⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
End-User Guides
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Enforcement Policies
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Share Admin
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
KeeperChat
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Roles, RBAC and Permissions
Keeper's Least-Privilege Role permissions are both flexible and powerful.
In the Keeper architecture, Roles and Teams are separate but related concepts.
Roles define permissions, controls what features and security settings apply to users and manages administrative capabilities.
Teams are used for sharing privileged accounts and Shared Folders among users within the vault. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals (more on teams here).
Role-based Access Controls (RBAC) provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions.
The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator (under the Root Node) is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.
We strongly recommend adding a secondary admin to the Keeper Administrator role in case one account is lost or no longer accessible. The creation of additional roles such as a General Employee role, is not required but highly encouraged.
Watch the video below to learn more about role-base access controls.
Role-Base Access & Control

Adding Roles

You can add roles manually through the Admin Console, automatically mapped via SCIM or assigned directly from Active Directory / LDAP through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge guide.
To add roles manually, select the Roles tab. There you can navigate to the specific node you would like the role to be assigned to. Select the + button to add a role. Verify or select the appropriate Node in the organization tree (or select the Root Node). Enter the name of the role you are creating then click Add. After the role has been created, you can configure the role enforcement policies, select the users to assign the role and set administrative permissions.

Role Enforcement Policies

First, select the role you would like to configure. Click the Enforcement Policies button. Observe the enforcement policies are are structured into the following areas:
  • Login Settings
  • Two-Factor Authentication (2FA)
  • Platform Restriction
  • Vault Features
  • Sharing & Uploading
  • KeeperFill
  • Account Settings
  • Allow IP Listing
  • Transfer Account
For more information about Enforcement Policies, click here.

Team-to-Role Mapping

Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into Teams that can be assigned custom Roles. With team-to-role mapping, a user who is a member of a team who is assigned to a role will assume the enforcements of the given role. That user can be a member of the role more than once, once via user-role membership and again via user-team-role memberships if any exist.
To use team-to-role mapping, administrators simply assign a role to an entire Team, as opposed to individual users, and use Role Enforcement Policies to establish different requirements and restrictions for each Team.

Role Enforcement Conflicts

It is important to note, that if a user is a member of multiple roles or a team with differing role enforcements, all enforcements must be satisfied for all the roles the user is a member of. Keeper implements least-privileged policies, so when a user is a member of multiple roles, their net policy is most restrictive.
For example: Role A does not allow sharing to anyone. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A (least privileged) does not allow it.
Previous
User Management and Lifecycle
Next
Enforcement Policies
Last modified 30d ago
Export as PDF
Copy link
On this page
Adding Roles
Role Enforcement Policies
Team-to-Role Mapping
Role Enforcement Conflicts