⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
End-User Guides
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Delegated Administration
Overview of role-based Administrative Permissions

Delegated Admin via Administrative Permissions

A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different roles to have different permissions inside of the Admin Console.
An example of a role that can be created would be a Delegated Admin role. In this role the administrator can set up one or more Administrative Permissions that allow that user in the role to login to the Keeper Admin Console and perform administrative functions. For example, the delegated admin can be given permission to create teams, add users, create or edit roles, run reports and perform account transfers. These permissions can be limited to a single node or they can cascade or traverse down the tree structure to all the sub-nodes. In order to have the role applied to multiple nodes, simply select the + button after Administrative Permissions and add the node the role will manage.
Each node a role manages has its own set of permissions and those permissions can cascade down from that node for example, if the role was created in the top root level node and there were three other nodes created under the top, root level node. The Administrative Permission can be added as the top node, the privileges added, and Cascade Node Permissions selected. This would then give those permissions to all four nodes and members of that role.
  1. 1.
    To give Administrative Permissions to a Role, select the + button on the Role screen.
  2. 2.
    Select a Node and click OK.
  3. 3.
    Select the gear icon next to the node you added.
When Cascade Node Permissions is selected, the permissions will be applied to all sub-nodes of the parent node. It is important to note that Administrative Permissions cannot be added to a Role if one or more of its users are still have an "invited" status.
Admin permissions list
Permission
Description
Manage Nodes
The ability to add, remove, or edit nodes.
Manage Users
The ability to add, remove, or edit users.
Manage Roles
The ability to add, remove, or edit roles.
Manage Licenses
MSP-specific ability to manage licensing
Manage Teams
The ability to add, remove, or add members to teams.
Manage Bridge/SSO
The ability to add, remove, or configure the Enterprise Bridge or SSO.
Run Reports
The ability to run and configure reports (Advanced Reporting & Alerts Module)
Perform Device Approvals
For SSO cloud users, the ability to approve devices
Transfer Account
The ability to transfer a user's vault (if the user's Role is configured to allow this. See Account Transfer policy.
Cascade Node Permissions
If selected, the permissions apply to this node and all sub-nodes.
Manage record Types in Vault
This permission allows the admin rights to create, edit, or delete Record Types which have pre-defined fields. Record Types appear during creation of records in the user's vault.
Only administrators who are a member of this role are able to check Transfer Account. If needed, you can add yourself to the role or another administrator within the role can set this permission. Once this box is selected, only members of this role can add other members to the role.

Administrative Permission vs. Role Enforcements

Both Administrative permissions and enforcements are configurable from within a role. Enforcements are rules or policies that apply to the end user's vault experience and security. Administrative Permissions grant rights to perform certain actions within the admin console (also known as delegated administration).
We recommend that only specific roles are given Administrative Permission, and the permission level should be based on the least amount of privilege required by that role.
For example, the default Keeper Administrator may have created a role called Users specifically to handle the policies that are desired for all the users that have been onboarded to the Keeper platform. If you intend for one of those users to be able to perform some of the administrative permissions it wouldn't make sense to configure the Users role with the additional entitlements for that one user as it would be applied to all the users and not congruent with a least privilege security model. So instead of editing the Users role to add additional administrative permissions, it would make the most sense to create a new role called Delegated Admin, grant the administrative permissions, and make the user a member of that role.
Previous
Enforcement Policies
Next
Account Transfer Policy
Last modified 8mo ago
Export as PDF
Copy link
Contents
Delegated Admin via Administrative Permissions