Team and User Approvals

Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams

The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

Keeper provides several methods of approvals, manual and automated.

Team and User Approval Process

New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, by another team member, or by an automated method.

Action must be taken either by the Admin or through one of the methods outlined below, because encryption keys must be generated and/or shared.

Approval Method 1: Admin Console Login

Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 2: Vault Login

Team member approvals are completed automatically when any member of the team (including the Admin) logs into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.
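
The approval step described in Methods 1 and 2, as an added Python sketch that is not Keeper's code: a client that already holds the team key wraps it to each queued user's public key, which the server cannot do on its own. RSA-OAEP, the 32-byte key and the names Member, Server and approve_pending are assumptions for illustration; the sketch uses the third-party cryptography package.

```python
# Added illustration: approval modelled as public-key wrapping of a team key.
# RSA-OAEP and a 32-byte team key are assumptions, not Keeper's documented algorithms.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


class Member:
    """A user with a key pair; only the public half is known to the server."""
    def __init__(self, name):
        self.name = name
        self._private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public = self._private.public_key()
        self.team_key = None  # plaintext team key, held client-side only

    def unwrap(self, wrapped):
        self.team_key = self._private.decrypt(wrapped, OAEP)


class Server:
    """Stores public keys, the pending queue and wrapped keys, never a plaintext team key."""
    def __init__(self):
        self.queue = []      # names provisioned (e.g. by SCIM) and awaiting approval
        self.wrapped = {}    # name -> team key encrypted to that member's public key
        self.directory = {}  # name -> public key

    def provision(self, member):
        self.directory[member.name] = member.public
        self.queue.append(member.name)


def approve_pending(approver, server):
    """Run by a client that already holds the team key (admin, member or automation)."""
    if approver.team_key is None:
        raise PermissionError("approver does not hold the team key")
    approved = []
    for name in list(server.queue):
        server.wrapped[name] = server.directory[name].encrypt(approver.team_key, OAEP)
        server.queue.remove(name)
        approved.append(name)
    return approved


def demo():
    server, admin, alice = Server(), Member("admin"), Member("alice")
    admin.team_key = os.urandom(32)   # team key created on the admin's client
    server.provision(alice)           # constructed sample: alice arrives via provisioning
    approve_pending(admin, server)    # approval = wrap team key to alice's public key
    alice.unwrap(server.wrapped["alice"])
    return admin.team_key == alice.team_key and server.queue == []
```

A queued user stays pending until some key holder runs the wrap, which is why a login by an admin or team member, or an automated key holder, is needed to clear the queue.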

Approval Method 3: Keeper Automator

Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.

Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals.

Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.

See the setup instructions here: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator

Approval Method 4: Keeper Commander

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

Download Keeper Commander here: https://github.com/Keeper-Security/commander.

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

My Vault> team-approve

Keeper Commander Parameters

  • --team approve teams only

  • --user approve team users only

  • --restrict-edit {on,off} disable record edits

  • --restrict-share {on,off} disable record re-shares

  • --restrict-view {on,off} disable view/copy passwords

device-approve approves SSO Cloud user devices.

My Vault> device-approve

  • --approve approve all devices

  • --trusted-ip approve devices that come from recognized IPs

  • --reload retrieve the latest devices pending approval

  • --deny deny a device

See the setup instructions here:

https://docs.keeper.io/secrets-manager/commander-cli/command-reference/enterprise-management-commands#device-approve-command
