Flag for org users to access all subvaults

2025-07-18 16:11:28 -05:00 · 2017-04-20 23:50:12 -04:00
parent aa5b79df2b
commit b0b6cac97b
26 changed files with 139 additions and 106 deletions
--- a/src/Sql/dbo/Functions/UserCanEditCipher.sql
+++ b/src/Sql/dbo/Functions/UserCanEditCipher.sql
@ -5,22 +5,22 @@ BEGIN

    ;WITH [CTE] AS(
        SELECT
-            CASE WHEN SU.[ReadOnly] = 0 THEN 1 ELSE 0 END [CanEdit]
+            CASE WHEN OU.[AccessAllSubvaults] = 1 OR SU.[ReadOnly] = 0 THEN 1 ELSE 0 END [CanEdit]
        FROM
-            [dbo].[SubvaultUser] SU
+            [dbo].[Cipher] C
        INNER JOIN
-            [dbo].[SubvaultCipher] SC ON SC.SubvaultId = SU.SubvaultId
+            [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
        INNER JOIN
-            [dbo].[Cipher] C ON SC.[CipherId] = C.[Id]
-        INNER JOIN
-            [dbo].[OrganizationUser] OU ON OU.Id = SU.OrganizationUserId AND OU.OrganizationId = C.OrganizationId
-        INNER JOIN
-            [dbo].[Organization] O ON O.Id = C.OrganizationId
+            [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+        LEFT JOIN
+            [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+        LEFT JOIN
+            [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
        WHERE
            C.[Id] = @CipherId
-            AND OU.[UserId] = @UserId
            AND OU.[Status] = 2 -- 2 = Confirmed
            AND O.[Enabled] = 1
+            AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
    )
    SELECT
        @CanEdit = CASE WHEN COUNT(1) > 0 THEN 1 ELSE 0 END
--- a/Procedures/CipherDetails_ReadByIdUserId.sql
+++ b/Procedures/CipherDetails_ReadByIdUserId.sql
@ -9,23 +9,23 @@ BEGIN
        C.*
    FROM
        [dbo].[CipherDetails](@UserId) C
-    LEFT JOIN
-        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND SC.[CipherId] = C.[Id]
-    LEFT JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
-    LEFT JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    LEFT JOIN
        [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
        C.Id = @Id
        AND (
            C.[UserId] = @UserId
            OR (
                C.[UserId] IS NULL
-                AND OU.[UserId] = @UserId
                AND OU.[Status] = 2 -- 2 = Confirmed
                AND O.[Enabled] = 1
+                AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
            )
        )
 END
--- a/Procedures/CipherDetails_ReadByTypeUserId.sql
+++ b/Procedures/CipherDetails_ReadByTypeUserId.sql
@ -9,23 +9,23 @@ BEGIN
        C.*
    FROM
        [dbo].[CipherDetails](@UserId) C
-    LEFT JOIN
-        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND SC.[CipherId] = C.[Id]
-    LEFT JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
-    LEFT JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    LEFT JOIN
        [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
        C.[Type] = @Type
        AND (
            C.[UserId] = @UserId
            OR (
                C.[UserId] IS NULL
-                AND OU.[UserId] = @UserId
                AND OU.[Status] = 2 -- 2 = Confirmed
                AND O.[Enabled] = 1
+                AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
            )
        )
 END
--- a/Procedures/CipherDetails_ReadByUserId.sql
+++ b/Procedures/CipherDetails_ReadByUserId.sql
@ -8,20 +8,20 @@ BEGIN
        C.*
    FROM
        [dbo].[CipherDetails](@UserId) C
-    LEFT JOIN
-        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND SC.[CipherId] = C.[Id]
-    LEFT JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
-    LEFT JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    LEFT JOIN
        [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
        C.[UserId] = @UserId
        OR (
            C.[UserId] IS NULL
