# Enterprise Role Commands #### Usage ```bash enterprise-role command [--options] OR er command [--option] ``` **Alias:** `er` #### Commands | Command | Description | Alias | | ------------------------------------------- | --------------------------------- | ----- | | [`view`](#enterprise-role-view) | View enterprise role | `v` | | [`add`](#enterprise-info-tree) | Create enterprise role(s) | `a` | | [`edit`](#enterprise-info-tree-1) | Edit enterprise role(s) | `e` | | [`delete`](#enterprise-info-tree-2) | Delete enterprise role(s) | | | [`admin`](#enterprise-node-invite-email) | Manage enterprise admin role | | | [`membership`](#enterprise-role-membership) | Manage enterprise role membership | `m` | | [`copy`](#enterprise-role-copy) | Copy role with enforcements | | ### Enterprise Role view Command View enterprise role.

Dotnet CLI

**Command:** `enterprise-role name` **Example:** ``` My Vault> enterprise-role view "IT Admin" OR er view "IT Admin" ```

DotNet SDK

Data can be retrieved from `RoleData`\ \
**Function:** `RoleData` ```csharp public interface IRoleDataManagement ``` **Example:** ```csharp await roleData.Enterprise.Load(); ```

PowerCommander

**Command**: `Get-KeeperEnterpriseRole` **Syntax:** ```powershell Get-KeeperEnterpriseRole [[-Role] ] [] ``` **Aliases:** `ker` **Parameters:** * `-Name` - User email. * `-Filter` - Search filter. * `-Format` - Output format. * `-Output` - Output file name. **Examples**: ```powershell # List all roles PS> Get-KeeperEnterpriseRole ker # Get specific role PS> Get-KeeperEnterpriseRole -Role 123453e # Search role PS> Get-KeeperEnterpriseRole -Filter Test1 ``` **Command:** `Get-KeeperEnterpriseRoleUsers` / `Get-KeeperEnterpriseRoleTeams` Get role members **Syntax:** ```powershell Get-KeeperEnterpriseRoleUsers [-Role] [] Get-KeeperEnterpriseRoleTeams [-Role] [] ``` **Aliases:** `keru`, `kert` **Parameters:** * `-Role` - Role ID (required) **Examples:** ```powershell # Get users in role Get-KeeperEnterpriseRoleUsers -Role 12345 keru 12345 # Get teams in role Get-KeeperEnterpriseRoleTeams -Role 12345 kert 12345 ```

Python CLI

**Command:** `enterprise-role view` **Parameter**: `role` - Role Name or ID (required) **Flag:** * `-v`, `--verbose` - Print verbose information * `--format` - Output format: `json` * `--output` - Output filename

Python SDK

**Function:** ```python if isinstance(role_name, int): role = enterprise_data.roles.get_entity(role_name) elif isinstance(role_name, str): if role_name.isnumeric(): role = enterprise_data.roles.get_entity(int(role_name)) if not role: role = [x for x in enterprise_data.roles.get_all_entities() if x.name.lower() == role_name.lower()] ```

### Enterprise Role Add Command Create enterprise role(s).

Dotnet CLI

**Command:** `enterprise-role add "Role Name" --node "Node Name" OR er add "Role Name" --node "Node Name"` **Example:** ``` My Vault> enterprise-role add "Help Desk" --node "IT Department" OR er add "Help Desk" --node "IT Department" ```

DotNet SDK

**Function:** `CreateRole` ``` Task CreateRole(string roleName, long nodeId, bool newUserInherit); ``` **Example:** ``` await roleData.CreateRole(arguments.Role, nodeId, arguments.NewUser); ```

PowerCommander

**Command:** `New-KeeperEnterpriseRole` **Aliases:** `keradd` **Parameters:**

Parameter	Required	Description
`-Role`	Yes	Role name(s). Can specify multiple roles.
`-ParentNode`	No	Parent node name or ID. Defaults to root node.
`-NewUser`	No	Assign role to new users. Values: `on`, `off`. Default: `off`.
`-VisibleBelow`	No	Make role visible to subnodes. Values: `on`, `off`. Default: `off`.
`-Enforcement`	No	Role enforcement in `KEY:VALUE` format. Can be repeated. list can be found here
`-Force`	No	Skip confirmation when role name already exists.

**Example:** ```powershell PS> New-KeeperEnterpriseRole -ParentNode test_node_updated2 -Role PowerShellTest -NewUser on -VisibleBelow on -Enforcement "RESTRICT_IMPORT:True","RESTRICT_EXPORT:True" Role with name "PowerShellTest" already exists. Do you want to create a new one? (Yes/No): yes Role "PowerShellTest" created successfully (ID: 894448862131) Id DisplayName NodeName NewUserInherit Users Teams IsAdminRole -- ----------- -------- -------------- ----- ----- ----------- 894448862131 PowerShellTest test_node_updated2 X 0 0 - ```

Python CLI

**Command:** `enterprise-role add` **Parameter**: `role` - Role Name. Can be repeated. (required) **Flag:** * `--parent` - Parent node name or ID * `--new-user` - Assign this role to new users: `on` or `off` * `--visible-below` - Visible to all nodes. 'add' only: `on` or `off` * `--enforcement` - Sets role enforcement. Format: `KEY:VALUE`. Can be repeated. * `-f`, `--force` - Do not prompt for confirmation

