⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
End-User Guides
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Share Admin
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
KeeperChat
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Nodes and Organizational Structure
Keeper's Node Architecture scales to any sized organization
Nodes and Organizational Structure
Keeper's "node" architecture provides customers with a way to organize users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. A node is typically associated with different provisioning methods and identity providers.
By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.
Smaller organizations might choose to administer keeper as single level. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. Larger organizations benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators.

Nodes and SSO

When rolling out Keeper alongside an SSO identity provider, we require that those users are located within a node. This way, you can have any number of nodes associated with one ore more SSO identity providers.

Nodes and Active Directory

When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.
Watch the video below to learn about nodes and organizational structure.
Nodes and Organizational Structure

Creating Nodes

To manually create Nodes and Sub Nodes, select the + button. The Add Node window will appear. Enter the name of the Node and select the node where you want the new node to be added in the tree structure.
Adding a Node
At any time, you can change which node you are viewing by navigating to or selecting the nodes on the far left Node pane. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree or in the breadcrumb along the top.
Navigating Nodes

Team and User Sharing Visibility

When users are in the vault and sharing records, Teams and Users are visible in the auto-suggest field by all users regardless of what node the team or user resides in.
Sharing Autosuggest

Node Isolation

If the desire is to restrict visibility and control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion dropdown menu when setting up sharing of folders, "node isolation" will need to be enabled. With node isolation enabled, "children" of a node can see each others's associated users/teams as well of those above it (parent nodes).
When a node is isolated, users and teams in the parent node will be visible. Node isolation only limits visibility between parallel nodes.

Activating node isolation

Turning on node isolation can be accomplished using the Keeper Commander CLI, or by opening a support ticket with Keeper support.
To find a list of nodes and node IDs, use the enterprise-info command:
enterprise-info --nodes
To enable node isolation for a specific node, use the enterprise-node command:
enterprise-node --toggle-isolated <NODE_ID>
After node isolation is enabled, a visual indicator will show in the console:
Isolated Node indicator

Managed Service Providers

If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend you instead use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found here: Keeper MSP Guide

Nodes & Administrative Permissions

Within a Node, the "Role" is defined that can enable administrative permissions.
If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions are only applied the the specific node to which the role belongs.
Cascade Node Permissions

Nodes & User Provisioning

Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.

Stacking Provisioning Methods

A node can contain one or more provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration.

Adding a Provisioning Method

Navigate to the Node that you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".
Provisioning Method
Previous
Keeper Admin Console Overview
Next
User and Team Provisioning
Last modified 10d ago
Export as PDF
Copy link
On this page
Nodes and SSO
Nodes and Active Directory
Creating Nodes
Navigating Nodes
Team and User Sharing Visibility
Node Isolation
Managed Service Providers
Nodes & Administrative Permissions
Nodes & User Provisioning
Stacking Provisioning Methods
Adding a Provisioning Method