Roles and Permissions

Keeper's Least-Privilege Role permissions are flexible and powerful.

In the Keeper architecture, Roles and Teams are separated concepts. A Role defines permissions, controls what features and security settings apply to users and manages administrative capabilities. Teams are specifically used for sharing privileged accounts among users within the vault. In other words, Teams allow groups of users to share records, or folders, within their vaults.

Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the Keeper Administrator role underneath the Root Node. Other users can be assigned this role as well.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

The Keeper Administrator role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is not required, but highly encouraged.

Roles Interface

Adding Roles

You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge guide.

To add roles manually, select the Roles tab. Once on roles tab you can navigate to the specific node in which the role is to be part of. Select the + button. An Add Role window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the Role Name field and select save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role and set administrative permissions.

Role Enforcement Settings

Select on the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now select the Enforcement Settings button. The Enforcement Setting dialog box will appear. The settings are structured into these different areas:

  • Login Settings

  • Two-Factor Authentication (2FA)

  • Platform Restriction

  • Sharing & Uploading

  • KeeperFill

  • Account Settings

  • IP Whitelisting

  • Transfer Account

Role Enforcement Settings

Login Settings

SSO with Master Password Option

Provides users a way to bypass the SSO login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline and the user can't recall a more complex SSO password. This can also be used by SSO-enabled users to log into Keeper Commander CLI. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated. Visit the "Account Settings" role enforcement screen to restrict offline access.

Master Password Complexity

Settings for users that are assigned the selected role. Settings include: password length, special characters, how many uppercase letters, and how many digits will be required.

Master Password Expiration

Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on the Master password expires every option appears. To configure the number of days that the master password must be changed select the setting and choose one of the selections from 10 to 150 days.

If a user's Master password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select Expire Master Password option on the top right of all the users. This will instantly expire a user's password and require a password reset.


iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.

Two Factor Authentication (2FA)

Turning on this policy will require users to select and set up a Two-Factor Authentication method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

In addition to enforcing 2FA, you can also specify how often users are prompted to re-authenticate with a new code. On the server side, 2FA is always enforced once the policy is activated. On the client device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on Mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.

In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.

Keeper supports the following 2FA methods:

  • Text Message (SMS)

  • Google and Microsoft Authenticator (TOTP)

  • Smartwatch (Apple Watch or Android Wear)

  • RSA SecurID

  • Duo Security

  • U2F Security Keys

Security Keys are always available for users, and are not explicitly enforced.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

Platform Restriction

An admin can restrict the use of certain platforms in Keeper Vault: Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat: Desktop and Mobile.

Vault Features

An Admin can prevent users from using standard features in the Vault. This includes: Creating folders, Creating Identity and Payment records, Masking custom fields, notes and passwords.

Purging Deleted Records

To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.

Admins can also configure automatic deletion of records that the user has placed into the trash bin.

Prevent record and folder sharing

Turning this on will outright prevent users from any record and folder sharing.

Prevent record sharing outside of Keeper Enterprise

Turning on this policy will ensure records are not shared with users outside of your organization.

Prevent sharing records with file attachments

This prevents users from sharing records that have files attached to the record.

Prevent exporting of records from Web App and Desktop App

This will prevent users from exporting their data from their Keeper Web and Desktop Apps.

Prevent users from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.

Password Generator Enforcement policy

You can specify the password generator complexity policy on a per-domain basis, or using wildcards can specify a larger matching pattern against domain names. This role enforcement feature has been added to the Vault Features screen.

Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.

Sharing & Loading

Note: By default, all Sharing & Uploading restrictions are not enabled.


KeeperFill is the browser extension that Keeper uses to login into website and applications. An admin can restrict KeeperFill access to specific websites. This feature supports wildcard characters for matching domain names or URLs.

You can learn more about the KeeperFill Browser Extension in our guides.

Account Settings

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.

More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address.

Disable email invitations

Roles having this enforcement can not send email invitations.

Logout Timer

The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate durations in minutes.

Advanced Settings

PBKDF2 Minimum Iterations

Password-Based Key Derivation Function 2 can have Iterations from: Not Enforced, 1000, 10,000 and 100,000. All platforms default to 100,000 iterations.

IP Whitelisting

Users within the specified role can be restricted to use Keeper outside from within a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Transfer Account

Enable Account Transfer

Select the role which can perform the account transfer.

Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.

For detailed Account Transfer configuration information click here.

Role Enforcement Conflicts

If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles the user is a member of. For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.