Python SDK

**Function:** ```python from keepersdk.enterprise import batch_management, enterprise_management roles = list['names of roles to add'] role_lookup: Dict[str, Union[enterprise_types.Role, List[enterprise_types.Role]]] = {} for role in e_data.roles.get_all_entities(): role_lookup[str(role.role_id)] = role if role.name: role_name = role.name.lower() n = role_lookup.get(role_name) if n is None: role_lookup[role_name] = role elif isinstance(n, list): n.append(role) elif isinstance(n, enterprise_types.Role): role_lookup[role_name] = [n, role] role_names: Optional[Dict[str, str]] = None if isinstance(roles, list): role_names = {x.lower(): x for x in roles} for role_key, role_name in list(role_names.items()): r = role_lookup.get(role_key) if r is not None: skip = False if isinstance(r, enterprise_types.Role): r = [r] for r1 in r: if r1.node_id == parent_node_id: logging.info('Role \"%s\" already exists', r1.name) skip = True break if skip: del role_names[role_key] roles_to_add = [enterprise_management.RoleEdit( role_id=enterprise_loader.get_enterprise_id(), name=x, node_id=parent_node_id, new_user_inherit=apply_to_new_user, visible_below=visible_to_all_nodes) for x in role_names.values()] batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger) batch.modify_roles(to_add=roles_to_add) batch.apply() ```

### Enterprise Role Edit Command Edit enterprise role(s).

DotNet CLI

Command: `enterprise-role update` **Usage :** `enterprise-role update role-name --flags=values` **flags:**

Parameter	Description
`-new-user`	Set role as default for new users in the node
`-visible-below`	Set role visibility to subnodes
`-new-role-name`	New role display name

**Example:** ```console My Vault> enterprise-role update Analyst --new-user=true --visible-below=true Role "Analyst" updated successfully. Role Name: Analyst Visible Below: X New User Inherit: X My Vault> enterprise-role update Test1 --new-user=false --visible-below=false Role "Test1" updated successfully. Role Name: Test1 Visible Below: - New User Inherit: - ```

DotNet SDK

**Function:** `UpdateRole` **Usage:** ```csharp public async Task UpdateRole(EnterpriseRole role, bool? newUserInherit = null, bool? visibleBelow = null, string displayName = null) ``` **Parameters:**

	Description
`newUserInherit`	Sets the current role we are editing as a default role
`visibleBelow`	Set role visibility to subnodes. If null, property is not changed
`displayName`	New role display name. If null, property is not changed.

\ **Example:** ```csharp roleData.UpdateRole( updateParams['newUserInherit'], updateParams['visibleBelow'], updateParams['displayName'] ) ```

PowerCommander

**Command:** `Set-KeeperEnterpriseRole` **Usage:** `Set-KeeperEnterpriseRole -NewUserInherit $true` **Options:**

Parameter	Description
`-Role`	Role Name, ID, or EnterpriseRole object (mandatory)
`-NewUserInherit`	Set role as default for new users in the node
`-VisibleBelow`	Set role visibility to subnodes
`-NewDisplayName`	New role display name

**Example:** ```powershell PS> Set-KeeperEnterpriseRole Test1 -NewUserInherit $true Role "Test1" updated successfully Id DisplayName NodeName NewUserInherit Users Teams IsAdminRole -- ----------- -------- -------------- ----- ----- ----------- 894122414228537 Test1 Metronlabs X 1 0 - ```

Python CLI

**Command:** `enterprise-role edit` **Parameter**: `role` - Role Name or ID. Can be repeated. (required) **Flag:** * `--parent` - Parent node name or ID * `--name`, `--displayname` - Set role display name * `--new-user` - Assign this role to new users: `on` or `off` * `--visible-below` - Visible to all nodes: `on` or `off` * `--enforcement` - Sets role enforcement. Format: `KEY:VALUE`. Can be repeated.

Python SDK

### Enterprise Role Delete Command Delete enterprise role(s).

DotNet CLI

**Command:** `enterprise-role delete <"Role name"> OR er delete <"Role name">` **Example:** ``` My Vault> enterprise-role delete "Help Desk" ```

DotNet SDK

**Function:** `DeleteRole()` **Usage:** ```csharp public async Task DeleteRole(EnterpriseRole role) ``` **Example:** ```csharp await roleData.DeleteRole(role) ```

PowerCommander

**Command** : `Remove-KeeperEnterpriseRole` **Aliases** : `kerdel` **Parameters:** `-Force` : skips confirmation prompt **Example:** ```powershell PS> Remove-KeeperEnterpriseRole PowerShellTest Confirm Are you sure you want to perform this action? Performing the operation "Delete Enterprise Role" on target "Role "PowerShellTest" (ID: 894448414228628)". [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A Role "PowerShellTest" (ID: 894448414228628) deleted successfully ```

Python CLI

**Command:** `enterprise-role delete` **Parameter:** * `role` - Role Name or ID. Can be repeated. (required)

Python SDK

### Enterprise Role Admin Command Manage enterprise admin role.

DotNet CLI

**Command :** `enterprise-role add-users-to-admin-role OR` `er add-users-to-admin-role ` **Example :** ``` enterprise-role add-users-to-admin-role "Administrator" "test@demo.com" ```

DotNet SDK

**Function:** `AddUserToAdminRole` **Usage:** ```csharp public async Task AddUserToAdminRole(EnterpriseRole role, EnterpriseUser user) ```

PowerCommander

The commands are seperated here and have different commands for each functionality check the below commands for details on functionality. | [Add-KeeperEnterpriseRoleManagedNode](#enterprise-role-managed-node-add-command) | | ----------------------------------------------------------------------------------------------- | | [Remove-KeeperEnterpriseRoleManagedNode](#enterprise-role-managed-node-delete-command) | | [Add-KeeperEnterpriseRolePrivilege](#enterprise-role-managed-node-privileges-add-command) | | [Remove-KeeperEnterpriseRolePrivilege](#enterprise-role-managed-node-privileges-remove-command) |

