,6 +92,10 @@ public class RedisPersistedGrantStoreTests
         {
             _grantStore = _sqlGrantStore;
         }
+        else if (StoreType == Cosmos)
+        {
+            _grantStore = _cosmosGrantStore;
+        }
         else
         {
             throw new InvalidProgramException();

src/Api/AdminConsole/Controllers/OrganizationAuthRequestsController.cs

@@ -1,14 +1,12 @@
 using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
-using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationAuth.Interfaces;
 using Bit.Core.Auth.Models.Api.Request.AuthRequest;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
-using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
@@ -16,7 +14,6 @@ namespace Bit.Api.AdminConsole.Controllers;
 
 [Route("organizations/{orgId}/auth-requests")]
 [Authorize("Application")]
-[RequireFeature(FeatureFlagKeys.TrustedDeviceEncryption)]
 public class OrganizationAuthRequestsController : Controller
 {
     private readonly IAuthRequestRepository _authRequestRepository;

src/Api/AdminConsole/Controllers/OrganizationsController.cs

@@ -764,12 +764,6 @@ public class OrganizationsController : Controller
             throw new NotFoundException();
         }
 
-        if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
-            !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
-        {
-            throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
-        }
-
         var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
         ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
         organization.Identifier = model.Identifier;

src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs

@@ -56,6 +56,7 @@ public class OrganizationResponseModel : ResponseModel
         MaxAutoscaleSmServiceAccounts = organization.MaxAutoscaleSmServiceAccounts;
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        FlexibleCollections = organization.FlexibleCollections;
     }
 
     public Guid Id { get; set; }
@@ -97,6 +98,7 @@ public class OrganizationResponseModel : ResponseModel
     public int? MaxAutoscaleSmServiceAccounts { get; set; }
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool FlexibleCollections { get; set; }
 }
 
 public class OrganizationSubscriptionResponseModel : OrganizationResponseModel

src/Api/AdminConsole/Models/Response/ProfileOrganizationResponseModel.cs

@@ -61,6 +61,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
         AccessSecretsManager = organization.AccessSecretsManager;
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        FlexibleCollections = organization.FlexibleCollections;
 
         if (organization.SsoConfig != null)
         {
@@ -116,4 +117,5 @@ public class ProfileOrganizationResponseModel : ResponseModel
     public bool AccessSecretsManager { get; set; }
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool FlexibleCollections { get; set; }
 }

src/Api/AdminConsole/Public/Controllers/GroupsController.cs

@@ -110,7 +110,7 @@ public class GroupsController : Controller
     public async Task<IActionResult> Post([FromBody] GroupCreateUpdateRequestModel model)
     {
         var group = model.ToGroup(_currentContext.OrganizationId.Value);
-        var associations = model.Collections?.Select(c => c.ToSelectionReadOnly());
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         var organization = await _organizationRepository.GetByIdAsync(_currentContext.OrganizationId.Value);
         await _createGroupCommand.CreateGroupAsync(group, organization, associations);
         var response = new GroupResponseModel(group, associations);
@@ -139,7 +139,7 @@ public class GroupsController : Controller
         }
 
         var updatedGroup = model.ToGroup(existingGroup);
-        var associations = model.Collections?.Select(c => c.ToSelectionReadOnly());
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         var organization = await _organizationRepository.GetByIdAsync(_currentContext.OrganizationId.Value);
         await _updateGroupCommand.UpdateGroupAsync(updatedGroup, organization, associations);
         var response = new GroupResponseModel(updatedGroup, associations);

src/Api/AdminConsole/Public/Controllers/MembersController.cs

@@ -119,7 +119,7 @@ public class MembersController : Controller
     [ProducesResponseType(typeof(ErrorResponseModel), (int)HttpStatusCode.BadRequest)]
     public async Task<IActionResult> Post([FromBody] MemberCreateRequestModel model)
     {
-        var associations = model.Collections?.Select(c => c.ToSelectionReadOnly());
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         var invite = new OrganizationUserInvite
         {
             Emails = new List<string> { model.Email },
@@ -154,7 +154,7 @@ public class MembersController : Controller
             return new NotFoundResult();
         }
         var updatedUser = model.ToOrganizationUser(existingUser);
-        var associations = model.Collections?.Select(c => c.ToSelectionReadOnly());
+        var associations = model.Collections?.Select(c => c.ToCollectionAccessSelection());
         await _organizationService.SaveUserAsync(updatedUser, null, associations, model.Groups);
         MemberResponseModel response = null;
         if (existingUser.UserId.HasValue)

src/Api/AdminConsole/Public/Models/AssociationWithPermissionsBaseModel.cs

@@ -15,4 +15,9 @@ public abstract class AssociationWithPermissionsBaseModel
     /// </summary>
     [Required]
     public bool? ReadOnly { get; set; }
+    /// <summary>
+    /// When true, the hide passwords permission will not allow the user or group to view passwords.
+    /// This prevents easy copy-and-paste of hidden items, however it may not completely prevent user access.
+    /// </summary>
+    public bool? HidePasswords { get; set; }
 }

src/Api/AdminConsole/Public/Models/Request/AssociationWithPermissionsRequestModel.cs

@@ -4,12 +4,13 @@ namespace Bit.Api.AdminConsole.Public.Models.Request;
 
 public class AssociationWithPermissionsRequestModel : AssociationWithPermissionsBaseModel
 {
-    public CollectionAccessSelection ToSelectionReadOnly()
+    public CollectionAccessSelection ToCollectionAccessSelection()
     {
         return new CollectionAccessSelection
         {
             Id = Id.Value,
-            ReadOnly = ReadOnly.Value
+            ReadOnly = ReadOnly.Value,
+            HidePasswords = HidePasswords.GetValueOrDefault()
         };
     }
 }

src/Api/AdminConsole/Public/Models/Response/AssociationWithPermissionsResponseModel.cs

@@ -12,5 +12,6 @@ public class AssociationWithPermissionsResponseModel : AssociationWithPermission
         }
         Id = selection.Id;
         ReadOnly = selection.ReadOnly;
+        HidePasswords = selection.HidePasswords;
     }
 }

src/Api/Public/Controllers/CollectionsController.cs

@@ -89,7 +89,7 @@ public class CollectionsController : Controller
             return new NotFoundResult();
         }
         var updatedCollection = model.ToCollection(existingCollection);
-        var associations = model.Groups?.Select(c => c.ToSelectionReadOnly());
+        var associations = model.Groups?.Select(c => c.ToCollectionAccessSelection());
         await _collectionService.SaveAsync(updatedCollection, associations);
         var response = new CollectionResponseModel(updatedCollection, associations);
         return new JsonResult(response);

src/Core/AdminConsole/Entities/Organization.cs

@@ -91,6 +91,11 @@ public class Organization : ITableObject<Guid>, ISubscriber, IStorable, IStorabl
     /// </remarks>
     /// </summary>
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    /// <summary>
+    /// True if the organization is using the Flexible Collections permission changes, false otherwise.
+    /// For existing organizations, this must only be set to true once data migrations have been run for this organization.
+    /// </summary>
+    public bool FlexibleCollections { get; set; }
 
     public void SetNewId()
     {

src/Core/AdminConsole/Models/Data/Organizations/OrganizationAbility.cs

@@ -23,6 +23,7 @@ public class OrganizationAbility
         UsePolicies = organization.UsePolicies;
         LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
         AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
+        FlexibleCollections = organization.FlexibleCollections;
     }
 
     public Guid Id { get; set; }
@@ -39,4 +40,5 @@ public class OrganizationAbility
     public bool UsePolicies { get; set; }
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool FlexibleCollections { get; set; }
 }

src/Core/AdminConsole/Models/Data/Organizations/OrganizationUsers/OrganizationUserOrganizationDetails.cs

@@ -50,4 +50,5 @@ public class OrganizationUserOrganizationDetails
     public int? SmServiceAccounts { get; set; }
     public bool LimitCollectionCreationDeletion { get; set; }
     public bool AllowAdminAccessToAllCollectionItems { get; set; }
+    public bool FlexibleCollections { get; set; }
 }

src/Core/Auth/Entities/Grant.cs

@@ -1,10 +1,28 @@
 #nullable enable
 using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Models.Data;
+using Duende.IdentityServer.Models;
 
 namespace Bit.Core.Auth.Entities;
 
-public class Grant
+public class Grant : IGrant
 {
+    public Grant() { }
+
+    public Grant(PersistedGrant pGrant)
+    {
+        Key = pGrant.Key;
+        Type = pGrant.Type;
+        SubjectId = pGrant.SubjectId;
+        SessionId = pGrant.SessionId;
+        ClientId = pGrant.ClientId;
+        Description = pGrant.Description;
+        CreationDate = pGrant.CreationTime;
+        ExpirationDate = pGrant.Expiration;
+        ConsumedDate = pGrant.ConsumedTime;
+        Data = pGrant.Data;
+    }
+
     public int Id { get; set; }
     [MaxLength(200)]
     public string Key { get; set; } = null!;

