Keeper Teams allow you to share privileged accounts among pre-defined user groups.

The purpose of creating teams is to have logical groupings of individuals for the ability to share folders within the Keeper Vault to collective group of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team. Teams can also be used to easily assign roles to entire groups of users to ensure the consistency of enforcement policies.

Adding a Team

Navigate to the Teams tab and select on the + icon. The Add Team window will appear and you can add the team name that you are creating. Just like Roles, the teams will get added to the specific node that is selected.

Editing Teams

Once the team is created, select the team name on the left, and in the right panel it will display editable options. The Team name, disable record re-shares, disable record edits, disable viewing passwords, Node and Users can be configured. To delete a team, select on the trashcan icon.

Team-Level Restrictions

Teams can be configured with several restrictions that will override any folder-level permission settings.

1. Disable viewing passwords With this restriction in place, passwords are usable for logging in from the browser extension but are "masked" visually on the user interface. Note that password masking is visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection.

Masked passwords do not restrict a user from access to the password. Enabling this setting is a deterrence from a user easily seeing the password within the vault. However, a skilled user could potentially see the password as they have been given access to the record and have been shared the encryption key to decrypt the contents of the record of which the password is included.

2. Disable record re-shares With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence. 3. Disable record edits With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence. 4. Hide Shared Folders Selecting the Hide Shared Folders checkbox will hide Shared Folders which have been shared to this team for a particular user within the team. The purpose of this is to allow an admin to be a member of a team so that they can share the team encryption keys, but not have to receive the records associated with the team. This is not for security, since they could always turn off the Hide Shared Folders, but rather for convenience so they don't get a lot of unwanted records in their vault. Hide Shared Folders can be accessed by clicking on the gear icon by the user's name.

Create Team Manually in Admin Console

Automated Team Provisioning

Teams can be provisioned in other ways as described in the Keeper Enterprise guide, including:

  • Keeper AD Bridge

  • Automated Provisioning with SCIM

  • Keeper Commander API

Team Approvals

Teams provisioned through the Keeper AD Bridge or SCIM can be approved by following the instructions in the Approval Queue page.