Python CLI

**Command:** `enterprise-role admin` **Parameter**: `role` - Role Name or ID (required) **Flag:** * `-aa`, `--add-admin` - Add managed node to role. Can be repeated. * `-ra`, `--remove-admin` - Remove managed node from role. Can be repeated. * `-ap`, `--add-privilege` - Add privilege to managed node. Can be repeated. * `-rp`, `--remove-privilege` - Remove privilege from managed node. Can be repeated. * `--cascade` - Apply to the child nodes. "--add-admin" only: `on` or `off`

Python SDK

**Function:** ``` from keepersdk.enterprise import batch_management, enterprise_management batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger) if isinstance(role_name, int): role = enterprise_data.roles.get_entity(role_name) elif isinstance(role_name, str): if role_name.isnumeric(): role = enterprise_data.roles.get_entity(int(role_name)) if not role: role = [x for x in enterprise_data.roles.get_all_entities() if x.name.lower() == role_name.lower()] existing_nodes = {x.managed_node_id: x for x in enterprise_data.managed_nodes.get_links_by_subject(role.role_id)} nodes_to_add_admin = ['list of nodes'] nodes_to_remove_admin = ['list of nodes'] nodes_to_add_admin: Optional[List[enterprise_types.Node]] = None nodes_to_remove_admin: Optional[List[enterprise_types.Node]] = None cascade: Optional[bool] = None add_admins = ['nodes'] if isinstance(add_admins, list): for admin in add_admins: if isintance(admin, int): node = enterprise_data.nodes.get_entity(admin) elif isintance(admin, str): node = [node for node in enterprise_data.nodes.get_all_entities() if node.name.lower() == admin] nodes_to_add_admin.append(node) remove_admins = ['nodes'] if isinstance(remove_admins, list): for admin in remove_admins: if isintance(admin, int): node = enterprise_data.nodes.get_entity(admin) elif isintance(admin, str): node = [node for node in enterprise_data.nodes.get_all_entities() if node.name.lower() == admin] nodes_to_remove_admin.append(node) add_privileges = ['privileges to be granted'] remove_priviliges = ['privileges to be removed'] if nodes_to_add_admin is not None: aps: Optional[Set[str]] = None rps: Optional[Set[str]] = None if isinstance(add_privileges, list): privilege = enterprise_types.RolePrivileges(role_id=0, managed_node_id=0) for p in add_privileges: if not privilege.set_by_name(p, True): logger.info('Invalid privilege "%s"', p) aps = privilege.to_set() if isinstance(remove_privileges, list): privilege = enterprise_types.RolePrivileges(role_id=0, managed_node_id=0) for p in remove_privileges: if not privilege.set_by_name(p, False): logger.info('Invalid privilege "%s"', p) rps = privilege.to_set() for node in nodes_to_add_admin: mne = enterprise_management.ManagedNodeEdit( role_id=role.role_id, managed_node_id=node.node_id, cascade_node_management=cascade) if aps and len(aps) > 0: if mne.privileges is None: mne.privileges = {} for p in aps: mne.privileges[p] = True if rps and len(rps) > 0: if mne.privileges is None: mne.privileges = {} for p in rps: mne.privileges[p] = False if node.node_id in existing_nodes: en = existing_nodes[node.node_id] assert en if (isinstance(cascade, bool) and en.cascade_node_management != cascade) or aps or rps: batch.modify_managed_nodes(to_update=[mne]) else: batch.modify_managed_nodes(to_add=[mne]) if nodes_to_remove_admin is not None: for node in nodes_to_remove_admin: if node.node_id in existing_nodes: batch.modify_managed_nodes(to_remove=[enterprise_management.ManagedNodeEdit( role_id=role.role_id, managed_node_id=node.node_id)]) batch.apply() ```

### Enterprise Role Membership Command Manage enterprise role membership.

DotNet CLI

**Command:** `enterprise-role add-members "Role Name"` **Aliases**: `er` **Example:** ``` My Vault> enterprise-role add-members "IT Admin" admin1@company.com My Vault> enterprise-role remove-members "IT Admin" admin1@company.com ```

DotNet SDK

**Function:** `AddUserToAdminRole` - To add user as admin `RemoveUserFromRole` - To remove admin role from user **Examples:** ```csharp public async Task AddUserToAdminRole(EnterpriseRole role, EnterpriseUser user) ``` ```csharp public async Task RemoveUserFromRole(EnterpriseRole role, EnterpriseUser user) ```

PowerCommander

**Add Users to a given Role** **Command:** `Grant-KeeperEnterpriseRoleToUser` **Aliases:** `kerua` **Flags:** * `-Role` : Role Name, ID, or EnterpriseRole object * `-User` : User email, ID, or EnterpriseUser object **Example:** ```ps1 PS > Grant-KeeperEnterpriseRoleToUser -Role "Administrator Role" -User "user@example.com" User "user@example.com" added to role "Administrator Role" ``` **Remove Users from a given role:** **Command:** `Revoke-KeeperEnterpriseRoleFromUser` **Aliases:** `kerur` **Flags:** * `-Role` : Role Name, ID, or EnterpriseRole object * `-User` : User email, ID, or EnterpriseUser object **Example:** ```ps1 PS > Revoke-KeeperEnterpriseRoleFromUser -Role "Administrator Role" -User "user@example.com" User "user@example.com" removed from role "Administrator Role" ```

Python CLI

**Command:** `enterprise-role membership` **Parameter:** * `role` - Role Name or ID (required) **Options**:\ `-h, --help` show this help message and exit\ `-au, --add-user` EMAIL - add user to role. Can be repeated.\ `-ru, --remove-user` EMAIL - remove user (Email, User ID, @all) from role. Can be repeated.\ `-at, --add-team` TEAM - add team to role. Can be repeated.\ `-rt, --remove-team` TEAM - remove team (Name, Team UID, @all) from role. Can be repeated. **Warning:** This action cannot be undone and will remove all users, roles, teams, and subnodes.