src/Core/Auth/Models/Data/GrantItem.cs

@@ -0,0 +1,77 @@
+using System.Text.Json.Serialization;
+using Bit.Core.Auth.Repositories.Cosmos;
+using Duende.IdentityServer.Models;
+
+namespace Bit.Core.Auth.Models.Data;
+
+public class GrantItem : IGrant
+{
+    public GrantItem() { }
+
+    public GrantItem(PersistedGrant pGrant)
+    {
+        Key = pGrant.Key;
+        Type = pGrant.Type;
+        SubjectId = pGrant.SubjectId;
+        SessionId = pGrant.SessionId;
+        ClientId = pGrant.ClientId;
+        Description = pGrant.Description;
+        CreationDate = pGrant.CreationTime;
+        ExpirationDate = pGrant.Expiration;
+        ConsumedDate = pGrant.ConsumedTime;
+        Data = pGrant.Data;
+        SetTtl();
+    }
+
+    public GrantItem(IGrant g)
+    {
+        Key = g.Key;
+        Type = g.Type;
+        SubjectId = g.SubjectId;
+        SessionId = g.SessionId;
+        ClientId = g.ClientId;
+        Description = g.Description;
+        CreationDate = g.CreationDate;
+        ExpirationDate = g.ExpirationDate;
+        ConsumedDate = g.ConsumedDate;
+        Data = g.Data;
+        SetTtl();
+    }
+
+    [JsonPropertyName("id")]
+    [JsonConverter(typeof(Base64IdStringConverter))]
+    public string Key { get; set; }
+    [JsonPropertyName("typ")]
+    public string Type { get; set; }
+    [JsonPropertyName("sub")]
+    public string SubjectId { get; set; }
+    [JsonPropertyName("sid")]
+    public string SessionId { get; set; }
+    [JsonPropertyName("cid")]
+    public string ClientId { get; set; }
+    [JsonPropertyName("des")]
+    public string Description { get; set; }
+    [JsonPropertyName("cre")]
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    [JsonPropertyName("exp")]
+    public DateTime? ExpirationDate { get; set; }
+    [JsonPropertyName("con")]
+    public DateTime? ConsumedDate { get; set; }
+    [JsonPropertyName("data")]
+    public string Data { get; set; }
+    // https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-time-to-live?tabs=dotnet-sdk-v3#set-time-to-live-on-an-item-using-an-sdk
+    [JsonPropertyName("ttl")]
+    public int Ttl { get; set; } = -1;
+
+    public void SetTtl()
+    {
+        if (ExpirationDate != null)
+        {
+            var sec = (ExpirationDate.Value - DateTime.UtcNow).TotalSeconds;
+            if (sec > 0)
+            {
+                Ttl = (int)sec;
+            }
+        }
+    }
+}

src/Core/Auth/Models/Data/IGrant.cs

@@ -0,0 +1,15 @@
+namespace Bit.Core.Auth.Models.Data;
+
+public interface IGrant
+{
+    string Key { get; set; }
+    string Type { get; set; }
+    string SubjectId { get; set; }
+    string SessionId { get; set; }
+    string ClientId { get; set; }
+    string Description { get; set; }
+    DateTime CreationDate { get; set; }
+    DateTime? ExpirationDate { get; set; }
+    DateTime? ConsumedDate { get; set; }
+    string Data { get; set; }
+}

src/Core/Auth/Repositories/Cosmos/Base64IdStringConverter.cs

@@ -0,0 +1,32 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Auth.Repositories.Cosmos;
+
+public class Base64IdStringConverter : JsonConverter<string>
+{
+    public override string Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) =>
+        ToKey(reader.GetString());
+
+    public override void Write(Utf8JsonWriter writer, string value, JsonSerializerOptions options) =>
+        writer.WriteStringValue(ToId(value));
+
+    public static string ToId(string key)
+    {
+        if (key == null)
+        {
+            return null;
+        }
+        return CoreHelpers.TransformToBase64Url(key);
+    }
+
+    public static string ToKey(string id)
+    {
+        if (id == null)
+        {
+            return null;
+        }
+        return CoreHelpers.TransformFromBase64Url(id);
+    }
+}

src/Core/Auth/Repositories/Cosmos/GrantRepository.cs

@@ -0,0 +1,81 @@
+using System.Net;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Settings;
+using Bit.Core.Utilities;
+using Microsoft.Azure.Cosmos;
+
+namespace Bit.Core.Auth.Repositories.Cosmos;
+
+public class GrantRepository : IGrantRepository
+{
+    private readonly CosmosClient _client;
+    private readonly Database _database;
+    private readonly Container _container;
+
+    public GrantRepository(GlobalSettings globalSettings)
+        : this(globalSettings.IdentityServer.CosmosConnectionString)
+    { }
+
+    public GrantRepository(string cosmosConnectionString)
+    {
+        var options = new CosmosClientOptions
+        {
+            Serializer = new SystemTextJsonCosmosSerializer(new JsonSerializerOptions
+            {
+                DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+                WriteIndented = false
+            })
+        };
+        // TODO: Perhaps we want to evaluate moving this to DI as a keyed service singleton in .NET 8
+        _client = new CosmosClient(cosmosConnectionString, options);
+        _database = _client.GetDatabase("identity");
+        _container = _database.GetContainer("grant");
+    }
+
+    public async Task<IGrant> GetByKeyAsync(string key)
+    {
+        var id = Base64IdStringConverter.ToId(key);
+        try
+        {
+            var response = await _container.ReadItemAsync<GrantItem>(id, new PartitionKey(id));
+            return response.Resource;
+        }
+        catch (CosmosException e)
+        {
+            if (e.StatusCode == HttpStatusCode.NotFound)
+            {
+                return null;
+            }
+            throw;
+        }
+    }
+
+    public Task<ICollection<IGrant>> GetManyAsync(string subjectId, string sessionId, string clientId, string type)
+        => throw new NotImplementedException();
+
+    public async Task SaveAsync(IGrant obj)
+    {
+        if (obj is not GrantItem item)
+        {
+            item = new GrantItem(obj);
+        }
+        item.SetTtl();
+        var id = Base64IdStringConverter.ToId(item.Key);
+        await _container.UpsertItemAsync(item, new PartitionKey(id), new ItemRequestOptions
+        {
+            // ref: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/best-practice-dotnet#best-practices-for-write-heavy-workloads
+            EnableContentResponseOnWrite = false
+        });
+    }
+
+    public async Task DeleteByKeyAsync(string key)
+    {
+        var id = Base64IdStringConverter.ToId(key);
+        await _container.DeleteItemAsync<IGrant>(id, new PartitionKey(id));
+    }
+
+    public Task DeleteManyAsync(string subjectId, string sessionId, string clientId, string type)
+        => throw new NotImplementedException();
+}

src/Core/Auth/Repositories/IGrantRepository.cs

@@ -1,12 +1,12 @@
-using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 
 namespace Bit.Core.Auth.Repositories;
 
 public interface IGrantRepository
 {
-    Task<Grant> GetByKeyAsync(string key);
+    Task<IGrant> GetByKeyAsync(string key);
-    Task<ICollection<Grant>> GetManyAsync(string subjectId, string sessionId, string clientId, string type);
+    Task<ICollection<IGrant>> GetManyAsync(string subjectId, string sessionId, string clientId, string type);
-    Task SaveAsync(Grant obj);
+    Task SaveAsync(IGrant obj);
     Task DeleteByKeyAsync(string key);
     Task DeleteManyAsync(string subjectId, string sessionId, string clientId, string type);
 }

src/Core/Settings/GlobalSettings.cs

@@ -327,6 +327,7 @@ public class GlobalSettings : IGlobalSettings
         public string CertificateThumbprint { get; set; }
         public string CertificatePassword { get; set; }
         public string RedisConnectionString { get; set; }
+        public string CosmosConnectionString { get; set; }
         public string LicenseKey { get; set; } = "eyJhbGciOiJQUzI1NiIsImtpZCI6IklkZW50aXR5U2VydmVyTGljZW5zZWtleS83Y2VhZGJiNzgxMzA0NjllODgwNjg5MTAyNTQxNGYxNiIsInR5cCI6ImxpY2Vuc2Urand0In0.eyJpc3MiOiJodHRwczovL2R1ZW5kZXNvZnR3YXJlLmNvbSIsImF1ZCI6IklkZW50aXR5U2VydmVyIiwiaWF0IjoxNzAxODIwODAwLCJleHAiOjE3MzM0NDMyMDAsImNvbXBhbnlfbmFtZSI6IkJpdHdhcmRlbiBJbmMuIiwiY29udGFjdF9pbmZvIjoiY29udGFjdEBkdWVuZGVzb2Z0d2FyZS5jb20iLCJlZGl0aW9uIjoiU3RhcnRlciIsImlkIjoiNDMxOSIsImZlYXR1cmUiOlsiaXN2IiwidW5saW1pdGVkX2NsaWVudHMiXSwicHJvZHVjdCI6IkJpdHdhcmRlbiJ9.iLA771PffgIh0ClRS8OWHbg2cAgjhgOkUjRRkLNr9dpQXhYZkVKdpUn-Gw9T7grsGcAx0f4p-TQmtcCpbN9EJCF5jlF0-NfsRTp_gmCgQ5eXyiE4DzJp2OCrz_3STf07N1dILwhD3nk9rzcA6SRQ4_kja8wAMHKnD5LisW98r5DfRDBecRs16KS5HUhg99DRMR5fd9ntfydVMTC_E23eEOHVLsR4YhiSXaEINPjFDG1czyOBClJItDW8g9X8qlClZegr630UjnKKg06A4usoL25VFHHn8Ew3v-_-XdlWoWsIpMMVvacwZT8rwkxjIesFNsXG6yzuROIhaxAvB1297A";
     }
 

src/Core/Utilities/CoreHelpers.cs

@@ -338,16 +338,50 @@ public static class CoreHelpers
         return Encoding.UTF8.GetString(Base64UrlDecode(input));
     }
 
+    /// <summary>
+    /// Encodes a Base64 URL formatted string.
+    /// </summary>
+    /// <param name="input">Byte data</param>
+    /// <returns>Base64 URL formatted string</returns>
     public static string Base64UrlEncode(byte[] input)
     {
-        var output = Convert.ToBase64String(input)
+        // Standard base64 encoder
+        var standardB64 = Convert.ToBase64String(input);
+        return TransformToBase64Url(standardB64);
+    }
+
+    /// <summary>
+    /// Transforms a Base64 standard formatted string to a Base64 URL formatted string.
+    /// </summary>
+    /// <param name="input">Base64 standard formatted string</param>
+    /// <returns>Base64 URL formatted string</returns>
+    public static string TransformToBase64Url(string input)
+    {
+        var output = input
             .Replace('+', '-')
             .Replace('/', '_')
             .Replace("=", string.Empty);
         return output;
     }
 
