Sharing Commands
Commands related to sharing records and shared folders
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command | Explanation |
share-record or sr | Grant or revoke user access to a record |
share-folder or sf | Change shared folder permissions |
record-permission | Change record permissions of a folder |
share | Manage one-time shares |
external-shares-report or esr | Display or revoke shares to external users |
Command: share-record or sr
Detail: Grant or revoke user access to a record given that record's path or UID
Parameters:
Path or UID of record
Switches:
-e, --email <EMAIL> email of account to edit permissions for (required)
-a, --action <{grant, revoke, owner, cancel}> permission to set for record
-s, --share allow user to share record
-w, --write allow user to modify record
Examples:
share-record memberships/Gym -e [email protected]
sr g6rvo2-Uv-BC16ZM33CF3w -e [email protected] --share
sr social/Twitter -e [email protected] --action owner
- 1. Share the "Gym" record in the "memberships" folder with user John Smith
- 2. Share a record with the given UID with user John Smith and allow him to share the record with others
- 3. Transfer ownership of the "Twitter" record in the "social" folder to user John Smith
Command: share-folder or sf
Detail: Grant or revoke user or default permissions for a given (set of) shared folder(s)
Parameters:
Path(s) or UID(s) of folder(s)
Switches:
-a, --action <{grant, revoke}> permission to set for record
-e, --email <EMAIL, TEAM, *>
- email - user's email to set folder permissions for
- team - name of a team to set folder permissions for
- * - apply relevant permissions for each new user with whom the folder(s) is/are shared
- @current/@existing - apply to all users with existing access to folder(s)
-r, --record <{RECORD NAME, UID, *, @existing, @current}>
- record name / UID - specific record to set permissions for
- * - set default permissions for any new record added to the relevant folder(s)
- @existing/@current - apply permissions to all records currently contained by the specified shared folder(s)
-p, --manage-records allow managing records
-o, --manage-users allow managing users
-s, --can-share allow sharing records
-d, --can-edit allow modifying records in the folder
-f, --force apply permissions changes ignoring default folder permissions
Shared folder permissions are additive. If the default folder permissions allow a permission, all users and teams that folder is shared with will have that permission unless it is specifically revoked using -a revoke.
Examples:
share-folder memberships -e [email protected] -p -s -d
sf memberships -e [email protected] -r memberships/gym -a revoke
sf jdrkYEaf03bG0ShCGlnKww -e DB_ADMINS -p
sf "Team Passwords" -e "Marketing Team" -a grant -d
sf * -e DB_ADMINS -p
- 1. Share the "memberships" shared folder with user [email protected]. Allow the user to manage records, share the folder, and edit records
- 2. Revoke user [email protected]'s access to the "gym" record in the "memberships" shared folder
- 3. Share the folder with the given UID with the "DB_ADMINS" team and allow them to manage records in the shared folder
- 4. Share a "Team Passwords" folder with a team called "Marketing Team" and give them edit access
- 5. Share all shared folders with the "DB_ADMINS" team and allow them to manage records in the shared folder
The Default Folder Settings control the permissions on newly added users and records. To change the default permissions with the share-folder command, use the [*] symbol. For example, to set user defaults to "Can Manage Users & Records" and to set record defaults to "Can Edit & Share" on the Shared Folder based on a UID:
sf --action=grant --email=* --manage-users --manage-records jdrkYEaf03bG0ShCGlnKww
sf --action=grant --record=* --can-share --can-edit jdrkYEaf03bG0ShCGlnKww
Hint: You can also apply the same permissions used to set a shared folder's default settings (as in the examples above) to records/users currently assigned to that shared folder within the same command call by simply specifying the value "@current" or "@existing" for the appropriate option/s (-r for records, -e for users). Using examples similar to the ones above, we have the following:
sf -e * --manage-users --manage-records -e @existing jdrkYEaf03bG0ShCGlnKww
sf -r * -r @existing --can-share --can-edit -e @existing jdrkYEaf03bG0ShCGlnKww
In the 1st example, we set both the default user permissions and the permissions granted to current users assigned to the shared folder to "can manage users" and "can manage records".
In the 2nd example, we set both default record permissions and permissions for already-existing records currently contained by the shared folder to "can edit" and "can share" for users that currently have access to that shared folder.
Command: record-permission
Detail: Change the permissions for all records in a shared folder
Parameters:
Path or UID of folder
Switches:
-a, --action <{grant, revoke}> permission access to set for record
-s, --can-share allow sharing records
-d, --can-edit allow modifying records in the folder
-f, --force apply permissions changes without prompting
-R, --recursive apply permission changes to all sub folders
--dry-run Display permission changes made by command without actually changing the permissions
--share-record change a record's sharing permissions
--share-folder change a folder's sharing permissions
Examples:
record-permission memberships --action grant --can-share
record-permission jdrkYEaf03bG0ShCGlnKww -a revoke -d -R
record-permission social -a grant -s --dry-run
- 1. Grant sharing permission to all records in the "memberships" shared folder
- 2. Revoke edit permission from all records in the folder with the given UID and all sub folders
- 3. See the changes that would be made by granting sharing permissions to the "social" folder but don't apply the permission change
Requires Commander version 16.6.3+
Command: share
Detail: Create, list, or remove one-time shares for a given record.
Sub Commands:
list - show one-time shares
create - create a new one-time share URL
remove - remove a one-time share
Parameters:
name or UID of record
one-time share name or ID (remove only)
Switches:
List
-a, --all show all one-time shares, including expired shares
--format <table, csv, json> the format to show the one-time shares in
-v, --verbose verbose output
Create
--output <clipboard, stdout> choose to put the URL in the clipboard, or to stdout (default)
--name name the one-time share
-e, --expire <TIME> how long the one-time share will remain active. Format: <NUMBER>[(m)inutes|(h)ours|(d)ays], e.g. 1h for 1 hour
Examples:
List
My Vault> share list dIGd46nq2uE_q1fXlAQGkw --all
Record UID Name Share Link ID Generated Opened Expires Status
---------------------- ----------- ----------------------- ------------------- -------- ------------------- ---------
dIGyf6nq2uE_q1fXlAQGkw MyShare vhSIl2fnjp5tTaE4w9DC... 2022-04-29 11:01:19 2022-04-29 12:01:19 Expired
dIGyf6nq2uE_q1fXlAQGkw LwIdbnYa160 bOuAQzCoYL8XIcQpz2KU... 2022-04-29 15:38:27 2022-04-29 16:38:27 Generated
Create
My Vault> share create dIGyf6nq2uE_q1fXlAQGkw -e 1h
URL : https://keepersecurity.com/vault/share#s4iSKc7TP[...]
Remove
My Vault> share remove dIGyf6nq2uE_q1fXlAQGkw MyShare
One-time share "MyShare" is removed from record "dIGyf6nq2uE_q1fXlAQGkw"
The external-shares-report requires the Compliance Reporting add-on. This command is only available for Enterprise admin accounts.
Command: external-shares-report or esr
Details: Display and (optionally) revoke share-permissions granted to users outside of the enterprise
Switches:
--format <{table, json, csv}> format the output, default is 'table'
--output <FILENAME> output to a filename. Ignored with 'table' format
--action, -a <{remove, none}> action to perform on external shares, 'none' if omitted
--share-type, -t <{direct, shared-folder, all}> filter report by share type, 'all' if omitted
--force, -f skip confirmation when removing shares
--refresh-data, -r refresh local user and record data before running
Examples:
external-shares-report
external-shares-report -r
esr --output external_shares.json --format json
external-shares-report -a remove
esr -a remove -f
external-shares-report --share-type shared-folder
- 1. Show records and shared-folders shared to users outside of the enterprise
- 2. Refresh locally-cached enterprise record/folder/user data prior to running and showing report
- 3. Run report and export results to a JSON-formatted file named external_shares.json
- 4. Run report, show results, and revoke external shares identified in the results
- 5. Same as #4 above but requires no additional user-interaction to complete execution (i.e., skips confirmation prompt prior to revoking the external shares identified in the report)
- 6. Run and show report, limiting results to records shared via direct-share (i.e., omit shared-folders from report)
By default, using the above command to revoke share-permissions previously granted to external accounts (via esr -a remove) requires user interaction, via a confirmation prompt, to complete.
Hint: If you need to perform this task in a non-interactive manner (e.g., if running from a Keeper script/batch file, or as part of an automated administrative tool), include the --force flag in your command call (e.g., external-shares-report --force --action remove).
In this example, we will recursively change the record permissions in a Shared Folder.
On Commander, you can use the "ls -l" command, similar to a Bash shell.

On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.

With Commander, execute the record-permission command with the --dry-run option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:
record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw
Since the Shared Folder UID begins with '-' in this example, '--' must be added before the identifier.
Running this command produces the following output:

The "SKIP" section is saying that the current user on Commander cannot make those requested changes, because we are not the owner of the record. The "GRANT" section indicates the changes that will be allowed.
To execute the command, we remove the "--dry-run" portion:

Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".

If many record owners in the same shared folder have records that require updating, each of those users can run the above Commander action to change the permissions of their respective records.
Hint:
If you are an enterprise-user with share-admin privileges, you need only perform the steps outlined above once to change permissions for all records (regardless of who owns those records) in the shared-folder.
In such a case, there is no need for other record-owners to repeat the same steps, thus greatly simplifying the process.
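The dry-run-then-apply steps above, as an added example (not Keeper's code): a Python helper that builds the record-permission command line with '--' always placed before the folder identifier and with --dry-run on unless explicitly turned off. The helper names and the stand-in parser, which is built only from the switches listed on this page, are assumptions for illustration.

```python
import argparse
import shlex

UID = "-FHdesR_GSERHUwBg4vTXw"  # Shared Folder UID used in the walkthrough above

class ParseError(Exception):
    """Raised instead of argparse's default sys.exit() on a bad command line."""

class _Parser(argparse.ArgumentParser):
    def error(self, message):
        raise ParseError(message)

def stand_in_parser():
    # Assumption: a stand-in built from the record-permission switches listed
    # on this page. It is not Commander's own parser.
    p = _Parser(prog="record-permission", add_help=False)
    p.add_argument("-a", "--action", choices=["grant", "revoke"])
    p.add_argument("-s", "--can-share", action="store_true")
    p.add_argument("-d", "--can-edit", action="store_true")
    p.add_argument("-f", "--force", action="store_true")
    p.add_argument("-R", "--recursive", action="store_true")
    p.add_argument("--dry-run", action="store_true")
    p.add_argument("folder")
    return p

def record_permission_argv(folder, action, *, can_edit=False, can_share=False,
                           recursive=False, dry_run=True):
    """Build the tokens; dry_run defaults to True so applying is an explicit choice."""
    if action not in ("grant", "revoke"):
        raise ValueError("action must be 'grant' or 'revoke'")
    argv = ["record-permission", "--action", action]
    argv += ["--can-edit"] if can_edit else []
    argv += ["--can-share"] if can_share else []
    argv += ["--recursive"] if recursive else []
    argv += ["--dry-run"] if dry_run else []
    # "--" ends option parsing, so a UID that begins with "-" stays positional.
    return argv + ["--", folder]

def command_line(argv):
    """Quote the tokens for a batch file or an OS shell."""
    return shlex.join(argv)

if __name__ == "__main__":
    for dry in (True, False):  # preview first, then the command that applies it
        print(command_line(record_permission_argv(
            UID, "grant", can_edit=True, recursive=True, dry_run=dry)))
```

Passing the same UID to the stand-in parser without the '--' separator raises ParseError, because the leading '-' makes the identifier look like an option.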