Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams
The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).
Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".
Keeper provides several methods of approvals, manual and automated.
New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.
New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods.
Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared.
Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.
Team members approvals are completed automatically when any member of the team (including the Admin) log into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.
Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.
Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals
Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.
See the setup instructions here.
Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.
Download Keeper Commander here: https://github.com/Keeper-Security/commander.
team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.
Keeper Commander Parameters
--team approve teams only
--user approve team users only
--restrict-edit {on,off} disable record edits
--restrict-share {on,off} disable record re-shares
--restrict-view {on,off} disable view/copy passwords
device-approve approves SSO Cloud user devices.
--approve approve all devices
--trusted-ip approve devices that come from recognized IPs
--reload retrieve the latest devices pending approval
--deny deny a device
See the setup instructions here.
Last updated
My Vault> team-approveMy Vault> device-approve