Comment on page

User Management and Lifecycle

Managing users and lifecycles in the Keeper Admin Console

Searching for a User
Clicking on the Search field will open a dynamic search tool that searches across Nodes, Roles, Teams and Users.  The search feature uses a fuzzy searching mechanism to find the best match.  
Search the Admin Console
Click on the headers (Nodes, Roles, Teams, Users) to filter the results.
Filter by Type
User Detail Screen
Once a user has been added, the Administrator can edit or make changes to a user's profile. By selecting the user that you want to modify from the Users tab,  you will notice what user details can be edited, such as Name, Roles, or Team. 
User Detail Screen
User Status
Users can be in one of 6 states: Invited, Active, Disabled, Locked, Blocked and Pending Transfer Acceptance.
Status
Description
Invited
User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the Resend Invite button.
Active
User has created their Keeper account and joined the organization.
Disabled
User has been disabled in the enterprise Active Directory.
Locked
User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge or SCIM). To manually lock a user account, select the Lock Account button.
Blocked
If Account Transfer enforcement policy is applied to the role that the user belongs to, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked (the user can login but will not be able to move past the consent request popup to access their records). By clicking the Extend Transfer Acceptance Consent icon, the Admin can extend the time limit for an additional 7 days.
Pending Transfer Acceptance
If the Account Transfer enforcement policy is applied to the role that the user belongs to and the vault transfer consent request is pending acceptance within their vault. The user has 7 days to accept the request. 
User Actions
Additional user actions can be performed from the Edit User dialog. Only icons relevant to each user's account will be visible.
Icon
Action
 
​
 
Edit a user
Change the name of the user.
​
 
Disable 2FA
Disable the user's second factor authorization (2FA).
​
 
Transfer Account
If Account Transfer is active for the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. The account must first be locked before you can perform a transfer. After the transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.
​
 
Delete User
Delete the user account.  
​
Note: this action cannot be undone and has serious consequences:

1. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams.  
2. Any records created by the user are deleted.  
3. Any records shared from this user to other users will be deleted.
4: Any records in a shared folder shared to other users will continue to be shared and will become ownerless. 
​
 
Lock Account
To suspend an account and prevent the user from accessing their Vault, you can simply lock their account. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.
​
 
Expire Master Password
Expire a user's Master Password outside of the enforcement policy periodicity. This functionality allows the administrator to specifically target a user to rotate their Master Password if a potential compromise is suspected.
​
Extending Transfer Acceptance Consent 
If the Account Transfer enforcement policy is applied, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent in 7 days, their account will be in a "blocked" state. They will be required to accept the consent before access is again granted. The Extend Transfer Acceptance Consent will extend the time limit for another 7 days.
​
 
Resend Invite
If a user has been invited to join Keeper but has not yet completed their account setup, you can re-send their invitation to join.

SSO / SAML Authentication

Roles, RBAC and Permissions

Last modified 10d ago

Status	Description
Invited	User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the Resend Invite button.
Active	User has created their Keeper account and joined the organization.
Disabled	User has been disabled in the enterprise Active Directory.
Locked	User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge or SCIM). To manually lock a user account, select the Lock Account button.
Blocked	If Account Transfer enforcement policy is applied to the role that the user belongs to, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked (the user can login but will not be able to move past the consent request popup to access their records). By clicking the Extend Transfer Acceptance Consent icon, the Admin can extend the time limit for an additional 7 days.
Pending Transfer Acceptance	If the Account Transfer enforcement policy is applied to the role that the user belongs to and the vault transfer consent request is pending acceptance within their vault. The user has 7 days to accept the request.

Icon	Action
Edit a user	Change the name of the user.
Disable 2FA	Disable the user's second factor authorization (2FA).
Transfer Account	If Account Transfer is active for the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. The account must first be locked before you can perform a transfer. After the transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.
Delete User	Delete the user account. Note: this action cannot be undone and has serious consequences: 1. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams. 2. Any records created by the user are deleted. 3. Any records shared from this user to other users will be deleted. 4: Any records in a shared folder shared to other users will continue to be shared and will become ownerless.
Lock Account	To suspend an account and prevent the user from accessing their Vault, you can simply lock their account. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.
Expire Master Password	Expire a user's Master Password outside of the enforcement policy periodicity. This functionality allows the administrator to specifically target a user to rotate their Master Password if a potential compromise is suspected.
Extending Transfer Acceptance Consent	If the Account Transfer enforcement policy is applied, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent in 7 days, their account will be in a "blocked" state. They will be required to accept the consent before access is again granted. The Extend Transfer Acceptance Consent will extend the time limit for another 7 days.
Resend Invite	If a user has been invited to join Keeper but has not yet completed their account setup, you can re-send their invitation to join.