Nodes and Organizational Structure
Keeper's node architecture scales for organizations of all sizes
Last updated
Keeper's node architecture scales for organizations of all sizes
Last updated
Keeper's "node" architecture provides customers with a way to organize users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. A node is typically associated with different provisioning methods and identity providers.
By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.
Smaller organizations might choose to administer keeper as single level. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. Larger organizations benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators.
When rolling out Keeper alongside an SSO identity provider, we require that those users are located within a node. This way, you can have any number of nodes associated with one or more SSO identity providers.
When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.
Watch the video below to learn about nodes and organizational structure.
At any time, you can change which node you are viewing by navigating to or selecting the nodes on the Node selector. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree.
When users are in the vault and sharing records, Teams and Users are visible in the auto-suggest field by all users regardless of what node the team or user resides in.
If the desire is to restrict visibility and control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion dropdown menu when setting up sharing of folders, "node isolation" will need to be enabled. With node isolation enabled, "children" of a node can see each others's associated users/teams as well of those above it (parent nodes).
When a node is isolated, users and teams in the parent node will be visible. Node isolation only limits visibility between parallel nodes.
Note: Any user who is an a role with admin rights having Share Admin permissions will also appear in auto-suggestion drop-downs, if the role has management permissions over the node for the currently logged-in user.
Turning on node isolation can be accomplished using the Keeper Commander CLI, or by opening a support ticket with Keeper support.
To find a list of nodes and node IDs, use the enterprise-info
command:
To enable node isolation for a specific node, use the enterprise-node
command:
After node isolation is enabled, a visual indicator will show in the console:
Node Isolation affects the ability for users to share records and folders outside of their node tree. For example, when sharing a record from the vault, the auto-suggestion list is restricted.
If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend you instead use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found here: Keeper MSP Guide
Within a Node, the "Role" is defined that can enable administrative permissions.
If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions are only applied the the specific node to which the role belongs.
Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.
A node can contain one or more provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration.
Navigate to the Node that you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".
To manually create Nodes and Sub Nodes, select the button and click Add Node. The Add Node window will appear. Enter the name of the Node and select the node where you want the new node to be added in the tree structure.