Sharing Commands

Commands related to sharing records and shared folders


Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

Sharing Commands

share-record - Grant or revoke user access to a record

share-folder - Change shared folder permissions

record-permission - Change record permissions of a folder

share - Manage one-time shares

external-shares-report - Display or revoke shares to external users

share-record command

Command: share-record or sr

Detail: Grant or revoke user access to record(s), given the path or UID of a record or folder


Path or UID of record or folder


-e, --email <EMAIL> email of account to edit permissions for (required)

-a, --action <{grant, revoke, owner, cancel}> permission to set for record

-s, --share allow user to share record

-w, --write allow user to modify record

-R, --recursive apply command to shared folder hierarchy

--dry-run display the permissions changes without committing them

--expire-at EXPIRE_AT share expiration: "never" or ISO date-time (yyyy-MM-dd[ hh:mm:ss])

--expire-in <NUMBER>[(mi)nutes|(h)ours|(d)ays|(mo)nths|(y)ears] share expiration: "never" or period


share-record memberships/Gym -e
sr g6rvo2-Uv-BC16ZM33CF3w -e --share
sr social/Twitter -e --action owner
sr --recursive -e "My Shared Folder" 
sr --expire-at "2050-01-01 00:00:01" -e memberships/Gym
sr --expire-in 3d -e social/Twitter

  1. Share the "Gym" record in the "memberships" folder with user John Smith

  2. Share a record with the given UID with user John Smith and allow him to share the record with others

  3. Transfer ownership of the "Twitter" record in the "social" folder to user John Smith

  4. Share all records found in shared-folder "My Shared Folder" (including any in its subfolders) with user John Smith

  5. Share record "Gym" in the "memberships" folder with user John Smith, accessible until 1 second after the start of the year 2050 (GMT)

  6. Give user John Smith time-limited read-only access (valid only for the next 3 days) to the "Twitter" record in the folder named "social"

share-folder command

Command: share-folder or sf

Detail: Grant or revoke user default permissions for a given (set of) shared folder(s)

See the mkdir command for details on creating shared folders


Path(s) or UID(s) of folder(s)


-a, --action <{grant, revoke, remove}> permission to set for folder(s) / record(s)

-e, --email <EMAIL, TEAM, *>

  • email - user's email to set folder permissions for

  • team - name of a team to set folder permissions for

  • * - apply relevant permissions for each new user with whom the folder(s) is/are shared

  • @current/@existing - apply to all users with existing access to folder(s)

-r, --record <{RECORD NAME, UID, *, @existing, @current}>

  • record name / UID - specific record to set permissions for

  • * - set default permissions for any new record added to the relevant folder(s)

  • @existing/@current - apply permissions to all records currently contained by the specified shared folder(s)

-p, --manage-records allow managing records. Users/teams only

-o, --manage-users allow managing users. Users/teams only

-s, --can-share allow sharing records. Records only

-d, --can-edit allow modifying records in the folder. Records only

-f, --force apply permissions changes ignoring default folder permissions

--expire-at TIMESTAMP share expiration: "never" or ISO date-time (yyyy-MM-dd[ hh:mm:ss])

--expire-in PERIOD share expiration: "never" or period (<NUMBER>[(y)ears|(mo)nths|(d)ays|(h)ours|(mi)nutes])

Shared folder permissions are additive. If the default folder permissions allow a permission, all users and teams the folder is shared with will have that permission unless it is specifically revoked using -a revoke.


share-folder memberships -e -p 
sf memberships -r memberships/gym -a revoke --can-share
sf jdrkYEaf03bG0ShCGlnKww -e DB_ADMINS -p
sf "Team Passwords" -e "Marketing Team" -a grant -o
sf * -e DB_ADMINS -p
sf -a remove -e memberships
sf -e --expire-in 5h memberships

  1. Share the "memberships" shared folder with user Allow the user to manage records

  2. Revoke "Can Share" permission from the "gym" record in the "memberships" shared folder

  3. Share the folder with the given UID with the "DB_ADMINS" team and allow them to manage records in the shared folder

  4. Share a "Team Passwords" folder with a team called "Marketing Team" and give permission to manage users

  5. Share all shared folders with the "DB_ADMINS" team and allow them to manage records in the shared folder

  6. Remove all access to "memberships" shared folder for user Jane.Smith@gmail

  7. Grant user read-only access to "memberships" shared-folder, valid only for the next 5 hours

Changing Default Folder Settings

The Default Folder Settings control the permissions on newly added users and records. To change the default permissions with the share-folder command, use the [*] symbol.

For example, to set user defaults to "Can Manage Users & Records" and to set record defaults to "Can Edit & Share" on the Shared Folder based on a UID:

sf --action=grant --email=* --manage-users --manage-records jdrkYEaf03bG0ShCGlnKww
sf --action=grant --record=* --can-share --can-edit jdrkYEaf03bG0ShCGlnKww

Hint: You can also apply the same permissions used to set a shared folder's default settings (as in the examples above) to records/users currently assigned to that shared folder within the same command call by simply specifying the value "@current" or "@existing" for the appropriate option/s (-r for records, -e for users). Using examples similar to the ones above, we have the following:

sf -e * --manage-users --manage-records -e @existing jdrkYEaf03bG0ShCGlnKww

sf -r * -r @existing --can-share --can-edit -e @existing jdrkYEaf03bG0ShCGlnKww

In the 1st example, we set both the default user permissions and the permissions granted to current users assigned to the shared folder to "can manage users" and "can manage records".

In the 2nd example, we set both default record permissions and permissions for already-existing records currently contained by the shared-folder to "can edit" and "can share" for users that currently have access to that shared-folder.

record-permission command

Detail: Change the permissions for all records in a shared folder


Path or UID of folder


-a, --action <{grant, revoke}> permission access to set for record

-s, --can-share allow sharing records

-d, --can-edit allow modifying records in the folder

-f, --force apply permissions changes without prompting

-R, --recursive apply permission changes to all sub folders

--dry-run Display permission changes made by command without actually changing the permissions

--share-record change a record's sharing permissions

--share-folder change a folder's sharing permissions


record-permission memberships --action grant --can-share
record-permission jdrkYEaf03bG0ShCGlnKww -a revoke -d -R
record-permission social -a grant -s --dry-run

  1. Grant sharing permission to all records in the "memberships" shared folder

  2. Revoke edit permission from all records in the folder with the given UID and all sub folders

  3. See the changes that would be made by granting sharing permissions to the "social" folder but don't apply the permission change

share command

Requires Commander version 16.6.3+

Command: share

Detail: Create, list, or remove one-time shares for a given record.

Sub Commands:

list - show one time shares

create - create a new one time share URL

remove - remove a one time share


name or UID of record

one-time share name or ID (remove only)



-a --all show all one-time shares, including expired shares

--format <table, csv, json> the format to show the one time shares in

-v --verbose Verbose output


--output <clipboard, stdout> choose to put the URL in the clipboard, or to stdout (default)

--name name the one time share

-e <TIME> --expire <TIME> how long the one time share will remain active

format: <NUMBER>[(m)inutes|(h)ours|(d)ays] e.g. 1h for 1 hour



My Vault> share list dIGd46nq2uE_q1fXlAQGkw --all
Record UID              Name         Share Link ID            Generated            Opened    Expires              Status
----------------------  -----------  -----------------------  -------------------  --------  -------------------  ---------
dIGyf6nq2uE_q1fXlAQGkw  MyShare      vhSIl2fnjp5tTaE4w9DC...  2022-04-29 11:01:19            2022-04-29 12:01:19  Expired
dIGyf6nq2uE_q1fXlAQGkw  LwIdbnYa160  bOuAQzCoYL8XIcQpz2KU...  2022-04-29 15:38:27            2022-04-29 16:38:27  Generated


My Vault> share create dIGyf6nq2uE_q1fXlAQGkw -e 1h
       URL :[...]


My Vault> share remove dIGyf6nq2uE_q1fXlAQGkw MyShare
One-time share "MyShare" is removed from record "dIGyf6nq2uE_q1fXlAQGkw"
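
To audit which one-time links on a record are still usable, the table printed by share list can be parsed by column offset. This is an added example, not Keeper's code; the function names are its own, and it assumes the table's timestamps and the supplied clock are in the same time zone.

```python
import re
import shlex
from datetime import datetime

# Output of "share list <record> --all", copied from the session above.
SAMPLE = """\
Record UID              Name         Share Link ID            Generated            Opened    Expires              Status
----------------------  -----------  -----------------------  -------------------  --------  -------------------  ---------
dIGyf6nq2uE_q1fXlAQGkw  MyShare      vhSIl2fnjp5tTaE4w9DC...  2022-04-29 11:01:19            2022-04-29 12:01:19  Expired
dIGyf6nq2uE_q1fXlAQGkw  LwIdbnYa160  bOuAQzCoYL8XIcQpz2KU...  2022-04-29 15:38:27            2022-04-29 16:38:27  Generated
"""


def parse_share_table(text):
    """Turn the fixed-width table into a list of dicts keyed by column header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # The dashed rule gives each column's start offset. Cells may be empty
    # (the "Opened" column above), so splitting on whitespace would misalign.
    rule = next(i for i, ln in enumerate(lines) if set(ln.strip()) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    bounds = list(zip(starts, starts[1:] + [None]))

    def cut(ln):
        return [ln[a:b].strip() for a, b in bounds]

    header = cut(lines[rule - 1])
    return [dict(zip(header, cut(ln))) for ln in lines[rule + 1:]]


def live_shares(rows, now):
    """Shares whose link can still be opened at `now`, judged by the Expires time."""
    live = []
    for row in rows:
        expires = datetime.strptime(row["Expires"], "%Y-%m-%d %H:%M:%S")
        if row["Status"] != "Expired" and expires > now:
            live.append(row)
    return live


def removal_commands(rows):
    """One "share remove <record UID> <share name>" line per share, for review."""
    # Assumption: Commander splits arguments shell-style, so names are quoted.
    return [f'share remove {r["Record UID"]} {shlex.quote(r["Name"])}' for r in rows]
```

The page also lists csv and json output formats for share list; their field names are not shown here, so this example works from the table.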

external-shares-report command

The external-shares-report requires the Compliance Reporting add-on. This command is only available for Enterprise admin accounts.

Command: external-shares-report or esr

Details: Display and (optionally) revoke share-permissions granted to users outside of the enterprise


--format <{table, json, csv}> format the output, default is 'table'

--output <FILENAME> output to a filename. Ignored with 'table' format

--action, -a <{remove, none}> action to perform on external shares, 'none' if omitted

--share-type, -t <{direct, shared-folder, all}> filter report by share type, 'all' if omitted

--force, -f skip confirmation when removing shares

--refresh-data, -r refresh local user and record data before running


external-shares-report
external-shares-report -r
esr --output external_shares.json --format json
external-shares-report -a remove
esr -a remove -f
external-shares-report --share-type direct

  1. Show records and shared-folders shared to users outside of the enterprise

  2. Refresh locally-cached enterprise record/folder/user data prior to running and showing report

  3. Run report and export results to a JSON-formatted file named external_shares.json

  4. Run report, show results, and revoke external shares identified in the results

  5. Same as #4 above but requires no additional user-interaction to complete execution (i.e., skips confirmation prompt prior to revoking the external shares identified in the report)

  6. Run and show report, limiting results to records shared via direct-share (i.e., omit shared-folders from report)

By default, using the above command to revoke share-permissions previously granted to external accounts (via esr -a remove) requires user interaction, in the form of a confirmation prompt, to complete.

Hint: If you need to perform this task in a non-interactive manner (e.g., if running from a Keeper script/batch file, or as part of an automated administrative tool), include the --force flag in your command call (e.g., external-shares-report --force --action remove).

Bulk Record Permission Changes

In this example, we will recursively change the record permissions in a Shared Folder.

1. Identify Shared Folder UID

On Commander, you can use the "ls -l" command, similar to a Bash shell.

On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.

2. Validate Record Permissions Change with Commander

With Commander, execute the record-permission command with the --dry-run option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:

record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw

Since the Shared Folder UID begins with '-' in this example, '--' must be added before the identifier.

Running this command produces the following output:

The "SKIP" section lists the requested changes that the current Commander user cannot make, because we are not the owner of those records. The "GRANT" section indicates the changes that will be allowed.

3. Execute Permissions Change Command with Commander

To execute the command, we remove the "--dry-run" portion:

Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".

Shared Folders With Multiple Record Owners

If a shared folder contains records owned by many different users and those records require an update, each of those users can simply run the above Commander action to change the permissions of their respective records.


If you are an enterprise-user with share-admin privileges, you need only perform the steps outlined above once to change permissions for all records (regardless of who owns those records) in the shared-folder.

In such a case, there is no need for other record-owners to repeat the same steps, thus greatly simplifying the process.

Bulk Record-Ownership Transfer

Using steps almost identical to those of the previous example (in which we show how to change permissions for all records within a shared folder), it is also possible to transfer ownership of all records within a given shared folder to a single account.

For the following example (using the same vault and shared folder as the previous example), let's assume that we would like to transfer ownership of the records in that shared folder to user The steps are as follows:

1. Identify Shared Folder UID

See previous example for details on how to do this. For this example, we'll be using the shared folder with UID -FHdesR_GSERHUwBg4vTXw

2. Validate Record-Ownership Transfer Command with Commander

Similar to the previous example, we can simulate the desired action prior to its actual execution by running the share-record command with the --dry-run option in Commander (Note: unlike the previous example, we will also need to specify the username -- in this example -- for the account to which ownership of records should be transferred). The command is as follows:

share-record --action owner --email --dry-run --recursive -- -FHdesR_GSERHUwBg4vTXw

3. Execute Record-Ownership Transfer Command with Commander

Finally, as in the previous example, we remove the --dry-run option from our command call to perform the desired action, like so:

share-record --action owner --email --recursive -- -FHdesR_GSERHUwBg4vTXw
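
Both bulk procedures above run the same command twice, first with --dry-run and then without. As an added example (not Keeper's code), this Python helper builds both lines from one argument list so the reviewed command and the executed command cannot drift apart, and it always places "--" before the folder. The function name, the placeholder e-mail address, and the assumption that Commander splits arguments shell-style are this example's own.

```python
import shlex

# Actions and permission flags each command accepts, taken from this page.
ALLOWED = {
    "record-permission": ({"grant", "revoke"}, {"--can-share", "--can-edit"}),
    "share-record": ({"grant", "revoke", "owner", "cancel"}, {"--share", "--write"}),
}


def staged_commands(command, action, target, flags=(), email=None):
    """Return (dry_run_line, commit_line) for a recursive bulk change.

    Both lines come from one argument list, and the target always follows a
    literal "--" so a UID beginning with "-" is not parsed as an option.
    """
    if command not in ALLOWED:
        raise ValueError(f"unsupported command {command!r}")
    actions, known_flags = ALLOWED[command]
    if action not in actions:
        raise ValueError(f"{command} does not accept action {action!r}")
    unknown = set(flags) - known_flags
    if unknown:
        raise ValueError(f"unknown flags for {command}: {sorted(unknown)}")
    if (command == "share-record") != bool(email):
        raise ValueError("share-record requires --email; record-permission takes none")
    if not target.strip():
        raise ValueError("empty folder path or UID")

    argv = [command, "--action", action, "--recursive", *flags]
    if email:
        argv += ["--email", email]
    # Assumption: Commander splits its command line shell-style, so
    # shlex quoting of a path with spaces is read back as one argument.
    dry_run = shlex.join(argv + ["--dry-run", "--", target])
    commit = shlex.join(argv + ["--", target])
    return dry_run, commit


if __name__ == "__main__":
    # UID from the page; the e-mail address is a constructed placeholder.
    for line in staged_commands("share-record", "owner",
                                "-FHdesR_GSERHUwBg4vTXw",
                                email="new.owner@example.com"):
        print(line)
```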
