Shared Folders
Private folder and shared team folders in the Keeper Vault
Last updated
Was this helpful?
Enterprise Guide
Private folder and shared team folders in the Keeper Vault
Last updated
Was this helpful?
Keeper's Private Folder, Shared Folder and Subfolder capabilities are flexible and secure. Private Folders and Shared Folders can be created within the vault (if permitted by the Admin). Users and may be provisioned automatically from Active Directory through the , or from SCIM-connected identity providers such as Azure, Okta and Google Workspace allowing for simple setup of shared folder permissions.
A private folder is only visible to the user who created the folder and can be made up of subfolders and records. A folder can also contain other shared folders and shared records. To create a private folder, click Create New > Folder. Choose where you would like to nest the folder using the dropdown menu. You can select the parent folder or select My Vault to add the folder at the root level.
A shared folder can be shared with an individual Keeper user or with a Team of users (as designated in the Admin Console). Shared Folder permissions can be applied to Users, Teams and Records.
To create a Shared Folder, click Create New > Shared Folder. Choose where you would like to nest the folder using the dropdown menu. You can select the parent folder or select My Vault to add the folder at the root level. Next enter the name of the folder and set the User and Folder Permissions.
A Team can be setup in the Admin Console manually from Admin Panel and the Teams tab by clicking on the Add Team button and then selecting users via the + user checkbox dialogue.
Alternatively, when a user is provisioned to a Team through any of the previously described onboarding methods (Active Directory Bridge, SSO, Azure AD, SCIM, API, etc...), the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, their access is revoked from any shared folders and those folders are immediately removed from their vault.
You can add records to the folder by a simple drag-and-drop or you can click Edit and add the records using the record search bar.
Record Permissions are used to govern folder members' (users) interactions with each individual record in the folder. You can access these permissions from the Records Tab by clicking Edit and then the dropdown icon next to each record name.
Can Edit
Users in the folder can edit this record
Can Share
Users in the folder can share this record
Can Edit & Share
Users in the folder can edit and share this record
View Only
Users in the folder can only view this record
Next, set the user permissions by clicking on the dropdown arrow next to each user's email.
Can Manage Users
The user can add or remove other users in the folder
Can Manage Records
The user can add or remove records in the folder
Can Manage Users & Records
The user can add or remove other users and records in the folder
No User Permissions
The user will have no permissions over the other users or records in the folder
To create a Subfolder within a Shared Folder, right-click on a Shared Folder and select New Folder. You can add records to the folder by a simple drag-and-drop or you can click Edit and add the records using the record search bar.
While viewing the records within a Shared Folder, click the Edit Icon and check the box next to “Show subfolder records" located in the Records tab to include those records in view or leave it unchecked to collapse them from view.
Both private and shared folders can be nested and contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent folder.
If the parent folder is a shared folder and you move a private folder into it, the private folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
In the screen capture below, the Region 1 folder is not shared but 1 of its 2 subfolders is shared (Monthly Sales Projections) as noted by the shared folder icon. Region 2 is a shared folder so all the records contained within its subfolders are also shared and they as noted in their shared record icons.
Default Shared Folder Settings are configured in order to easily set folder permissions for all users and records within the folder and subfolder(s). These are selected upon the initial creation of the Shared Folder but you can change them at any time by clicking the edit icon in the upper right corner of the shared folder.
Please note, newly created records inherit these permissions when adding users or records to the shared folder.
If you would also like to apply the permissions change to your subfolder records, you must first check the box next to "Show subfolder records" located within the "Records" tab.
Next, select the "Settings" tab and click each dropdown arrow to set your default "User" and "Record" permissions for the folder.
Optionally, check the box next to "Apply permissions to existing [x] records" to apply the changes to any existing folder records. You can also check the box next "Apply permissions to all subfolders ([x] records)".
If the default folder settings are not set properly, users who add records to the Shared Folder will find that the records are "View Only" by other members of the Shared Folder, even if those users have "Can Manage Records" permission. If you would like all folder members to have edit rights over all records that are added to the folder, set the Record Permissions setting to "Can Edit"
The "Can Manage Records" User Permissions setting only allows users the ability to add or remove records, it does NOT give them record permissions.
