# Team and User Approvals The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User). Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval". Keeper provides several methods of approvals, manual and automated. ## Team and User Approval Process New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper. New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods. Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared. ## Approval Method 1: Admin Console Login Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key. ## Approval Method 2: Vault Login Team members approvals are completed automatically when any member of the team (including the Admin) log into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key. ## Approval Method 3: Keeper Automator Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment. {% hint style="info" %} Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals {% endhint %} Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users. See the setup instructions [here](https://app.gitbook.com/s/-MB_i6vKdtG6Z2n6zWgJ/device-approvals/automator). ## Approval Method 4: Keeper Commander Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander. {% hint style="info" %} Download Keeper Commander here: . {% endhint %} `team-approve` approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge. ``` My Vault> team-approve ``` **Keeper Commander Parameters** * `--team` approve teams only * `--user` approve team users only * `--restrict-edit {on,off}` disable record edits * `--restrict-share {on,off}` disable record re-shares * `--restrict-view {on,off}` disable view/copy passwords `device-approve` approves SSO Cloud user devices. ``` My Vault> device-approve ``` * `--approve` approve all devices * `--trusted-ip` approve devices that come from recognized IPs * `--reload` retrieve the latest devices pending approval * `--deny` deny a device See the setup instructions [here](https://app.gitbook.com/s/-MJXOXEifAmpyvNVL1to/commander-cli/command-reference/enterprise-management-commands#device-approve-command). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/en/enterprise-guide/user-and-team-provisioning/approval-queue.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.