Roles, RBAC and Permissions

Keeper's Least-Privilege Role permissions are flexible and powerful.

In the Keeper architecture, Roles and Teams are separate but related concepts. A Role defines permissions, controls what features and security settings apply to users and manages administrative capabilities. Teams are used for sharing privileged accounts among users within the vault. In other words, Teams allow groups of users to share records, or folders, within their vaults. Teams can also be used to easily assign roles to entire groups of users to ensure the consistency of enforcement policies (more on teams here).

Role-based Access Controls (RBAC) provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the Keeper Administrator role underneath the Root Node. Other users can be assigned this role as well.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

The Keeper Administrator role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is not required, but highly encouraged.

Adding Roles

You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge guide.

To add roles manually, select the Roles tab. Once on roles tab you can navigate to the specific node in which the role is to be part of. Select the + button. An Add Role window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the Role Name field and select save. After the role has been created, you can configure the role enforcement policies, select the users to assign the role and set administrative permissions.

Role Enforcement Policies

Select the role that you want to configure enforcement policies for. The role dialog box will appear on the right. Now select the Enforcement Policies button. The Enforcement Policies dialog box will appear. The settings are structured into these different areas:

  • Login Settings

  • Two-Factor Authentication (2FA)

  • Platform Restriction

  • Vault Features

  • Sharing & Uploading

  • KeeperFill

  • Account Settings

  • IP Whitelisting

  • Transfer Account

Team-to-Role Mapping

Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles. With team-to-role mapping, a user who is a member of a team who is assigned to a role will assume the enforcements of the given role. That user can be a member of the role more than once, once via user-role membership and again via user-team-role memberships if any exist.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users, and use role enforcements to establish different requirements and restrictions for each team.

Role Enforcement Conflicts

It is important to note, that if a user is a member of multiple roles or a team with differing role enforcements, all enforcements must be satisfied for all the roles the user is a member of. Keeper implements Least-Privileged policies, so when a user is a member of multiple roles, their net policy is most restrictive.

For example: Role A does not allow sharing to anyone. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A (least privileged) does not allow it.

Login Settings

SSO with Master Password Option

Provides users a way to bypass the SSO login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated. Visit the "Account Settings" role enforcement screen to restrict offline access.

Note: The Master Password feature for SSO users is only available on the Web Vault and Desktop App currently.

Master Password Complexity

This policy enforces a password complexity for users that are assigned the selected role. Settings include: password length, number of digits, number of special characters, number of uppercase letters and number of lowercase letters.

Master Password Expiration

Turning on this policy will require users to change the master password at the selected time interval. When this policy is turned on, the Master Password will expire and the user will forced to choose a new Master Password upon their next login. To configure the number of days that the master password must be changed select the setting and choose one of the selections from 10 to 150 days.

Note: When this policy is applied to users to login with SSO, the Master Password is transparently updated by the Keeper application upon login, without user intervention. Since SSO users are authenticating against your identity provider, we don't recommend enabling this feature for roles that are authenticating using an SSO IdP.

If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select Expire Master Password option on the top right of all the users. This will instantly expire a user's password and require a password reset.


iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support biometric login. By default, all biometrics logins are allowed.

Two Factor Authentication (2FA)

Turning on this policy will require users to select and set up a Two-Factor Authentication method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

In addition to enforcing 2FA, you can also specify how often users are prompted to re-authenticate with a new code. On the server side, 2FA is always enforced once the policy is activated. On the client device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on Mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.

In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.

Keeper supports the following 2FA methods:

  • Text Message (SMS)

  • TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)

  • Smartwatch (Apple Watch or Android Wear)

  • RSA SecurID (Requires Admin Configuration)

  • Duo Security (Requires Admin Configuration)

  • U2F Security Keys (Always allowed)

Security Keys are always available for users, and are not explicitly enforced.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

Platform Restriction

An admin can restrict the use of certain platforms in Keeper Vault: Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat: Desktop and Mobile.

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each policy is described below.

Vault Features

Prevent user from creating folders

Turning this on will prevent users in the role from creating a folder or a shared folder.

Prevent users from creating Identity and Payment records

Turning this on will prevent users in the role from creating Identity and Payment records, such as credit cards and addresses.

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eyeball icon on the record. Here's an example of what this will look like:

Custom Field Masking

Mask notes

This will mask the notes and the user must click the eyeball to unmask the details. Here's an example of what this will look like:

Notes Masking

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eyeball icon.

Pause BreachWatch on client devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch events to Reporting & Alerts and connected external logging systems

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After being enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.

Purging Deleted Records

To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.

Admins can also configure automatic deletion of records that the user has placed into the trash bin.

Password Generator Enforcement policy

You can specify the password generator complexity policy on a per-domain basis, or using wildcards can specify a larger matching pattern against domain names. This role enforcement feature has been added to the Vault Features screen.

Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.

Sharing & Loading

Note: By default, all Sharing & Uploading restrictions are not enabled.

Sharing & Uploading Enforcements

Prevent record and folder sharing

Turning this on will prevent users in the role from any record and folder sharing.

Prevent record sharing outside of Keeper Enterprise

Turning on this policy will ensure records are not shared with users outside of your organization.

Prevent sharing records with file attachments

Turning this on will prevent users in the role from sharing records that have files attached to the record.

Prevent exporting of records from Web App and Desktop App

Turning this on will prevent users in the role from exporting their data from their Keeper Web Vault and Desktop App. Please note, this is a client-side enforcement since the data is loaded locally when a user logs into their vault.

Prevent users from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.


KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications. An admin can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

You can learn more about the KeeperFill Browser Extension in our guides.

Account Settings

Account Settings Enforcements

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.

More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. SSO-enabled users cannot change their email.

Disable email invitations

Roles having this enforcement will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. Another use case for this would be if the Admin is testing the invite process.

Logout Timer

The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate logout timer durations, specified in minutes.

PBKDF2 Minimum Iterations

Keeper's encryption model uses a Password-Based Key Derivation Function (PBKDF2) to derive an encryption key from the user's Master Password. By default, Keeper defaults to using 100,000 iterations. We recommend leaving this setting alone unless there are performance issues on older web browsers.

IP Whitelisting

Users within the specified role can be restricted to use Keeper outside from within a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Make sure you test IP whitelisting on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Transfer Account

Enable Account Transfer

Select the role which can perform the account transfer.

Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.

For detailed Account Transfer configuration information click here.