-            AND OU.[UserId] = @UserId
            AND OU.[Status] = 2 -- 2 = Confirmed
            AND O.[Enabled] = 1
+            AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
        )
 END
--- a/Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
+++ b/Procedures/CipherDetails_ReadByUserIdHasSubvault.sql
@ -8,16 +8,16 @@ BEGIN
        C.*
    FROM
        [dbo].[CipherDetails](@UserId) C
-    INNER JOIN
-        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND SC.[CipherId] = C.[Id]
-    INNER JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
-    INNER JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    INNER JOIN
        [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
+    INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
-        OU.[UserId] = @UserId 
-        AND OU.[Status] = 2 -- 2 = Confirmed
+        OU.[Status] = 2 -- 2 = Confirmed
        AND O.[Enabled] = 1
+        AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
 END
--- a/Procedures/CipherFullDetails_ReadByIdUserId.sql
+++ b/Procedures/CipherFullDetails_ReadByIdUserId.sql
@ -13,23 +13,23 @@ BEGIN
        END [Edit]
    FROM
        [dbo].[CipherDetails](@UserId) C
-    LEFT JOIN
-        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND SC.[CipherId] = C.[Id]
-    LEFT JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
-    LEFT JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
    LEFT JOIN
        [dbo].[Organization] O ON C.[UserId] IS NULL AND O.[Id] = C.[OrganizationId]
+    LEFT JOIN
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultCipher] SC ON C.[UserId] IS NULL AND OU.[AccessAllSubvaults] = 0 AND SC.[CipherId] = C.[Id]
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
        C.Id = @Id
        AND (
            C.[UserId] = @UserId
            OR (
                C.[UserId] IS NULL
-                AND OU.[UserId] = @UserId
                AND OU.[Status] = 2 -- 2 = Confirmed
                AND O.[Enabled] = 1
+                AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
            )
        )
 END
--- a/Procedures/Cipher_UpdateWithSubvaults.sql
+++ b/Procedures/Cipher_UpdateWithSubvaults.sql
@ -24,21 +24,21 @@ BEGIN
    WHERE
        [Id] = @Id

-
    ;WITH [AvailableSubvaultsCTE] AS(
        SELECT
-            SU.SubvaultId
+            S.[Id]
        FROM
-            [dbo].[SubvaultUser] SU
+            [dbo].[Subvault] S
        INNER JOIN
-            [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+            [Organization] O ON O.[Id] = S.[OrganizationId]
        INNER JOIN
-            [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+            [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+        LEFT JOIN
+            [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[SubvaultId] = S.[Id] AND SU.[OrganizationUserId] = OU.[Id]
        WHERE
-            OU.[UserId] = @UserId
-            AND SU.[ReadOnly] = 0
-            AND OU.[Status] = 2 -- Confirmed
+            OU.[Status] = 2 -- Confirmed
            AND O.[Enabled] = 1
+            AND (OU.[AccessAllSubvaults] = 1 OR SU.[ReadOnly] = 0)
    )
    INSERT INTO [dbo].[SubvaultCipher]
    (
@ -46,10 +46,10 @@ BEGIN
        [CipherId]
    )
    SELECT
-        Id,
+        [Id],
        @Id
    FROM
        @SubvaultIds
    WHERE
-        Id IN (SELECT SubvaultId FROM [AvailableSubvaultsCTE])
+        [Id] IN (SELECT [Id] FROM [AvailableSubvaultsCTE])
 END
--- a/Procedures/OrganizationUser_Create.sql
+++ b/Procedures/OrganizationUser_Create.sql
@ -6,6 +6,7 @@
    @Key VARCHAR(MAX),
    @Status TINYINT,
    @Type TINYINT,
+    @AccessAllSubvaults BIT,
    @CreationDate DATETIME2(7),
    @RevisionDate DATETIME2(7)
 AS
@ -21,6 +22,7 @@ BEGIN
        [Key],
        [Status],
        [Type],
+        [AccessAllSubvaults],
