Endpoint Privilege Manager Commands

Commands that control Keeper Endpoint Privilege Manager (PEDM) capabilities

Overview

Endpoint Privilege Manager is an advanced Privileged Elevation and Delegation Management (PEDM) solution that provides secure, just-in-time elevated privileges across your IT environments.

The PEDM commands make use of a local SQLite file that is generated in the user's configuration folder, such as ~/.keeper/keeper_db.sqlite. This database is used to cache all of the retrieved information across endpoints.

pedm Command

command: pedm

Detail: Manage Keeper Endpoint Privilege Manager deployments, agents, policies, collections and approvals.

My Vault> pedm -h                                                       
pedm command [--options]

Command     Description
----------  ------------------------------------
sync-down   Sync down PEDM data from the backend
deployment  Manage PEDM deployments 
agent       Manage PEDM agents
policy      Manage PEDM policies
collection  Manage PEDM collections 
scim        Sync PEDM user/group collections from AD or AzureAD
approval    Manage PEDM requests and approvals

Sub Commands

Sub-Command: sync-down

Detail: Sync down PEDM data from the backend

My Vault> pedm sync-down -h                                                 
usage: sync-down [-h] [--reload]

Sync down PEDM data from the backend

options:
  -h, --help  show this help message and exit
  --reload    Perform full sync

Sub-Command: deployment

Detail: Manage PEDM deployments

My Vault> pedm deployment -h
pedm command [--options]

Command    Description
---------  --------------------------------
list       List PEDM deployments
add        Add PEDM deployments
edit       Update PEDM deployment
delete     Delete PEDM deployment
download   Download PEDM deployment package

list

My Vault> pedm deployment list -h                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List PEDM deployments

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

add

My Vault> pedm deployment add -h                      
usage: add [-h] [-f] [--spiffe-cert SPIFFE] name

Add PEDM deployments

positional arguments:
  name                  Deployment name

options:
  -h, --help            show this help message and exit
  -f, --force           do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate

edit

My Vault> pedm deployment edit -h
usage: update [-h] [--disable {on,off}] [--spiffe-cert SPIFFE] [--name NAME] DEPLOYMENT

Update PEDM deployment

positional arguments:
  DEPLOYMENT            Deployment name or UID

options:
  -h, --help            show this help message and exit
  --disable {on,off}    do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate
  --name NAME           Deployment name

delete

My Vault> pedm deployment delete -h
usage: delete [-h] [-f] DEPLOYMENT [DEPLOYMENT ...]

Delete PEDM deployment

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

download

My Vault> pedm deployment download -h                      
usage: download [-h] [--file FILE] DEPLOYMENT

Download PEDM deployment package

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  --file FILE  File name

Sub-Command: agent

Detail: Manage PEDM agents

My Vault> pedm agent -h                         
pedm command [--options]

Command     Description
----------  -------------------------
list        List PEDM agents
edit        Update PEDM agents
delete      Delete PEDM agents
collection  List PEDM agent resources

list

My Vault> pedm agent list -h             
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List PEDM agents

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

edit

My Vault> pedm agent edit -h                          
usage: update [-h] [--enable {on,off}] [--deployment DEPLOYMENT] agent [agent ...]

Update PEDM agents

positional arguments:
  agent                 Agent UID(s)

options:
  -h, --help            show this help message and exit
  --enable {on,off}     Enables or disables agents
  --deployment DEPLOYMENT
                        Moves agent to deployment

delete

My Vault> pedm agent delete -h                             
usage: update [-h] [--force] agent [agent ...]

