Sharing Commands
Commands related to sharing records and shared folders
Commands
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Sharing Commands
Command | Explanation |
| Grant or revoke user access to a record |
| Change shared folder permissions |
Change record permissions of a folder | |
Manage one-time shares | |
| Display or revoke shares to external users |
share-record command
Command: share-record or sr
Detail: Grant or revoke user access to record(s) given that record or folder path or UID
Parameters:
Path or UID of record or folder
Switches:
-e, --email <EMAIL> email of account to edit permissions for (required)
-a, --action <{grant, revoke, owner, cancel}> permission to set for record
-s, --share allow user to share record
-w, --write allow user to modify record
-R, --recursive apply command to shared folder hierarchy
--dry-run display the permissions changes without committing them
--expire-at EXPIRE_AT share expiration: "never" or ISO date-time (yyyy-MM-dd[ hh:mm:ss])
--expire-in <NUMBER>[(mi)nutes|(h)ours|(d)ays|(mo)nths|(y)ears] share expiration: "never" or period
Examples:
Share the "Gym" record in the "memberships" folder with user John Smith
Share a record with the given UID with user John Smith and allow him to share the record with others
Transfer record ownership of the "Twitter" records from the "social" folder with user John Smith
Share all records found in shared-folder "My Shared Folder" (including any in its subfolders) with user John Smith
Share record "Gym" in the "memberships" folder with user John Smith, accessible until 1 second after the start of the year 2050 (GMT)
Give user John Smith time-limited read-only access (valid only for the next 3 days) to the "Twitter" record in the folder named "social"
share-folder command
Command: share-folder or sf
Detail: Grant or revoke user default permissions for a given (set of) shared folder(s)
See the mkdir command for details on creating shared folders
Parameters:
Path(s) or UID(s) of folder(s)
Switches:
-a, --action <{grant, revoke, remove}> permission to set for folder(s) / record(s)
-e, --email <EMAIL, TEAM, *>
email - user's email to set folder permissions for
team - name of a team to set folder permissions for
* - apply relevant permissions for each new user with whom the folder(s) is/are shared
@currrent/@existing - apply to all users with existing access to folder(s)
-r, --record <{RECORD NAME, UID, *, @existing, @current}>
record name / UID - specific record to set permissions for
* - set default permissions for any new record added to the relevant folder(s)
@existing/@current - apply permissions to all records currently contained by the specified shared folder(s)
-p, --manage-records allow managing records. Users/teams only
-o, --manage-users allow managing users. Users/teams only
-s, --can-share allow sharing records. Records only
-d, --can-edit allow modifying records in the folder. Records only
-f, --force apply permissions changes ignoring default folder permissions
--expire-at TIMESTAMP share expiration: "never" or ISO date-time (yyyy-MM-dd[ hh:mm:ss])
--expire-in PERIOD share expiration: "never" or period (<NUMBER>[(y)ears|(mo)nths|(d)ays|(h)ours(mi)nutes])
Shared folder permissions are additive. If the default folder permissions allow a permission, all users and teams that folder is shared with will have that permission unless it is specifically revoked using -a revoke
Examples:
Share the "memberships" shared folder with user Jane.Smith@gmail.com. Allow the user to manage records
Revoke "Can Share" permission from the "gym" record in the "memberships" shared folder
Share the folder with the given UID with the "DB_ADMINS" team and allow them to manage records in the shared folder
Share a "Team Passwords" folder with a team called "Marketing Team" and give permission to manage users
Share all shared folders with the "DB_ADMINS" team and allow them to manage records in the shared folder
Remove all access to "memberships" shared folder for user Jane.Smith@gmail
Grant user read-only access to "memberships" shared-folder, valid only for the next 5 hours
Changing Default Folder Settings
The Default Folder Settings control the permissions on newly added users and records. To change the default permissions with the share-folder command, use the [*] symbol.
For example, to set user defaults to "Can Manage Users & Records" and to set record defaults to "Can Edit & Share" on the Shared Folder based on a UID:
Hint: You can also apply the same permissions used to set a shared folder's default settings (as in the examples above) to records/users currently assigned to that shared folder within the same command call by simply specifying the value "@current" or "@existing" for the appropriate option/s (-r for records, -e for users). Using examples similar to the ones above, we have the following:
sf -e * --manage-user --manage-records -e @existing jdrkYEaf03bG0ShCGlnKww
sf -r * -r @existing --can-share --can-edit -e @existing jdrkYEaf03bG0ShCGlnKww
In the 1st example, we set both the default user permissions and the permissions granted to current users assigned to the shared folder to "can manage users" and "can manage records".