Python SDK

**Function:** ```python from keepersdk.enterprise import batch_management, enterprise_management if isinstance(role_name, int): role = enterprise_data.roles.get_entity(role_name) elif isinstance(role_name, str): if role_name.isnumeric(): role = enterprise_data.roles.get_entity(int(role_name)) if not role: role = [x for x in enterprise_data.roles.get_all_entities() if x.name.lower() == role_name.lower()] role_list = [role] users_to_add: Optional[List[enterprise_types.User]] = None teams_to_add: Optional[List[enterprise_types.Team]] = None users_to_remove: Optional[List[enterprise_types.User]] = None teams_to_remove: Optional[List[enterprise_types.Team]] = None add_users = ['list of user to add'] add_teams = ['list of teams to add'] remove_users = ['list of user to remove'] has_remove_all_users: bool = False remove_teams = ['list of teams to remove'] has_remove_all_teams: bool = False if isinstance(add_users, list): for add_user in add_users: user = [user for user in enterprise_data.users.get_all_entities() if user.username.lower() == add_user.lower()] users_to_add.append(user) if isinstance(add_teams, list): team_lookup: Dict[str, Union[enterprise_types.Team, List[enterprise_types.Team]]] = {} for team in enterprise_data.teams.get_all_entities(): team_lookup[team.team_uid] = team team_name = team.name.lower() t = team_lookup.get(team_name) if t is None: team_lookup[team_name] = team elif isinstance(t, list): t.append(team) elif isinstance(t, enterprise_types.Team): team_lookup[team_name] = [t, team] found_teams: Dict[str, enterprise_types.Team] = {} t: Optional[enterprise_types.Team] for team_name in add_teams: t = None if isinstance(team_name, str): t = enterprise_data.teams.get_entity(team_name) if t is None: tt = team_lookup.get(team_name.lower()) if isinstance(tt, list): if len(tt) == 1: t = tt[0] elif len(tt) >= 2: continue elif isinstance(tt, enterprise_types.Team): t = tt if t is None: continue found_teams[t.team_uid] = t teams_to_add = list(found_teams.values()) if isinstance(remove_users, list): has_remove_all_users = any((True for x in remove_users if x == '@all')) if not has_remove_all_users: for remove_user in remove_users: user = [user for user in enterprise_data.users.get_all_entities() if user.username.lower() == remove_user.lower()] users_to_remove.append(user) if isinstance(remove_teams, list): has_remove_all_teams = any((True for x in remove_teams if x == '@all')) if not has_remove_all_teams: team_lookup: Dict[str, Union[enterprise_types.Team, List[enterprise_types.Team]]] = {} for team in enterprise_data.teams.get_all_entities(): team_lookup[team.team_uid] = team team_name = team.name.lower() t = team_lookup.get(team_name) if t is None: team_lookup[team_name] = team elif isinstance(t, list): t.append(team) elif isinstance(t, enterprise_types.Team): team_lookup[team_name] = [t, team] found_teams: Dict[str, enterprise_types.Team] = {} t: Optional[enterprise_types.Team] for team_name in remove_teams: t = None if isinstance(team_name, str): t = enterprise_data.teams.get_entity(team_name) if t is None: tt = team_lookup.get(team_name.lower()) if isinstance(tt, list): if len(tt) == 1: t = tt[0] elif len(tt) >= 2: continue elif isinstance(tt, enterprise_types.Team): t = tt if t is None: continue found_teams[t.team_uid] = t teams_to_remove = list(found_teams.values()) batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger) for role in role_list: existing_users = {x.enterprise_user_id for x in enterprise_data.role_users.get_links_by_subject(role.role_id)} existing_teams = {x.team_uid for x in enterprise_data.role_teams.get_links_by_subject(role.role_id)} if users_to_add: users_to_add = [x for x in users_to_add if x.enterprise_user_id not in existing_users] if users_to_add: batch.modify_role_users(to_add=[enterprise_management.RoleUserEdit( role_id=role.role_id, enterprise_user_id=x.enterprise_user_id) for x in users_to_add]) if teams_to_add: teams_to_add = [x for x in teams_to_add if x.team_uid not in existing_teams] if teams_to_add: batch.modify_role_teams(to_add=[enterprise_management.RoleTeamEdit( role_id=role.role_id, team_uid=x.team_uid) for x in teams_to_add]) if has_remove_all_users: batch.modify_role_users(to_remove=[enterprise_management.RoleUserEdit( role_id=role.role_id, enterprise_user_id=x) for x in existing_users]) elif users_to_remove: batch.modify_role_users(to_remove=[enterprise_management.RoleUserEdit( role_id=role.role_id, enterprise_user_id=x.enterprise_user_id) for x in users_to_remove]) if has_remove_all_teams: batch.modify_role_teams(to_remove=[enterprise_management.RoleTeamEdit( role_id=role.role_id, team_uid=x) for x in existing_teams]) elif teams_to_remove: batch.modify_role_teams(to_remove=[enterprise_management.RoleTeamEdit( role_id=role.role_id, team_uid=x.team_uid) for x in teams_to_remove]) batch.apply() ```

