Roles and Permissions
In the Keeper architecture, Roles and Teams are separated concepts. A Role defines permissions, controls what features and security settings apply to users and manages administrative capabilities. Teams are specifically used for sharing privileged accounts among users within the vault. In other words, Teams allow groups of users to share records, or folders, within their vaults.
Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the Keeper Administrator role underneath the Root Node. Other users can be assigned this role as well.
The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.
The Keeper Administrator role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is not required, but highly encouraged.
You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge guide.
To add roles manually, select the Roles tab. Once on roles tab you can navigate to the specific node in which the role is to be part of. Select the + button. An Add Role window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the Role Name field and select save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role and set administrative permissions.
Select on the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now select the Enforcement Settings button. The Enforcement Setting dialog box will appear. The settings are structured into these different areas:
Login Settings
Two-Factor Authentication (2FA)
Platform Restriction
Sharing & Uploading
KeeperFill
Account Settings
IP Whitelisting
Transfer Account
Provides users a way to bypass the SSO login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline and the user can't recall a more complex SSO password. This can also be used by SSO-enabled users to log into Keeper Commander CLI. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated. Visit the "Account Settings" role enforcement screen to restrict offline access.
Settings for users that are assigned the selected role. Settings include: password length, special characters, how many uppercase letters, and how many digits will be required.
Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on the Master password expires every option appears. To configure the number of days that the master password must be changed select the setting and choose one of the selections from 10 to 150 days.
If a user's Master password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select Expire Master Password option on the top right of all the users. This will instantly expire a user's password and require a password reset.
iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.
Turning on this policy will require users to select and set up a Two-Factor Authentication method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
In addition to enforcing 2FA, you can also specify how often users are prompted to re-authenticate with a new code. On the server side, 2FA is always enforced once the policy is activated. On the client device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on Mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.
In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.
Keeper supports the following 2FA methods:
Text Message (SMS)
Google and Microsoft Authenticator (TOTP)
Smartwatch (Apple Watch or Android Wear)
RSA SecurID
Duo Security
U2F Security Keys
Security Keys are always available for users, and are not explicitly enforced.
More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.
An admin can restrict the use of certain platforms in Keeper Vault: Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat: Desktop and Mobile.
An Admin can prevent users from using standard features in the Vault. This includes: Creating folders, Creating Identity and Payment records, Masking custom fields, notes and passwords.
To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.
Admins can also configure automatic deletion of records that the user has placed into the trash bin.
Turning this on will outright prevent users from any record and folder sharing.
Turning on this policy will ensure records are not shared with users outside of your organization.
This prevents users from sharing records that have files attached to the record.
This will prevent users from exporting their data from their Keeper Web and Desktop Apps.
When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.
You can now specify the password generator complexity policy on a per-domain basis, or using wildcards can specify a larger matching pattern against domain names. This role enforcement feature has been added to the Vault Features screen.
Note: By default, all Sharing & Uploading restrictions are not enabled.
KeeperFill is the browser extension that Keeper uses to login into website and applications. An admin can restrict KeeperFill access to specific websites. This feature supports wildcard characters for matching domain names or URLs.
You can learn more about the KeeperFill Browser Extension in our guides.
Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.
More information about Offline Access is documented here.
Turning this on prevents users from changing their email address.
Roles having this enforcement can not send email invitations.
The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate durations in minutes.
Password-Based Key Derivation Function 2 can have Iterations from: Not Enforced, 1000, 10,000 and 100,000. All platforms default to 100,000 iterations.
Users within the specified role can be restricted to use Keeper outside from within a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.
Select the role which can perform the account transfer.
Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.
For detailed Account Transfer configuration information click here.
If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles the user is a member of. For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.
