⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
End-User Guides
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Share Admin
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
KeeperChat
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Account Transfer Policy
Transfer the contents of a vault to another Keeper user

Account Transfer: Employee Off-boarding

The Account Transfer policy provides business and enterprise customers with the ability to transfer a user's vault if they are terminated or abruptly leave the organization. This is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.
When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user. This account transfer functionality is an important and powerful way to take ownership of the content within a user's vault while retaining a secure role-based hierarchy.

When to Enable Account Transfer

By default the Account Transfer permission is off. The Keeper administrator can optionally turn on the permission which permits the ability to take the contents of a user's vault and transfer it to another user. It's important to note that this permission will need to be enabled prior to the time it will need to be used. For example, if User A has a password that gains access to a business essential application or account in their vault that no one else in the organization has access to, and User A, for any number of reasons is no longer able to authenticate to their vault, the business may find they are left in a tough situation to recover access. However, if the Account Transfer permission had been enabled in the default Keeper Administrator role (and any other role that is desired to have the permission to transfer capability) and applied to the role that User A is a member of, the Keeper Administrator would have the ability to transfer the full contents of User A's vault to another user.

Why is the initial setup required?

When the decision is made to enable the Account Transfer feature on a particular role, all of the users that are a member of that role will be subjected to the possibility of having the entire contents of their vault transferred and their account deleted at will by the Keeper Administrator. After the enforcement policy is enabled, the users within the managed role will receive a pop-up notification upon logging into their vault informing them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the user within the Admin Console would be unable to decrypt and transfer the data. The reason for this process flow is to maintain zero knowledge, and to also ensure that only specific users are able to be transferred or perform the transfer. Once the vault has been transferred to another user, the transferred user's vault is deleted.

Will the administrator have full access to a user's vault?

No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the Admin the capability to access the vault whenever they feel like it. The vault being transferred has to be locked first and after the contents are transferred the account is deleted. The end user will receive a notification when their account is locked by the Admin as well as when it's transferred and deleted.

How to Enable Account Transfer Functionality

Account Transfer functionality must be enabled and the user must login to their vault (and accept the account sharing consent) prior to performing a transfer by an Administrator. Follow the steps below to perform this action.
(1) Enable the Transfer Account setting within the Administrative Permissions of the role that will have the ability to initiate the account transfer.
Administrative Permissions
Enable Transfer Account Permission
If the Transfer Account checkbox cannot be checked, it is because the user must be logged into an account that is a member of the role, like the default Keeper Administrator, that has the Transfer Account permission enabled.
Note that a role (e.g. the Keeper Administrator role) must have this permission enabled before any other role can be granted transfer account permission.
(2) Turn on the Enable Transfer Account option under the Transfer Account section of the Enforcement Policy of the desired role.
Transfer Account Policy
(3) Select the administrative role that will have the ability to initiate a transfer (multiple roles may have the ability but only one role can be selected per enforcement).
Both new and existing users will be notified when account transfer is enabled and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent once upon logging into their vaults.

Performing an Account Transfer

(1) Lock the account of the user by selecting Lock Account from the user's configuration panel under User Actions (the configured admin will only have the ability to transfer records from a locked user).
(2) From within the same configuration panel, select Transfer Account. A window will open with a list of users. Select the user that will receive the transfer of records (the "recipient"), then select Transfer.
Lock and Transfer
Transfer Vault
(3). The records, folders, and subfolders in the user’s account are transferred to the recipient's vault into a single folder (with the original owner's email address) and the original owner's account is permanently deleted.
Watch the video below to learn more about Account Transfer.
Account Transfer
Previous
Delegated Administration
Next
Teams (Groups)
Last modified 10d ago
Export as PDF
Copy link
On this page
Account Transfer: Employee Off-boarding
When to Enable Account Transfer
Why is the initial setup required?
Will the administrator have full access to a user's vault?
How to Enable Account Transfer Functionality