#### Enterprise Role Copy Command Copy role with enforcement.

DotNet CLI

**Command:** ```bash enterprise-role copy --node --new-role-name ``` **Parameters** | Parameter | Required | Description | | ----------------- | -------- | --------------------------------------------------------------- | | `copy` | Yes | Command: must be `copy`. | | `` | Yes | Role name or Role ID to copy from. Must match exactly one role. | | `--node` | Yes | Target node name or Node ID where the new role will be created. | | `--new-role-name` | Yes | Display name for the new role. | **Examples:** ```bash My Vault> enterprise-role copy "Test2 Role" --node "dev" --new-role-name "third dev 2" Role "third dev 2" created with enforcements from "Test2 Role" (10 user(s), 2 team(s) copied). ```

DotNet SDK

Not Implemented

PowerCommander

**Command:** ```powershell Copy-KeeperEnterpriseRole -SourceRole -TargetNode -NewRoleName [-CopyUsers ] [-CopyTeams ] [-Force] ``` **Alias:** `kercopy` **Parameters** | Parameter | Type | Required | Default | Description | | ------------- | ------- | -------- | ------- | --------------------------------------------------------------- | | `SourceRole` | Object | Yes | — | Role name, Role ID, or `EnterpriseRole` object to copy from. | | `TargetNode` | String | Yes | — | Target node name or Node ID where the new role will be created. | | `NewRoleName` | String | Yes | — | Display name for the new role. | | `CopyUsers` | Boolean | No | `$true` | Copy users from the source role to the new role. | | `CopyTeams` | Boolean | No | `$true` | Copy teams from the source role to the new role. | | `Force` | Switch | No | — | Reload enterprise data before running. | **Examples:** ```powershell PowerCommander> Copy-KeeperEnterpriseRole -SourceRole "Test2 Role" -TargetNode "dev" -NewRoleName "second dev" Role "second dev" created with enforcements from "Test2 Role" (10 user(s), 4 team(s) copied). ```

Python CLI

**Command:** `enterprise-role copy` **Parameter**: `role` - Role Name or ID (required) **Flag:** * `--node` - New role node name or ID (required) * `--name`, `--displayname` - New role name (required)

Python SDK

### Enterprise Role Team Management Command This command assigns or unassigne a role to team

DotNet CLI

**Command:** `enterprise-role` **Add Team to a Role:** **Action:** `add-members` **Flags:** * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command: "add-members" * `value pos. 1` : Role Name or ID * `value pos. 2` : User Email, User ID, Team Name, or Team UID (space-separated list) **Example:** ``` My Vault > enterprise-role add-members "Administrator Role" "Engineering Team" Adding members to role "Administrator Role" Team: "Engineering Team" : Success ``` \ **Remove Team from a Role:** **Action:** `remove-members` **Flags:** * `--help` : Display this help screen. * `--version` : Display version information. * `value pos. 0` : KSM command: "remove-members" * `value pos. 1` : Role Name or ID * `value pos. 2` : User Email, User ID, Team Name, or Team UID (space-separated list) **Example:** ``` My Vault > enterprise-role remove-members "Administrator Role" "Engineering Team" Removing members from role "Administrator Role" Team: "Engineering Team" : Success ```

DotNet SDK

**Add Team to a Role:** **Function:** `AddTeamToRole` ```csharp Task AddTeamToRole(EnterpriseRole role, EnterpriseTeam team); ``` **Arguments:** `role` - EnterpriseRole object representing the role to which the team will be added `team` - EnterpriseTeam object representing the team to be added to the role **Remove Team from a Role:** **Function:** `RemoveTeamFromRole` ```csharp Task RemoveTeamFromRole(EnterpriseRole role, EnterpriseTeam team); ``` **Arguments:** `role` - EnterpriseRole object representing the role from which the team will be removed `team` - EnterpriseTeam object representing the team to be removed from the role

PowerCommander

**Add Team to a Role:** **Command:** `Grant-KeeperEnterpriseRoleToTeam` **Aliases:** `kerta` **Flags:** * `-Role` : Role Name, ID, or EnterpriseRole object * `-Team` : Team UID, Name, or EnterpriseTeam object **Example:** ``` PS > Grant-KeeperEnterpriseRoleToTeam -Role "Administrator Role" -Team "Engineering Team" Team "Engineering Team" added to role "Administrator Role" ``` **Remove Team from a Role:** **Command:** `Revoke-KeeperEnterpriseRoleFromTeam` **Aliases:** `kertr` **Flags:** * `-Role` : Role Name, ID, or EnterpriseRole object * `-Team` : Team UID, Name, or EnterpriseTeam object **Example:** ``` PS > Revoke-KeeperEnterpriseRoleFromTeam -Role "Administrator Role" -Team "Engineering Team" Team "Engineering Team" removed from role "Administrator Role" ```

### Enterprise Role Managed Node Add Command This command/function helps to add a managed node to a role.

DotNet CLI

im**Command:** `enterprise-role roll_name --node= --cascade OR er roll_name --node= --cascade` **Parameter:** `roll_name` - Role name or ID. `node_name` - Node name or ID. `cascade` - cascade includes it is true else false **Examples:** ```sh My Vault> enterprise-role managed-node-add "Test4" --node="Test1" --cascade ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Add Managed Node:** **Function:** `RoleManagedNodeAdd` **Usage:** ```csharp public async Task RoleManagedNodeAdd(EnterpriseRole role, EnterpriseNode node, bool cascadeNodeManagement) ``` **Parameters:**

