LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Team and User Approval Process
  • Approval Method 1: Admin Console Login
  • Approval Method 2: Vault Login
  • Approval Method 3: Keeper Automator
  • Approval Method 4: Keeper Commander

Was this helpful?

Export as PDF
  1. User and Team Provisioning

Team and User Approvals

Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams

The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

Keeper provides several methods of approvals, manual and automated.

Team and User Approval Process

New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods.

Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared.

Approval Method 1: Admin Console Login

Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 2: Vault Login

Team members approvals are completed automatically when any member of the team (including the Admin) log into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 3: Keeper Automator

Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.

Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals

Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.

Approval Method 4: Keeper Commander

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

My Vault> team-approve

Keeper Commander Parameters

  • --team approve teams only

  • --user approve team users only

  • --restrict-edit {on,off} disable record edits

  • --restrict-share {on,off} disable record re-shares

  • --restrict-view {on,off} disable view/copy passwords

device-approve approves SSO Cloud user devices.

My Vault> device-approve

  • --approve approve all devices

  • --trusted-ip approve devices that come from recognized IPs

  • --reload retrieve the latest devices pending approval

  • --deny deny a device

See the setup instructions here:

PreviousUsing SCIM API ProvisioningNextEmail Auto-Provisioning

Last updated 1 year ago

Was this helpful?

See the setup instructions here:

Download Keeper Commander here: .

https://docs.keeper.io/sso-connect-cloud/device-approvals/automator
https://github.com/Keeper-Security/commander
https://docs.keeper.io/secrets-manager/commander-cli/command-reference/enterprise-management-commands#device-approve-command