Deploy to your team
This guide walks an administrator through rolling out Sablefort Keyvault to an organization end to end: creating the org, inviting members, distributing the desktop build through your internal channels, applying policies, and setting up break-glass access for emergencies. Plan for a pilot with a small group before a full rollout.
1. Create your organization
An organization is the top-level container for your teams, vaults, members, and policies. Sign in to the admin console at https://admin.sablefort.com and choose Create organization.
- Enter your company name and primary billing contact.
- Verify one or more email domains you own (for example
example.com). Verified domains let you enforce SSO and auto-join rules later. - Choose your data region. This determines where your encrypted vaults are stored and cannot be changed after creation.
Once the org exists, you become its first owner. Add a second owner right away so the organization is never dependent on a single account.
2. Plan your vault structure
Decide how you will group secrets before you invite people, so members land in a tidy workspace. Most teams organize vaults by the team that owns the credentials rather than by application. A typical starting layout:
| Vault | Owner team | Typical contents |
|---|---|---|
engineering | Engineering | Service accounts, deploy keys, shared tooling logins |
on-call | SRE | Escalation logins, status-page credentials |
finance | Finance | Vendor portals, payment processor logins |
See Vaults for the full model. You can always add or reorganize vaults later.
3. Invite members
From People → Invitations you can invite members individually or in bulk.
Bulk invite by CSV
Upload a CSV with email and optional role and team columns. Each person receives an email with a one-time link to create their account and set a master password on their own device.
email,role,team
ada@example.com,member,Engineering
grace@example.com,admin,Engineering
lin@example.com,member,Finance
4. Distribute the desktop build
Members install the Sablefort desktop app to unlock vaults, use autofill, and work offline. Distribute the build through the internal channels you already use rather than asking each person to hunt for a download.
- Managed devices (MDM): Package the signed installer and push it to Linux, Windows, and macOS fleets through your device management tooling. The installer supports silent, unattended installation.
- Internal software portal: Publish the installer to your company app catalog or self-service portal so members can install on demand.
- Direct link: For smaller teams, share the download link from your org's Downloads page in the admin console. Every build is code-signed; verify the signature before wide distribution.
You can pin a minimum app version in policy (below) so out-of-date clients are prompted to update before they can sync.
5. Set organization policies
Policies apply to every member and are enforced by the client. Configure them under Settings → Policies before you open the rollout to everyone.
| Policy | Recommended | Notes |
|---|---|---|
| Master password strength | Strong | Enforces minimum length and complexity at account creation. |
| Two-factor authentication | Required | Members must enroll a second factor before accessing vaults. |
| Idle auto-lock | 10 minutes | Locks the app after inactivity; requires master password to unlock. |
| Minimum app version | Latest stable | Blocks sync for clients below the pinned version. |
| Export restrictions | Admins only | Limits who can export vault contents. |
6. Set up break-glass access
Break-glass access covers the rare case where an on-call responder needs a sensitive credential that is normally restricted. The goal is that emergency credentials stay locked down until the moment they are needed, and every use is recorded for review afterward.
- Create a dedicated vault for emergency credentials and give it a clear name such as
break-glass. - Grant access to a small, named group (for example, the current on-call rotation) rather than to everyone.
- Enable Access notifications so that opening an item in this vault posts an alert to your security channel.
- Confirm that audit logging is on for the vault so each view is written to the exportable log.
After an incident, review the access log, rotate any credential that was used, and confirm the responder still needs standing access.
7. Verify and hand off
Before you announce general availability, run through this checklist:
- At least two organization owners exist.
- Pilot members can install the desktop app, sign in, and see their vaults.
- Policies are enforced (test auto-lock and the two-factor requirement).
- Break-glass access notifications reach your security channel.
- Audit log export works and is being retained where you expect.
When the pilot looks healthy, open invitations to the rest of the organization and point new members at Getting started.