Sharing Commands
Commands related to sharing records and shared folders


Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Sharing Commands
share-record or sr
Grant or revoke user access to a record
share-folder or sf
Change shared folder permissions
Change record permissions of a folder
Create a one-time share URL

share-record command

Command: share-record or sr
Detail: Grant or revoke user access to a record given that record's path or UID
Path or UID of record
-e, --email <EMAIL> email of account to edit permissions for (required)
-a, --action <{grant, revoke, owner, cancel}> permission to set for record
-s, --share allow user to share record
-w, --write allow user to modify record
share-record memberships/Gym -e [email protected]
sr g6rvo2-Uv-BC16ZM33CF3w -e [email protected] --share
sr social/Twitter -e [email protected] --action owner
  1. 1.
    Share the "Gym" record in the "memberships" folder with user John Smith
  2. 2.
    Share a record with the given UID with user John smith and allow him to share the record with others
  3. 3.
    Transfer record ownership of the "Twitter" records from the "social" folder with user John Smith

share-folder command

Command: share-folder or sf
Detail: Grant or revoke user or default permissions for a given shared folder
See the mkdir command for details on creating shared folders
Path or UID of folder
-a, --action <{grant, revoke}> permission to set for record
-e, --email <EMAIL, TEAM, *>
  • email - user's email to set folder permissions for
  • team - name of a team to set folder permissions for
  • * - apply to all users that the folder is shared with
-r, --record <RECORD NAME, UID, *>
  • record name / UID - specific record to set permissions for
  • * - default folder permissions
-p, --manage-records allow managing records
-o, --manage-users allow managing users
-s, --can-share allow sharing records
-d, --can-edit allow modifying records in the folder
-f, --force apply permissions changes ignoring default folder permissions
Shared folder permissions are additive. If the default folder permissions allow a permission, all users and teams that folder is shared with will have that permission unless it is specifically revoked using -a revoke
share-folder memberships -e [email protected] -p -s -d
sf memberships -e [email protected] -r memberships/gym -a revoke
sf jdrkYEaf03bG0ShCGlnKww -e DB_ADMINS -p
sf "Team Passwords" -e "Marketing Team" -a grant -d
  1. 1.
    Share the "memberships" shared folder with user [email protected] Allow the user to manage records, share the folder, and edit records
  2. 2.
    Revoke user [email protected]'s access to the "gym" record in the "memberships" shared folder
  3. 3.
    Share the folder with the given UID with the "DB_ADMINS" team and allow them to manage records in the shared folder
  4. 4.
    Share a "Team Passwords" folder with a team called "Marketing Team" and give them edit access

record-permission command

Command: record-permission
Detail: Change the permissions for all records in a shared folder
Path or UID of folder
-a, --action <{grant, revoke}> permission access to set for record
-s, --can-share allow sharing records
-d, --can-edit allow modifying records in the folder
-f, --force apply permissions changes without prompting
-R, --recursive apply permission changes to all sub folders
--dry-run Display permission changes made by command without actually changing the permissions
--share-record change a record's sharing permissions
--share-folder change a folder's sharing permissions
record-permission memberships --action grant --can-share
record-permission jdrkYEaf03bG0ShCGlnKww -a revoke -d -R
record-permission social -a grant -s --dry-run
  1. 1.
    Grant sharing permission to all records in the "memberships" shared folder
  2. 2.
    Revoke edit permission from all records in the folder with the given UID and all sub folders
  3. 3.
    See the changes that would be made by granting sharing permissions to the "social" folder but don't apply the permission change

one-time-share Command

Requires Commander version 16.6.3+
Command: one-time-share
Detail: Create, list, or remove a one-time share URL for a given record
Sub Commands:
list - show one time shares
create - create a new one time share URL
remove - remove a one time share
name or UID of record
one-time share name or ID (remove only)
-a --all show all one time shares, including expired shares
--format <table, csv, json> the format to show the one time shares in
-v --verbose Verbose output
--output <clipboard, stdout> choose to put the URL in the clipboard, or to stdout (default)
--name name the one time share
-e <TIME> --expire <TIME> how long the one time share will remain active
format: <NUMBER>[(m)inutes|(h)ours|(d)ays] e.g. 1h for 1 hour
My Vault> one-time-share list dIGd46nq2uE_q1fXlAQGkw --all
Record UID Name Share Link ID Generated Opened Expires Status
---------------------- ----------- ----------------------- ------------------- -------- ------------------- ---------
dIGyf6nq2uE_q1fXlAQGkw MyShare vhSIl2fnjp5tTaE4w9DC... 2022-04-29 11:01:19 2022-04-29 12:01:19 Expired
dIGyf6nq2uE_q1fXlAQGkw LwIdbnYa160 bOuAQzCoYL8XIcQpz2KU... 2022-04-29 15:38:27 2022-04-29 16:38:27 Generated
My Vault> one-time-share create dIGyf6nq2uE_q1fXlAQGkw -e 1h
URL :[...]
My Vault> one-time-share remove dIGyf6nq2uE_q1fXlAQGkw MyShare
One-time share "MyShare" is removed from record "dIGyf6nq2uE_q1fXlAQGkw"

Bulk Record Permission Changes

In this example, we will recursively change the record permissions in a Shared Folder.

1. Identify Shared Folder UID

On Commander, you can use the "ls -l" command, similar to a Bash shell.
On the Vault user interface, you can click on the info dialog to get the Shared Folder UID.

2. Validate Record Permissions Change with Commander

With Commander, execute the record-permission command with the --dry-run option to simulate the command. In this example, the Shared Folder UID is "-FHdesR_GSERHUwBg4vTXw". The command is below: record-permission --dry-run --recursive --action grant --can-edit -- -FHdesR_GSERHUwBg4vTXw
Since the Shared Folder UID beings with '-' in this example, '--' must be added before the identifier
Running this command produces the following output:
The "SKIP" section is saying that the current user on Commander cannot make those requested changes, because we are not the owner of the record. The "GRANT" section indicates the changes that will be allowed.

3. Execute Permissions Change Command with Commander

To execute the command, we remove the "--dry-run" portion:
Now, on the Vault UI, the permission of those affected records has been changed to "Can Edit".

Shared Folders With Multiple Record Owners

If you are in a situation with many record owners in the same shared folder that require update, each of those users can simply run the above Commander action to change the permissions of their respective records.
Export as PDF
Copy link
On this page
share-record command
share-folder command
record-permission command
one-time-share Command
Bulk Record Permission Changes