Sharing KSM Applications with users
After creating a Keeper Secrets Manager (KSM) Application, you have the option to share it with other end users within your organization. Shared users gain access to the features and resources within the application, including the ability to view secrets, manage devices and gateways, and configure PAM record types using the associated Keeper Gateway.
Sharing enables teams to collaborate securely while maintaining strict access control through Keeper’s zero-knowledge architecture.
Prior to proceeding with this guide, ensure that you have created a KSM application. KSM applications can be created from your Vault or on Commander, for step-by-step instructions:
To share the KSM application:
Select the KSM Application you want to share
Edit the KSM Application by clicking edit
Navigate to the "Users" tab
In the search bar, enter the user’s email address
Select the user from the dropdown to add them to the application.
When sharing a KSM application with other users, the following permissions can be assigned:
Member
Can view the application and use the gateways associated with the application
Shared folders assigned to a KSM application are accessible by the devices and gateways associated with the application. When sharing a KSM application with another user, if the user does not already have access to the shared folders associated with the application, those folders will be automatically shared with the user.
The level of access the user receives to these shared folders depends on their assigned role in the application:
If the user is added as a "Member":
The user receives the "No User Permissions" shared folder permissions
If the user already had access to any of the shared folders before being added to the KSM application, their existing folder permissions remain unchanged and are not overwritten.
Records can be directly assigned to a KSM application via Keeper Commander secrets-manager app share
command.
When sharing a KSM application with another user, if the user does not already have access to the records associated with the application, those records will be automatically shared with the user. The level of access the user receives to these records is "View Only".
Note: Adding individual records to a KSM application requires using Keeper Commander.
Removing a user from the KSM application does not revoke their permissions from the shared folders. Folder access must be manually removed if desired.
KSM Applications can also be shared on Commander using the secrets-manager app share
command. For more information, visit this page.
Gateways are associated with KSM applications. When you share a KSM application with another user, the associated Keeper Gateway is also shared. For more information, visit this page.