⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
End-User Guides
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Share Admin
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
KeeperChat
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Teams (Groups)
Keeper Teams allow you to share privileged accounts among pre-defined user groups.
The purpose of creating teams is to give users the ability to share the records and folders within their vaults with logical groupings of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords) and adds individual users to the team. Users can be added to teams either manually or using several different automated methods.
Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals.

Adding a Team

Navigate to the Teams tab and select the + Add Team button. Just like Roles, the teams will be added to the specific node that is selected. Enter the team name and click Add Team to save.
Add Team

Editing Teams

Select the team you would like to edit from the Teams tab. From here you can make edits to the team such as change the name, disable record re-shares, disable record edits, and apply privacy screens. You can also change the Node the team belongs to as well as add Users and Roles to the team. To delete the team, simply click the Delete button.

Team-Level Restrictions

Teams can be configured with several restrictions that will override any folder-level permission settings.

Disable record re-shares

With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence.

Disable record edits

With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence.

Apply Privacy Screens

Keeper's Privacy Screen feature gives you the ability to control the viewing (unmasking) of all passwords at the team level. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users. It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. Privacy Screen can also be configured at the role and website domain level in Keeper's Role Policies.
Privacy Screen at Team Level
Watch the video below to learn more about the Privacy Screen feature.
Privacy Screen

Hide Shared Folders

To hide folders that have been shared with an entire team from individual users of that team, click the gear icon and select the Hide Shared Folders checkbox next to the user. The purpose of this is to allow an Admin to be a member of a team, but not necessarily receive the records associated with the team. This is not for security purposes (since they can easily turn off the Hide Shared Folders feature) but rather convenience so they don't accumulate unwanted records in their vault.
Hide Shared Folders
Hide Shared Folders

Adding Users to Teams

Users can be added to teams several ways:
  • Manually through the Admin Console
  • Automated through the Keeper Bridge (for AD/LDAP)
  • Automated through SCIM provisioning (Azure, Okta, etc)
  • Automated through Keeper Commander CLI

Adding users to Teams through the Admin Console

Click on "+" to add users to a team.
Add Users to Team
Select Users to Assign to Team

Queuing invited users into teams with Commander

If you would like to queue invited users into Keeper Teams, you can accomplish this using Keeper Commander's enterprise-team command. In the example below, we are adding an invited user to a team. This shows in the "Queued User(s)" output.
My Vault> enterprise-team --add-user [email protected] "Social Ops"
My Vault> enterprise-team "Social Ops"
Team UID: BJa131htHCepTxuBCFQ_uA
Team Name: Social Ops
Node: root 288797895950338
Restrict Edit?: Yes
Restrict Share?: Yes
Restrict View?: Yes
Active User(s): [email protected]
: [email protected]
Queued User(s): [email protected]
Queued Teams and Users will be processed using one of the methods described in this page:

Automated Team Provisioning

Teams can be provisioned in other ways as described in the Keeper Enterprise guide, including:

Team and User Approvals

Teams and team assignments queued through the Keeper AD Bridge, SCIM and Commander can be approved by following the instructions from the Approval Queue page. https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/approval-queue
Previous
Account Transfer Policy
Next
Folders and Shared Folders
Last modified 11d ago
Export as PDF
Copy link
On this page
Adding a Team
Editing Teams
Team-Level Restrictions
Adding Users to Teams
Adding users to Teams through the Admin Console
Queuing invited users into teams with Commander
Automated Team Provisioning
Team and User Approvals