Role Enforcement Policies

Last updated last month

Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the Keeper Administrator role underneath the Root Node. Other users can be assigned this role as well.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

Note: The Keeper Administrator role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is not required, but highly encouraged.

Adding Roles

You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge section in this guide.

To add roles manually, select the Roles tab. Once on roles tab you can navigate to the specific node in which the role is to be part of. Select the + button. An Add Role window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the Role Name field and select save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role and set administrative permissions.

Role Enforcement Settings

Select on the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now select the Enforcement Settings button. The Enforcement Setting dialog box will appear. The settings are structured into eight different areas: Login Settings, Two-Factor Authentication, Platform Restriction, Sharing & Uploading, Account Settings, Transfer Account, Email Invites, and Advanced Settings.

Login Settings

Master Password Complexity On this screen you have the ability to configure the Master Password Complexity settings for users that are assigned the selected role. Settings include: password length, special characters, how many uppercase letters, and how many digits will be required.

Master Password Expiration Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on the Master password expires every option appears. To configure the number of days that the master password must be changed select the setting and choose one of the selections from 10 to 150 days.

If a user's Master password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select Expire Master Password option on the top right of all the users. This will instantly expire a user's password and require a password reset.

Biometrics iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.

Two Factor Authentication Turning on this policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

Platform Restriction

An admin can restrict the use of certain platforms in Keeper Vault: Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat : Desktop and Mobile.

Vault Features

An Admin can prevent users from using standard features in the Vault. This includes: Creating folders, Creating Identity and Payment records, Masking custom fields, notes and passwords.

Purging Deleted Records Admins can set limits on the system to purge deleted records: Days before records can be purged permanently and days before records automatically purge.

Sharing & Uploading

Prevent record and folder sharing Turning this on will outright prevent users from any record and folder sharing.

Prevent record sharing outside of Keeper Enterprise Turning on this policy will ensure records are not shared with users outside of your organization.

Prevent sharing records with file attachments This prevents users from sharing records that have files in them.

Prevent exporting of records from Web App and Desktop App This will prevent your users from exporting their data from their Keeper Web and Desktop Apps.

Prevent users from uploading files When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.

Note: By default, all Sharing & Uploading restrictions are not enabled.


KeeperFill is the browser extension that Keeper uses to login into website and applications. An admin can restrict KeeperFill access to specific websites.

You can learn more about the KeeperFill Browser Extension in our guides.

Account Settings

Restrict offline access Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce.

Prevent users from changing their email Turning this on prevents users from changing their email address.

Disable email invitations Roles having this enforcement can not send email invitations.

Logout Timer

The Admin can govern how long a platorm is signed in. Web, Mobile and Desktop Apps can have separate durations in minutes.

Advanced Settings

PBKDF2 Minimum Iterations Password-Based Key Derivation Function 2 can have Iterations from: Not Enforced, 1000, 10,000 and 100,000.

IP Whitelisting

Users within the specified role can be restricted from using Keeper outside of a specified IP address range. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Transfer Account

Enable Account Transfer Select the role which can perform the account transfer.

Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.

For more in-depth information, refer to Account Transfer - Employee Offboarding‚Äč

Role Enforcement Conflicts

If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles the user is a member of. For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.

Delegated Admin via Administrative Permissions

A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different roles to have different permissions inside of the Admin Console.

An example of a role that can be created would be a Delegated Admin role. In this role the administrator can set up one or more Administrative Permissions that allow that user in the role to login to the Keeper Admin Console and perform administrative functions. For example, the delegated admin can be given permission to create teams, add users, create or edit roles, run reports and perform account transfers. These permissions can be limited to a single node or they can cascade or traverse down the tree structure to all the sub-nodes. In order to have the role applied to multiple nodes, simply select the + button after Administrative Permissions (see below) and add the node the role will manage. Each node a role manages has its own set of permissions and those permissions can cascade down from that node. For example: If the role was created in the top root level node and there were three other nodes created each under the top level node. The Administrative Permission can be added as the top node, the privileges added, and cascade node permissions selected. This would then give those permissions to all 4 nodes to members of that role.

  1. To give Administrative Permissions to a Role, select the + button on the Role screen.

  2. Select a node. Select Save.

  3. Select the gear next to the node you added.

When Cascade Node Permissions is selected, the permissions will be applied to all sub-nodes of the parent node. It is important to note that Administrative Permissions cannot be added to a Role if one or more of its users are still in the INVITED status.



Manage Users

The ability to add, remove, or edit users.

Manage Nodes

The ability to add, remove, or edit nodes.