+    /// <summary>
+    /// Decodes a Base64 URL formatted string.
+    /// </summary>
+    /// <param name="input">Base64 URL formatted string</param>
+    /// <returns>Data as bytes</returns>
     public static byte[] Base64UrlDecode(string input)
+    {
+        var standardB64 = TransformFromBase64Url(input);
+        // Standard base64 decoder
+        return Convert.FromBase64String(standardB64);
+    }
+
+    /// <summary>
+    /// Transforms a Base64 URL formatted string to a Base64 standard formatted string.
+    /// </summary>
+    /// <param name="input">Base64 URL formatted string</param>
+    /// <returns>Base64 standard formatted string</returns>
+    public static string TransformFromBase64Url(string input)
     {
         var output = input;
         // 62nd char of encoding
@@ -370,8 +404,8 @@ public static class CoreHelpers
                 throw new InvalidOperationException("Illegal base64url string!");
         }
 
-        // Standard base64 decoder
+        // Standard base64 string output
-        return Convert.FromBase64String(output);
+        return output;
     }
 
     public static string PunyEncode(string text)

src/Core/Utilities/SystemTextJsonCosmosSerializer.cs

@@ -0,0 +1,40 @@
+using System.Text.Json;
+using Azure.Core.Serialization;
+using Microsoft.Azure.Cosmos;
+
+namespace Bit.Core.Utilities;
+
+// ref: https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/SystemTextJson/CosmosSystemTextJsonSerializer.cs
+public class SystemTextJsonCosmosSerializer : CosmosSerializer
+{
+    private readonly JsonObjectSerializer _systemTextJsonSerializer;
+
+    public SystemTextJsonCosmosSerializer(JsonSerializerOptions jsonSerializerOptions)
+    {
+        _systemTextJsonSerializer = new JsonObjectSerializer(jsonSerializerOptions);
+    }
+
+    public override T FromStream<T>(Stream stream)
+    {
+        using (stream)
+        {
+            if (stream.CanSeek && stream.Length == 0)
+            {
+                return default;
+            }
+            if (typeof(Stream).IsAssignableFrom(typeof(T)))
+            {
+                return (T)(object)stream;
+            }
+            return (T)_systemTextJsonSerializer.Deserialize(stream, typeof(T), default);
+        }
+    }
+
+    public override Stream ToStream<T>(T input)
+    {
+        var streamPayload = new MemoryStream();
+        _systemTextJsonSerializer.Serialize(streamPayload, input, input.GetType(), default);
+        streamPayload.Position = 0;
+        return streamPayload;
+    }
+}

src/Identity/IdentityServer/PersistedGrantStore.cs

@@ -1,18 +1,24 @@
-using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Stores;
-using Grant = Bit.Core.Auth.Entities.Grant;
 
 namespace Bit.Identity.IdentityServer;
 
 public class PersistedGrantStore : IPersistedGrantStore
 {
     private readonly IGrantRepository _grantRepository;
+    private readonly Func<PersistedGrant, IGrant> _toGrant;
+    private readonly IPersistedGrantStore _fallbackGrantStore;
 
     public PersistedGrantStore(
-        IGrantRepository grantRepository)
+        IGrantRepository grantRepository,
+        Func<PersistedGrant, IGrant> toGrant,
+        IPersistedGrantStore fallbackGrantStore = null)
     {
         _grantRepository = grantRepository;
+        _toGrant = toGrant;
+        _fallbackGrantStore = fallbackGrantStore;
     }
 
     public async Task<PersistedGrant> GetAsync(string key)
@@ -20,6 +26,11 @@ public class PersistedGrantStore : IPersistedGrantStore
         var grant = await _grantRepository.GetByKeyAsync(key);
         if (grant == null)
         {
+            if (_fallbackGrantStore != null)
+            {
+                // It wasn't found, there is a chance is was instead stored in the fallback store
+                return await _fallbackGrantStore.GetAsync(key);
+            }
             return null;
         }
 
@@ -47,28 +58,11 @@ public class PersistedGrantStore : IPersistedGrantStore
 
     public async Task StoreAsync(PersistedGrant pGrant)
     {
-        var grant = ToGrant(pGrant);
+        var grant = _toGrant(pGrant);
         await _grantRepository.SaveAsync(grant);
     }
 
-    private Grant ToGrant(PersistedGrant pGrant)
+    private PersistedGrant ToPersistedGrant(IGrant grant)
-    {
-        return new Grant
-        {
-            Key = pGrant.Key,
-            Type = pGrant.Type,
-            SubjectId = pGrant.SubjectId,
-            SessionId = pGrant.SessionId,
-            ClientId = pGrant.ClientId,
-            Description = pGrant.Description,
-            CreationDate = pGrant.CreationTime,
-            ExpirationDate = pGrant.Expiration,
-            ConsumedDate = pGrant.ConsumedTime,
-            Data = pGrant.Data
-        };
-    }
-
-    private PersistedGrant ToPersistedGrant(Grant grant)
     {
         return new PersistedGrant
         {

src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs

@@ -1,12 +1,10 @@
-using Bit.Core;
+using Bit.Core.Auth.Entities;
-using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Response;
 using Bit.Core.Auth.Utilities;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Identity.Utilities;
 
 namespace Bit.Identity.IdentityServer;
@@ -20,7 +18,6 @@ namespace Bit.Identity.IdentityServer;
 public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
 {
     private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
     private readonly IDeviceRepository _deviceRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
 
@@ -31,13 +28,11 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
 
     public UserDecryptionOptionsBuilder(
         ICurrentContext currentContext,
-        IFeatureService featureService,
         IDeviceRepository deviceRepository,
         IOrganizationUserRepository organizationUserRepository
     )
     {
         _currentContext = currentContext;
-        _featureService = featureService;
         _deviceRepository = deviceRepository;
         _organizationUserRepository = organizationUserRepository;
     }
@@ -95,7 +90,7 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
     private async Task BuildTrustedDeviceOptions()
     {
         // TrustedDeviceEncryption only exists for SSO, if that changes then these guards should change
-        if (_ssoConfig == null || !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
+        if (_ssoConfig == null)
         {
             return;
         }

src/Identity/Utilities/ServiceCollectionExtensions.cs

@@ -1,4 +1,5 @@
-using Bit.Core.IdentityServer;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
 using Bit.Identity.IdentityServer;
@@ -51,31 +52,58 @@ public static class ServiceCollectionExtensions
             .AddIdentityServerCertificate(env, globalSettings)
             .AddExtensionGrantValidator<WebAuthnGrantValidator>();
 
-        if (CoreHelpers.SettingHasValue(globalSettings.IdentityServer.RedisConnectionString))
+        if (CoreHelpers.SettingHasValue(globalSettings.IdentityServer.CosmosConnectionString))
         {
-            // If we have redis, prefer it
+            services.AddSingleton<IPersistedGrantStore>(sp => BuildCosmosGrantStore(sp, globalSettings));
-
+        }
-            // Add the original persisted grant store via it's implementation type
+        else if (CoreHelpers.SettingHasValue(globalSettings.IdentityServer.RedisConnectionString))
-            // so we can inject it right after.
-            services.AddSingleton<PersistedGrantStore>();
-
-            services.AddSingleton<IPersistedGrantStore>(sp =>
         {
-                return new RedisPersistedGrantStore(
+            services.AddSingleton<IPersistedGrantStore>(sp => BuildRedisGrantStore(sp, globalSettings));
-                    // TODO: .NET 8 create a keyed service for this connection multiplexer and even PersistedGrantStore
-                    ConnectionMultiplexer.Connect(globalSettings.IdentityServer.RedisConnectionString),
-                    sp.GetRequiredService<ILogger<RedisPersistedGrantStore>>(),
-                    sp.GetRequiredService<PersistedGrantStore>() // Fallback grant store
-                );
-            });
         }
         else
         {
-            // Use the original grant store
+            services.AddTransient<IPersistedGrantStore>(sp => BuildSqlGrantStore(sp));
-            identityServerBuilder.AddPersistedGrantStore<PersistedGrantStore>();
         }
 
         services.AddTransient<ICorsPolicyService, CustomCorsPolicyService>();
         return identityServerBuilder;
     }
+
+    private static PersistedGrantStore BuildCosmosGrantStore(IServiceProvider sp, GlobalSettings globalSettings)
+    {
+        if (!CoreHelpers.SettingHasValue(globalSettings.IdentityServer.CosmosConnectionString))
+        {
+            throw new ArgumentException("No cosmos config string available.");
+        }
+        return new PersistedGrantStore(
+            // TODO: Perhaps we want to evaluate moving this repo to DI as a keyed service singleton in .NET 8
+            new Core.Auth.Repositories.Cosmos.GrantRepository(globalSettings),
+            g => new Core.Auth.Models.Data.GrantItem(g),
+            fallbackGrantStore: BuildRedisGrantStore(sp, globalSettings, true));
+    }
+
+    private static RedisPersistedGrantStore BuildRedisGrantStore(IServiceProvider sp,
+        GlobalSettings globalSettings, bool allowNull = false)
+    {
+        if (!CoreHelpers.SettingHasValue(globalSettings.IdentityServer.RedisConnectionString))
+        {
+            if (allowNull)
+            {
+                return null;
+            }
+            throw new ArgumentException("No redis config string available.");
+        }
+
+        return new RedisPersistedGrantStore(
+            // TODO: .NET 8 create a keyed service for this connection multiplexer and even PersistedGrantStore
+            ConnectionMultiplexer.Connect(globalSettings.IdentityServer.RedisConnectionString),
+            sp.GetRequiredService<ILogger<RedisPersistedGrantStore>>(),
+            fallbackGrantStore: BuildSqlGrantStore(sp));
+    }
+
+    private static PersistedGrantStore BuildSqlGrantStore(IServiceProvider sp)
+    {
+        return new PersistedGrantStore(sp.GetRequiredService<IGrantRepository>(),
+            g => new Core.Auth.Entities.Grant(g));
+    }
 }

src/Infrastructure.Dapper/Auth/Repositories/GrantRepository.cs

@@ -1,5 +1,6 @@
 using System.Data;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Settings;
 using Bit.Infrastructure.Dapper.Repositories;
@@ -18,7 +19,7 @@ public class GrantRepository : BaseRepository, IGrantRepository
         : base(connectionString, readOnlyConnectionString)
     { }
 