	Description
`role`	EnterpriseRole object representing the role
`node`	EnterpriseNode object representing the node
`cascade`	do the privileges for this managed node apply to the children nodes - `true / false`

**Example:** {% code overflow="wrap" %} ```csharp await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleManagedNodeAdd(roleName: "Test2", nodeId: 70411693850884, cascadeNodeManagement: true); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Add-KeeperEnterpriseRoleManagedNode` **Flags:**

Parameter	Description
`Role`	Role Name or ID
`Node`	Node name or ID to add as a managed node
`Cascade`	Cascade node management to subnodes

**Example:** ```powershell PS> Add-KeeperEnterpriseRoleManagedNode -Role PCRTest -Node PCTNode -Cascade Managed node "PCTNode" added to role "PCRTest" successfully. ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Managed Node Update Command This command/function helps to update a managed node to a role.

DotNet CLI

**Command:** `enterprise-role roll_name --node= --cascade OR er roll_name --node= --cascade` **Parameter:** `roll_name` - Role name or ID. `node_name` - Node name or ID. `cascade` - cascade includes it is true else false **Examples:** ```sh My Vault> enterprise-role managed-node-update "Test4" --node="Test1" --cascade ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Update Managed Node:** **Function:** `RoleManagedNodeUpdate` **Usage:** ```csharp public async Task RoleManagedNodeUpdate(EnterpriseRole role, EnterpriseNode node, bool cascadeNodeManagement) ``` **Parameters:**

	Description
`role`	EnterpriseRole object representing the role
`node`	EnterpriseNode object representing the node
`cascade`	do the privileges for this managed node apply to the children nodes - `true / false`

**Example:** {% code overflow="wrap" %} ```csharp await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleManagedNodeUpdate(roleName: "Test2", nodeId: 70411693850884, cascadeNodeManagement: true); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command**:`Update-KeeperEnterpriseRoleManagedNode` **Flags**:

Parameter	Description
`Role`	Role Name or ID
`Node`	Node name or ID to add as a managed node
`Cascade`	Cascade node management to subnodes

**Example**: ```powershell PS> Update-KeeperEnterpriseRoleManagedNode -Role PCRTest -Node PCTNode Managed node "PCTNode" updated for role "PCRTest" successfully. ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Managed Node Delete Command This command/function helps to delete a managed node to a role.

DotNet CLI

**Command:** `enterprise-role roll_name --node= OR er roll_name --node=` **Parameter:** `roll_name` - Role name or ID. `node_name` - Node name or ID. **Examples:** ```sh My Vault> enterprise-role managed-node-delete "Test4" --node="Test1" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Remove Managed Node:** **Function:** `RoleManagedNodeRemove` **Usage:** ```csharp public async Task RoleManagedNodeRemove(EnterpriseRole role, EnterpriseNode node) ``` **Parameters:**

	Description
`role`	EnterpriseRole object representing the role
`node`	EnterpriseNode object representing the node

**Example:** {% code overflow="wrap" %} ```csharp await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleManagedNodeRemove(roleName: "Test1", nodeId: 70411693850884); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

Command: `Remove-KeeperEnterpriseRoleManagedNode` Flags:

Parameter	Description
`Role`	Role Name or ID
`Node`	Node name or ID to add as a managed node

**Example:** ``` PS> Remove-KeeperEnterpriseRoleManagedNode -Role PCRTest -Node PCTNode Managed node PCTNode deleted from role PCRTest successfully. ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Managed Node Privileges Add Command This command/function helps to add a batch or individual privileges to managed node.

DotNet CLI

**Command:** `enterprise-role roll_name --node= --privileges= OR er roll_name --node= --privileges=` **Parameter:** `roll_name` - Role name or ID. `node_name` - Node name or ID. `privileges` - comma separated privileges inside a string. **Examples:** ```sh My Vault> er add-privileges "Test4" --node="Ananth-Test" --privileges="manage_nodes,manage_user,run_reports" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Add Privileges to Managed Node:** **Function:** `RoleManagedNodePrivilegeAddBatch` **Usage:** ```csharp public async Task> RoleManagedNodePrivilegeAddBatch(EnterpriseRole role, EnterpriseNode node, List privileges) ``` **Parameters:**

Description

role EnterpriseRole object representing the role

node EnterpriseNode object representing the node

privileges

Adds a list of privileges of type

List<RoleManagedNodePrivilege>

**Example:** {% code overflow="wrap" %} ```csharp await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleManagedNodePrivilegeAdd(roleName: "Test1", nodeId: 70411693850884, privileges: new List { RoleManagedNodePrivilege.MANAGE_USER, RoleManagedNodePrivilege.TRANSFER_ACCOUNT }); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Add-KeeperEnterpriseRolePrivilege` **Aliases:** `Add-KeeperRolePrivilege` **Flags:**

Flag	Description
`-Role`	Role Name or ID (Mandatory, Position 0)
`-Node`	Node name or ID of the managed node (Mandatory, Position 1)
`-Privilege`	One or more privilege names to add. Valid values: MANAGE_NODES, MANAGE_USER, MANAGE_LICENCES, MANAGE_ROLES, MANAGE_TEAMS, TRANSFER_ACCOUNT, RUN_REPORTS, VIEW_TREE, MANAGE_BRIDGE, MANAGE_COMPANIES, SHARING_ADMINISTRATOR, APPROVE_DEVICE, MANAGE_RECORD_TYPES, RUN_COMPLIANCE_REPORTS (Mandatory, Position 2)