Delete PEDM agents

positional arguments:
  agent       Agent UID(s)

options:
  -h, --help  show this help message and exit
  --force     do not prompt for confirmation

collection

My Vault> pedm agent collection -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] agent

List PEDM agent resources

positional arguments:
  agent                 Agent UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter

Sub-Command: policy

Detail: Manage PEDM policies

My Vault> pedm policy -h  
pedm command [--options]

Command    Description
---------  ----------------------------
list       List PEDM policies
add        Add PEDM policy
edit       Edit PEDM policy
view       View PEDM policy
agents     Show agents for policies
assign     Assign collections to policy
delete     Delete PEDM policy

list

My Vault> pedm policy list -h               
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT]

List PEDM policies

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

add

My Vault> pedm policy add -h      
usage: add [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
           [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL]
           [--policy-type {elevation,file_access,command,least_privilege}] [--policy-name POLICY_NAME]
           [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]

Add PEDM policy

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-type {elevation,file_access,command,least_privilege}
                        Policy type
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

edit

My Vault> pedm policy edit -h                                                                                                                           
usage: edit [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
            [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL] [--policy-name POLICY_NAME]
            [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]
            policy

Edit PEDM policy

positional arguments:
  policy                Policy UID

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

view

My Vault> pedm policy view -h                                     
usage: view [-h] [--format {table,json}] [--output OUTPUT] policy

View PEDM policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

agents

My Vault> pedm policy agents -h                                 
usage: agent [-h] policy [policy ...]

Show agents for policies

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

assign

My Vault> pedm policy assign -h                          
usage: assign [-h] [-c COLLECTION] policy [policy ...]

Assign collections to policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  -c, --collection COLLECTION
                        Collection UID

delete

My Vault> pedm policy delete -h
usage: delete [-h] policy [policy ...]

Delete PEDM policy

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

Sub-Command: collection

Detail: Manage PEDM collections

My Vault> pedm collection -h                                   
pedm command [--options]

Command     Description
----------  -----------------------------------
list        List PEDM collections
view        Show PEDM collection details
add         Creates PEDM collections
update      Update PEDM collection
delete      Delete PEDM collections
connect     Link values to PEDM collection
disconnect  Unlink values from PEDM collections
wipe-out    Wipe out PEDM collections

list

My Vault> pedm collection list -h                                                                                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] [--pattern PATTERN]

List PEDM collections

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter
  --pattern PATTERN     collection search pattern

view

My Vault> pedm collection view -h                                                                                                                       
usage: view [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--link LINK] collection [collection ...]

Show PEDM collection details

positional arguments:
  collection            Collection UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --link LINK           Show link details

add

My Vault> pedm collection add -h                                           
usage: add [-h] [--type TYPE] collection [collection ...]

Creates PEDM collections

positional arguments:
  collection   Collection name

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

update

My Vault> pedm collection update -h                               
usage: update [-h] [--type TYPE] --name NAME collection

Update PEDM collection

positional arguments:
  collection   Collection

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type (optional)
  --name NAME  Collection name

delete

My Vault> pedm collection delete -h                         
usage: delete [-h] [-f] collection [collection ...]

Delete PEDM collections

positional arguments:
  collection   Collection or @orphan_resource

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

disconnect

My Vault> pedm collection disconnect -h                 
usage: unlink [-h] [--collection COLLECTION] [-f] links [links ...]

Unlink values from PEDM collections

positional arguments:
  links                 UIDs to unlink

options:
  -h, --help            show this help message and exit
  --collection, -c COLLECTION
                        Parent collection UID or name
  -f, --force           do not prompt for confirmation

wipe-out

My Vault> pedm collection wipe-out -h                                            
usage: wipe-out [-h] [--type TYPE]

Wipe out PEDM collections

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

Sub-Command: approval

Detail: Manage PEDM requests and approvals

My Vault> pedm approval -h                                                    
pedm command [--options]

Command    Description
---------  -----------------------------
list       List PEDM approval requests
action     Modify PEDM approval requests

list

Get the current list of outstanding approvals

My Vault> pedm approval list -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [--type {approved,denied,pending}]

List PEDM approval requests

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  --type {approved,denied,pending,expired}
                        approval type filter

action

Perform an action on a request, such as approving, removing or denying the request.

