Deploy to your team

This guide walks an administrator through rolling out Sablefort Keyvault to an organization end to end: creating the org, inviting members, distributing the desktop build through your internal channels, applying policies, and setting up break-glass access for emergencies. Plan for a pilot with a small group before a full rollout.

You need the Organization owner or Administrator role to complete the steps below. If you were invited as a member, ask an existing owner to grant you an admin role first.

1. Create your organization

An organization is the top-level container for your teams, vaults, members, and policies. Sign in to the admin console at https://admin.sablefort.com and choose Create organization.

  1. Enter your company name and primary billing contact.
  2. Verify one or more email domains you own (for example example.com). Verified domains let you enforce SSO and auto-join rules later.
  3. Choose your data region. This determines where your encrypted vaults are stored and cannot be changed after creation.

Once the org exists, you become its first owner. Add a second owner right away so the organization is never dependent on a single account.

2. Plan your vault structure

Decide how you will group secrets before you invite people, so members land in a tidy workspace. Most teams organize vaults by the team that owns the credentials rather than by application. A typical starting layout:

VaultOwner teamTypical contents
engineeringEngineeringService accounts, deploy keys, shared tooling logins
on-callSREEscalation logins, status-page credentials
financeFinanceVendor portals, payment processor logins

See Vaults for the full model. You can always add or reorganize vaults later.

3. Invite members

From People → Invitations you can invite members individually or in bulk.

Bulk invite by CSV

Upload a CSV with email and optional role and team columns. Each person receives an email with a one-time link to create their account and set a master password on their own device.

email,role,team
ada@example.com,member,Engineering
grace@example.com,admin,Engineering
lin@example.com,member,Finance
If you plan to use SSO or SCIM, skip manual invitations for those users and provision them from your identity provider instead. See Single sign-on.

4. Distribute the desktop build

Members install the Sablefort desktop app to unlock vaults, use autofill, and work offline. Distribute the build through the internal channels you already use rather than asking each person to hunt for a download.

  • Managed devices (MDM): Package the signed installer and push it to Linux, Windows, and macOS fleets through your device management tooling. The installer supports silent, unattended installation.
  • Internal software portal: Publish the installer to your company app catalog or self-service portal so members can install on demand.
  • Direct link: For smaller teams, share the download link from your org's Downloads page in the admin console. Every build is code-signed; verify the signature before wide distribution.

You can pin a minimum app version in policy (below) so out-of-date clients are prompted to update before they can sync.

5. Set organization policies

Policies apply to every member and are enforced by the client. Configure them under Settings → Policies before you open the rollout to everyone.

PolicyRecommendedNotes
Master password strengthStrongEnforces minimum length and complexity at account creation.
Two-factor authenticationRequiredMembers must enroll a second factor before accessing vaults.
Idle auto-lock10 minutesLocks the app after inactivity; requires master password to unlock.
Minimum app versionLatest stableBlocks sync for clients below the pinned version.
Export restrictionsAdmins onlyLimits who can export vault contents.

6. Set up break-glass access

Break-glass access covers the rare case where an on-call responder needs a sensitive credential that is normally restricted. The goal is that emergency credentials stay locked down until the moment they are needed, and every use is recorded for review afterward.

  1. Create a dedicated vault for emergency credentials and give it a clear name such as break-glass.
  2. Grant access to a small, named group (for example, the current on-call rotation) rather than to everyone.
  3. Enable Access notifications so that opening an item in this vault posts an alert to your security channel.
  4. Confirm that audit logging is on for the vault so each view is written to the exportable log.
Break-glass is a process, not a backdoor. Sablefort still encrypts these items on each authorized member's device; access is controlled by vault membership and recorded, but the underlying encryption is the same zero-knowledge model used everywhere else.

After an incident, review the access log, rotate any credential that was used, and confirm the responder still needs standing access.

7. Verify and hand off

Before you announce general availability, run through this checklist:

  • At least two organization owners exist.
  • Pilot members can install the desktop app, sign in, and see their vaults.
  • Policies are enforced (test auto-lock and the two-factor requirement).
  • Break-glass access notifications reach your security channel.
  • Audit log export works and is being retained where you expect.

When the pilot looks healthy, open invitations to the rest of the organization and point new members at Getting started.