-    public async Task<Grant> GetByKeyAsync(string key)
+    public async Task<IGrant> GetByKeyAsync(string key)
     {
         using (var connection = new SqlConnection(ConnectionString))
         {
@@ -31,7 +32,7 @@ public class GrantRepository : BaseRepository, IGrantRepository
         }
     }
 
-    public async Task<ICollection<Grant>> GetManyAsync(string subjectId, string sessionId,
+    public async Task<ICollection<IGrant>> GetManyAsync(string subjectId, string sessionId,
         string clientId, string type)
     {
         using (var connection = new SqlConnection(ConnectionString))
@@ -41,12 +42,17 @@ public class GrantRepository : BaseRepository, IGrantRepository
                 new { SubjectId = subjectId, SessionId = sessionId, ClientId = clientId, Type = type },
                 commandType: CommandType.StoredProcedure);
 
-            return results.ToList();
+            return results.ToList<IGrant>();
         }
     }
 
-    public async Task SaveAsync(Grant obj)
+    public async Task SaveAsync(IGrant obj)
     {
+        if (obj is not Grant gObj)
+        {
+            throw new ArgumentException(null, nameof(obj));
+        }
+
         using (var connection = new SqlConnection(ConnectionString))
         {
             var results = await connection.ExecuteAsync(

src/Infrastructure.EntityFramework/AdminConsole/Configurations/OrganizationEntityTypeConfiguration.cs

@@ -0,0 +1,29 @@
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Configurations;
+
+public class OrganizationEntityTypeConfiguration : IEntityTypeConfiguration<Organization>
+{
+    public void Configure(EntityTypeBuilder<Organization> builder)
+    {
+        builder
+            .Property(o => o.Id)
+            .ValueGeneratedNever();
+
+        builder.Property(c => c.LimitCollectionCreationDeletion)
+            .ValueGeneratedNever()
+            .HasDefaultValue(true);
+
+        builder.Property(c => c.AllowAdminAccessToAllCollectionItems)
+            .ValueGeneratedNever()
+            .HasDefaultValue(true);
+
+        NpgsqlIndexBuilderExtensions.IncludeProperties(
+            builder.HasIndex(o => new { o.Id, o.Enabled }),
+            o => o.UseTotp);
+
+        builder.ToTable(nameof(Organization));
+    }
+}

src/Infrastructure.EntityFramework/AdminConsole/Configurations/PolicyEntityTypeConfiguration.cs

@@ -0,0 +1,26 @@
+using Bit.Infrastructure.EntityFramework.AdminConsole.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.AdminConsole.Configurations;
+
+public class PolicyEntityTypeConfiguration : IEntityTypeConfiguration<Policy>
+{
+    public void Configure(EntityTypeBuilder<Policy> builder)
+    {
+        builder
+            .Property(p => p.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(p => p.OrganizationId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(p => new { p.OrganizationId, p.Type })
+            .IsUnique()
+            .IsClustered(false);
+
+        builder.ToTable(nameof(Policy));
+    }
+}

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs

@@ -90,7 +90,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
                 UseCustomPermissions = e.UseCustomPermissions,
                 UsePolicies = e.UsePolicies,
                 LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
-                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems
+                AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems,
+                FlexibleCollections = e.FlexibleCollections
             }).ToListAsync();
         }
     }

src/Infrastructure.EntityFramework/Auth/Repositories/GrantRepository.cs

@@ -1,4 +1,5 @@
 using AutoMapper;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Infrastructure.EntityFramework.Auth.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
@@ -42,7 +43,7 @@ public class GrantRepository : BaseEntityFrameworkRepository, IGrantRepository
         }
     }
 
-    public async Task<Core.Auth.Entities.Grant> GetByKeyAsync(string key)
+    public async Task<IGrant> GetByKeyAsync(string key)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
         {
@@ -55,7 +56,7 @@ public class GrantRepository : BaseEntityFrameworkRepository, IGrantRepository
         }
     }
 
-    public async Task<ICollection<Core.Auth.Entities.Grant>> GetManyAsync(string subjectId, string sessionId, string clientId, string type)
+    public async Task<ICollection<IGrant>> GetManyAsync(string subjectId, string sessionId, string clientId, string type)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
         {
@@ -67,26 +68,31 @@ public class GrantRepository : BaseEntityFrameworkRepository, IGrantRepository
                             g.Type == type
                         select g;
             var grants = await query.ToListAsync();
-            return (ICollection<Core.Auth.Entities.Grant>)grants;
+            return (ICollection<IGrant>)grants;
         }
     }
 
-    public async Task SaveAsync(Core.Auth.Entities.Grant obj)
+    public async Task SaveAsync(IGrant obj)
     {
+        if (obj is not Core.Auth.Entities.Grant gObj)
+        {
+            throw new ArgumentException(null, nameof(obj));
+        }
+
         using (var scope = ServiceScopeFactory.CreateScope())
         {
             var dbContext = GetDatabaseContext(scope);
             var existingGrant = await (from g in dbContext.Grants
-                                       where g.Key == obj.Key
+                                       where g.Key == gObj.Key
                                        select g).FirstOrDefaultAsync();
             if (existingGrant != null)
             {
-                obj.Id = existingGrant.Id;
+                gObj.Id = existingGrant.Id;
-                dbContext.Entry(existingGrant).CurrentValues.SetValues(obj);
+                dbContext.Entry(existingGrant).CurrentValues.SetValues(gObj);
             }
             else
             {
-                var entity = Mapper.Map<Grant>(obj);
+                var entity = Mapper.Map<Grant>(gObj);
                 await dbContext.AddAsync(entity);
                 await dbContext.SaveChangesAsync();
             }

src/Infrastructure.EntityFramework/Configurations/DeviceEntityTypeConfiguration.cs

@@ -0,0 +1,26 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class DeviceEntityTypeConfiguration : IEntityTypeConfiguration<Device>
+{
+    public void Configure(EntityTypeBuilder<Device> builder)
+    {
+        builder
+            .HasIndex(d => d.UserId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(d => new { d.UserId, d.Identifier })
+            .IsUnique()
+            .IsClustered(false);
+
+        builder
+            .HasIndex(d => d.Identifier)
+            .IsClustered(false);
+
+        builder.ToTable(nameof(Device));
+    }
+}

src/Infrastructure.EntityFramework/Configurations/EventEntityTypeConfiguration.cs

@@ -0,0 +1,21 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class EventEntityTypeConfiguration : IEntityTypeConfiguration<Event>
+{
+    public void Configure(EntityTypeBuilder<Event> builder)
+    {
+        builder
+            .Property(e => e.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(e => new { e.Date, e.OrganizationId, e.ActingUserId, e.CipherId })
+            .IsClustered(false);
+
+        builder.ToTable(nameof(Event));
+    }
+}

src/Infrastructure.EntityFramework/Configurations/OrganizationSponsorshipEntityTypeConfiguration.cs

@@ -0,0 +1,21 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class OrganizationSponsorshipEntityTypeConfiguration : IEntityTypeConfiguration<OrganizationSponsorship>
+{
+    public void Configure(EntityTypeBuilder<OrganizationSponsorship> builder)
+    {
+        builder
+            .Property(o => o.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(o => o.SponsoringOrganizationUserId)
+            .IsClustered(false);
+
+        builder.ToTable(nameof(OrganizationSponsorship));
+    }
+}

src/Infrastructure.EntityFramework/Configurations/OrganizationUserEntityTypeConfiguration.cs

@@ -0,0 +1,29 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class OrganizationUserEntityTypeConfiguration : IEntityTypeConfiguration<OrganizationUser>
+{
+    public void Configure(EntityTypeBuilder<OrganizationUser> builder)
+    {
+        builder
+            .Property(ou => ou.Id)
+            .ValueGeneratedNever();
+
+        NpgsqlIndexBuilderExtensions.IncludeProperties(
+            builder.HasIndex(ou => new { ou.UserId, ou.OrganizationId, ou.Status }).IsClustered(false),
+            ou => ou.AccessAll);
+
+        builder
+            .HasIndex(ou => ou.OrganizationId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(ou => ou.UserId)
+            .IsClustered(false);
+
+        builder.ToTable(nameof(OrganizationUser));
+    }
+}

src/Infrastructure.EntityFramework/Configurations/TransactionEntityTypeConfiguration.cs

