As described in the previous section, the AD Bridge will provision new Users, Roles and Teams to the Keeper Admin Console based on the configuration and filters applied. Creating new teams and adding users to a team both require encryption key generation and a key exchange, which can occur within the Keeper Admin Console, within the Keeper Bridge, or when a team member logs into the Web Vault. In addition to the encryption aspect of this process, a level of security is in place to prevent the AD Bridge administrator from adding himself to a privileged team. The Bridge will notify the Admin of pending team approvals through the Bridge Notification feature.
For this reason, the Keeper Admin Console contains an Approval Queue which prompts the Administrator to quickly approve the creation of new teams and addition of users to teams. If there are pending approvals, you will see a red indicator at the upper right side of the Admin Console interface:
Select the indicator to open the Approval Queue. There are two approval queues: Teams and Users.
Teams that are dynamically created by the AD Bridge must be approved by the administrator in the Admin Console. Select the red alert indicator and select the Teams option to display all pending team names. Approvals can be processed in one batch by selecting the Approve column header checkbox, or by selecting individual checkboxes. The Disable columns represent the Team Restrictions of Record Re-shares, Record Editing and Password Viewing (these map to the team restrictions Disable record re-shares, Disable record edits and Disable viewing passwords described in the Team screen).
Users that are invited to Keeper within teams must be approved by the administrator in the Admin Console. Select the red alert indicator and select the Users option to display all pending user accounts. Note: Users will only appear in the Approval Queue after they have accepted the invitation to the Keeper account and set up their profile. Approvals can be processed in one batch by selecting the Approve column header checkbox, or by selecting individual checkboxes. Upon approval, the user will immediately have access to any Shared Folders which have been shared with the team.
The Keeper Bridge can automate Team approval. This feature requires that the admin be logged into the Bridge client locally with their Keeper credential. The admin is added to every team in Keeper which they approve. This allows the Bridge to use the admin credential to automate User Team assignment. The admin credential is only retained in memory and is not stored, as this account will have all team keys. If the admin is not logged in during a Publish cycle, the Team or Team User Assignment will be queued, and a notification will appear alerting the admin to log in to the Bridge client. Teams and Team Users can be approved from the console ad hoc if needed. It is best to use the same admin account as is set up for Bridge registration. An admin can only approve teams of which they are a member. If a team is approved by a different admin than the one used for Bridge registration, and the Bridge admin is not specifically added to that team, the Bridge will not be able to approve members for that team. To enable automated team approval, select the option on the Options tab.
Team keys are also automatically distributed when a team member logs into the Web Vault or desktop application.
The Team notification will always sort to the top. This notification summarizes the Teams and Team User Assignments which are pending approval. The notification can be cleared manually, but will also clear itself when no Teams or Team Users require approval after the most recent Publish event has run. If Automated Team Approval is enabled, this notification will only appear when the Admin login is not available or when a Team User cannot be approved because the Registered Admin is not part of the Team.