Nodes and Organizational Structure
Nodes are a way to organize your users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.
Smaller organizations might choose to administer keeper as single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. The advantage to this configuration is there is no additional navigation required to find objects as they are listed under the default root level and easily accessed by navigating to the appropriate tab (user, role, teams). Larger organizations may find benefit in organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators. When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.
To manually create Nodes and Sub Nodes, select the + button. The Add Node window will appear. Type the name of the Node in the Name field and select the node where you want the new node to be added in the tree structure.
At any time, you can change which node you are viewing by navigating to or selecting the nodes on far left Node pane. To navigate to the root-node or top level, select on the business name (e.g. The Company) in the navigation tree or in the breadcrumb along the top.
In business and enterprise subscriptions, teams are visible by all users regardless of what node the team or user resides in. If the desire is to restrict visibility to control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion drop down box menu when setting up sharing of folders, 'node isolation' will need to be enabled. With 'node isolation' enabled, children of a node can see each others's associated users/teams as well of those above it (parent nodes).
If "node isolation" is desired. A request can be made to enterprise.support@keepersecurity.com to enable this feature for our business/enterprise customers.
If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend instead to use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found at: https://docs.keeper.io/msp-guide/
Within a Node, the "Role" is defined that can enable administrative permissions.
If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions is only applied the the specific node to which the role belongs.