@@ -0,0 +1,25 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class TransactionEntityTypeConfiguration : IEntityTypeConfiguration<Transaction>
+{
+    public void Configure(EntityTypeBuilder<Transaction> builder)
+    {
+        builder
+            .Property(t => t.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(t => t.UserId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(t => new { t.UserId, t.OrganizationId, t.CreationDate })
+            .IsClustered(false);
+
+        builder.ToTable(nameof(Transaction));
+    }
+}

src/Infrastructure.EntityFramework/Configurations/UserEntityTypeConfiguration.cs

@@ -0,0 +1,26 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Configurations;
+
+public class UserEntityTypeConfiguration : IEntityTypeConfiguration<User>
+{
+    public void Configure(EntityTypeBuilder<User> builder)
+    {
+        builder
+            .Property(u => u.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(u => u.Email)
+            .IsUnique()
+            .IsClustered(false);
+
+        builder
+            .HasIndex(u => new { u.Premium, u.PremiumExpirationDate, u.RenewalReminderDate })
+            .IsClustered(false);
+
+        builder.ToTable(nameof(User));
+    }
+}

src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs

@@ -77,25 +77,17 @@ public class DatabaseContext : DbContext
         var eCollectionCipher = builder.Entity<CollectionCipher>();
         var eCollectionUser = builder.Entity<CollectionUser>();
         var eCollectionGroup = builder.Entity<CollectionGroup>();
-        var eDevice = builder.Entity<Device>();
         var eEmergencyAccess = builder.Entity<EmergencyAccess>();
-        var eEvent = builder.Entity<Event>();
         var eFolder = builder.Entity<Folder>();
         var eGroup = builder.Entity<Group>();
         var eGroupUser = builder.Entity<GroupUser>();
         var eInstallation = builder.Entity<Installation>();
-        var eOrganization = builder.Entity<Organization>();
-        var eOrganizationSponsorship = builder.Entity<OrganizationSponsorship>();
-        var eOrganizationUser = builder.Entity<OrganizationUser>();
-        var ePolicy = builder.Entity<Policy>();
         var eProvider = builder.Entity<Provider>();
         var eProviderUser = builder.Entity<ProviderUser>();
         var eProviderOrganization = builder.Entity<ProviderOrganization>();
-        var eSend = builder.Entity<Send>();
         var eSsoConfig = builder.Entity<SsoConfig>();
         var eSsoUser = builder.Entity<SsoUser>();
         var eTaxRate = builder.Entity<TaxRate>();
-        var eTransaction = builder.Entity<Transaction>();
         var eUser = builder.Entity<User>();
         var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
         var eOrganizationConnection = builder.Entity<OrganizationConnection>();
@@ -105,26 +97,12 @@ public class DatabaseContext : DbContext
         eCipher.Property(c => c.Id).ValueGeneratedNever();
         eCollection.Property(c => c.Id).ValueGeneratedNever();
         eEmergencyAccess.Property(c => c.Id).ValueGeneratedNever();
-        eEvent.Property(c => c.Id).ValueGeneratedNever();
         eFolder.Property(c => c.Id).ValueGeneratedNever();
         eGroup.Property(c => c.Id).ValueGeneratedNever();
         eInstallation.Property(c => c.Id).ValueGeneratedNever();
-        eOrganization.Property(c => c.Id).ValueGeneratedNever();
-        eOrganization.Property(c => c.LimitCollectionCreationDeletion)
-            .ValueGeneratedNever()
-            .HasDefaultValue(true);
-        eOrganization.Property(c => c.AllowAdminAccessToAllCollectionItems)
-            .ValueGeneratedNever()
-            .HasDefaultValue(true);
-        eOrganizationSponsorship.Property(c => c.Id).ValueGeneratedNever();
-        eOrganizationUser.Property(c => c.Id).ValueGeneratedNever();
-        ePolicy.Property(c => c.Id).ValueGeneratedNever();
         eProvider.Property(c => c.Id).ValueGeneratedNever();
         eProviderUser.Property(c => c.Id).ValueGeneratedNever();
         eProviderOrganization.Property(c => c.Id).ValueGeneratedNever();
-        eSend.Property(c => c.Id).ValueGeneratedNever();
-        eTransaction.Property(c => c.Id).ValueGeneratedNever();
-        eUser.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();
@@ -148,33 +126,24 @@ public class DatabaseContext : DbContext
             builder.HasCollation(postgresIndetermanisticCollation, locale: "en-u-ks-primary", provider: "icu", deterministic: false);
             eUser.Property(e => e.Email).UseCollation(postgresIndetermanisticCollation);
             eSsoUser.Property(e => e.ExternalId).UseCollation(postgresIndetermanisticCollation);
-            eOrganization.Property(e => e.Identifier).UseCollation(postgresIndetermanisticCollation);
+            builder.Entity<Organization>().Property(e => e.Identifier).UseCollation(postgresIndetermanisticCollation);
             //
         }
 
         eCipher.ToTable(nameof(Cipher));
         eCollection.ToTable(nameof(Collection));
         eCollectionCipher.ToTable(nameof(CollectionCipher));
-        eDevice.ToTable(nameof(Device));
         eEmergencyAccess.ToTable(nameof(EmergencyAccess));
-        eEvent.ToTable(nameof(Event));
         eFolder.ToTable(nameof(Folder));
         eGroup.ToTable(nameof(Group));
         eGroupUser.ToTable(nameof(GroupUser));
         eInstallation.ToTable(nameof(Installation));
-        eOrganization.ToTable(nameof(Organization));
-        eOrganizationSponsorship.ToTable(nameof(OrganizationSponsorship));
-        eOrganizationUser.ToTable(nameof(OrganizationUser));
-        ePolicy.ToTable(nameof(Policy));
         eProvider.ToTable(nameof(Provider));
         eProviderUser.ToTable(nameof(ProviderUser));
         eProviderOrganization.ToTable(nameof(ProviderOrganization));
-        eSend.ToTable(nameof(Send));
         eSsoConfig.ToTable(nameof(SsoConfig));
         eSsoUser.ToTable(nameof(SsoUser));
         eTaxRate.ToTable(nameof(TaxRate));
-        eTransaction.ToTable(nameof(Transaction));
-        eUser.ToTable(nameof(User));
         eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
         eOrganizationConnection.ToTable(nameof(OrganizationConnection));
         eOrganizationDomain.ToTable(nameof(OrganizationDomain));

src/Infrastructure.EntityFramework/Tools/Configurations/SendEntityTypeConfiguration.cs

@@ -0,0 +1,29 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+
+namespace Bit.Infrastructure.EntityFramework.Tools.Configurations;
+
+public class SendEntityTypeConfiguration : IEntityTypeConfiguration<Send>
+{
+    public void Configure(EntityTypeBuilder<Send> builder)
+    {
+        builder
+            .Property(s => s.Id)
+            .ValueGeneratedNever();
+
+        builder
+            .HasIndex(s => s.UserId)
+            .IsClustered(false);
+
+        builder
+            .HasIndex(s => new { s.UserId, s.OrganizationId })
+            .IsClustered(false);
+
+        builder
+            .HasIndex(s => s.DeletionDate)
+            .IsClustered(false);
+
+        builder.ToTable(nameof(Send));
+    }
+}

src/Sql/dbo/Stored Procedures/Organization_Create.sql

@@ -52,7 +52,8 @@
     @MaxAutoscaleSmServiceAccounts INT = null,
     @SecretsManagerBeta BIT = 0,
     @LimitCollectionCreationDeletion BIT = 1,
-    @AllowAdminAccessToAllCollectionItems BIT = 1
+    @AllowAdminAccessToAllCollectionItems BIT = 1,
+    @FlexibleCollections BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -112,7 +113,8 @@ BEGIN
         [MaxAutoscaleSmServiceAccounts],
         [SecretsManagerBeta],
         [LimitCollectionCreationDeletion],
-        [AllowAdminAccessToAllCollectionItems]
+        [AllowAdminAccessToAllCollectionItems],
+        [FlexibleCollections]
     )
     VALUES
     (
@@ -169,6 +171,7 @@ BEGIN
         @MaxAutoscaleSmServiceAccounts,
         @SecretsManagerBeta,
         @LimitCollectionCreationDeletion,
-        @AllowAdminAccessToAllCollectionItems
+        @AllowAdminAccessToAllCollectionItems,
+        @FlexibleCollections
     )
 END

src/Sql/dbo/Stored Procedures/Organization_ReadAbilities.sql

@@ -22,7 +22,8 @@ BEGIN
         [UsePolicies],
         [Enabled],
         [LimitCollectionCreationDeletion],
-        [AllowAdminAccessToAllCollectionItems]
+        [AllowAdminAccessToAllCollectionItems],
+        [FlexibleCollections]
     FROM
         [dbo].[Organization]
 END

src/Sql/dbo/Stored Procedures/Organization_Update.sql

@@ -52,7 +52,8 @@
     @MaxAutoscaleSmServiceAccounts INT = null,
     @SecretsManagerBeta BIT = 0,
     @LimitCollectionCreationDeletion BIT = 1,
-    @AllowAdminAccessToAllCollectionItems BIT = 1
+    @AllowAdminAccessToAllCollectionItems BIT = 1,
+    @FlexibleCollections BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -112,7 +113,8 @@ BEGIN
         [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
         [SecretsManagerBeta] = @SecretsManagerBeta,
         [LimitCollectionCreationDeletion] = @LimitCollectionCreationDeletion,
-        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems
+        [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+        [FlexibleCollections] = @FlexibleCollections
     WHERE
         [Id] = @Id
 END

src/Sql/dbo/Tables/Organization.sql

@@ -53,6 +53,7 @@
     [SecretsManagerBeta]            BIT              NOT NULL CONSTRAINT [DF_Organization_SecretsManagerBeta] DEFAULT (0),
     [LimitCollectionCreationDeletion]   BIT              NOT NULL CONSTRAINT [DF_Organization_LimitCollectionCreationDeletion] DEFAULT (1),
     [AllowAdminAccessToAllCollectionItems]   BIT              NOT NULL CONSTRAINT [DF_Organization_AllowAdminAccessToAllCollectionItems] DEFAULT (1),
+    [FlexibleCollections]           BIT             NOT NULL CONSTRAINT [DF_Organization_FlexibleCollections] DEFAULT (0)
     CONSTRAINT [PK_Organization] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
 

src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql

@@ -46,7 +46,8 @@ SELECT
     O.[SmSeats],
     O.[SmServiceAccounts],
     O.[LimitCollectionCreationDeletion],
-    O.[AllowAdminAccessToAllCollectionItems]
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[FlexibleCollections]
 FROM
     [dbo].[OrganizationUser] OU
 LEFT JOIN

test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs

@@ -1,18 +1,15 @@
 using System.Security.Claims;
 using System.Text.Json;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Api.Request.Accounts;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
-using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Bit.IntegrationTestCommon.Factories;
 using Bit.Test.Common.Helpers;
@@ -383,36 +380,6 @@ public class IdentityServerSsoTests
 
