# Nested Share Subfolders

<figure><img src="/files/Syf7O074ro3XoGWyuxVx" alt=""><figcaption></figcaption></figure>

## Introducing Nested Share Subfolders

Keeper is redefining how users and teams organize, share and protect their most sensitive records. With the introduction of **Nested Share Subfolders with Role-Based Folder Permissions**, we’ve rebuilt the vault’s folder, sharing and permissions model from the ground up, delivering a more flexible and scalable experience for every user and team.

During this transition, the new Nested Share Subfolder system will exist alongside the existing Classic folder system and permission model, with two distinct folder icons to help users easily differentiate between them.

To maintain clarity and prevent compatibility issues, the Classic and Nested Share folder systems cannot coexist or be mixed in the same folder structure. Existing workflows remain unaffected while organizations adopt the new experience at their own pace. In the future, we plan to support conversion between the two systems — for now, they remain separate.

{% hint style="info" %}
This feature is currently available by invitation only. To request access or learn more, please contact your Keeper representative or visit [keepersecurity.com/contact](https://www.keepersecurity.com/contact.html).
{% endhint %}

<figure><img src="/files/LcRx5o5uc7m6szyUQts3" alt=""><figcaption><p>Nested Share Subfolders</p></figcaption></figure>

## Key Features

* **Hierarchical organization up to five levels deep** — Create folders and subfolders with independent sharing configurations at each level, enabling logical organization that scales with your team structure.
* **Role-based folder permissions** — Assign granular permissions at both the folder and record level, giving every user exactly the access their role requires. Permissions can be applied through inheritance (flowing automatically from parent to child folders), direct folder assignment, or direct record assignment.
* **Permission inheritance with targeted overrides** — Broad access policies apply consistently across a folder structure, with the flexibility to make precise exceptions at any level. When multiple permission paths apply, precedence rules ensure the most specific assignment wins — record-level permissions override folder-level ones, which override inherited permissions from a parent.
* **Access management controls** — Share managers can add users and teams, perform bulk permission changes, and set access expiration dates or revoke access entirely at the folder or record level. Users cannot grant permissions higher than their own access level.

## Permissions & Access Model

Role-Based Folder Permissions give administrators granular control over exactly who can view, edit, share and manage content at every level of the folder hierarchy — whether you're an individual user, managing a small team, or operating across a global enterprise.

Permissions can be applied in three ways:

* **Inherited access** — permissions flow down automatically from a parent folder through all nested subfolders and records within it, so broad access policies apply consistently without manual effort
* **Direct folder permissions** — a specific permission level is assigned to a user or team on a particular folder
* **Direct record permissions** — a specific permission level is assigned to a user or team on an individual record

When multiple paths apply, precedence rules determine the effective access level — enabling administrators to set broad policies at the top of a structure while making precise exceptions wherever needed. User roles define the scope of what each individual can do, ranging from record-level work to administrative control across the organization.

{% hint style="info" %}
To learn more about precedence rules, keep reading or click [here](#how-precedence-rules-work).
{% endhint %}

## Permission Types

| Permission Type           | Permissions                                                      | Limitations                                                                                                   |
| ------------------------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| Viewer                    | Can view content and participants                                | Cannot edit content, share with others, or manage permissions                                                 |
| Share Manager             | Can manage share permissions, invite others and approve requests | Cannot grant higher access than they have, share linked objects, or raise their own permissions               |
| Content Manager           | Can edit and add content                                         | Cannot manage sharing or permissions                                                                          |
| Content and Share Manager | Can manage content and share permissions                         | Cannot grant higher access than they have, share linked objects, or permanently delete records from the vault |
| Full Manager              | Can edit, share and manage ownership                             | Cannot manage organization-wide admin settings                                                                |

#### Important Notes About Permissions

* Sharing limits apply to the sharer's own access level. Users who manage sharing cannot grant permissions higher than what they themselves have. For example, a Share Manager cannot elevate someone else to Full Manager.
* Removing a record from a folder is not the same as deleting it. Some roles can remove records from a folder without the ability to permanently delete them from the Vault entirely.

## How Precedence Rules Work

When a user has permissions from multiple sources — for example, an inherited role from a parent folder *and* a direct role on a specific record — precedence rules determine which one applies.

The logic is straightforward:

* **Direct permissions override inherited ones.** A user who inherits "Viewer" access but is explicitly granted "Content Manager" on a specific record will have "Content Manager" access on that record.
* **More specific assignments win.** Record-level permissions override folder-level ones, which override inherited permissions from a parent.
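The precedence rules above, written out as a small resolver that also reports which path decided the result. This is an added example, not Keeper's code; the `Folder`/`Record` model, all names, the sample data, and the choices that the nearest ancestor wins and that the top-level folder counts as level one are assumptions.

```python
# Added illustration of the precedence rules described on this page.
# Not Keeper code: the data model and all names below are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

MAX_DEPTH = 5  # the page states folders nest up to five levels deep


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    grants: dict = field(default_factory=dict)  # user -> role set directly on this folder

    def depth(self) -> int:
        # Assumption: the top-level folder counts as level one.
        return 1 if self.parent is None else self.parent.depth() + 1

    def subfolder(self, name: str) -> "Folder":
        if self.depth() >= MAX_DEPTH:
            raise ValueError("nesting limit of five levels reached")
        return Folder(name, parent=self)


@dataclass
class Record:
    title: str
    folder: Folder
    grants: dict = field(default_factory=dict)  # user -> role set directly on this record


def effective_access(user: str, record: Record):
    """Return (role, source) for user on record, or (None, None) if no path applies."""
    # 1. A direct record permission is the most specific assignment and wins.
    if user in record.grants:
        return record.grants[user], "direct record"
    # 2. Next, a direct permission on the folder that holds the record.
    if user in record.folder.grants:
        return record.folder.grants[user], f"direct folder: {record.folder.name}"
    # 3. Otherwise inherit from ancestors. Assumption: the nearest ancestor wins.
    node = record.folder.parent
    while node is not None:
        if user in node.grants:
            return node.grants[user], f"inherited from: {node.name}"
        node = node.parent
    return None, None


# Constructed sample data (not from the page).
root = Folder("Engineering", grants={"alice": "Viewer", "bob": "Content Manager"})
prod = root.subfolder("Production")
db = Record("db-admin", prod, grants={"alice": "Content Manager"})
api = Record("api-key", prod)
```

Because a direct record grant outranks folder access, removing a user from a folder leaves that grant in place, so an access review needs to check record-level grants as well as folder membership.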

## End-User Experience

#### Create a Folder

To create a new folder, click **Create New** > **Folder**. There is no need to decide between a regular or shared folder; you will have the opportunity to share the folder once it's been created. Select the folder location from the dropdown menu and enter the folder name.

<figure><img src="/files/EMvTLzCNj9jBD3tmGE7T" alt=""><figcaption><p>Create a Folder</p></figcaption></figure>

Here you will have the option to use the Classic permission model by checking the box. This will limit sharing to basic access levels and can be used for compatibility with older workflows.

<figure><img src="/files/fT1mlsliE71zdSKGl5wp" alt=""><figcaption><p>Classic Permission Model Checkbox</p></figcaption></figure>

Classic and Nested Share folders are easily distinguished by two distinct folder icons — Nested Folders display as solid in color, while Classic folders appear with a transparent icon.

<figure><img src="/files/JgwubGLZfbs5R3SN9AGE" alt=""><figcaption><p>Nested Share Folders vs. Classic Folder Icons</p></figcaption></figure>

#### **Create Nested Subfolders**

To create subfolders, right-click the parent folder and select **New Folder**, then enter the folder name and click **Create**. You can create subfolders up to 5 levels deep with independent sharing configurations at each level.

<figure><img src="/files/B95UHQU3Eax1kklNt0gB" alt=""><figcaption><p>Create Subfolders</p></figcaption></figure>

#### **Add Records**

Once you've created the folder and any subfolders, you can begin adding records.

Add records by clicking the **edit icon** on the folder and adding them from the search bar dropdown menu.

<figure><img src="/files/vAN1Qa1G5zTCZMDVgIuN" alt=""><figcaption><p>Edit Folder to Add Records</p></figcaption></figure>

<figure><img src="/files/bZYEhdsvnPrDamZXU9Wk" alt=""><figcaption><p>Record Selection from Search Bar</p></figcaption></figure>

#### **Share & Set Permissions**

To share at the record or folder level, with the record/folder selected, click the **Share** button and add users or teams from the search bar.

<figure><img src="/files/56DRkuJwJjk6v2PKgxeY" alt=""><figcaption><p>Share Button on Selected Folder</p></figcaption></figure>

<figure><img src="/files/btoeTadJ21MIMh6DDB53" alt=""><figcaption><p>Add Users Or Teams to Folder</p></figcaption></figure>

You can now begin assigning permissions to each user/team as you add them by right clicking on the dropdown icon next to each. Click [here](#introducing-nested-share-subfolders) to learn about each permission type.

In addition to setting the permissions you can also take the following actions:

* **Set Expiration**: Set a date after which record/folder access is automatically revoked
* **Remove Access**: Immediately revoke a user's record/folder access entirely

<figure><img src="/files/xiNo3jQvXpEsACLdP86P" alt=""><figcaption><p>Select Permissions, Set Expiration and Remove Access</p></figcaption></figure>

To change permissions in bulk, check the box next to the users/teams, click the **Options** dropdown menu that appears and select the desired permission.

Click on a record within a folder to view all "Users with Access" and all "Shared Folders" the record resides in. This clarifies whether the record is shared from a parent folder through inheritance and/or from an individual folder lower in the hierarchy.

<figure><img src="/files/pPcLKj4UY3L38BthfQPv" alt=""><figcaption><p>Users With Access and Shared Folder Detail</p></figcaption></figure>

## Record Deletion

Record deletion follows the same role-based permissions that control all other access in the vault. Only users with the appropriate permission level can delete records — ensuring that who can remove a record is governed by their role, not the folder system they're working in.

## Rollout Approach

The rollout of Nested Share Subfolders is designed to minimize disruption and maximize flexibility:

* The Classic folder system remains fully supported and operational during the transition period
* The Nested Share Subfolder system is available by request only at this time
* There is NO forced migration
* There is currently NO automatic conversion between Classic folders and Nested Share Subfolders
* Both systems can operate in parallel during the transition

This approach gives organizations the freedom to move at their own pace, while exploring Nested Share Subfolders when ready, without any pressure to abandon their existing vault workflows.

## Roadmap <a href="#roadmap" id="roadmap"></a>

The Nested Share Subfolder feature is available through a "feature flag" that can be enabled by the Keeper support team. Over the coming weeks, we plan to gather customer feedback and roll out critical capabilities which include:

* Vault Transfer Policy
* Deletion and Restore
* Moving records
* Import
* One-Time Share
* Drag-and-Drop
* Migration from Classic shared folders
* iOS, Android, Browser Extension end-user application support
* Secrets Manager SDKs and integrations

## Frequently Asked Questions

<details>

<summary><strong>Can I grant a role that exceeds my own permission level?</strong></summary>

No. You can only grant roles up to and including your own permission level.

</details>

<details>

<summary><strong>What is the difference between Content Manager and Content and Share Manager?</strong></summary>

Content Manager can edit and create records, but cannot manage who has access to the folder. Content and Share Manager combines content management with the ability to invite users and control sharing.

</details>

<details>

<summary><strong>Does removing someone's access to a folder affect the records inside it?</strong></summary>

Yes. If a user's access to a folder is removed, they will also lose access to the records within that folder unless they have direct permissions on individual records.

</details>

<details>

<summary><strong>What happens when I set an expiration date?</strong></summary>

Access is automatically revoked on the expiration date. No manual action is needed. This is useful for temporary access scenarios (e.g. contractor access or time-limited projects).

</details>


