Most organizations are constantly expanding and contracting their user base, hence the onboarding and the offboarding process is mission-critical to ensuring both effective productivity and the security of your organization. Staff who leave can wreak havoc, either on purpose or inadvertently, through the lockout or misuse of critical company systems that contain sensitive data.
Keeper facilitates the offboarding process for an employee’s vault via the Account Transfer functionality. This allows the entire contents of a user’s vault to be transferred to another designated user who can then decommission or transition the access as needed.
It works by setting up administrative permission (in the console under roles) and then having the Admin specifying where an account is moved to. Up until now all the records were simply transferred one-by-one to the designated user’s vault, which is a challenge to manage if there are so many records.
It is a critical best practice that vault transfer be set up as soon as possible, preferably before users have added any records to their vault so that if an employee leaves the company that all of their records will be preserved and accessible. At the very latest this is required to be done prior to an employee offboarding. The set up will trigger a notification to the vault owner for sake of full disclosure and will also result in a key being shared with the administrator so they have access when needed.
To enable transfer the checkbox must have been set for “Transfer Account” via the drop-down selector in the role Enhancement settings (for whatever role that applies to that employee).
The user will be notified in their vault that their vault is now transferable, and they will be asked to accept this within 30 days or be locked out.
If the user hasn’t been asked and accepted then the transfer of their vault will not be possible, so it’s important to get this capability established as early as possible with the user.
The administrator must have account transfer permissions enabled then they can specify who will be the receiver of that user’s vault records.
To execute the transfer the Admin goes to the User portion of the Admin console, selects that user, and then “locks” their Keeper account. That will freeze that user’s vault, and then a transfer can be done.
The next step is to designate a recipient.
Once the transfer has been done, the Admin Console user tab will show that that user is now “blocked”.
The contents of their vault are now transferred to the designated recipient and reside as a folder in that person’s vault. Dropping records are now put into a folder instead of as individual records, this is an enhancement that was released in May 2020 as part of the 14.4 version update of the console. This will help improve the recipient’s ability to find & manage that users records going forward.
More information on Account Transfer can be found in the Enterprise User Guide here: https://docs.keeper.io/enterprise-guide/account-transfer-policy
Get Started Right Now
The new Admin Console is available now on all Keeper Business and Enterprise plans for customers who are running Version 14.4 or later.
Not a Keeper customer yet? Start your 14-day free trial of Keeper’s business password manager now!
Bill Sheehan
Director, Product Management