Keeper's Folder, Shared Folder and subfolder capabilities are flexible and secure. Folders and Shared Folders can be created within the vault (if permitted by the Admin) or provisioned automatically from SCIM-connected identity providers such as Azure, Okta and JumpCloud.
A personal folder is only visible to the user who created the folder. A personal folder can be made up of subfolders and records. A personal folder can also contain other shared folders and shared records.
A shared folder can be shared with an individual Keeper user or with a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records. A team can be set up manually in the Admin Console from the Admin > Teams tab by clicking the Add Team button and then selecting users via the + user checkbox dialogue.
Alternatively, when a user is provisioned to a Team through any of the previously described onboarding methods (Active Directory Bridge, SSO, Azure AD, SCIM, API, etc.), the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, their access to any shared folders is revoked and those folders are immediately removed from their vault.
Both personal and shared folders can be nested and contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent folder.
If the parent folder is a shared folder and you move a personal folder into it, the personal folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
In the screen capture below, the Region 1 folder is not shared but 1 of its 2 subfolders is shared (Monthly Sales Projections), as noted by the shared folder icon. Region 2 is a shared folder, so all the records contained within its subfolders are also shared, as noted by their shared record icons.
A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most secure encryption model while providing ease-of-use functionality such as drag-and-drop.
A folder can be made up of personal records, shared records or other regular subfolders.
Subfolders can be either shared or personal.
You can create an unlimited number of folders and shared folders.
A shared folder can be made up of an unlimited number of subfolders; each subfolder beneath a shared folder retains the permissions of the parent.
There is no limit to the folder tree depth.
A folder is a container of records and record references (shortcuts).
A shared folder is a container of records, with flexible user and team sharing capability.
Folders and subfolders contained within Shared Folders will inherit the permission of the Shared Folder.
To create a new Folder or Subfolder, select Create New then select either Folder or Shared Folder. You can select the parent folder or select My Vault to add the folder at the root level.
To provision a Shared Folder to a Team, select the folder from within the vault and click Edit. From the Users screen, select the Team and then assign the team level permissions.
To provision a Shared Folder to an individual user, select the folder from within the vault and click Edit.
From the Users screen, enter the user's email address or select them from the drop-down of previously shared users then assign the user permissions.
There are two permissions available from the Shared Folder screen when adding Users and Teams.
Can Manage Records - when this permission is enabled, the user is able to add and remove records from the shared folder. The permissions of records added to the folder (Can Edit, Can Edit & Share) are set based on the Default Folder Settings of the shared folder.
Can Manage Users - when this permission is enabled, the user is able to add and remove other Users & Teams from the Shared Folder.
The permissions of records within a Shared Folder can be individually controlled with the following two permissions:
Can Edit - when this permission is enabled, the record can be edited by any user with access to the shared folder.
Can Share - when this permission is enabled, the record can be shared by any user with access to the shared folder.
When creating a Shared Folder, we recommend setting the Default Folder Settings to ensure that records added to the folder by team members will inherit the desired permissions.
Select Default Folder Settings to configure the following four permission options.
Can Manage Users
Users or teams added to the shared folder can add and remove other users and teams from the folder.
Can Manage Records
Users or teams added to the shared folder can add and remove records from the folder.
Can Edit Record
Users or teams added to the shared folder can edit the record contents.
Can Share Record
Users or teams added to the shared folder can share the individual records in a different shared folder or with another individual.
Watch the video below to learn about creating shared folders and assigning permissions.
If the Default Folder Settings are not set properly, users who drop records into the Shared Folder will find that the records are read-only for other members of the Shared Folder, even if those users have the "Can Manage Records" permission. The "Can Manage Records" permission does not allow the user to elevate their privileges on records.
To change the record permissions, the owner of the record must edit the Shared Folder and change the permission of each of the individual records:
If you are unable to change the permission of the record, it means that you are not the record owner. You will need to contact the record owner and instruct them to edit the Shared Folder and elevate the permission of the record.
Keeper Commander, our command-line SDK toolkit, provides a method of bulk record permission changes. Commander has special features that can be executed on the CLI instead of using the user interface. To download Keeper Commander binaries on Mac or PC please visit:
https://github.com/Keeper-Security/Commander/releases
Or, to install the CLI in a developer mode, please follow the installation instructions in the documentation here:
Example: Elevate Permissions on All Records
In this example, we will recursively change the record permissions in a Shared Folder.
(1) Identify the Shared Folder UID on the Vault user interface, or from the Commander CLI.
On Commander, you can use the "ls -l" command, similar to a Bash shell.
On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.
(2) On Commander, execute the "record-permission" command with the "--dry-run" option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:
record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw
As you can see, the Shared Folder UID starts with a dash, so we add "--" before the identifier to mark the end of the options and keep the UID from being parsed as one.
Running this command produces the following output:
The "SKIP" section lists the requested changes that the current user on Commander cannot make, because that user is not the owner of the record. The "GRANT" section lists the changes that will be allowed.
(3) To execute the command, we remove the "--dry-run" portion:
Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".
If a shared folder contains records from many different owners that need updating, each of those users can run the above Commander action to change the permissions of their respective records.
Keeper engineering is developing a new feature called "Shared Folder Admin" which will be launched in Q3 2021. This new feature will give administrative rights over the shared folder contents without requiring the record owner to make changes. Stay tuned!
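The ownership rule behind the SKIP and GRANT sections can be modelled offline to see which records stay read-only until their owners act. This is an added example, not Keeper Commander's code: the Record and Folder classes, the function names, and the sample UIDs and e-mail addresses are constructed for illustration, and treating records that already have Can Edit as needing no change is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    uid: str            # constructed sample UID, not a real Keeper UID
    owner: str
    can_edit: bool = False

@dataclass
class Folder:
    name: str
    records: list = field(default_factory=list)
    subfolders: list = field(default_factory=list)

def walk(folder, recursive=True):
    """Yield (path, record) for the folder and, if recursive, its subfolders."""
    for rec in folder.records:
        yield folder.name, rec
    if recursive:
        for sub in folder.subfolders:
            for path, rec in walk(sub):
                yield f"{folder.name}/{path}", rec

def plan_grant_edit(folder, user, recursive=True):
    """Dry run: GRANT holds records the user owns, SKIP holds the rest."""
    plan = {"GRANT": [], "SKIP": []}
    for path, rec in walk(folder, recursive):
        if rec.can_edit:
            continue  # assumption of this model: already editable, nothing to do
        plan["GRANT" if rec.owner == user else "SKIP"].append((path, rec.uid))
    return plan

def apply_grant_edit(folder, user, recursive=True):
    """Real run: only the user's own records change; returns UIDs still read-only."""
    for _, rec in walk(folder, recursive):
        if rec.owner == user:
            rec.can_edit = True
    return [rec.uid for _, rec in walk(folder, recursive) if not rec.can_edit]

def sample_folder():
    # Constructed sample: a shared folder, one subfolder, two record owners.
    sub = Folder("Q3", [Record("rec-3", "alice@example.com"),
                        Record("rec-4", "bob@example.com")])
    return Folder("Sales", [Record("rec-1", "alice@example.com"),
                            Record("rec-2", "bob@example.com", can_edit=True)], [sub])

if __name__ == "__main__":
    folder = sample_folder()
    print(plan_grant_edit(folder, "alice@example.com"))   # dry run as alice
    print(apply_grant_edit(folder, "alice@example.com"))  # bob's record remains
    print(apply_grant_edit(folder, "bob@example.com"))    # empty once bob runs it
```

The non-empty list returned after the first run is the audit signal: those records stay read-only for other folder members until their owner runs the same action.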
A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked into multiple folders or Shared Folders. A linked record is also referred to as a Shortcut or a reference. In either case, modifying a linked record will change it everywhere that it is referenced.
There are two ways to move a record into a folder:
Drag & Drop the record from the left pane and select Move when prompted
Right-click on a record from the list of records and select Move to...
Watch the video below to learn about adding records to shared folders.
Use one of the following methods to add a record to multiple folders (create a Shortcut):
Select the Folder and then select Edit. In the Add Records search box, search for the records to add and select Add. This method will always add a Shortcut to the folder.
Drag-and-Drop the record from the list of records and select Create Shortcut when prompted
Right-click on a record from the list of records and select Create Shortcut...
Teams are created by the Keeper Administrator, or any user who has been given administrative permissions for a specific node or organizational unit. A team is made up of users within a node or sub-node. Additionally, there is no limit to the number of teams that can be created. Teams can be provisioned using any of the following methods:
Manual creation in the Keeper Admin Console
Automatically provisioned through the Active Directory / LDAP Bridge software
Automatically provisioned through SCIM
Automatically provisioned through the Keeper Commander SDK
At the encryption layer, Teams have a public and private key pair. In order to add a user to a team, you must first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key. This encryption process is automatically handled by the provisioning methods listed above.
Inside the Admin Console there are several team security options. Teams that are added to a shared folder can be given limited rights:
Disable record re-shares
Disable record edits
Apply privacy screen
Individual users within the team can optionally hide shared folders from their own vault. This may be useful for Administrators who want to manage their teams but not see any of the shared folders in their own vault. To disable viewing of shared folders, select hide shared folders in the team edit screen (hovering over the user name).
A user with access to a Shared Folder can remove themselves from the Shared Folder. If the user has been granted "Can Manage Users & Records", the user also has the ability to delete the Shared Folder.
A user can change the color of a shared folder in order to make it stand out visually. This can be done on both Shared Folders and Personal Folders.