     }
 
-
-    [Fact]
-    public async Task SsoLogin_TrustedDeviceEncryption_FlagTurnedOff_DoesNotReturnOption()
-    {
-        // This creates SsoConfig that HAS enabled trusted device encryption which should have only been
-        // done with the feature flag turned on but we are testing that even if they have done that, this will turn off
-        // if returning as an option if the flag has later been turned off.  We should be very careful turning the flag
-        // back off.
-        using var responseBody = await RunSuccessTestAsync(async factory =>
-        {
-            await UpdateUserAsync(factory, user => user.MasterPassword = null);
-        }, MemberDecryptionType.TrustedDeviceEncryption, trustedDeviceEnabled: false);
-
-        // Assert
-        // If the organization has selected TrustedDeviceEncryption but the user still has their master password
-        // they can decrypt with either option
-        var root = responseBody.RootElement;
-        AssertHelper.AssertJsonProperty(root, "access_token", JsonValueKind.String);
-        var userDecryptionOptions = AssertHelper.AssertJsonProperty(root, "UserDecryptionOptions", JsonValueKind.Object);
-
-        // Expected to look like:
-        // "UserDecryptionOptions": {
-        //   "Object": "userDecryptionOptions"
-        //   "HasMasterPassword": false
-        // }
-
-        // Should only have 2 properties
-        Assert.Equal(2, userDecryptionOptions.EnumerateObject().Count());
-    }
-
     [Fact]
     public async Task SsoLogin_KeyConnector_ReturnsOptions()
     {
@@ -511,12 +478,6 @@ public class IdentityServerSsoTests
                 .Returns(authorizationCode);
         });
 
-        factory.SubstitueService<IFeatureService>(service =>
-        {
-            service.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, Arg.Any<ICurrentContext>())
-                .Returns(trustedDeviceEnabled);
-        });
-
         // This starts the server and finalizes services
         var registerResponse = await factory.RegisterAsync(new RegisterRequestModel
         {

test/Identity.Test/IdentityServer/UserDecryptionOptionsBuilderTests.cs

@@ -1,11 +1,9 @@
-using Bit.Core;
+using Bit.Core.Auth.Entities;
-using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Identity.IdentityServer;
 using Bit.Identity.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
@@ -17,7 +15,6 @@ namespace Bit.Identity.Test.IdentityServer;
 public class UserDecryptionOptionsBuilderTests
 {
     private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
     private readonly IDeviceRepository _deviceRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly UserDecryptionOptionsBuilder _builder;
@@ -25,10 +22,9 @@ public class UserDecryptionOptionsBuilderTests
     public UserDecryptionOptionsBuilderTests()
     {
         _currentContext = Substitute.For<ICurrentContext>();
-        _featureService = Substitute.For<IFeatureService>();
         _deviceRepository = Substitute.For<IDeviceRepository>();
         _organizationUserRepository = Substitute.For<IOrganizationUserRepository>();
-        _builder = new UserDecryptionOptionsBuilder(_currentContext, _featureService, _deviceRepository, _organizationUserRepository);
+        _builder = new UserDecryptionOptionsBuilder(_currentContext, _deviceRepository, _organizationUserRepository);
     }
 
     [Theory]
@@ -79,7 +75,6 @@ public class UserDecryptionOptionsBuilderTests
     [Theory, BitAutoData]
     public async Task Build_WhenTrustedDeviceIsEnabled_ShouldReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
 
@@ -91,23 +86,9 @@ public class UserDecryptionOptionsBuilderTests
         Assert.False(result.TrustedDeviceOption!.HasManageResetPasswordPermission);
     }
 
-    // TODO: Remove when FeatureFlagKeys.TrustedDeviceEncryption is removed
-    [Theory, BitAutoData]
-    public async Task Build_WhenTrustedDeviceIsEnabledButFeatureFlagIsDisabled_ShouldNotReturnTrustedDeviceOptions(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
-    {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(false);
-        configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
-        ssoConfig.Data = configurationData.Serialize();
-
-        var result = await _builder.WithSso(ssoConfig).WithDevice(device).BuildAsync();
-
-        Assert.Null(result.TrustedDeviceOption);
-    }
-
     [Theory, BitAutoData]
     public async Task Build_WhenDeviceIsTrusted_ShouldReturnKeys(SsoConfig ssoConfig, SsoConfigurationData configurationData, Device device)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         device.EncryptedPrivateKey = "encryptedPrivateKey";
@@ -123,7 +104,6 @@ public class UserDecryptionOptionsBuilderTests
     [Theory, BitAutoData]
     public async Task Build_WhenHasLoginApprovingDevice_ShouldApprovingDeviceTrue(SsoConfig ssoConfig, SsoConfigurationData configurationData, User user, Device device, Device approvingDevice)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         approvingDevice.Type = LoginApprovingDeviceTypes.Types.First();
@@ -140,7 +120,6 @@ public class UserDecryptionOptionsBuilderTests
         SsoConfigurationData configurationData,
         CurrentContextOrganization organization)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         ssoConfig.OrganizationId = organization.Id;
@@ -159,7 +138,6 @@ public class UserDecryptionOptionsBuilderTests
         OrganizationUser organizationUser,
         User user)
     {
-        _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext).Returns(true);
         configurationData.MemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
         ssoConfig.Data = configurationData.Serialize();
         organizationUser.ResetPasswordKey = "resetPasswordKey";

