Get Credential Governance with Role-Based Access Control

Protect your Passwords with Role-Based Access Controls and Zero-Trust Security.


The Principle of Least Privilege

Organisations must give employees the credentials and access they need to do their jobs efficiently while withholding access to confidential information they do not need.

The principle of least privilege (PoLP) is the practice of restricting each user's access and permissions to the minimum required to carry out their job functions. Under this principle, employees can reach only what their role needs, not the organisation's entire network.

PoLP reduces the attack surface by eliminating unnecessary privileges that could be exploited by a malicious insider, or by an outside threat actor who compromises an employee's credentials. Without proper credential governance and enforcement mechanisms, a single compromised account can expose far more than it should.

Control Organisation Access Levels with Nodes, Roles and Teams

The ability to provide least-privilege access to all users is a critical component of enterprise password management. Keeper allows administrators to fine-tune their organisation's access levels to sensitive data and credentials, from teams and groups down to the individual user level.

This key feature works seamlessly with Keeper’s superior architecture, composed of Nodes, Roles and Teams.


Nodes are a way to organise users into distinct groupings, similar to organisational units in Active Directory, and are at the core of Keeper’s architecture. The administrator can create nodes based on location, department, division or any other structure. By default, the top-level node – or root node – is set to the organisation name and all other nodes can be created under the root node.

One advantage of defining multiple nodes is support for delegated administration. A delegated administrator can be granted some or all administrative permissions, but only over their own node and the nodes beneath it. This lets different people in the organisation manage the teams, users, roles and shared folders within their own subset of the tree.


Roles define permissions, control which features and security settings apply to which users, and manage administrative capabilities. Users are provisioned under their respective nodes, with their roles configured to match the specific needs of the business.

Roles are made up of enforcement policies and control how users are able to access the Keeper Vault on their devices. Any number of role policies can be created and applied to one or more users.


Teams are used for sharing privileged accounts and shared folders among groups of users within the Keeper Vault. Teams can also be used to easily assign roles to entire groups of users to ensure the consistency of enforcement policies.

Because Keeper's security model is built on least privilege, role policies combine restrictively: when a user is a member of multiple roles, the most restrictive setting from those roles applies.
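The two rules above (a delegated administrator's scope is their node plus its sub nodes, and a user with several roles gets the most restrictive combination of their policies) are easy to state but easy to get wrong in practice, for example by letting a later role loosen an earlier one. The following is an added illustration written for this page, not Keeper's own code or data model: the node tree, the `Policy` fields (password length, 2FA, export, network allowlist) and the sample organisation are all constructed to show the merge semantics, and Keeper's real enforcement policies are not assumed to have these names.

```python
"""Added example (not Keeper's implementation): node-scoped delegated admin
and most-restrictive merging of role enforcement policies.  Every class,
field name and sample value here is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Node:
    """One node in the organisation tree; parent=None marks the root node."""
    name: str
    parent: Optional["Node"] = None


def in_scope(admin_node: Node, target: Node) -> bool:
    """A delegated admin of admin_node may act on users in that node or in
    any node beneath it, never on sibling or ancestor nodes."""
    cur: Optional[Node] = target
    while cur is not None:
        if cur is admin_node:
            return True
        cur = cur.parent
    return False


@dataclass(frozen=True)
class Policy:
    """Hypothetical enforcement settings a role may set.  None means the role
    does not set the value, so it can never loosen another role's setting."""
    min_password_length: Optional[int] = None
    require_2fa: Optional[bool] = None
    allow_export: Optional[bool] = None
    allowed_networks: Optional[tuple] = None  # CIDR strings, e.g. ("10.0.0.0/8",)


@dataclass(frozen=True)
class Effective:
    """The merged policy actually enforced for one user."""
    min_password_length: int
    require_2fa: bool
    allow_export: bool
    network_allowlists: tuple  # one allowlist per role that restricts networks


def merge_most_restrictive(policies) -> Effective:
    """Combine role policies so the result is never looser than any one role:
    numeric minimums take the maximum, 'require' flags OR together, 'allow'
    flags AND together, and every network allowlist is kept so that access
    must satisfy all of them."""
    min_len = 0
    require_2fa = False
    allow_export = True
    allowlists = []
    for p in policies:
        if p.min_password_length is not None:
            min_len = max(min_len, p.min_password_length)
        if p.require_2fa:
            require_2fa = True
        if p.allow_export is False:
            allow_export = False
        if p.allowed_networks is not None:
            allowlists.append(tuple(ip_network(n) for n in p.allowed_networks))
    return Effective(min_len, require_2fa, allow_export, tuple(allowlists))


def login_allowed(eff: Effective, client_ip: str) -> bool:
    """Every restricting role's allowlist must admit the client address.
    With no restricting roles, all([]) is True and any address is allowed."""
    ip = ip_address(client_ip)
    return all(any(ip in net for net in lst) for lst in eff.network_allowlists)


# Constructed sample organisation: root -> IT -> IT Ops, root -> Marketing.
ROOT = Node("Example Corp")
IT = Node("IT", ROOT)
IT_OPS = Node("IT Ops", IT)
MARKETING = Node("Marketing", ROOT)

# Constructed sample roles.  A baseline role applies to everyone; an IT admin
# role tightens password length and 2FA and restricts vault access to the
# office network; a separate role only forbids clipboard/export.
BASELINE = Policy(min_password_length=12, require_2fa=False, allow_export=True)
IT_ADMIN = Policy(min_password_length=20, require_2fa=True,
                  allowed_networks=("10.0.0.0/8",))
EXPORT_LOCK = Policy(allow_export=False)

# A user holding all three roles gets the strictest value of each setting.
IT_ADMIN_EFFECTIVE = merge_most_restrictive([BASELINE, IT_ADMIN, EXPORT_LOCK])

if __name__ == "__main__":
    print(IT_ADMIN_EFFECTIVE)
    print("login from office 10.1.2.3:", login_allowed(IT_ADMIN_EFFECTIVE, "10.1.2.3"))
    print("login from home 203.0.113.5:", login_allowed(IT_ADMIN_EFFECTIVE, "203.0.113.5"))
    print("IT admin may manage IT Ops user:", in_scope(IT, IT_OPS))
    print("IT admin may manage Marketing user:", in_scope(IT, MARKETING))
```

The important design point is that an unset field (`None`) is treated as "no opinion" rather than as the permissive default, so adding a user to an extra role can only tighten their effective policy. Network restrictions are kept as separate allowlists rather than unioned, because a union would let one role's permitted range loosen another role's restriction.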

Meet the Needs of Your Internal Controls with Role-Based Enforcement Policies

Keeper gives your organisation fine-grained control and visibility over what information users can access and manage within the platform, using customisable role-based access controls (RBAC). The role policy engine lets you tighten restrictions and access according to the risk profile of an individual user.

For example, you may want to block IT Admins from accessing their vault outside the office network, or allow administrative assistants to onboard new users, manage teams and run reports without granting them full administrative rights. The entire process is configured through a user-friendly interface.

From the console, administrators have access to a robust collection of Enforcement Policies that control how users access and interact with the vault and which features they can use.


Keeper's Node Architecture Scales to Any Size Organisation

Fully appreciating the power and flexibility of Keeper's role-based access controls requires an understanding of the organisational structure that is implemented when deploying Keeper in your organisation.

The business security landscape is constantly evolving, requiring ease of use and flexible internal safeguards. Keeper is designed to scale to any size organisation. Features such as role-based permissions, team sharing, departmental auditing and delegated administration support your business as it grows and changes. When employees take on new job responsibilities or change positions, Keeper updates their roles through its Active Directory integration, so their permissions track their current position.

Eliminate the Risk of Critical Data Loss When Employees Leave the Organisation

Keeper's zero-knowledge account transfer capabilities provide enterprise customers with peace of mind that an employee will never walk away with critical data when they leave the organisation.

Using Keeper's "Account Transfer" feature, a user's vault can be locked and then transferred to another user within the organisation. The transfer remains fully zero-knowledge, and the ability to perform account transfers can be limited to specific roles.

For example, IT administrators can ensure that only the engineering manager can transfer an engineer's vault, and that the marketing manager can transfer only a marketing coordinator's vault.

Frequently Asked Questions

What is RBAC (role-based access control)?

Role-based access control, also known as role-based security, is an access control model in which a user's role within an organisation determines which resources they can access. The goal of RBAC is to ensure that users cannot access systems and data unrelated to their job functions. This supports compliance, prevents data leakage and, if a user's credentials are compromised, limits a threat actor's ability to move laterally within the network.

What is privileged access management?

Privileged access management (PAM) refers to the tools and technology organisations use to secure, control and monitor access to their most critical information and resources, such as local and domain administrative accounts. PAM helps protect organisations from cyber attacks by preventing unauthorised use of privileged accounts.

What is the difference between RBAC and ABAC?

The main difference between role-based access control (RBAC) and attribute-based access control (ABAC) is how each decides whether to grant access. RBAC grants access based on the roles assigned to a user. ABAC evaluates attributes of the user, the resource and the request context, such as the action being performed, the user's location, the device in use and more.