My Vault> pedm approval action -h 
usage: action [-h] [--approve APPROVE] [--deny DENY] [--remove REMOVE]

Modify PEDM approval requests

options:
  -h, --help         show this help message and exit
  --approve APPROVE  Request UIDs for approval
  --deny DENY        Request UIDs for denial
  --remove REMOVE    Request UIDs for removal. UID, @approved, @denied, @pending

Sub-Command: scim

Detail: Sync PEDM user/group collections from AD or AzureAD

My Vault> pedm scim -h                                                                                                                                                                                                     
usage: scim [-h] {record,azure,ad} ...

Sync PEDM user/group collections from AD or AzureAD

options:
  -h, --help         show this help message and exit

Directory Type:
  {record,azure,ad}  Authentication method
    record           Connection parameters from Keeper record
    azure            Connect via Azure AD
    ad               Connect via Active Directory

Azure AD connection parameters

My Vault> pedm scim azure -h                                                                                                                                                                                               
usage: scim azure [-h] --tenant-id TENANT_ID --client-id CLIENT_ID --client-secret CLIENT_SECRET [--azure-cloud {US,GOV,CN,EU}]

options:
  -h, --help            show this help message and exit
  --tenant-id TENANT_ID
  --client-id CLIENT_ID
  --client-secret CLIENT_SECRET
  --azure-cloud {US,GOV,CN,EU}
                        Azure cloud (AzureCloud, AzureChinaCloud, etc.)

Azure Client ID -> Login

Azure Client Secret -> Password

"Azure Tenant ID" -> Custom field

How to register an app in Microsoft Entra ID - Microsoft identity platformMicrosoftLearn

Microsoft Graph permissions: User.Read.All, Group.Read.All, Directory.Read.All

Create Client Application Secret

Active Directory connection parameters

My Vault> pedm scim ad -h                                                                                                                                                                                                  
usage: scim ad [-h] [--ad-url AD_URL] [--ad-user AD_USER] [--ad-password AD_PASSWORD] [--group GROUPS] [--netbios-domain]

options:
  -h, --help            show this help message and exit
  --ad-url AD_URL       AD LDAP URL (e.g., ldap(s)://<host>)
  --ad-user AD_USER     AD bind user (DOMAIN\username or DN)
  --ad-password AD_PASSWORD
                        AD password
  --group GROUPS        AD group name or DN (repeatable)
  --netbios-domain      Use NetBIOS domain names (e.g., TEST) instead of DNS names (e.g., test.local)

AD User -> Login

AD User Password -> Password

AD URL -> Website Address

NetBIOS Domain -> Custom field (TRUE use NetBIOS domain name)

PreviousKeeperPAM Commands NextConnection Commands

Last updated 19 days ago

Was this helpful?

hashtagOverview

hashtagpedm Command

hashtagSub-Command: sync-down

hashtagSub-Command: deployment

hashtaglist

hashtagadd

hashtagedit

hashtagdelete

hashtagdownload

hashtagSub-Command: agent

hashtaglist

hashtagedit

hashtagdelete

hashtagcollection

hashtagSub-Command: policy

hashtaglist

hashtagadd

hashtagedit

hashtagview

hashtagagents

hashtagassign

hashtagdelete

hashtagSub-Command: collection

hashtaglist

hashtagview

hashtagadd

hashtagupdate

hashtagdelete

hashtagdisconnect

hashtagwipe-out

hashtagSub-Command: approval

hashtaglist

hashtagaction

hashtagSub-Command: scim

hashtagAzure AD connection parameters

hashtagActive Directory connection parameters

Overview

pedm Command

Sub-Command: sync-down

Sub-Command: deployment

list

add

edit

delete

download

Sub-Command: agent

list

edit

delete

collection

Sub-Command: policy

list

add

edit

view

agents

assign

delete

Sub-Command: collection

list

view

add

update

delete

disconnect

wipe-out

Sub-Command: approval

list

action

Sub-Command: scim

Azure AD connection parameters

Active Directory connection parameters