Roles, RBAC and Permissions

Keeper's Least-Privilege Role permissions are both flexible and powerful.

In the Keeper architecture, Roles and Teams are separate but related concepts.

Roles define permissions, controls what features and security settings apply to users and manages administrative capabilities.

Teams are used for sharing privileged accounts and Shared Folders among users within the vault. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals (more on teams here).

Role-based Access Controls (RBAC) provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator (under the Root Node) is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

We strongly recommend adding a secondary admin to the Keeper Administrator role in case one account is lost or no longer accessible. The creation of additional roles such as a General Employee role, is not required but highly encouraged.

Watch the video below to learn more about role-base access controls.

Adding Roles

You can add roles manually through the Admin Console, automatically mapped via SCIM or assigned directly from Active Directory / LDAP through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge guide.

To add roles manually, select the Roles tab. There you can navigate to the specific node you would like the role to be assigned to. Select the + button to add a role. Verify or select the appropriate Node in the organization tree (or select the Root Node). Enter the name of the role you are creating then click Add. After the role has been created, you can configure the role enforcement policies, select the users to assign the role and set administrative permissions.

Role Enforcement Policies

First, select the role you would like to configure. Click the Enforcement Policies button. Observe the enforcement policies are are structured into the following areas:

  • Login Settings

  • Two-Factor Authentication (2FA)

  • Platform Restriction

  • Vault Features

  • Sharing & Uploading

  • KeeperFill

  • Account Settings

  • Allow IP List

  • Keeper Secrets Manager

  • Transfer Account

For more information about Enforcement Policies, click here.

Team-to-Role Mapping

Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into Teams that can be assigned custom Roles. With team-to-role mapping, a user who is a member of a team who is assigned to a role will assume the enforcements of the given role. That user can be a member of the role more than once, once via user-role membership and again via user-team-role memberships if any exist.

To use team-to-role mapping, administrators simply assign a role to an entire Team, as opposed to individual users, and use Role Enforcement Policies to establish different requirements and restrictions for each Team.

Currently Keeper does not allow mapping of administrative roles to teams, in order to prevent an admin from inadvertently elevating permission of a user. This feature is being considered for a future release.

Role Enforcement Conflicts

It is important to note, that if a user is a member of multiple roles or a team with differing role enforcements, all enforcements must be satisfied for all the roles the user is a member of. Keeper implements least-privileged policies, so when a user is a member of multiple roles, their net policy is most restrictive.

For example: Role A does not allow sharing to anyone. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A (least privileged) does not allow it.

Enforcement Policies

The next section documents each of the available enforcement policies.

Last updated