        [CreationDate],
        [RevisionDate]
    )
@ -33,6 +35,7 @@ BEGIN
        @Key,
        @Status,
        @Type,
+        @AccessAllSubvaults,
        @CreationDate,
        @RevisionDate
    )
--- a/Procedures/OrganizationUser_Update.sql
+++ b/Procedures/OrganizationUser_Update.sql
@ -6,6 +6,7 @@
    @Key VARCHAR(MAX),
    @Status TINYINT,
    @Type TINYINT,
+    @AccessAllSubvaults BIT,
    @CreationDate DATETIME2(7),
    @RevisionDate DATETIME2(7)
 AS
@ -21,6 +22,7 @@ BEGIN
        [Key] = @Key,
        [Status] = @Status,
        [Type] = @Type,
+        [AccessAllSubvaults] = @AccessAllSubvaults,
        [CreationDate] = @CreationDate,
        [RevisionDate] = @RevisionDate
    WHERE
--- a/Procedures/SubvaultCipher_ReadByUserId.sql
+++ b/Procedures/SubvaultCipher_ReadByUserId.sql
@ -9,10 +9,12 @@ BEGIN
    FROM
        [dbo].[SubvaultCipher] SC
    INNER JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+        [dbo].[Subvault] S ON S.[Id] = SC.[SubvaultId]
    INNER JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[SubvaultId] = S.[Id] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
-        OU.[UserId] = @UserId
-        AND OU.[Status] = 2 -- Confirmed
+        OU.[Status] = 2 -- Confirmed
+        AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
 END
--- a/Procedures/SubvaultCipher_ReadByUserIdCipherId.sql
+++ b/Procedures/SubvaultCipher_ReadByUserIdCipherId.sql
@ -10,11 +10,13 @@ BEGIN
    FROM
        [dbo].[SubvaultCipher] SC
    INNER JOIN
-        [dbo].[SubvaultUser] SU ON SU.[SubvaultId] = SC.[SubvaultId]
+        [dbo].[Subvault] S ON S.[Id] = SC.[SubvaultId]
    INNER JOIN
-        [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[SubvaultId] = S.[Id] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
        SC.[CipherId] = @CipherId
-        AND OU.[UserId] = @UserId
        AND OU.[Status] = 2 -- Confirmed
+        AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
 END
--- a/Procedures/SubvaultCipher_UpdateSubvaults.sql
+++ b/Procedures/SubvaultCipher_UpdateSubvaults.sql
@ -8,18 +8,19 @@ BEGIN

    ;WITH [AvailableSubvaultsCTE] AS(
        SELECT
-            SU.SubvaultId
+            S.[Id]
        FROM
-            [dbo].[SubvaultUser] SU
+            [dbo].[Subvault] S
        INNER JOIN
-            [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+            [Organization] O ON O.[Id] = S.[OrganizationId]
        INNER JOIN
-            [dbo].[Organization] O ON O.[Id] = OU.[OrganizationId]
+            [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+        LEFT JOIN
+            [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[SubvaultId] = S.[Id] AND SU.[OrganizationUserId] = OU.[Id]
        WHERE
-            OU.[UserId] = @UserId
-            AND SU.[ReadOnly] = 0
-            AND OU.[Status] = 2 -- Confirmed
+            OU.[Status] = 2 -- Confirmed
            AND O.[Enabled] = 1
+            AND (OU.[AccessAllSubvaults] = 1 OR SU.[ReadOnly] = 0)
    )
    MERGE
        [dbo].[SubvaultCipher] AS [Target]
@ -29,7 +30,7 @@ BEGIN
        [Target].[SubvaultId] = [Source].[Id]
        AND [Target].[CipherId] = @CipherId
    WHEN NOT MATCHED BY TARGET
-    AND [Source].[Id] IN (SELECT [SubvaultId] FROM [AvailableSubvaultsCTE]) THEN
+    AND [Source].[Id] IN (SELECT [Id] FROM [AvailableSubvaultsCTE]) THEN
        INSERT VALUES
        (
            [Source].[Id],
@ -37,7 +38,7 @@ BEGIN
        )
    WHEN NOT MATCHED BY SOURCE
    AND [Target].[CipherId] = @CipherId
-    AND [Target].[SubvaultId] IN (SELECT [SubvaultId] FROM [AvailableSubvaultsCTE]) THEN
+    AND [Target].[SubvaultId] IN (SELECT [Id] FROM [AvailableSubvaultsCTE]) THEN
        DELETE
    ;
 END
--- a/Procedures/SubvaultUserUserDetails_ReadBySubvaultId.sql
+++ b/Procedures/SubvaultUserUserDetails_ReadBySubvaultId.sql
@ -5,11 +5,10 @@ BEGIN
