Account Transfer Policy

Account Transfer - Employee off-boarding

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.

When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within user's vault while retaining a secure role-based hierarchy in the organization.

When to Enable Account Transfer

By default the Account Transfer permission is off. The Keeper Business administrator can optionally turn on the permission which permits the ability to take the contents of a user's vault and transfer it to another user. One important note is that this permission will need to be enabled prior to the need of using it. For example, if User A has a password that gains access to a business essential application or account in their vault that no one else in the organization has access to, and User A, for any number of reasons is no longer able to authenticate to their vault, the business may find they are left in a tough situation to recover access. However, if the Account Transfer permission had been enabled in the default Keeper Administrator role (and any other role that is desired to have the permission to transfer capability) and applied to the role that User A is a member of, the Keeper Administrator would have the ability to transfer the full contents of User A's vault to another user.

Why is the initial setup required?

When the decision is made to enable the Account Transfer feature on a particular role, all the users that are a member of that role will be subjected to the possibility of having the entire contents of their vault transferred and their account deleted at will by the Keeper Administrator. After the enforcement policy is enabled, the users within the managed role will receive a pop up message inside of their vault informing them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the user within the Admin Console would be unable to decrypt and transfer the data. The reason for this process flow is to maintain zero knowledge, and to also ensure that only specific users are able to be transferred or perform the transfer. Once the vault has been transferred to another user, the transferred user's vault is deleted.

Will the administrator have full access to a user's vault?

No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the admin the capability to access the vault whenever they feel like it. The vault being transferred has to be locked first and after the contents are transferred the account gets deleted. The end user will receive notification when their account is locked by the admin and when it's transferred and deleted.

How to Enable Account Transfer Functionality

Account Transfer functionality must be enabled and the user must login to their vault (and accept the account sharing consent) prior to performing a transfer by an administrator. Below are the steps that must be performed.

1. Enable the Transfer Account in the Administrative Permissions of the role that will have to ability to initiate the account transfer.

Note: If the Transfer Account checkbox cannot be checked, it is because the user must be logged into an account that is a member of the role, like the default Keeper Administrator, that has the Transfer Account permission enabled.

Simply add yourself to the role by selecting the plus button. After you are added to the role, you will be able to select the Transfer Account permission on that role. A role (e.g. the Keeper Administrator role) must have the permission enabled before any other role can be granted transfer account permission.

2. Turn on the Enable Transfer Account option under the Sharing & Uploading section of the Enforcement Policy of the desired role.

3. Select the administrative role that will have the ability to initiate a transfer (multiple roles may have the ability but only one role can be selected per enforcement).

Note: Both new users as well as existing users will be notified and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent one time, upon logging into the vault.

Performing an Account Transfer

1. Lock the account of the user by selecting the lock icon inside user's configuration panel under User Actions (The configured admin will only have the ability to transfer records from a locked user).

2. The administrator will select the transfer icon inside the user's configuration panel under User Actions. A window will open with a list of users. Select the user that will receive the transfer of records (the "recipient"), then select Transfer.

3. The records, folders, and subfolders in the user’s account are transferred to the recipient's vault into a single folder (with the original owner's email address) and the original owner's account is permanently deleted.