util/Migrator/DbScripts/2024-01-11_00_OrganizationFlexibleCollectionsColumn.sql

@@ -0,0 +1,413 @@
+--Add column 'FlexibleCollections' to 'Organization' table
+IF COL_LENGTH('[dbo].[Organization]', 'FlexibleCollections') IS NULL
+BEGIN
+ALTER TABLE
+    [dbo].[Organization]
+    ADD
+    [FlexibleCollections] BIT NOT NULL CONSTRAINT [DF_Organization_FlexibleCollections] DEFAULT (0)
+END
+GO
+
+/**
+  ORGANIZATION STORED PROCEDURES
+ */
+
+--Alter `Organization_Create` sproc to include new column and default value
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT= null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreationDeletion BIT = 1,
+    @AllowAdminAccessToAllCollectionItems BIT = 1,
+    @FlexibleCollections BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[Organization]
+    (
+        [Id],
+        [Identifier],
+        [Name],
+        [BusinessName],
+        [BusinessAddress1],
+        [BusinessAddress2],
+        [BusinessAddress3],
+        [BusinessCountry],
+        [BusinessTaxNumber],
+        [BillingEmail],
+        [Plan],
+        [PlanType],
+        [Seats],
+        [MaxCollections],
+        [UsePolicies],
+        [UseSso],
+        [UseGroups],
+        [UseDirectory],
+        [UseEvents],
+        [UseTotp],
+        [Use2fa],
+        [UseApi],
+        [UseResetPassword],
+        [SelfHost],
+        [UsersGetPremium],
+        [Storage],
+        [MaxStorageGb],
+        [Gateway],
+        [GatewayCustomerId],
+        [GatewaySubscriptionId],
+        [ReferenceData],
+        [Enabled],
+        [LicenseKey],
+        [PublicKey],
+        [PrivateKey],
+        [TwoFactorProviders],
+        [ExpirationDate],
+        [CreationDate],
+        [RevisionDate],
+        [OwnersNotifiedOfAutoscaling],
+        [MaxAutoscaleSeats],
+        [UseKeyConnector],
+        [UseScim],
+        [UseCustomPermissions],
+        [UseSecretsManager],
+        [Status],
+        [UsePasswordManager],
+        [SmSeats],
+        [SmServiceAccounts],
+        [MaxAutoscaleSmSeats],
+        [MaxAutoscaleSmServiceAccounts],
+        [SecretsManagerBeta],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [FlexibleCollections]
+    )
+    VALUES
+    (
+        @Id,
+        @Identifier,
+        @Name,
+        @BusinessName,
+        @BusinessAddress1,
+        @BusinessAddress2,
+        @BusinessAddress3,
+        @BusinessCountry,
+        @BusinessTaxNumber,
+        @BillingEmail,
+        @Plan,
+        @PlanType,
+        @Seats,
+        @MaxCollections,
+        @UsePolicies,
+        @UseSso,
+        @UseGroups,
+        @UseDirectory,
+        @UseEvents,
+        @UseTotp,
+        @Use2fa,
+        @UseApi,
+        @UseResetPassword,
+        @SelfHost,
+        @UsersGetPremium,
+        @Storage,
+        @MaxStorageGb,
+        @Gateway,
+        @GatewayCustomerId,
+        @GatewaySubscriptionId,
+        @ReferenceData,
+        @Enabled,
+        @LicenseKey,
+        @PublicKey,
+        @PrivateKey,
+        @TwoFactorProviders,
+        @ExpirationDate,
+        @CreationDate,
+        @RevisionDate,
+        @OwnersNotifiedOfAutoscaling,
+        @MaxAutoscaleSeats,
+        @UseKeyConnector,
+        @UseScim,
+        @UseCustomPermissions,
+        @UseSecretsManager,
+        @Status,
+        @UsePasswordManager,
+        @SmSeats,
+        @SmServiceAccounts,
+        @MaxAutoscaleSmSeats,
+        @MaxAutoscaleSmServiceAccounts,
+        @SecretsManagerBeta,
+        @LimitCollectionCreationDeletion,
+        @AllowAdminAccessToAllCollectionItems,
+        @FlexibleCollections
+    )
+END
+GO
+
+
+--Alter `Organization_Update` sproc to include new column and default value
+CREATE OR ALTER PROCEDURE [dbo].[Organization_Update]
+    @Id UNIQUEIDENTIFIER,
+    @Identifier NVARCHAR(50),
+    @Name NVARCHAR(50),
+    @BusinessName NVARCHAR(50),
+    @BusinessAddress1 NVARCHAR(50),
+    @BusinessAddress2 NVARCHAR(50),
+    @BusinessAddress3 NVARCHAR(50),
+    @BusinessCountry VARCHAR(2),
+    @BusinessTaxNumber NVARCHAR(30),
+    @BillingEmail NVARCHAR(256),
+    @Plan NVARCHAR(50),
+    @PlanType TINYINT,
+    @Seats INT,
+    @MaxCollections SMALLINT,
+    @UsePolicies BIT,
+    @UseSso BIT,
+    @UseGroups BIT,
+    @UseDirectory BIT,
+    @UseEvents BIT,
+    @UseTotp BIT,
+    @Use2fa BIT,
+    @UseApi BIT,
+    @UseResetPassword BIT,
+    @SelfHost BIT,
+    @UsersGetPremium BIT,
+    @Storage BIGINT,
+    @MaxStorageGb SMALLINT,
+    @Gateway TINYINT,
+    @GatewayCustomerId VARCHAR(50),
+    @GatewaySubscriptionId VARCHAR(50),
+    @ReferenceData VARCHAR(MAX),
+    @Enabled BIT,
+    @LicenseKey VARCHAR(100),
+    @PublicKey VARCHAR(MAX),
+    @PrivateKey VARCHAR(MAX),
+    @TwoFactorProviders NVARCHAR(MAX),
+    @ExpirationDate DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7),
+    @OwnersNotifiedOfAutoscaling DATETIME2(7),
+    @MaxAutoscaleSeats INT,
+    @UseKeyConnector BIT = 0,
+    @UseScim BIT = 0,
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0,
+    @Status TINYINT = 0,
+    @UsePasswordManager BIT = 1,
+    @SmSeats INT = null,
+    @SmServiceAccounts INT = null,
+    @MaxAutoscaleSmSeats INT = null,
+    @MaxAutoscaleSmServiceAccounts INT = null,
+    @SecretsManagerBeta BIT = 0,
+    @LimitCollectionCreationDeletion BIT = 1,
+    @AllowAdminAccessToAllCollectionItems BIT = 1,
+    @FlexibleCollections BIT = 0
+AS
+BEGIN
+    SET NOCOUNT ON
+
+UPDATE
+    [dbo].[Organization]
+SET
+    [Identifier] = @Identifier,
+    [Name] = @Name,
+    [BusinessName] = @BusinessName,
+    [BusinessAddress1] = @BusinessAddress1,
+    [BusinessAddress2] = @BusinessAddress2,
+    [BusinessAddress3] = @BusinessAddress3,
+    [BusinessCountry] = @BusinessCountry,
+    [BusinessTaxNumber] = @BusinessTaxNumber,
+    [BillingEmail] = @BillingEmail,
+    [Plan] = @Plan,
+    [PlanType] = @PlanType,
+    [Seats] = @Seats,
+    [MaxCollections] = @MaxCollections,
+    [UsePolicies] = @UsePolicies,
+    [UseSso] = @UseSso,
+    [UseGroups] = @UseGroups,
+    [UseDirectory] = @UseDirectory,
+    [UseEvents] = @UseEvents,
+    [UseTotp] = @UseTotp,
+    [Use2fa] = @Use2fa,
+    [UseApi] = @UseApi,
+    [UseResetPassword] = @UseResetPassword,
+    [SelfHost] = @SelfHost,
+    [UsersGetPremium] = @UsersGetPremium,
+    [Storage] = @Storage,
+    [MaxStorageGb] = @MaxStorageGb,
+    [Gateway] = @Gateway,
+    [GatewayCustomerId] = @GatewayCustomerId,
+    [GatewaySubscriptionId] = @GatewaySubscriptionId,
+    [ReferenceData] = @ReferenceData,
+    [Enabled] = @Enabled,
+    [LicenseKey] = @LicenseKey,
+    [PublicKey] = @PublicKey,
+    [PrivateKey] = @PrivateKey,
+    [TwoFactorProviders] = @TwoFactorProviders,
+    [ExpirationDate] = @ExpirationDate,
+    [CreationDate] = @CreationDate,
+    [RevisionDate] = @RevisionDate,
+    [OwnersNotifiedOfAutoscaling] = @OwnersNotifiedOfAutoscaling,
+    [MaxAutoscaleSeats] = @MaxAutoscaleSeats,
+    [UseKeyConnector] = @UseKeyConnector,
+    [UseScim] = @UseScim,
+    [UseCustomPermissions] = @UseCustomPermissions,
+    [UseSecretsManager] = @UseSecretsManager,
+    [Status] = @Status,
+    [UsePasswordManager] = @UsePasswordManager,
+    [SmSeats] = @SmSeats,
+    [SmServiceAccounts] = @SmServiceAccounts,
+    [MaxAutoscaleSmSeats] = @MaxAutoscaleSmSeats,
+    [MaxAutoscaleSmServiceAccounts] = @MaxAutoscaleSmServiceAccounts,
+    [SecretsManagerBeta] = @SecretsManagerBeta,
+    [LimitCollectionCreationDeletion] = @LimitCollectionCreationDeletion,
+    [AllowAdminAccessToAllCollectionItems] = @AllowAdminAccessToAllCollectionItems,
+    [FlexibleCollections] = @FlexibleCollections
+WHERE
+    [Id] = @Id
+END
+GO
+
+/**
+  ORGANIZATION VIEWS
+ */
+
+-- Update OrganizationUserOrganizationDetailsView to include new column and default value
+CREATE OR ALTER VIEW [dbo].[OrganizationUserOrganizationDetailsView]
+AS
+SELECT
+    OU.[UserId],
+    OU.[OrganizationId],
+    O.[Name],
+    O.[Enabled],
+    O.[PlanType],
+    O.[UsePolicies],
+    O.[UseSso],
+    O.[UseKeyConnector],
+    O.[UseScim],
+    O.[UseGroups],
+    O.[UseDirectory],
+    O.[UseEvents],
+    O.[UseTotp],
+    O.[Use2fa],
+    O.[UseApi],
+    O.[UseResetPassword],
+    O.[SelfHost],
+    O.[UsersGetPremium],
+    O.[UseCustomPermissions],
+    O.[UseSecretsManager],
+    O.[Seats],
+    O.[MaxCollections],
+    O.[MaxStorageGb],
+    O.[Identifier],
+    OU.[Key],
+    OU.[ResetPasswordKey],
+    O.[PublicKey],
+    O.[PrivateKey],
+    OU.[Status],
+    OU.[Type],
+    SU.[ExternalId] SsoExternalId,
+    OU.[Permissions],
+    PO.[ProviderId],
+    P.[Name] ProviderName,
+    P.[Type] ProviderType,
+    SS.[Data] SsoConfig,
+    OS.[FriendlyName] FamilySponsorshipFriendlyName,
+    OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
+    OS.[ToDelete] FamilySponsorshipToDelete,
+    OS.[ValidUntil] FamilySponsorshipValidUntil,
+    OU.[AccessSecretsManager],
+    O.[UsePasswordManager],
+    O.[SmSeats],
+    O.[SmServiceAccounts],
+    O.[LimitCollectionCreationDeletion],
+    O.[AllowAdminAccessToAllCollectionItems],
+    O.[FlexibleCollections]
+FROM
+    [dbo].[OrganizationUser] OU
+LEFT JOIN
+    [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[SsoUser] SU ON SU.[UserId] = OU.[UserId] AND SU.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[ProviderOrganization] PO ON PO.[OrganizationId] = O.[Id]
+LEFT JOIN
+    [dbo].[Provider] P ON P.[Id] = PO.[ProviderId]
+LEFT JOIN
+    [dbo].[SsoConfig] SS ON SS.[OrganizationId] = OU.[OrganizationId]
+LEFT JOIN
+    [dbo].[OrganizationSponsorship] OS ON OS.[SponsoringOrganizationUserID] = OU.[Id]
+GO
+
+--Manually refresh OrganizationView
+IF OBJECT_ID('[dbo].[OrganizationView]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[OrganizationView]';
+    END
+GO
+
+/**
+  PROVIDER VIEWS - not directly modified, but access Organization table
+ */
+
+--Manually refresh ProviderOrganizationOrganizationDetailsView
+IF OBJECT_ID('[dbo].[ProviderOrganizationOrganizationDetailsView]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[ProviderOrganizationOrganizationDetailsView]';
+    END
+GO
+
+--Manually refresh ProviderUserProviderOrganizationDetailsView
+IF OBJECT_ID('[dbo].[ProviderUserProviderOrganizationDetailsView]') IS NOT NULL
+    BEGIN
+        EXECUTE sp_refreshsqlmodule N'[dbo].[ProviderUserProviderOrganizationDetailsView]';
+    END
+GO

util/Migrator/DbScripts/2024-01-11_01_OrganizationAbilitiesAddFlexibleCollectionsColumn.sql

@@ -0,0 +1,31 @@
+--Update stored procedure to include LimitCollectionCreationDeletion property
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadAbilities]
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [Id],
+        [UseEvents],
+        [Use2fa],
+        CASE
+            WHEN [Use2fa] = 1 AND [TwoFactorProviders] IS NOT NULL AND [TwoFactorProviders] != '{}' THEN
+                1
+            ELSE
+                0
+            END AS [Using2fa],
+        [UsersGetPremium],
+        [UseCustomPermissions],
+        [UseSso],
+        [UseKeyConnector],
+        [UseScim],
+        [UseResetPassword],
+        [UsePolicies],
+        [Enabled],
+        [LimitCollectionCreationDeletion],
+        [AllowAdminAccessToAllCollectionItems],
+        [FlexibleCollections]
+    FROM
+        [dbo].[Organization]
+END
+GO

util/MySqlMigrations/Migrations/20231229202309_AddToolsTableIndexes.cs

@@ -0,0 +1,35 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddToolsTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send",
+            column: "DeletionDate");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send",
+            columns: new[] { "UserId", "OrganizationId" });
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send");
+    }
+}

util/MySqlMigrations/Migrations/20240109215348_AddTableIndexes.cs

@@ -0,0 +1,110 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Email",
+            table: "User",
+            column: "Email",
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User",
+            columns: new[] { "Premium", "PremiumExpirationDate", "RenewalReminderDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction",
+            columns: new[] { "UserId", "OrganizationId", "CreationDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser",
+            columns: new[] { "UserId", "OrganizationId", "Status" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship",
+            column: "SponsoringOrganizationUserId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization",
+            columns: new[] { "Id", "Enabled" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event",
+            columns: new[] { "Date", "OrganizationId", "ActingUserId", "CipherId" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_Identifier",
+            table: "Device",
+            column: "Identifier");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device",
+            columns: new[] { "UserId", "Identifier" },
+            unique: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_User_Email",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_Identifier",
+            table: "Device");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device");
+    }
+}

util/MySqlMigrations/Migrations/20240111034851_OrganizationFlexibleCollectionsColumn.cs

