Team and User Approvals

Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams

The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

Keeper provides several approval methods, both manual and automated.

Team and User Approval Process

New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by either the Keeper Administrator or another team member.

Users added to teams via SCIM are added in a "pending" state and require approval by one of the methods outlined below. Because encryption keys must be generated and/or shared, the approval must be performed either by the Admin or through one of those methods. In Keeper's Zero-Knowledge environment, this action must be performed by a Keeper Administrator or by another team member.

In the newest version of Keeper, User and Team approvals occur automatically upon signing into the Admin Console, Web Vault and Desktop App.

Approval Method 1: Admin Console Login

Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

When teams are approved, if users linked to these teams have already joined the enterprise, they become team members immediately. If the linked users have not joined yet, they become pending members after they join and a Keeper administrator must approve those users' team memberships in the Keeper Admin Console or using one of our automated methods.

Approval Method 2: Vault Login

Team member approvals are completed automatically when any member of the team (including the Admin) logs into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

When teams are approved, if users linked to these teams have already joined the enterprise, they become team members immediately. If the linked users have not joined yet, they become pending members after they join and a Keeper administrator must approve those users' team memberships in the Keeper Admin Console or using one of our automated methods.

Approval Method 3: Keeper Commander

Approvals can be automated or run manually using Keeper Commander, the Keeper command-line interface and SDK platform.

Download Keeper Commander here: https://github.com/Keeper-Security/commander.

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

My Vault> team-approve

Keeper Commander Parameters

  • --team approve teams only

  • --user approve team users only

  • --restrict-edit {on,off} disable record edits

  • --restrict-share {on,off} disable record re-shares

  • --restrict-view {on,off} disable view/copy passwords

device-approve approves SSO Cloud user devices.

My Vault> device-approve

  • --approve approve all devices

  • --trusted-ip approve devices that come from recognized IPs

  • --reload retrieve the latest devices pending approval

  • --deny deny a device

Approval Method 4: Azure Function

Keeper provides customers with fully automated Admin Approvals using an Azure Cloud Function. This is an advanced method of performing Admin Approvals in the customer's fully cloud-based Azure environment.

See the setup instructions here: https://docs.keeper.io/sso-connect-cloud/device-approvals/azure-function