In the 2nd example, we set both default record permissions and permissions for already-existing records currently contained by the shared-folder to "can edit" and "can share' for users that currently have access to that shared-folder
record-permission command
Detail: Change the permissions for all records in a shared folder
Parameters:
Path or UID of folder
Switches:
-a, --action <{grant, revoke}> permission access to set for record
-s, --can-share allow sharing records
-d, --can-edit allow modifying records in the folder
-f, --force apply permissions changes without prompting
-R, --recursive apply permission changes to all sub folders
--dry-run Display permission changes made by command without actually changing the permissions
--share-record change a record's sharing permissions
--share-folder change a folder's sharing permissions
Examples:
Grant sharing permission to all records in the "memberships" shared folder
Revoke edit permission from all records in the folder with the given UID and all sub folders
See the changes that would be made by granting sharing permissions to the "social" folder but don't apply the permission change
share Command
Requires Commander version 16.6.3+
Command: share
Detail: Create, list, or remove a one-time shares for a given record. For more information about one-time share click here.
Sub Commands:
list - show one time shares
create - create a new one time share URL
remove - remove a one time share
Parameters:
name or UID of record
one-time share name or ID (remove only)
Switches:
List
-a --all show all one-time shares, including expired shares
--format <table, csv, json> the format to show the one time shares in
-v --verbose Verbose output
Create
--output <clipboard, stdout> choose to put the URL in the clipboard, or to stdout (default)
--name name the one time share
-e <TIME> --expire <TIME> how long the one time share will remain active
format: <NUMBER>[(m)inutes|(h)ours|(d)ays] e.g. 1h for 1 hour
Examples:
List
Create
Remove
external-shares-report command
The external-shares-report requires the Compliance Reporting add-on. This command is only available for Enterprise admin accounts.
Command: external-shares-report or esr
Details: Display and (optionally) revoke share-permissions granted to users outside of the enterprise
Switches:
--format <{table, json, csv}> format the output, default is 'table'
--output <FILENAME> output to a filename. Ignored with 'table' format
--action, -a <{remove, none}> action to perform on external shares, 'none' if omitted
--share-type, -t <{direct, shared-folder, all}> filter report by share type, 'all' if omitted
--force, -f, skip confirmation when removing shares
--refresh-data, -r refresh local user and record data before running
Examples:
Show records and shared-folders shared to users outside of the enterprise
Refresh locally-cached enterprise record/folder/user data prior to running and showing report
Run report and export results to a JSON-formatted file named external_shares.json
Run report, show results, and revoke external shares identified in the results
Same as #4 above but requires no additional user-interaction to complete execution (i.e., skips confirmation prompt prior to revoking the external shares identified in the report)
Run and show report, limiting results to records shared via direct-share (i.e., omit shared-folders from report)
By default, using the above command to revoke share-permissions previously granted to external accounts (via esr -a remove) requires user-interaction -- via a confirmation prompt -- to complete.
Hint: If you need to perform this task in a non-interactive manner (e.g., if running from a Keeper script/batch file, or as part of an automated administrative tool), include the --force flag in your command call (e.g., external-shares-report --force --action remove)
Bulk Record Permission Changes
In this example, we will recursively change the record permissions in a Shared Folder.
1. Identify Shared Folder UID
On Commander, you can use the "ls -l" command, similar to a Bash shell.
On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.
2. Validate Record Permissions Change with Commander
With Commander, execute the record-permission command with the --dry-run option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below:
record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw
Since the Shared Folder UID beings with '-' in this example, '--' must be added before the identifier
Running this command produces the following output:
The "SKIP" section is saying that the current user on Commander cannot make those requested changes, because we are not the owner of the record. The "GRANT" section indicates the changes that will be allowed.
3. Execute Permissions Change Command with Commander
To execute the command, we remove the "--dry-run" portion:
Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".
Shared Folders With Multiple Record Owners
If you are in a situation with many record owners in the same shared folder that require update, each of those users can simply run the above Commander action to change the permissions of their respective records.
Hint:
If you are an enterprise-user with share-admin privileges, you need only perform the steps outlined above once to change permissions for all records (regardless of who owns those records) in the shared-folder.
In such a case, there is no need for other record-owners to repeat the same steps, thus greatly simplifying the process.
Bulk Record-Ownership Transfer
Using steps almost identical to those of the previous example (in which we show how to change permissions for all records within a shared folder), it is also possible to transfer ownership of all records within a given shared folder to a single account.
For the following example (using the same vault and shared folder as the previous example), let's assume that we would like to transfer ownership of the records in that shared folder to user joe.smith@gmail.com. The steps are as follows:
1. Identify Shared Folder UID
See previous example for details on how to do this. For this example, we'll be using the shared folder with UID -FHdesR_GSERHUwBg4vTXw
2. Validate Record-Ownership Transfer Command with Commander
Similar to the previous example, we can simulate the desired action prior to its actual execution by running the share-record command with the --dry-run option in Commander (Note: unlike the previous example, we will also need to specify the username -- john.smith@gmail.com in this example -- for the account to which ownership of records should be transferred). The command is as follows:
share-record --action owner --email john.smith@gmail.com --dry-run --recursive -- -FHdesR_GSERHUwBg4vTXw
3. Execute Record-Ownership Transfer Command with Commander
Finally, as in the previous example, we remove the --dry-run option from our command call to perform the desired action, like so:
share-record --action owner --email john.smith@gmail.com --recursive -- -FHdesR_GSERHUwBg4vTXw
Last updated