Once the default folder settings are configured, it will only affect users added after the change was made. To edit permissions for the users added prior to the default settings change, edit them individually or through a bulk change from the "Users" tab.
A bulk change can be achieved by checking the box next to "Name" and clicking the "Permissions" dropdown to make your selection.
A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most secure encryption model while providing ease-of-use functionality such as drag-and-drop.
A folder can be made up of private records, shared records or other regular subfolders.
Subfolders can be either shared or private.
You can create an unlimited number of folders and shared folders.
A shared folder can be made up of an unlimited number of subfolders, each subfolder beneath a shared folder retains the permissions of the parent.
There is no limit to the folder tree depth.
A folder is a container of records and record references (shortcuts).
A shared folder is a container of records, with flexible user and team sharing capability.
Folders and subfolders contained within Shared Folders will inherit the permission of the Shared Folder.
Watch the video below to learn about creating shared folders and assigning permissions.
Keeper Commander, our command-line SDK toolkit, provides a method of bulk record permission changes. Commander has special features that can be executed on the CLI instead of using the user interface. To download Keeper Commander binaries on Mac or PC please visit:
Example: Elevate Permissions on All Records
In this example, we will recursively change the record permissions in a Shared Folder.
(1) Identify the Shared Folder UID on the Vault user interface, or from the Commander CLI.
On Commander, you can use the "ls -l" command, similar to a Bash shell.
On the Vault user interface, you can click on the info icon to display the Shared Folder UID.
(2) On Commander, execute the "record-permission" command with the "--dry-run" option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:
As you can see, the Shared Folder UID starts with a dash so we add "--" before the identifier to escape the character.
Running this command produces the following output:
The "SKIP" section is saying that the current user on Commander cannot make those requested changes, because we are not the owner of the record. The "GRANT" section indicates the changes that will be allowed.
(3) To execute the command, we remove the "--dry-run" portion:
Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".
If you are in a situation with many record owners in the same shared folder that require update, each of those users can simply run the above Commander action to change the permissions of their respective records.
Keeper's Share Admin feature is a role-based permission that gives administrators elevated access rights over your organization's shared folders and shared records.
A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked into multiple folders or Shared Folders. A linked record is also referred to as a Shortcut. In either case, modifying a linked record will change it everywhere it has a shortcut.
There are two ways to move a record into a folder:
Drag-and-drop the record from the list of records and select Move when prompted
Right-click on a record and select Move To...
Watch the video below to learn about adding records to shared folders.
Use one of the following methods to to add a record to multiple folders (create a Shortcut):
Select the Folder and then select Edit. In the Add Records search box, search for the records to add and select Add. This method will always add a Shortcut to the folder.
Drag-and-Drop the record from list of records and select Create Shortcut when prompted
Right-click on a record from the list of records and select Create Shortcut...
Teams are created by the Keeper Administrator, or any user who has been given administrative permissions for a specific node or organizational unit. A team is made up of users within a node or sub-node. Additionally, there is no limit to the number of teams that can be created. Teams can be provisioned using any of the following methods:
Manual creation in the Keeper Admin Console
Automatically provisioned through the Active Directory / LDAP Bridge software
Automatically provisioned through SCIM
Automatically provisioned through the Keeper Commander SDK
At the encryption layer, Teams have a public and private key pair. In order to add a user to a team, you must first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key. This encryption process is automatically handled by the provisioning methods listed above.
Inside the Admin Console there are several team security options. Teams that are added to a shared folder can be given limited rights:
Disable record re-shares
Disable record edits
Apply privacy screen
A user with access to a Shared Folder has the option to remove themselves from the Shared Folder. If the user has been granted the Can Manage Users & Records permission, the user also has the ability to delete the Shared Folder.
Users can change the color of a shared folder in order to make is stand out visually. This can be done on both Shared Folders and Private Folders.
While in Edit mode, from the "Users" tab, click within the email address field and enter the email address of the Keeper user (including ) or Team you would like to share the folder with.
Or, to install the CLI in a developer mode, please follow the installation instructions in the documentation here:
The use of shared folders can be restricted by the Keeper Administrator in the section of the Keeper Admin Console.
