Elevated rights to Shared Folders and Records
Keeper's Share Admin feature is a role-based permission that gives administrators elevated access rights over your organization's shared folders and shared records.
Share Admins have full user and record privileges for any shared record that they have access to.
From the Admin Console, assign a role with Share Admin privilege
From the Vault, add the Share Admin user to the folder or record
The Share Admin will immediately have full access rights on their Shared Folders
Restrictions
(1) The Share Admin can only take effect on Shared Folders that are owner/created by users within the Enterprise.
(2) The Share Admin can only take effect on Shared Folders that are owner/created by users within nodes under management by the Share Admin
(3) These restrictions are useful when you have Share Administrators that are managing just an organizational unit (or Node) and not the entire company.
(4) The Share Admin user must be added to folders they wish to manage. Anyone with "Can Manage Users" can add the Share Admin to the designated shared folder or record.
Add or remove records and users from shared folders
Change folder default permissions
Modify record permissions
Transfer record ownership to other users
Delete shared folders
In support of least-privileged access, Share Administrator permissions are granted via Role-Based Enforcement Policies. This provides the ability to grant Share Administrator rights to a limited group of administrators and provide elevated access rights to your organizations shared records and folders.
To assign someone in your organization Share Admin permissions, first create a role or select an existing role. Under administrative permissions click on the gear icon to display the list of permissions and select “Share Admin”.
In Keeper Commander, you can also run this command on the CLI:
To learn more about Keeper Commander visit: https://docs.keeper.io/secrets-manager/commander-cli/overview
While in edit mode for the shared folder, select the Users tab then click within the user search bar. Your organization’s available Share Admins will appear at the top of the list. Select the share admin(s) you would like to invite to the folder and click Add.
Individual Records
Share Admins can also be added directly to an individual record through the Share Record screen.
Once a shared record or folder is shared with the Share Administrator, they will immediately be granted full permissions over the Shared Folders or Records.
From the vault, a user with Share Admin permission for a shared folder is able to view all shared folder content, change shared folder default permissions, add or remove records and users, and delete the shared folder. The Share Admin can change record permissions for those records owned by users managed by the Share Admin. Changing record permissions includes editing, sharing, or transferring ownership.
Users can view who has Share Admin permissions over a folder by clicking on the Folder Information icon.
Share Admins can add or remove users and records from Shared Folders, no matter who owns the record.
Share Admins can change record permissions of any record within a Shared Folder or a direct share.
Share Admins can change the Default Folder Settings of any Shared Folder.
Share Admins can delete Shared Folders or Shared Records.
Share Admins have full record edit permissions including the right to transfer ownership of single or multiple records at once. To transfer ownership of multiple records, select the records, then right-click to reveal the context menu and select transfer ownership.
Enter the new owner’s email address or select it from the dropdown and click the transfer ownership button.
The transfer is verified if successful, if not, you will receive a notification of any records that are unable to be transferred. Share Admins can also perform a transfer of ownership of a single record directly from the record’s “Options” menu.
Share Admins can use the Commander CLI for making changes to Shared Folders and Shared Records. For example:
Record Commands such as edit
Sharing Commands such as share-record
, record-permissions
and share-folder
To learn more about Keeper Commander visit: https://docs.keeper.io/secrets-manager/commander-cli/overview
Share Admins will show up in the Compliance Reports interface as seen below:
Some use cases for Share Admin include:
Simplifies the process of editing record permissions when there are multiple users who contribute to a Shared Folder with mixed permission settings
Shared Folders that were created with unintentionally restrictive settings can be updated easily
Shared folder contains records that need to be moved to another shared folder
Records need to be transferred without having to completely transfer an entire vault
Temporarily elevate rights to make folder permission and record changes
How do I view the Share Admins for a shared folder in my vault?
Click the “Info” icon to reveal the shared folder detail panel. Share Admins are listed in the information dialog.
As a shared folder participant, how do I know who the “Share Admins” are for the organization so that I can invite them to participate in my shared folder?
While in edit mode for the shared folder, select the “Users” tab and “Add” users button. The organization’s available Share Admins will appear at the top of the list.
What happens to a consumer’s shared folder with owned records, if the consumer shares the folder with an enterprise user who is a Share Administrator, and the records in the shared folder have “read only” access?
The Share Admin does not manage the consumer, which means that the Share Admin cannot change record permissions and would have “read only” access to the records owned by the consumer. However, the Share Admin can manage the shared folder, users and records in the shared folder. These permissions allow the Share Admin to remove or invite users to the shared folder, change default folder permissions, or even delete the shared folder.
Given this scenario: A consumer has a shared folder with owned records and the consumer shares the folder to two users of the same enterprise with Manage Record permissions, where one of them is a Share Administrator. The non-share administrator adds a record to the folder. Can the Share Administrator manage users for this folder in this scenario since they can manage user access for records of managed record owners?
Yes. The Share Admin can manage (add/remove) any record or user from the shared folder. Additionally, if the non-share admin is associated with a node managed by the share administrator, the share administrator can change record permissions for those records owned by the administrator that does not have share admin permission.
What happens if a shared folder is shared between two businesses and there are shared folder administrators participating in the shared folder from both businesses.
The Share Admin can edit the default shared folder permissions, add/remove users and records from the shared folder, and edit record permissions for records that are owned by their managed users. If a record is removed from the shared folder, and it is the last reference to that record, it is moved to the record owner’s trash bin.
Are Share Admin permissions shown in Compliance Reports?
Yes. If a user has Share Admin access to records in a Compliance Report, this is shown in the report.
Can a Share Admin be removed from the Share Admin role and/or removed from a shared folder? If so, what happens to their permissions?
A Keeper Administrator can be temporarily assigned to a role with Share Admin permission. When they are removed from this role, their permissions to shared folders and records will revert to their previous shared folder permissions. A Share Admin can be removed from a Shared Folder by any participant that has “manage users” permission.
Will Share Admin permission be turned "on" by default for the Keeper Administrator role?
Yes. This permission is automatically turned on for the default Keeper Administrator role.