Approval Queue

Manual and automated approval of SCIM- or Bridge-provisioned Users & Teams

The Approval Queue is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval.

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user requests "Admin Approval".

Team and User Approval Process

New users added by the SCIM sync are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by either the Keeper Administrator or another team member.

Users added to teams via SCIM are added in a "pending" state and require approval by one of the methods outlined below. Approval must be performed either by the Admin or through one of the methods outlined below, because encryption keys must be generated and/or shared. In Keeper's Zero-Knowledge environment, this action must be performed by a Keeper Administrator or by another team member.

In the newest version of Keeper, User and Team approvals occur automatically upon signing into the Admin Console.

Approval Method 1: Manual Approval from the Approval Queue

The Keeper Administrator can approve the teams in the Enterprise Console by visiting the "Approval Queue" page.

Team Approvals

Select the rows you would like to approve, and click Approve to create the team that has been pushed via SCIM from your identity provider. When the team is approved, encryption keys are generated for the team.

Click on the Users tab to approve users that have been added to teams.

User Assignment Approvals

Notes Regarding this Approval Method

  • Click the Sync button to refresh the data and pick up any Team or User assignments

  • After approving a new team, user approvals for that team will not show up in the Users tab until you click Sync from the Admin page or log out and log back in

Approval Method 2: Vault Login

Team member approvals are also completed automatically when any member of the team (including the Admin) logs into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

When teams are approved, if users linked to these teams have already joined the enterprise, they become team members immediately. If the linked users have not joined yet, they become pending members after they join and a Keeper administrator must approve those users' team memberships in the Keeper Admin Console.
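The key handling described above (a team key generated at team approval, then encrypted to each pending user's public key by someone who already holds it) can be modelled as follows. This is an added example, not Keeper's code: the Client and Server classes, the function names, RSA-OAEP, the 32-byte key and the approver keeping a copy wrapped to their own public key are all assumptions for illustration, and it uses the third-party Python package cryptography.

```python
# Added illustration, not Keeper code. RSA-OAEP and the 32-byte team key are
# assumptions; the page does not say which algorithms Keeper uses.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

class Client:
    """A user's device. The private key never leaves it."""
    def __init__(self, name):
        self.name = name
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public = self._priv.public_key()

    def unwrap(self, blob):
        return self._priv.decrypt(blob, OAEP)

class Server:
    """Holds public keys, wrapped team keys and the queue, never a plaintext key."""
    def __init__(self):
        self.public_keys = {}  # user -> public key
        self.wrapped = {}      # (team, user) -> team key encrypted to that user
        self.pending = []      # (team, user) assignments pushed by SCIM

def approve_team(server, team, approver):
    """Team approval: the approver's client generates the team key."""
    server.wrapped[(team, approver.name)] = approver.public.encrypt(os.urandom(32), OAEP)

def approve_pending(server, approver):
    """On login, re-wrap every team key the approver holds for pending users."""
    done = []
    for team, user in list(server.pending):
        blob = server.wrapped.get((team, approver.name))
        if blob is None:
            continue  # approver holds no copy of this team key; entry stays queued
        team_key = approver.unwrap(blob)
        server.wrapped[(team, user)] = server.public_keys[user].encrypt(team_key, OAEP)
        server.pending.remove((team, user))
        done.append((team, user))
    return done

if __name__ == "__main__":
    admin, alice, bob = Client("admin"), Client("alice"), Client("bob")  # constructed users
    srv = Server()
    srv.public_keys = {c.name: c.public for c in (admin, alice, bob)}
    approve_team(srv, "Engineering", admin)
    srv.pending.append(("Engineering", "alice"))
    print(approve_pending(srv, bob), approve_pending(srv, admin))
```

The server object never sees a plaintext team key, which is why a queued assignment waits until a client that can decrypt the team key signs in.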

Approval Method 3: Keeper Commander

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

Download Keeper Commander here: https://github.com/Keeper-Security/commander.

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

My Vault> team-approve

Keeper Commander Parameters

  • --team approve teams only

  • --user approve team users only

  • --restrict-edit {on,off} disable record edits

  • --restrict-share {on,off} disable record re-shares

  • --restrict-view {on,off} disable view/copy passwords