Credential governance and controls

Protect your Passwords with Role-Based Access Controls and Zero-Trust Security.

Request a Demo

Why Least-Privileged Access is Foundational to Your Organization's Security

Organizations are often faced with the challenge of providing their employees with the credentials and access required to execute their responsibilities efficiently while also excluding access to other confidential information. This is the principle of least privilege. The idea is to reduce the “attack surface” by eliminating unnecessary privileges that could be exploited by either a malicious insider or an outsider who is able to compromise any given employee. If proper credential governance and security mechanisms aren’t in place, your organization's security is at risk.

Keeper understands that the ability to provide least-privilege access to all users is a critical feature for an enterprise password manager. Keeper gives administrators the power to fine tune their organization's access levels to critical data and credentials, from teams and groups down to the individual user level. This key feature works seamlessly with Keeper’s superior architecture, composed of Nodes, Roles and Teams.

  • Nodes are a way to organize users into distinct groupings, similar to organizational units in Active Directory.
  • Roles define permissions, control which features and security settings apply to which users, and manage administrative capabilities.
  • Teams are used for sharing privileged accounts and shared folders among users within the vault.

Since Keeper’s security model is based on least-privilege access, Keeper implements least-privilege policies, so when a user is a member of multiple roles, their net policy is the one that’s most restrictive.

Meet the Unique Needs of Your Internal Controls with Role-Based Enforcement Policies

Keeper gives your organization fine-grained control and visibility over what information users are capable of accessing and managing from within the platform, using customizable role-based access controls (RBAC). By providing a flexible role policy engine, you can lock down restrictions and access based on the risk profile of an individual user.

For example, you may want your IT Admins to be restricted from accessing their vault outside of the office network. Or you may want administrative assistants the ability to onboard new users, manage teams and run reports. The entire process is fully customizable through a user-friendly interface.

From the console, administrators have access to a robust collection of Enforcement Policies, which control how users access and interact with the vault and which features they can use such as password complexity rules, two-factor authentication (2FA), platform restrictions, sharing, KeeperFill settings, offline access restrictions, IP allow lists and more.

  • Password Complexity Rules and Biometrics
  • Multi-Factor Authentication, Token Expiration and Device Restriction
  • Offline Access Restrictions
  • Allow IP Listing, Sharing and Data Export Restrictions
  • Account Transfers (employee offboarding and break-glass scenarios)
  • Administrative Permissions

Keeper’s Node Architecture Scales to Any Size Organization

Fully appreciating the power and flexibility of Keeper’s role-based access controls requires an understanding of the organizational structure that is implemented when deploying Keeper in your organization.

At the core of Keeper’s architecture are Nodes. The administrator can create nodes based on location, department, division or any other structure. By default, the top-level node, or root node is set to the organization name and all other nodes can be created under the root node.

One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the administrative permissions but only over their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators. This delegated administration allows different people in the organization to have management controls over subsets of teams, users, roles and shared folders.

Users can then be provisioned under their respective nodes, with their Roles configured to match the specific needs of the business. Roles are made up of enforcement policies and control how users are able to access the Keeper vault on their devices. Any number of role policies can be created and then applied to one or more users.

Finally, there are Teams, which are used for sharing privileged accounts and shared folders among groups of users within the vault. Teams can also be used to easily assign roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals.

Now more than ever, businesses are growing and evolving at an unprecedented rate, requiring ease of use and flexible internal safeguards. Keeper is designed to scale to any size organization and features such as role-based permissions, team sharing, departmental auditing and delegated administration support your business as it grows and evolves. As employees take on new job responsibilities or change positions, Keeper updates their roles through Active Directory, ensuring that team members always have the correct (and least-privilege) network permissions.

Eliminate the Risk of Critical Data Loss When Employees Leave the Organization

Keeper's Zero-Knowledge Account Transfer capabilities provide Enterprise customers with the peace of mind that an employee will never walk away with critical data when they leave the organization. Retaining critical and confidential data is important when employees leave the organization, especially users that are in an administrative or management capacity. Through the use of Keeper’s secure “Account Transfer” feature, a user’s vault can be locked and then transferred to another user within the organization.

The process of account transfer remains fully zero-knowledge, and the responsibility of performing the account transfers can be limited based on the roles created. For example, IT administrators can ensure that only the Engineering Manager can transfer the vault of an Engineer, or the Marketing Manager can only transfer the vault of a Marketing Coordinator. This account transfer functionality is an important and powerful way to take ownership of the content within a user's vault while retaining a secure role-based hierarchy.

Eliminate the Risk of Critical Data Loss When Employees Leave the Organization

Strengthen your Security with Effective Credential and Access Governance.

Request a Demo Try it Free

Trusted by millions of people and thousands of businesses

Ready to try Keeper?

English (US) Call Us
Try it Free