Example: ```powershell PS> Add-KeeperEnterpriseRolePrivilege -Role PCRTest -Node PCTNode -Privilege MANAGE_NODES,MANAGE_USER,MANAGE_LICENCES,MANAGE_ROLES,MANAGE_TEAMS,TRANSFER_ACCOUNT,VIEW_TREE,MANAGE_COMPANIES,SHARING_ADMINISTRATOR,APPROVE_DEVICE,MANAGE_RECORD_TYPES,RUN_COMPLIANCE_REPORTS Command: managed_node_privilege_add, Privilege: MANAGE_NODES, Result: success Command: managed_node_privilege_add, Privilege: MANAGE_USER, Result: success Command: managed_node_privilege_add, Privilege: MANAGE_LICENCES, Result: success Command: managed_node_privilege_add, Privilege: MANAGE_ROLES, Result: success Command: managed_node_privilege_add, Privilege: MANAGE_TEAMS, Result: success Command: managed_node_privilege_add, Privilege: TRANSFER_ACCOUNT, Result: success Command: managed_node_privilege_add, Privilege: VIEW_TREE, Result: fail, Code: access_denied, Message: You do not have the required privilege to perform this operation. Command: managed_node_privilege_add, Privilege: MANAGE_COMPANIES, Result: fail, Code: access_denied, Message: You do not have the required privilege to perform this operation. Command: managed_node_privilege_add, Privilege: SHARING_ADMINISTRATOR, Result: success Command: managed_node_privilege_add, Privilege: APPROVE_DEVICE, Result: success Command: managed_node_privilege_add, Privilege: MANAGE_RECORD_TYPES, Result: success Command: managed_node_privilege_add, Privilege: RUN_COMPLIANCE_REPORTS, Result: success ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Managed Node Privileges Remove Command This command/function helps to remove a batch or individual privileges to managed node.

DotNet CLI

**Command:** `enterprise-role roll_name --node= --privileges= OR er roll_name --node= --privileges=` **Parameter:** `roll_name` - Role name or ID. `node_name` - Node name or ID. `privileges` - comma separated privileges inside a string. **Examples:** ```sh My Vault> er remove-privileges "Test4" --node="Ananth-Test" --privileges="manage_nodes,manage_user,run_reports" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Remove Privileges of Managed Node:** **Function:** `RoleManagedNodePrivilegeRemoveBatch` **Usage:** ```csharp public async Task> RoleManagedNodePrivilegeRemoveBatch(EnterpriseRole role, EnterpriseNode node, List privileges) ``` **Parameters:**

Description

role EnterpriseRole object representing the role

node EnterpriseNode object representing the node

privileges

Removes a list of privileges of type

List<RoleManagedNodePrivilege>

**Example:** {% code overflow="wrap" %} ```csharp await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleManagedNodePrivilegeRemove(roleName: "Test1", nodeId: 70411693850884, privileges: new List { RoleManagedNodePrivilege.MANAGE_USER, RoleManagedNodePrivilege.TRANSFER_ACCOUNT }); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Remove-KeeperEnterpriseRolePrivilege` **Aliases:** `Remove-KeeperRolePrivilege` **Flags:**

Flag	Description
`-Role`	Role Name or ID (Mandatory, Position 0)
`-Node`	Node name or ID of the managed node (Mandatory, Position 1)
`-Privilege`	One or more privilege names to remove. Valid values: MANAGE_NODES, MANAGE_USER, MANAGE_LICENCES, MANAGE_ROLES, MANAGE_TEAMS, TRANSFER_ACCOUNT, RUN_REPORTS, VIEW_TREE, MANAGE_BRIDGE, MANAGE_COMPANIES, SHARING_ADMINISTRATOR, APPROVE_DEVICE, MANAGE_RECORD_TYPES, RUN_COMPLIANCE_REPORTS (Mandatory, Position 2)

**Example:** ```powershell PS> Remove-KeeperEnterpriseRolePrivilege -Role PCRTest -Node PCTNode -Privilege MANAGE_NODES,MANAGE_USER,MANAGE_LICENCES,MANAGE_ROLES,MANAGE_TEAMS,TRANSFER_ACCOUNT,VIEW_TREE,MANAGE_COMPANIES,SHARING_ADMINISTRATOR,APPROVE_DEVICE,MANAGE_RECORD_TYPES,RUN_COMPLIANCE_REPORTS Command: managed_node_privilege_remove, Privilege: MANAGE_NODES, Result: success Command: managed_node_privilege_remove, Privilege: MANAGE_USER, Result: success Command: managed_node_privilege_remove, Privilege: MANAGE_LICENCES, Result: success Command: managed_node_privilege_remove, Privilege: MANAGE_ROLES, Result: success Command: managed_node_privilege_remove, Privilege: MANAGE_TEAMS, Result: success Command: managed_node_privilege_remove, Privilege: TRANSFER_ACCOUNT, Result: success Command: managed_node_privilege_remove, Privilege: VIEW_TREE, Result: fail, Code: doesnt_exist, Message: This object no longer exists. Command: managed_node_privilege_remove, Privilege: MANAGE_COMPANIES, Result: fail, Code: doesnt_exist, Message: This object no longer exists. Command: managed_node_privilege_remove, Privilege: SHARING_ADMINISTRATOR, Result: success Command: managed_node_privilege_remove, Privilege: APPROVE_DEVICE, Result: success Command: managed_node_privilege_remove, Privilege: MANAGE_RECORD_TYPES, Result: success Command: managed_node_privilege_remove, Privilege: RUN_COMPLIANCE_REPORTS, Result: success ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Add Enforcement Policies Command This command/function helps to add a batch or individual enforcement policies to a role.