    SET NOCOUNT ON

    SELECT
-        SU.*
+        *
    FROM
-        [dbo].[SubvaultUserUserDetailsView] SU
-    INNER JOIN
-        [OrganizationUser] OU ON SU.[OrganizationUserId] = OU.[Id]
+        [dbo].[SubvaultUserUserDetailsView]
    WHERE
-        SU.[SubvaultId] = @SubvaultId
+        [AccessAllSubvaults] = 1 
+        OR [SubvaultId] = @SubvaultId
 END
--- a/Procedures/Subvault_ReadByUserId.sql
+++ b/Procedures/Subvault_ReadByUserId.sql
@ -9,13 +9,13 @@ BEGIN
    FROM
        [dbo].[SubvaultView] S
    INNER JOIN
-        [SubvaultUser] SU ON SU.[SubvaultId] = S.[Id]
+        [Organization] O ON O.[Id] = S.[OrganizationId]
    INNER JOIN
-        [OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
-    INNER JOIN
-        [Organization] O ON O.[Id] = OU.[OrganizationId]
+        [dbo].[OrganizationUser] OU ON OU.[OrganizationId] = O.[Id] AND OU.[UserId] = @UserId
+    LEFT JOIN
+        [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[SubvaultId] = S.[Id] AND SU.[OrganizationUserId] = OU.[Id]
    WHERE
-        OU.[UserId] = @UserId
-        AND OU.[Status] = 2 -- Confirmed
+        OU.[Status] = 2 -- Confirmed
        AND O.[Enabled] = 1
+        AND (OU.[AccessAllSubvaults] = 1 OR SU.[SubvaultId] IS NOT NULL)
 END
--- a/src/Sql/dbo/Tables/OrganizationUser.sql
+++ b/src/Sql/dbo/Tables/OrganizationUser.sql
@ -1,13 +1,14 @@
 CREATE TABLE [dbo].[OrganizationUser] (
-    [Id]             UNIQUEIDENTIFIER NOT NULL,
-    [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
-    [UserId]         UNIQUEIDENTIFIER NULL,
-    [Email]          NVARCHAR (50)    NULL,
-    [Key]            VARCHAR (MAX)    NULL,
-    [Status]         TINYINT          NOT NULL,
-    [Type]           TINYINT          NOT NULL,
-    [CreationDate]   DATETIME2 (7)    NOT NULL,
-    [RevisionDate]   DATETIME2 (7)    NOT NULL,
+    [Id]                    UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId]        UNIQUEIDENTIFIER NOT NULL,
+    [UserId]                UNIQUEIDENTIFIER NULL,
+    [Email]                 NVARCHAR (50)    NULL,
+    [Key]                   VARCHAR (MAX)    NULL,
+    [Status]                TINYINT          NOT NULL,
+    [Type]                  TINYINT          NOT NULL,
+    [AccessAllSubvaults]    BIT              NOT NULL,
+    [CreationDate]          DATETIME2 (7)    NOT NULL,
+    [RevisionDate]          DATETIME2 (7)    NOT NULL,
    CONSTRAINT [PK_OrganizationUser] PRIMARY KEY CLUSTERED ([Id] ASC),
    CONSTRAINT [FK_OrganizationUser_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]) ON DELETE CASCADE,
    CONSTRAINT [FK_OrganizationUser_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id])
--- a/src/Sql/dbo/Views/OrganizationUserUserDetailsView.sql
+++ b/src/Sql/dbo/Views/OrganizationUserUserDetailsView.sql
@ -7,7 +7,8 @@ SELECT
    U.[Name],
    ISNULL(U.[Email], OU.[Email]) Email,
    OU.[Status],
-    OU.[Type]
+    OU.[Type],
+    OU.[AccessAllSubvaults]
 FROM
    [dbo].[OrganizationUser] OU
 LEFT JOIN
--- a/src/Sql/dbo/Views/SubvaultUserUserDetailsView.sql
+++ b/src/Sql/dbo/Views/SubvaultUserUserDetailsView.sql
@ -1,17 +1,18 @@
 CREATE VIEW [dbo].[SubvaultUserUserDetailsView]
 AS
 SELECT
+    OU.[Id] AS [OrganizationUserId],
+    OU.[AccessAllSubvaults],
    SU.[Id],
-    SU.[OrganizationUserId],
    SU.[SubvaultId],
    U.[Name],
    ISNULL(U.[Email], OU.[Email]) Email,
    OU.[Status],
    OU.[Type],
-    SU.[ReadOnly]
+    CASE WHEN OU.[AccessAllSubvaults] = 0 AND SU.[ReadOnly] = 1 THEN 1 ELSE 0 END [ReadOnly]
 FROM
-    [dbo].[SubvaultUser] SU
-INNER JOIN
-    [dbo].[OrganizationUser] OU ON OU.[Id] = SU.[OrganizationUserId]
+    [dbo].[OrganizationUser] OU
+LEFT JOIN
+    [dbo].[SubvaultUser] SU ON OU.[AccessAllSubvaults] = 0 AND SU.[OrganizationUserId] = OU.[Id]
 LEFT JOIN
    [dbo].[User] U ON U.[Id] = OU.[UserId]