LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Forcefield
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Nodes and SSO
  • Nodes and Active Directory
  • Creating Nodes
  • Navigating Nodes
  • Team and User Sharing Visibility
  • Node Isolation
  • Managed Service Providers
  • Nodes & Administrative Permissions
  • Nodes & User Provisioning
  • Stacking Provisioning Methods
  • Adding a Provisioning Method

Was this helpful?

Export as PDF

Nodes and Organizational Structure

Keeper's node architecture scales for organizations of all sizes

PreviousKeeper Admin Console OverviewNextRisk Management Dashboard

Last updated 1 month ago

Was this helpful?

Keeper's "node" architecture provides customers with a way to organize users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. A node is typically associated with different provisioning methods and identity providers.

By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.

Smaller organizations might choose to administer keeper as single level. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. Larger organizations benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators.

Nodes and SSO

When rolling out Keeper alongside an SSO identity provider, we require that those users are located within a node. This way, you can have any number of nodes associated with one or more SSO identity providers.

Nodes and Active Directory

When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.

Watch the video below to learn about nodes and organizational structure.

Creating Nodes

Navigating Nodes

At any time, you can change which node you are viewing by navigating to or selecting the nodes on the Node selector. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree.

Team and User Sharing Visibility

When users are in the vault and sharing records, Teams and Users are visible in the auto-suggest field by all users regardless of what node the team or user resides in.

Node Isolation

If the desire is to restrict visibility and control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion dropdown menu when setting up sharing of folders, "node isolation" will need to be enabled. With node isolation enabled, "children" of a node can see each others' associated users/teams as well of those above it (parent nodes).

When a node is isolated, users and teams in the parent node will be visible. Node isolation only limits visibility between parallel nodes.

Note: Any user who is an a role with admin rights having Share Admin permissions will also appear in auto-suggestion drop-downs, if the role has management permissions over the node for the currently logged-in user.

Activating node isolation

To find a list of nodes and node IDs, use the enterprise-info command:

enterprise-info --nodes

To enable node isolation for a specific node, use the enterprise-node command:

enterprise-node --toggle-isolated <NODE_ID>

After node isolation is enabled, a visual indicator will show in the console:

Node Isolation affects the ability for users to share records and folders outside of their node tree. For example, when sharing a record from the vault, the auto-suggestion list is restricted.

Managed Service Providers

Nodes & Administrative Permissions

Within a Node, the "Role" is defined that can enable administrative permissions.

If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions are only applied the the specific node to which the role belongs.

Nodes & User Provisioning

Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.

Stacking Provisioning Methods

A node can contain one or more authentication or provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration. Or you can authenticate with SSO and privision with SCIM.

Adding a Provisioning Method

Navigate to the Node that you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".

To manually create Nodes and Sub Nodes, select the button and click Add Node. The Add Node window will appear. Enter the name of the Node and select the node where you want the new node to be added in the tree structure.

Turning on node isolation can be accomplished using the , or by opening a support ticket with Keeper support.

If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend you instead use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found here:

Keeper Commander CLI
Keeper MSP Guide
Nodes and Organizational Structure
Nodes and Organizational Structure
Adding a Node
Navigating Nodes
Sharing Autosuggest
Isolated Node Indicator
Node Isolation affected in Vault Sharing
Cascade Node Permissions
Provisioning Method