⮐ Keeper Home
All Documentation
Admin Console
Keeper Enterprise Guide
Resources
Why Choose Keeper Enterprise
Implementation Overview
Deploying Keeper to End-Users
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams
Folders and Shared Folders
Creating Vault Records
Two-Factor Authentication
BreachWatch
Secure File Storage
Reporting & Alerts (SIEM)
Vault Offline Access
SSO Welcome Template
Master Password Template
Training and Support
Whitelisting Keeper
System Architecture
Migrating User Vaults Between Regions
On-Prem vs. Cloud
Keeper Encryption Model
Developer SDK
Recommended Security Settings
End-User Guides
Use Cases
Docs Home
Powered by GitBook

Nodes and Organizational Structure

Keeper Node Architecture scales to any sized organization

Nodes are a way to organize your users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.

Smaller organizations might choose to administer keeper as single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. The advantage to this configuration is there is no additional navigation required to find objects as they are listed under the default root level and easily accessed by navigating to the appropriate tab (user, role, teams). Larger organizations may find benefit in organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators. When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.

Adding Nodes Manually

To manually create Nodes and Sub Nodes, select the + button. The Add Node window will appear. Type the name of the Node in the Name field and select the node where you want the new node to be added in the tree structure.

Adding a Node

Navigating Nodes

At any time, you can change which node you are viewing by navigating to or selecting the nodes on far left Node pane. To navigate to the root-node or top level, select on the business name (e.g. The Company) in the navigation tree or in the breadcrumb along the top.

Note Regarding Nodes and Users/Teams Visibility

In business and enterprise subscriptions, teams are visible by all users regardless of what node the team or user resides in. If the desire is to restrict visibility to control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion drop down box menu when setting up sharing of folders, 'node isolation' will need to be enabled. With 'node isolation' enabled, children of a node can see each others's associated users/teams as well of those above it (parent nodes).

If "node isolation" is desired. A request can be made to enterprise.support@keepersecurity.com to enable this feature for our business/enterprise customers.

If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend instead to use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found at: https://docs.keeper.io/msp-guide/

Nodes and Administrative Permissions

Within a Node, the "Role" is defined that can enable administrative permissions.

If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions is only applied the the specific node to which the role belongs.

Cascade Node Permissions

Nodes and User Provisioning

Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.

Adding a Provisioning Method

Navigate to the Node which you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".

Adding a Provisioning Method

Stacking Provisioning Methods

A node can contain one or more provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration.

Previous
Keeper Admin Console Overview
Next
User and Team Provisioning
4
Last updated 3 weeks ago
Contents
Adding Nodes Manually
Navigating Nodes
Note Regarding Nodes and Users/Teams Visibility
Nodes and Administrative Permissions
Nodes and User Provisioning
Adding a Provisioning Method
Stacking Provisioning Methods