Enterprise Guide
© 2025 Keeper Security, Inc.


Delegated Administration

Overview of role-based Administrative Permissions


Last updated 8 months ago


Delegated Admin via Administrative Permissions

A Keeper role can be granted Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different roles to have different permissions inside of the Admin Console.

An example of a role that can be created would be a Delegated Admin role. In this role the administrator can set up one or more Administrative Permissions that allow users in the role to log in to the Keeper Admin Console and perform administrative functions. For example, the delegated admin can be given permission to create teams, add users, create or edit roles, run reports, approve devices and perform account transfers. These permissions can be limited to a single node or they can cascade or traverse down the tree structure to all the sub-nodes.

Adding Administrative Permission

To create a privileged role with admin permissions, click on the + Add Managing Node button in the Administrative Permissions section.

Each node a role manages has its own set of permissions, and those permissions can cascade down from that node. For example, suppose the role was created in the top, root-level node and three other nodes were created under it. The Administrative Permission can be added at the top node, the privileges added, and Cascade Node Permissions selected. This then applies those permissions to all four nodes for members of that role.

  1. To give Administrative Permissions to a Role, select the + Add Managing Node button on the Role screen.

  2. Select a Node and click OK.

  3. Set permissions by clicking on the gear icon next to the node you added.

When Cascade Node Permissions is selected, the permissions will be applied to all sub-nodes of the parent node. It is important to note that Administrative Permissions cannot be added to a Role if one or more of its users still have an "invited" status.
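The cascade rule described above can be modeled for an access review. This is an added example, not Keeper's code or API: the `Grant` class, the helper functions, the node names and the "Helpdesk" role are all hypothetical, and the sample tree is constructed to match the root-plus-three-nodes case in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One managing-node entry on a role (hypothetical model, not Keeper's API)."""
    role: str
    node: str
    permissions: frozenset
    cascade: bool = False  # models the Cascade Node Permissions checkbox

def ancestors(parent, node):
    """Yield the node itself, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = parent[node]

def effective_permissions(parent, grants, role, node):
    """Permissions a role holds on a node: grants made directly on the node,
    plus grants on any ancestor that have cascade enabled."""
    perms = set()
    for depth, anc in enumerate(ancestors(parent, node)):
        for g in grants:
            if g.role == role and g.node == anc and (depth == 0 or g.cascade):
                perms |= g.permissions
    return perms

def scope_report(parent, grants, role):
    """Map each permission to the sorted list of nodes where the role can use it."""
    report = {}
    for node in parent:
        for perm in effective_permissions(parent, grants, role, node):
            report.setdefault(perm, []).append(node)
    return {perm: sorted(nodes) for perm, nodes in report.items()}

# Constructed sample: child -> parent; the root node with three nodes under it.
TREE = {"Root": None, "Sales": "Root", "Engineering": "Root", "Finance": "Root"}
GRANTS = [
    Grant("Delegated Admin", "Root",
          frozenset({"Manage Users", "Manage Teams"}), cascade=True),
    Grant("Helpdesk", "Sales", frozenset({"Perform Device Approvals"})),
    Grant("Helpdesk", "Root", frozenset({"Run Security Reports"})),  # no cascade
]

if __name__ == "__main__":
    for role in ("Delegated Admin", "Helpdesk"):
        for perm, nodes in sorted(scope_report(TREE, GRANTS, role).items()):
            print(f"{role}: {perm} -> {', '.join(nodes)}")
```

The report makes the difference visible: the cascading grant at the root reaches all four nodes, while the non-cascading grants stay on the single node where they were added.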

A description of each permission is below.

| Permission | Description |
|---|---|
| Manage Nodes | The ability to add, remove, or edit nodes. |
| Manage Users | The ability to add, remove, or edit users. |
| Manage Roles | The ability to add, remove, or edit roles. |
| Manage Companies (MSP) | The ability to add, remove, and assign base-plans and secure add-ons to managed companies. Can also launch to the managed companies administrator consoles with full administrative permissions (only appears for MSP customers). |
| Manage Teams | The ability to add, remove, or add members to Teams. |
| Manage Bridge/SSO | The ability to add, remove, or configure the Enterprise Bridge or SSO. |
| Run Security Reports | The ability to run and configure reports (Advanced Reporting & Alerts Module). |
| Perform Device Approvals | For SSO cloud users, the ability to approve devices. |
| Transfer Account | The ability to transfer a user's vault (if the user's Role is configured to allow this). See Account Transfer policy. |
| Cascade Node Permissions | If selected, the permissions apply to this node and all sub-nodes. |
| Manage record Types in Vault | This permission allows the admin rights to create, edit, or delete Record Types which have pre-defined fields. Record Types appear during creation of records in the user's vault. Learn more about record types. |
| Share Admin | Provides elevated access rights over the organization's shared folders and shared records. Learn more about Share Admin. |
| Run Compliance Reports | Provides on-demand visibility of the access permissions associated with your enterprise records. Learn more about compliance reports. |

Only administrators who are currently a member of this role are able to select "Transfer Account". If needed, you can add yourself to the role, or another administrator within the role can set this permission.

Administrative Permission vs. Role Enforcements

Both Administrative permissions and enforcements are configurable from within a role. Enforcements are rules or policies that apply to the end user's vault experience and security. Administrative Permissions grant rights to perform certain actions within the admin console (also known as delegated administration).

We recommend that only specific roles are given Administrative Permission, and the permission level should be based on the least amount of privilege required by that role.

For example, the default Keeper Administrator may have created a role called "All Users" specifically to handle the policies that are desired for all the users that have been onboarded to the Keeper platform. If you intend for one of those users to be able to perform some of the administrative permissions, create a new role called "Delegated Admin", grant the administrative permissions, and make the user a member of that role.