Overview
Introducing Share Admin – a new administrative permission that will transform the way your organization’s privileged administrators manage shared folders and records. Keeper's Share Admin feature is a role-based permission that gives administrators elevated access rights over your organization's shared folders and records.

Share Admins have full user and record privileges for any shared record that they have access to (with some restrictions we’ll cover later in this video). Share Admins can add or remove records and users from shared folders, change folder default permissions, modify record permissions, transfer record ownership to other users and delete shared folders.

Use Cases
Some common use cases for Share Admin include: simplifying the process of editing record permissions when there are multiple users who contribute to a shared folder with mixed permission settings, easily updating shared folders that were created with unintentionally restrictive settings, moving records in a shared folder to another shared folder, transferring record ownership and temporarily elevating rights to make folder permission and record changes.

How Share Admin Works
From the console, assigning a user to a role with Share Admin permissions gives that user Share Admin rights over users in that node. A user with Share Admin permissions must be added to a folder or record in the vault. Once added, the user will immediately have full access rights over that folder or record.

It's important to review the conditions and limitations of the Share Admin feature. First, Share Admin can only take effect on shared folders and records that are owned or created by users within the Enterprise and within nodes under management of the Share Admin. These limitations are useful when you have Share Admins that are managing just an organizational unit or node and not the entire company. Additionally, a user with Share Admin permissions must be added to folders they wish to manage. Anyone with the "Can Manage Users" permission can add the Share Admin to the designated shared folder or record. You can easily view the Share Admins of a folder or record by clicking on the information icon.

Next, I will review what it looks like to implement a Share Admin in an organization.

How to Create a Share Admin
In support of least-privileged access, Share Admin permissions are granted via Role-Based Enforcement Policies. This provides the ability to grant Share Admin rights to a limited group of administrators and provide elevated access rights to your organization's shared records and folders.

To assign someone in your organization Share Admin permissions, first create a new role or select an existing role. The Keeper Administrator role will have Share Admin permissions enabled by default. Here I’ve created a “Share Admin” Role and added users, but you can select any role you would like. Next, click the gear icon under “Administrative Permissions”. Check the box next to “Share Admin” to enable it and click Save. This will make all users in this role, Share Admins for all users in the selected node.

Managing Share Admins in the Vault

To invite a Share Admin to a shared folder, select the folder you wish to share and click Edit, Users and then click within the user search bar. Your organization’s available Share Admins will appear at the top of the list. Select the Share Admin you would like to invite to the folder and click Save.

To share an individual record with a Share Admin, select the record and click Options then Sharing. Like the shared folder, your available Share Admins will appear at the top of the list. Select the Share Admin you would like to invite to the record and click Add.

Once a shared folder or record is shared with the Share Admin, they will immediately be granted full permissions over that folder or record.

Share Admin Features
A user with Share Admin permission for a shared folder will be able to view all folder content, change the folder’s “Settings”, add or remove records and users, and delete the folder. The Share Admin can also change record permissions for those records owned by users managed by the Share Admin. Changing record permissions includes editing, sharing, and transferring ownership. Now I will demonstrate each of these features in action.

Shared Folder & Record Information
Users can view who has Share Admin permissions over a folder or record including who created it by clicking on the information icon at the top of the detail pane. You can view individual record information, by clicking on the information icon next to each record name. You can also use the filters here to easily sort the records.

Learn more about Keeper at:
keepersecurity.com/

View our Keeper Enterprise Guide here:
docs.keeper.io/enterprise-guide/