The purpose of creating teams is to give users the ability to share the records and folders within their vaults with logical groupings of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords) and adds individual users to the team. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals.
Navigate to the Teams tab and select the + Add Team button. Just like Roles, the teams will be added to the specific node that is selected. Enter the team name and click Add Team to save.
Select the team you would like to edit from the Teams tab. From here you can make edits to the team such as change the name, disable record re-shares, disable record edits, and apply privacy screens. You can also change the Node the team belongs to as well as add Users and Roles to the team. To delete the team, simply click the Delete button.
Teams can be configured with several restrictions that will override any folder-level permission settings.
With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence.
With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence.
Keeper's Privacy Screen feature gives you the ability to control the viewing (unmasking) of all passwords at the team level. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users. It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. Privacy Screen can also be configured at the role and website domain level in Keeper's Role Policies.
To hide folders that have been shared with an entire team from individual users of that team, click the gear icon and select the Hide Shared Folders checkbox next to the user. The purpose of this is to allow an Admin to be a member of a team, but not necessarily receive the records associated with the team. This is not for security purposes (since they can easily turn off the Hide Shared Folders feature) but rather convenience so they don't accumulate unwanted records in their vault.
Teams can be provisioned in other ways as described in the Keeper Enterprise guide, including:
Keeper AD Bridge https://docs.keeper.io/keeper-bridge/
Automated Provisioning with SSO and SCIM https://docs.keeper.io/enterprise-guide/user-and-team-provisioning
Keeper Commander API https://github.com/Keeper-Security/commander
Teams provisioned through the Keeper AD Bridge or SCIM can be approved by following the instructions from the Approval Queue page. https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/approval-queue