As described in the previous section, the AD Bridge will provision new Users, Roles and Teams to the Keeper Admin Console based on the configuration and filters applied. Creating new teams and adding users to a team both require an encryption key generation and key exchange, which can occur within the Keeper Admin Console, in the Keeper Bridge, or when a team member logs into the Web Vault. In addition to the encryption aspect of this process, a level of security is in place to prevent the AD Bridge administrator from adding themselves to a privileged team. The Bridge will notify the Admin of pending Team approvals through the Bridge Notification feature. The Team notification will always sort to the top. This notification summarizes the Teams and Team User Assignments which are pending approval.
For this reason, the Keeper Admin Console contains an Approval Queue which allows the Administrator to quickly approve the creation of new teams and addition of users to teams. To view pending approvals, navigate to the Approval Queue on the right side of the Admin Console interface. There are two approval queues - Teams and Users.
Teams that are dynamically created by the AD Bridge must be approved by the administrator in the Admin Console. Navigate to the Approval Queue and select the Teams option to display all pending team names. Approvals can be processed in one batch by selecting the bulk selection checkbox, or by selecting individual checkboxes. In each of the Disable columns, the admin can turn on the restrictions Disable record re-shares, Disable record edits and Disable viewing passwords.
Users that are invited to Keeper within teams must be approved by the administrator in the Admin Console. Navigate to the Approval Queue and select the Users option to display all pending user accounts.
The Keeper Bridge can automate Team approval. This feature requires that the admin be logged into the Bridge client locally with their Keeper credential. The admin is added to every team in Keeper which they approve. This allows the Bridge to use the admin credential to automate User Team assignment. The Admin credential is only retained in memory and is not stored, as this account will have all team keys. If the admin is not logged in during a Publish cycle, the Team or Team User Assignment will be queued. A Notification will appear alerting the Admin to log in to the Bridge client. Teams and Team users can be approved from the console ad hoc if needed. It is best to use the same Admin account as is set up for Bridge registration. An Admin can only approve teams for which they are members. If a team is approved by a different admin than is used for Bridge registration and the Bridge admin is not specifically added to that team, the Bridge will not be able to approve members for that team. To enable automated team approval, select the option on the Options tab.
Team keys are also automatically distributed when a team member logs into the Web Vault or desktop application.
The Team notification can be cleared manually, but will also clear itself when no Teams or Team Users require approval after the most recent Publish event has run. If Automated Team Approval is enabled, this notification will only appear when the Admin login is not available or a Team User cannot be approved because the Registered Admin is not part of the Team.