⮐ Keeper Home
All Documentation
Admin Console
Getting Started
Resources
Quick Start Guide for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Deploying Keeper to End-Users
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams
Folders and Shared Folders
Creating Vault Records
Two-Factor Authentication
BreachWatch
Secure File Storage
Reporting & Alerts (SIEM)
Vault Offline Access
Keeper MSP
Personal Vaults for Enterprise & Business Users
Training and Support
IP Allow Keeper
System Architecture
Migrating User Vaults Between Regions
On-Prem vs. Cloud
Keeper Encryption Model
Login API
Developer SDK
Recommended Security Settings
End-User Guides
Use Cases
Docs Home
Powered by GitBook

Nodes and Organizational Structure

Keeper's Node Architecture scales to any sized organization

Nodes are a way to organize your users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.

Smaller organizations might choose to administer keeper as single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. The advantage to this configuration is there is no additional navigation required to find objects as they are listed under the default root level and easily accessed by navigating to the appropriate tab (users, roles, teams). Larger organizations may benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators. When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.

Adding Nodes Manually

To manually create Nodes and Sub Nodes, select the + button. The Add Node window will appear. Enter the name of the Node and select the node where you want the new node to be added in the tree structure.

Adding a Node

Navigating Nodes

At any time, you can change which node you are viewing by navigating to or selecting the nodes on the far left Node pane. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree or in the breadcrumb along the top.

Nodes & Users/Teams Visibility

Teams are visible by all users regardless of what node the team or user resides in (Business & Enterprise Subscriptions). If the desire is to restrict visibility and control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion dropdown menu when setting up sharing of folders, 'node isolation' will need to be enabled. With 'node isolation' enabled, "children" of a node can see each others's associated users/teams as well of those above it (parent nodes).

If "node isolation" is desired, Business and Enterprise customers can submit a request to enable this feature by contacting enterprise.support@keepersecurity.com.

If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend you instead t=use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found at: https://docs.keeper.io/msp-guide/

Nodes & Administrative Permissions

Within a Node, the "Role" is defined that can enable administrative permissions.

If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions is only applied the the specific node to which the role belongs.

Cascade Node Permissions

Nodes & User Provisioning

Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.

Stacking Provisioning Methods

A node can contain one or more provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration.

Adding a Provisioning Method

Navigate to the Node that you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".

Provisioning Method
Previous
Keeper Admin Console Overview
Next
User and Team Provisioning
4
Last updated 2 months ago
Contents
Adding Nodes Manually
Navigating Nodes
Nodes & Users/Teams Visibility
Nodes & Administrative Permissions
Nodes & User Provisioning
Stacking Provisioning Methods
Adding a Provisioning Method