Account Transfer Policy

Transfer the contents of a vault to another Keeper user

Account Transfer: Employee Off-boarding

The Account Transfer policy provides business and enterprise customers with the ability to transfer a user's vault if they are terminated or abruptly leave the organization. This is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.

When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user. This account transfer functionality is an important and powerful way to take ownership of the content within a user's vault while retaining a secure role-based hierarchy.

When to Enable Account Transfer

By default the Account Transfer permission is off. The Keeper administrator can optionally turn on the permission which permits the ability to take the contents of a user's vault and transfer it to another user. It's important to note that this permission will need to be enabled prior to the time it will need to be used. For example, if User A has a password that gains access to a business essential application or account in their vault that no one else in the organization has access to, and User A, for any number of reasons is no longer able to authenticate to their vault, the business may find they are left in a tough situation to recover access. However, if the Account Transfer permission had been enabled in the default Keeper Administrator role (and any other role that is desired to have the permission to transfer capability) and applied to the role that User A is a member of, the Keeper Administrator would have the ability to transfer the full contents of User A's vault to another user.

Why is the initial setup required?

When the decision is made to enable the Account Transfer feature on a particular role, all of the users that are a member of that role will be subjected to the possibility of having the entire contents of their vault transferred and their account deleted at will by the Keeper Administrator. After the enforcement policy is enabled, the users within the managed role will receive a pop-up notification upon logging into their vault informing them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the user within the Admin Console would be unable to decrypt and transfer the data. The reason for this process flow is to maintain zero knowledge, and to also ensure that only specific users are able to be transferred or perform the transfer. Once the vault has been transferred to another user, the transferred user's vault is deleted.

Will the administrator have full access to a user's vault?

No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the Admin the capability to access the vault whenever they feel like it. The vault being transferred has to be locked first and after the contents are transferred the account is deleted. The end user will receive a notification when their account is locked by the Admin as well as when it's transferred and deleted.

How to Enable Account Transfer Functionality

Account Transfer functionality must be enabled and the user must login to their vault (and accept the account sharing consent) prior to performing a transfer by an Administrator. Follow the steps below to perform this action.

(1) Enable the Transfer Account setting within the Administrative Permissions of the role that will have the ability to initiate the account transfer.

If the Transfer Account checkbox cannot be checked, it is because the user must be logged into an account that is a member of the role, like the default Keeper Administrator, that has the Transfer Account permission enabled.

Note that a role (e.g. the Keeper Administrator role) must have this permission enabled before any other role can be granted transfer account permission.

(2) Turn on the Enable Transfer Account option under the Transfer Account section of the Enforcement Policy of the desired role.

(3) Select the administrative role that will have the ability to initiate a transfer (multiple roles may have the ability but only one role can be selected per enforcement).

Both new and existing users will be notified when account transfer is enabled and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent once upon logging into their vaults.

Please note that changing the administrative role from the dropdown will trigger a new acknowledgement notification to both new and existing users regardless of previous acceptance of the notification by users.

Accepting Account Transfer

Users will see this prompt when they log into their vault:

Performing an Account Transfer

(1) Lock the account of the user by selecting Lock Account from the user's configuration panel under User Actions (the configured admin will only have the ability to transfer records from a locked user).

(2) From within the same configuration panel, select Transfer Account. A window will open with a list of users. Select the user that will receive the transfer of records (the "recipient"), then select Transfer.

(3). The records, folders, and subfolders in the user’s account are transferred to the recipient's vault into a single folder (with the original owner's email address) and the original owner's account is permanently deleted.

The records contained in the user's "Deleted Items" will be transferred to the recipient's "Deleted Items".

Watch the video below to learn more about Account Transfer.

Account Transfer

Commander CLI

Account Transfer actions and automation can be performed through the Keeper Commander CLI. See the below related commands:

Last updated