A personal folder is visible only to the user who created it. A personal folder can be made up of subfolders and records. A personal folder can also contain other shared folders and shared records.
A shared folder can be shared to an individual Keeper user or to a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records. When a user is provisioned to a Team through any of the previously described onboarding methods (Active Directory Bridge, SSO, Azure AD, SCIM, API, etc.), the user will instantly receive the shared folders for that team and the records associated with those shared folders. When the user is removed from a team, their access to any shared folders is revoked and those folders are immediately removed from their vault. Any user within the Keeper Vault can create a personal folder or shared folder (unless restricted by the Keeper Administrator).
Both personal folders and shared folders can be nested and can contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent.
If the parent folder is a shared folder and you move a personal folder into it, the personal folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
In the screen below, the Region 1 folder is not shared but 1 of its 2 subfolders is shared (Monthly Sales Projections) and has the shared folder icon. The records it contains are also shared and are displayed with the "shared record icon" to the right of the record name. Region 2 is a shared folder so all the records contained within its subfolders are also shared and have the "shared record icon". The permissions on the Region 2 shared folder are also on the subfolders and records. Only the parent shared folder will receive the shared folder icon.
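The inheritance rules above can be checked before a move. The following is an added example, not Keeper code or the Keeper API: a small model of a folder tree that lists, for each record in a personal folder, the users who would newly see it once the folder is moved under a shared folder. The Folder class, the "Drafts" and "West" subfolders, the team name and the addresses are assumptions made for illustration, and the moved subtree is assumed to be personal.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False, repr=False)
class Folder:
    name: str
    owner: str
    shared_with: Optional[dict] = None  # set only on a shared folder: principal -> permissions
    records: list = field(default_factory=list)
    parent: Optional["Folder"] = None
    children: list = field(default_factory=list)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

def shared_root(folder):
    while folder is not None and folder.shared_with is None:  # subfolders inherit: walk up
        folder = folder.parent
    return folder

def viewers(folder, teams):
    root, users = shared_root(folder), {folder.owner}
    if root is not None:
        users.add(root.owner)
        for principal in root.shared_with:
            users |= set(teams.get(principal, [principal]))  # expand a team to its members
    return users

def preview_move(folder, new_parent, teams):
    """For each record in a personal subtree: users who would newly see it after the move."""
    gained = viewers(new_parent, teams) - viewers(folder, teams)
    report = {rec: gained for rec in folder.records}
    for child in folder.children:
        report.update(preview_move(child, new_parent, teams))
    return report

# Constructed sample mirroring the Region 1 / Region 2 layout; names and addresses are made up.
ME, TEAMS = "alice@example.com", {"Sales Team": ["bob@example.com", "carol@example.com"]}
vault = Folder("My Vault", ME)
region1 = vault.add(Folder("Region 1", ME))
monthly = region1.add(Folder("Monthly Sales Projections", ME,
                             shared_with={"dave@example.com": {}}, records=["Q3 forecast"]))
drafts = region1.add(Folder("Drafts", ME, records=["Pricing login"]))
region2 = vault.add(Folder("Region 2", ME, shared_with={"Sales Team": {}}))
west = region2.add(Folder("West", ME, records=["CRM login"]))
if __name__ == "__main__":
    print(preview_move(drafts, west, TEAMS))
```

Here "West" has no sharing of its own, yet moving "Drafts" into it exposes the record to the whole team, because the permissions come from the Region 2 parent.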
There are 2 permissions available from the Shared Folder screen when adding users and teams: Can Manage Records and Can Manage Users.
Can Manage Records
When this setting is checked, the user is able to add and remove records from the shared folder.
Can Manage Users
When this setting is checked, the user is able to add and remove other users & teams from the Shared Folder.
Permissions on records within the Shared Folder can be individually controlled with Can Edit and Can Share permission. Records with Can Edit permission are editable by anyone in the shared folder. Records with Can Share permission are re-shareable by anyone in the shared folder.
When creating a Shared Folder, we recommend setting the Default Folder Settings to ensure that records added to the folder by team members retain a desired set of permissions. By default, the permissions are least-privilege access. Select Default Folder Settings and configure the 4 options:
Can Manage Users
Users or teams added to the shared folder can add and remove other users and teams from the folder.
Can Manage Records
Users or teams added to the shared folder can add and remove records from the folder.
Can Edit Record
Users or teams added to the shared folder can edit the record contents.
Can Share Record
Users or teams added to the shared folder can share the individual records in a different shared folder or with another individual.
Changing the default folder settings applies only to new users and records added from that point forward. Therefore, we recommend always setting default folder permissions when creating a new shared folder.
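Because a change to the defaults is not retroactive, users and records added earlier can hold more permission than the folder's current defaults would grant. The following is an added example, not Keeper code or the Keeper API: a model of the four default settings that snapshots them when a user or record is added, plus an audit that reports entries exceeding the current defaults. The class, the flag names and the sample users and records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

USER_FLAGS = ("can_manage_users", "can_manage_records")
RECORD_FLAGS = ("can_edit", "can_share")

@dataclass
class SharedFolder:
    name: str
    # Least privilege until someone changes the Default Folder Settings.
    defaults: dict = field(default_factory=lambda: dict.fromkeys(USER_FLAGS + RECORD_FLAGS, False))
    users: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)

    def set_defaults(self, **flags):
        unknown = set(flags) - set(self.defaults)
        if unknown:
            raise ValueError(f"unknown setting(s): {sorted(unknown)}")
        self.defaults.update(flags)  # entries already in the folder are not touched

    def add_user(self, who):
        self.users[who] = {f: self.defaults[f] for f in USER_FLAGS}  # snapshot at add time

    def add_record(self, title):
        self.records[title] = {f: self.defaults[f] for f in RECORD_FLAGS}

def excess_over_defaults(folder):
    """Users and records holding a permission the current defaults would not grant."""
    findings = []
    for kind, entries in (("user", folder.users), ("record", folder.records)):
        for name, perms in sorted(entries.items()):
            extra = sorted(f for f, on in perms.items() if on and not folder.defaults[f])
            if extra:
                findings.append((kind, name, extra))
    return findings

def demo():
    # Constructed scenario: defaults are tightened only after the folder is in use.
    folder = SharedFolder("Region 2")
    folder.set_defaults(can_manage_users=True, can_edit=True, can_share=True)
    folder.add_user("bob@example.com")
    folder.add_record("CRM login")
    folder.set_defaults(can_manage_users=False, can_edit=False, can_share=False)
    folder.add_user("carol@example.com")
    folder.add_record("Billing portal")
    return folder

if __name__ == "__main__":
    for finding in excess_over_defaults(demo()):
        print(finding)
```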
A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most secure encryption model while providing ease-of-use functionality like Drag & Drop.
A Folder can be made up of personal records, shared records or other subfolders.
Subfolders can be either shared or personal.
You can create an unlimited number of folders and shared folders.
A Shared Folder can be made up of an unlimited number of subfolders; each subfolder beneath a shared folder retains the permissions of the parent.
There is no limit to the folder tree depth.
A folder is a container of records and record references (shortcuts).
A Shared Folder is a container of records, with flexible user and team sharing capability.
To create a new Folder or Subfolder, select Create New then Folder or Shared Folder. You can select the parent folder or select My Vault to add the folder at the root level.
To provision a Shared Folder to a Team, select the folder from the vault then select Edit. From the Users screen select the Team and then assign the team level permissions.
To provision a Shared Folder to an individual user, select the folder from the vault then select Edit. From the Users screen type in the user's email address or select from the drop-down of previously shared users, then assign the user permissions.
A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked into multiple folders or Shared Folders. A linked record is also referred to as a Shortcut or a reference. In either case, modifying a linked record will change it everywhere that it is referenced.
There are two ways to Move a record into a folder:
Drag & Drop the record from the left pane and select "Move" when prompted
Right-click a record from the left pane and select "Move to..."
To add a record to multiple folders (e.g. create a Shortcut), follow one of these methods:
Select the Folder and then select Edit. In the Add Records search box, search for the records to add and select Add. This method will always add a Shortcut (reference) to the folder.
Drag & Drop the record from the left pane and select Create Shortcut when prompted
Right-click a record from the left pane and select Create Shortcut...
Teams are created by the Keeper Administrator, or any user who has been provided administrative permissions to the Keeper Admin Console for a specific node or organizational unit. There is no limit to the number of teams that can be created.
A team is made up of users within a node or sub-node. Teams can be provisioned by any of the following methods:
Manual creation in the Keeper Admin Console
Automatically provisioned through the Active Directory / LDAP Bridge software
Automatically provisioned through SCIM
Automatically provisioned through the Keeper Commander SDK
At the encryption layer, teams have a public and private key pair. In order to add a user to a team, you must first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key. This encryption process is automatically handled by the above provisioning methods.
Inside the Admin Console there are several team security options:
Individual users within the team can optionally hide shared folders from their own vault. This may be useful for Administrators who want to manage their teams but not see any of the shared folders in their own vault. To disable viewing shared folders, select hide shared folders in the team edit screen (hovering over the user name).