The purpose of creating teams is to have logical groupings of individuals for the ability to share folders within the Keeper Vault to collective group of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team. Teams can also be used to easily assign roles to entire groups of users to ensure the consistency of enforcement policies.
Navigate to the Teams tab and select on the + icon. The Add Team window will appear and you can add the team name that you are creating. Just like Roles, the teams will get added to the specific node that is selected.
Once the team is created, select the team name on the left, and in the right panel it will display editable options. The Team name, disable record re-shares, disable record edits, disable viewing passwords, Node and Users can be configured. To delete a team, select on the trashcan icon.
Teams can be configured with several restrictions that will override any folder-level permission settings.
1. Disable viewing passwords With this restriction in place, passwords are usable for logging in from the browser extension but are "masked" visually on the user interface. Note that password masking is visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection.
2. Disable record re-shares With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence. 3. Disable record edits With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence. 4. Hide Shared Folders Selecting the Hide Shared Folders checkbox will hide Shared Folders which have been shared to this team for a particular user within the team. The purpose of this is to allow an admin to be a member of a team so that they can share the team encryption keys, but not have to receive the records associated with the team. This is not for security, since they could always turn off the Hide Shared Folders, but rather for convenience so they don't get a lot of unwanted records in their vault. Hide Shared Folders can be accessed by clicking on the gear icon by the user's name.
Teams can be provisioned in other ways as described in the Keeper Enterprise guide, including:
Keeper AD Bridge
Automated Provisioning with SCIM
Keeper Commander API
Teams provisioned through the Keeper AD Bridge or SCIM can be approved by following the instructions in the Approval Queue page.