User Management and Lifecycle

Managing users and lifecycles in the Keeper Admin Console

Searching for a User

Clicking on the Search field will open a dynamic search tool that searches across Nodes, Roles, Teams and Users. The search feature uses a fuzzy searching mechanism to find the best match.

Searching

Click on the headers (Nodes, Roles, Teams, Users) to filter the results.

Filter by Type

User Detail Screen

Once a user has been added, the Administrator can edit or make changes to a user's profile. By selecting the user that you want to modify from the Users tab, you will notice what user details can be edited, such as Name, Roles, or Team.

User Detail Screen

User Status

Users can be in one several states: Invited, Active, Locked, and Locked by IdP.

Status
Description

Invited

User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the Resend Invite button.

Active

User has created their Keeper account and joined the organization.

Locked by IdP

User has been disabled by the linked identity provider such as Active Directory or Entra ID.

Locked

User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge or SCIM). To manually lock a user account, select the Lock Account button.

User Actions

Additional user actions can be performed from the Edit User dialog.

Action
Description

Edit a user

Change the name of the user.

Disable 2FA

Disable the user's second factor authorization (2FA).

Transfer Account

If Account Transfer is active for the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. The account must first be locked before you can perform a transfer. After the transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.

Delete User

Delete the user account.

Note: this action cannot be undone and has serious consequences: 1. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams. 2. Any unshared records created by the user are deleted. 3. Any records shared from this user to other users will continue to be shared and will become "ownerless". Contact Keeper Support if you have questions regarding claiming ownerless records.

Lock Account

To suspend an account and prevent the user from accessing their Vault, you can simply lock their account. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.

Expire Master Password

Expire a user's Master Password outside of the enforcement policy periodicity. This functionality allows the administrator to specifically target a user to rotate their Master Password if a potential compromise is suspected. Please note, the user must first authenticate with their current Master Password, after which they will be promoted to create a new Master Password.

Resend Invite

If a user has been invited to join Keeper but has not yet completed their account setup, you can re-send their invitation to join.

Reset Security Score

Reset the stored calculations of the user's security score. Upon their next login on the Web Vault or Desktop App, the user's security scores will be re-calculated.

Email Changes

Email addresses can be edited by the Keeper Admin through the user interface or through the Commander CLI. For security reasons, emails can only be changed to domains which are reserved to the tenant. Learn more about domain reservation.

Change Email

Commander CLI

Manage users from the command line using the Keeper Commander CLI tool.

Relevant commands:

For more information see our Keeper Commander Documentation.

Last updated

Was this helpful?