Manage Licenses

The ability to manage and upgrade the organization's license capacity.

Manage Roles

The ability to add, remove, or edit roles.

Manage Teams

The ability to add, remove, or configure the Enterprise Bridge settings.

Manage Bridge

The ability to add, remove, or configure the Enterprise Bridge settings.

Run Reports

The ability to run and configure reports on usages within the admin console.

View Tree

The ability to see the node structure.

Transfer Account

The ability to transfer a user's vault.

Note: Only administrators who are a member of this role are able to check Transfer Account. If needed, you can add yourself to the role or another administrator within the role can set this permission. Once this box is selected, only members of this role can add members to this role.

Administrative Permission versus Role Enforcements

Both Administrative permissions and enforcements are configurable from within a role. Enforcements are rules or policies that apply to the end user's Vault experience and security. Administrative Permissions grant rights to perform certain actions within the admin console (also known as delegated administration).

We recommend that only specific roles are given Administrative Permission, and the permission level should be based on the least amount of privilege required by that role.

For example, the default Keeper Administrator may have created a role called Users specifically to handle the policies that are desired for all the users that have been onboarded to the Keeper platform. If one of those users are intended to be able to perform some of the administrative permissions it wouldn't make sense to configure the Users role with the additional entitlements for that one user as it would be applied to all the users and not congruent with a least privilege security model. So instead of editing the Users role to add in additional administrative permissions, it would make the most sense to create a new role called Delegated Admin, grant the administrative permissions, and make the user a member of that role.

Account Transfer - Employee offboarding

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.

When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within user's vault while retaining a secure role-based hierarchy in the organization.

When to Enable Account Transfer

By default the Account Transfer permission is off. The Keeper Business administrator can optionally turn on the permission which permits the ability to take the contents of a user's vault and transfer it to another user. One important note is that this permission will need to be enabled prior to the need of using it. For example, if User A has a password that gains access to a business essential application or account in their vault that no one else in the organization has access to, and User A, for any number of reasons is no longer able to authenticate to their vault, the business may find they are left in a tough situation to recover access. However, if the Account Transfer permission had been enabled in the default Keeper Administrator role (and any other role that is desired to have the permission to transfer capability) and applied to the role that User A is a member of, the Keeper Administrator would have the ability to transfer the full contents of User A's vault to another user.

Why is the initial setup required?

When the decision is made to enable the Account Transfer feature on a particular role, all the users that are a member of that role will be subjected to the possibility of having the entire contents of their vault transferred and their account deleted at will by the Keeper Administrator. After the enforcement setting is enabled, the users within the managed role will receive a pop up message inside of their vault informing them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the user within the Admin Console would be unable to decrypt and transfer the data. The reason for this process flow is to maintain zero knowledge, and to also ensure that only specific users are able to be transferred or perform the transfer. Once the vault has been transferred to another user, the transferred user's vault is deleted.

Will the administrator have full access to a user's vault?

No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the admin the capability to access the vault whenever they feel like it. The vault being transferred has to be locked first and after the contents are transferred the account gets deleted. The end user will receive notification when their account is locked by the admin and when it's transferred and deleted.

How to Enable Account Transfer Functionality

Account Transfer functionality must be enabled and the user must login to their vault (and accept the account sharing consent) prior to performing a transfer by an administrator. Below are the steps that must be performed.

1. Enable the Transfer Account in the Administrative Permissions of the role that will have to ability to initiate the account transfer.

Note: If the Transfer Account checkbox cannot be checked, it is because the user must be logged into an account that is a member of the role, like the default Keeper Administrator, that has the Transfer Account permission enabled.

Simply add yourself to the role by selecting the plus button. After you are added to the role, you will be able to select the Transfer Account permission on that role. A role (e.g. the Keeper Administrator role) must have the permission enabled before any other role can be granted transfer account permission.

2. Turn on the Enable Transfer Account option under the Sharing & Uploading section of the Enforcement Settings of the desired role.

3. Select the administrative role that will have the ability to initiate a transfer (multiple roles may have the ability but only one role can be selected per enforcement).

Note: Both new users as well as existing users will be notified and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent one time, upon logging into the vault.

Performing an Account Transfer

1. Lock the account of the user by selecting on the lock icon inside user's configuration panel under User Actions (The configured admin will only have the ability to transfer records from a locked user).

2. The administrator will select the transfer icon inside user's configuration panel under User Actions. A window will open with a list of users. Select the user that will receive the transfer of records and select OK.

3. The user's account is transferred and their account is permanently deleted.