@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.MySqlMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationFlexibleCollectionsColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "FlexibleCollections",
+            table: "Organization",
+            type: "tinyint(1)",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "FlexibleCollections",
+            table: "Organization");
+    }
+}

util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -65,6 +65,9 @@ namespace Bit.MySqlMigrations.Migrations
                     b.Property<DateTime?>("ExpirationDate")
                         .HasColumnType("datetime(6)");
 
+                    b.Property<bool>("FlexibleCollections")
+                        .HasColumnType("tinyint(1)");
+
                     b.Property<byte?>("Gateway")
                         .HasColumnType("tinyint unsigned");
 
@@ -200,6 +203,9 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
                     b.ToTable("Organization", (string)null);
                 });
 
@@ -228,7 +234,12 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Policy", (string)null);
                 });
@@ -774,7 +785,15 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Device", (string)null);
                 });
@@ -847,6 +866,9 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("Event", (string)null);
                 });
 
@@ -1047,6 +1069,9 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasIndex("SponsoringOrganizationId");
 
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("OrganizationSponsorship", (string)null);
                 });
 
@@ -1098,9 +1123,15 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "Status")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "AccessAll" })
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("OrganizationUser", (string)null);
                 });
@@ -1155,9 +1186,16 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Send", (string)null);
                 });
@@ -1235,7 +1273,11 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Transaction", (string)null);
                 });
@@ -1385,6 +1427,13 @@ namespace Bit.MySqlMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("User", (string)null);
                 });
 

util/PostgresMigrations/Migrations/20231229202259_AddToolsTableIndexes.cs

@@ -0,0 +1,35 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddToolsTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send",
+            column: "DeletionDate");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send",
+            columns: new[] { "UserId", "OrganizationId" });
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send");
+    }
+}

util/PostgresMigrations/Migrations/20240109215338_AddTableIndexes.cs

@@ -0,0 +1,112 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Email",
+            table: "User",
+            column: "Email",
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User",
+            columns: new[] { "Premium", "PremiumExpirationDate", "RenewalReminderDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction",
+            columns: new[] { "UserId", "OrganizationId", "CreationDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser",
+            columns: new[] { "UserId", "OrganizationId", "Status" })
+            .Annotation("Npgsql:IndexInclude", new[] { "AccessAll" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship",
+            column: "SponsoringOrganizationUserId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization",
+            columns: new[] { "Id", "Enabled" })
+            .Annotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event",
+            columns: new[] { "Date", "OrganizationId", "ActingUserId", "CipherId" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_Identifier",
+            table: "Device",
+            column: "Identifier");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device",
+            columns: new[] { "UserId", "Identifier" },
+            unique: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_User_Email",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_Identifier",
+            table: "Device");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device");
+    }
+}

util/PostgresMigrations/Migrations/20240111034857_OrganizationFlexibleCollectionsColumn.cs

@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.PostgresMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationFlexibleCollectionsColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "FlexibleCollections",
+            table: "Organization",
+            type: "boolean",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "FlexibleCollections",
+            table: "Organization");
+    }
+}

util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -69,6 +69,9 @@ namespace Bit.PostgresMigrations.Migrations
                     b.Property<DateTime?>("ExpirationDate")
                         .HasColumnType("timestamp with time zone");
 
+                    b.Property<bool>("FlexibleCollections")
+                        .HasColumnType("boolean");
+
                     b.Property<byte?>("Gateway")
                         .HasColumnType("smallint");
 
@@ -205,6 +208,10 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Id", "Enabled");
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("Id", "Enabled"), new[] { "UseTotp" });
+
                     b.ToTable("Organization", (string)null);
                 });
 
@@ -233,7 +240,12 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Policy", (string)null);
                 });
@@ -786,7 +798,15 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Device", (string)null);
                 });
@@ -859,6 +879,9 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("Event", (string)null);
                 });
 
@@ -1059,6 +1082,9 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasIndex("SponsoringOrganizationId");
 
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("OrganizationSponsorship", (string)null);
                 });
 
@@ -1110,9 +1136,16 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "Status")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    NpgsqlIndexBuilderExtensions.IncludeProperties(b.HasIndex("UserId", "OrganizationId", "Status"), new[] { "AccessAll" });
 
                     b.ToTable("OrganizationUser", (string)null);
                 });
@@ -1167,9 +1200,16 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Send", (string)null);
                 });
@@ -1247,7 +1287,11 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Transaction", (string)null);
                 });
@@ -1398,6 +1442,13 @@ namespace Bit.PostgresMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("User", (string)null);
                 });
 

util/SqliteMigrations/Migrations/20231229202304_AddToolsTableIndexes.cs

@@ -0,0 +1,35 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddToolsTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send",
+            column: "DeletionDate");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send",
+            columns: new[] { "UserId", "OrganizationId" });
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_Send_DeletionDate",
+            table: "Send");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Send_UserId_OrganizationId",
+            table: "Send");
+    }
+}

util/SqliteMigrations/Migrations/20240109215333_AddTableIndexes.cs

@@ -0,0 +1,110 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class AddTableIndexes : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Email",
+            table: "User",
+            column: "Email",
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User",
+            columns: new[] { "Premium", "PremiumExpirationDate", "RenewalReminderDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction",
+            columns: new[] { "UserId", "OrganizationId", "CreationDate" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy",
+            columns: new[] { "OrganizationId", "Type" },
+            unique: true);
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser",
+            columns: new[] { "UserId", "OrganizationId", "Status" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship",
+            column: "SponsoringOrganizationUserId");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization",
+            columns: new[] { "Id", "Enabled" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event",
+            columns: new[] { "Date", "OrganizationId", "ActingUserId", "CipherId" });
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_Identifier",
+            table: "Device",
+            column: "Identifier");
+
+        migrationBuilder.CreateIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device",
+            columns: new[] { "UserId", "Identifier" },
+            unique: true);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropIndex(
+            name: "IX_User_Email",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_User_Premium_PremiumExpirationDate_RenewalReminderDate",
+            table: "User");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Transaction_UserId_OrganizationId_CreationDate",
+            table: "Transaction");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Policy_OrganizationId_Type",
+            table: "Policy");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationUser_UserId_OrganizationId_Status",
+            table: "OrganizationUser");
+
+        migrationBuilder.DropIndex(
+            name: "IX_OrganizationSponsorship_SponsoringOrganizationUserId",
+            table: "OrganizationSponsorship");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Organization_Id_Enabled",
+            table: "Organization");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Event_Date_OrganizationId_ActingUserId_CipherId",
+            table: "Event");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_Identifier",
+            table: "Device");
+
+        migrationBuilder.DropIndex(
+            name: "IX_Device_UserId_Identifier",
+            table: "Device");
+    }
+}

util/SqliteMigrations/Migrations/20240111034245_OrganizationFlexibleCollectionsColumn.cs

@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Bit.SqliteMigrations.Migrations;
+
+/// <inheritdoc />
+public partial class OrganizationFlexibleCollectionsColumn : Migration
+{
+    /// <inheritdoc />
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.AddColumn<bool>(
+            name: "FlexibleCollections",
+            table: "Organization",
+            type: "INTEGER",
+            nullable: false,
+            defaultValue: false);
+    }
+
+    /// <inheritdoc />
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.DropColumn(
+            name: "FlexibleCollections",
+            table: "Organization");
+    }
+}

util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs

@@ -63,6 +63,9 @@ namespace Bit.SqliteMigrations.Migrations
                     b.Property<DateTime?>("ExpirationDate")
                         .HasColumnType("TEXT");
 
+                    b.Property<bool>("FlexibleCollections")
+                        .HasColumnType("INTEGER");
+
                     b.Property<byte?>("Gateway")
                         .HasColumnType("INTEGER");
 
@@ -198,6 +201,9 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Id", "Enabled")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "UseTotp" });
+
                     b.ToTable("Organization", (string)null);
                 });
 
@@ -226,7 +232,12 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("OrganizationId", "Type")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Policy", (string)null);
                 });
@@ -772,7 +783,15 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("Identifier")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "Identifier")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Device", (string)null);
                 });
@@ -845,6 +864,9 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Date", "OrganizationId", "ActingUserId", "CipherId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("Event", (string)null);
                 });
 
@@ -1045,6 +1067,9 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasIndex("SponsoringOrganizationId");
 
+                    b.HasIndex("SponsoringOrganizationUserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("OrganizationSponsorship", (string)null);
                 });
 
@@ -1096,9 +1121,15 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
-                    b.HasIndex("OrganizationId");
+                    b.HasIndex("OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "Status")
+                        .HasAnnotation("Npgsql:IndexInclude", new[] { "AccessAll" })
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("OrganizationUser", (string)null);
                 });
@@ -1153,9 +1184,16 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("DeletionDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Send", (string)null);
                 });
@@ -1233,7 +1271,11 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasIndex("OrganizationId");
 
-                    b.HasIndex("UserId");
+                    b.HasIndex("UserId")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("UserId", "OrganizationId", "CreationDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
 
                     b.ToTable("Transaction", (string)null);
                 });
@@ -1383,6 +1425,13 @@ namespace Bit.SqliteMigrations.Migrations
 
                     b.HasKey("Id");
 
+                    b.HasIndex("Email")
+                        .IsUnique()
+                        .HasAnnotation("SqlServer:Clustered", false);
+
+                    b.HasIndex("Premium", "PremiumExpirationDate", "RenewalReminderDate")
+                        .HasAnnotation("SqlServer:Clustered", false);
+
                     b.ToTable("User", (string)null);
                 });