Approval Queue

Manual and automated approval of SCIM- or Bridge-provisioned Users & Teams

The Approval Queue is the location where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval.

Team and User Approval Process

New users added by the SCIM sync are created in the “invited” state and sent an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by either the Keeper Administrator or another team member.

Users added to teams via SCIM are added in a "pending" state and require approval by one of the methods outlined below. The approval must be performed either by the Admin or through one of the methods outlined below, because encryption keys must be generated and/or shared. In Keeper's Zero-Knowledge environment, this action must be performed by a Keeper Administrator or by team members.

Approval Method 1 - Manual Approval in "Approval Queue" Screen

The Keeper Administrator can approve the teams in the Enterprise Console by visiting the "Approval Queue" screen.

Team Approvals

Select the rows to approve, and click "Approve" to create the team that has been pushed via SCIM from your identity provider. When the team is approved, encryption keys are generated for the team.

Click on the "Users" tab to approve users that have been added to teams.

User Assignment Approvals

Note 1: Click the "Sync" button to refresh the data and pick up any Team or User assignments.

Note 2: After approving a NEW team, user approvals for that team will not show up in the Users tab until you click "Sync" from the Admin screen or log out and log back in.

Note 3: Users do not need to be approved from the admin console. See Method 2 below.

Approval Method 2 - Vault Login

Team member approvals are also completed automatically when any member of the team (including the Admin) logs into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

When teams are approved, users linked to those teams who have already joined the enterprise become team members immediately. Linked users who have not joined yet become pending members after they join, and the Keeper Administrator must approve their team membership in the Keeper Enterprise Console.
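
The key handling behind these approvals, as an added sketch that is not Keeper's code: approving a team generates the Team Key on the approver's client, and approving a member wraps that key with the member's public key, so only someone who already holds the Team Key can complete an approval. RSA-OAEP (via the Python "cryptography" package), the Member and Server classes and all function names are assumptions for illustration, not Keeper's actual algorithms, formats or API.

```python
# Added illustration: RSA-OAEP and all names are assumptions, not Keeper's format or API.
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

class Member:
    """A user's client: the private key never leaves it."""
    def __init__(self, name):
        self.name = name
        self._private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public = self._private.public_key()

    def unwrap(self, wrapped):
        return self._private.decrypt(wrapped, OAEP)

class Server:
    """Zero-knowledge store: public keys and wrapped Team Keys only."""
    def __init__(self):
        self.wrapped = {}  # (team, user) -> Team Key encrypted to that user
        self.pending = {}  # (team, user) -> public key awaiting approval

def approve_team(server, team, approver):
    """Team approval: the Team Key is generated on the approver's client."""
    team_key = os.urandom(32)
    server.wrapped[(team, approver.name)] = approver.public.encrypt(team_key, OAEP)

def approve_pending(server, team, approver):
    """Member approval: wrap the Team Key with each pending user's public key."""
    own_copy = server.wrapped.get((team, approver.name))
    if own_copy is None:  # no Team Key, so nothing to share: cannot approve
        raise PermissionError(f"{approver.name} holds no key for team {team}")
    team_key = approver.unwrap(own_copy)
    approved = []
    for (t, user), public in list(server.pending.items()):
        if t == team:
            server.wrapped[(t, user)] = public.encrypt(team_key, OAEP)
            del server.pending[(t, user)]
            approved.append(user)
    return approved

if __name__ == "__main__":
    server, admin, alice = Server(), Member("admin"), Member("alice")
    approve_team(server, "eng", admin)               # Method 1, Teams tab
    server.pending[("eng", "alice")] = alice.public  # assignment pushed by SCIM
    print(approve_pending(server, "eng", admin))     # admin holds the key
    print(len(alice.unwrap(server.wrapped[("eng", "alice")])))  # alice can now decrypt
```

In this model the server never sees the Team Key in the clear, which is why a pending assignment stays queued until an Admin or an existing team member acts on it.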

Approval Method 3 - Keeper Commander team-approve

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

Download Keeper Commander from:

My Vault> team-approve

team-approve Approve queued teams and users that have been provisioned by SCIM or Active Directory Bridge


  • --team Approve teams only

  • --user Approve team users only

  • --restrict-edit {on,off} disable record edits

  • --restrict-share {on,off} disable record re-shares

  • --restrict-view {on,off} disable view/copy passwords