DotNet CLI

**Command:** `enterprise-role role_name --enforcements="key1=value1; key2="value2"" OR er role_name --enforcements="key1=value1; key2="value2""` **Parameter:** `roll_name` - Role name or ID. `enforcements` - Give enforcements in the form of key and value pair inside the string. **Examples:** ```sh My Vault> er add-enforcements "Test4" --enforcements="RESTRICT_FILE_UPLOAD=true; TWO_FACTOR_DURATION_WEB="0,12,24"" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Add Enforcement Policies to Role:** **Function:** `RoleEnforcementAddBatch` **Usage:** ```csharp public async Task> RoleEnforcementAddBatch(EnterpriseRole role, IDictionary enforcements) ``` **Parameters:**

Description

role EnterpriseRole object representing the role

	Description
`role`	`EnterpriseRole` object representing the role
`enforcements`	Adds a batch of enforcement policies of type `Dictionary<RoleEnforcementPolicies, string>`

enforcements

Adds a batch of enforcement policies of type

Dictionary<RoleEnforcementPolicies, string>

**Example:** {% code overflow="wrap" %} ```csharp var enforcements = new Dictionary { { RoleEnforcementPolicies.RESTRICT_FILE_UPLOAD, "true" }, { RoleEnforcementPolicies.RESTRICT_IP_ADDRESSES, "1.1.1.1-2.2.2.2" }, { RoleEnforcementPolicies.MASTER_PASSWORD_MINIMUM_LENGTH, "10"}, { RoleEnforcementPolicies.RESTRICT_DOMAIN_ACCESS, "192.168.1.100/app123"}, { RoleEnforcementPolicies.GENERATED_PASSWORD_COMPLEXITY, "google.com|12|4|1|3|1"}, }; await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleEnforcementAdd(roleName: , enforcements: enforcements); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Add-KeeperEnterpriseRoleEnforcement` **Aliases:** `Add-KeeperRoleEnforcement` **Flags:** | Flag | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-Role` | Role Name or ID (Mandatory, Position 0) | | `-Enforcement` | Enforcement(s) in KEY=value format. Can be semicolon or comma separated. Multiple enforcements can be provided as an array. Supports both `=` and `:` as separators. (Mandatory, Position 1) | **Example:** ``` PS > Add-KeeperEnterpriseRoleEnforcement -Role PCRTest -Enforcement RESTRICT_FILE_UPLOAD=$true,RESTRICT_EXPORT=$true Command: role_enforcement_add, Enforcement: RESTRICT_FILE_UPLOAD=True, Result: success Command: role_enforcement_add, Enforcement: RESTRICT_EXPORT=True, Result: success ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Update Enforcement Policies Command This command/function helps to update a batch or individual enforcement policies to a role.

DotNet CLI

**Command:** `enterprise-role role_name --enforcements="key1=value1; key2=value2" OR er role_name --enforcements="key1=value1; key2=value2"` **Parameter:** `roll_name` - Role name or ID. `enforcements` - Give enforcements in the form of key and value pair inside the string. **Examples:** ```sh My Vault> er update-enforcements "Test4" --enforcements="RESTRICT_FILE_UPLOAD=false; TWO_FACTOR_DURATION_WEB="0,12,24,30"" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Update Enforcement Policies to Role:** **Function:** `RoleEnforcementUpdateBatch` **Usage:** ```csharp public async Task> RoleEnforcementUpdateBatch(EnterpriseRole role, IDictionary enforcements) ``` **Parameters:**

Description

role EnterpriseRole object representing the role

enforcements

Adds a batch of enforcement policies of type

Dictionary<RoleEnforcementPolicies, string>

**Example:** {% code overflow="wrap" %} ```csharp var enforcements = new Dictionary { { RoleEnforcementPolicies.RESTRICT_FILE_UPLOAD, "false" }, { RoleEnforcementPolicies.RESTRICT_IP_ADDRESSES, "2.2.2.2-3.3.3.3" }, { RoleEnforcementPolicies.MASTER_PASSWORD_MINIMUM_LENGTH, "20"}, { RoleEnforcementPolicies.RESTRICT_DOMAIN_ACCESS, "192.168.1.100/app345"}, { RoleEnforcementPolicies.GENERATED_PASSWORD_COMPLEXITY, "google.com|12|4|1|3|1"}, }; await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleEnforcementUpdate(roleName: , enforcements: enforcements); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Update-KeeperEnterpriseRoleEnforcement` **Aliases:** `Update-KeeperRoleEnforcement` **Flags:** | Flag | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-Role` | Role Name or ID (Mandatory, Position 0) | | `-Enforcement` | Enforcement(s) in KEY=value format. Can be semicolon or comma separated. Multiple enforcements can be provided as an array. Supports both `=` and `:` as separators. (Mandatory, Position 1) | **Example:** ```powershell PS > Update-KeeperEnterpriseRoleEnforcement -Role PCRTest -Enforcement RESTRICT_FILE_UPLOAD=$true,RESTRICT_EXPORT=$true Command: role_enforcement_add, Enforcement: RESTRICT_FILE_UPLOAD=True, Result: success Command: role_enforcement_add, Enforcement: RESTRICT_EXPORT=True, Result: success ``` Separator as Semicolon: ```powershell PS > Update-KeeperEnterpriseRoleEnforcement -Role "AdminRole" -Enforcement "TWO_FACTOR_DURATION_WEB=7200;MASTER_PASSWORD_MINIMUM_LENGTH=16" Command: role_enforcement_update, Enforcement: TWO_FACTOR_DURATION_WEB=7200, Result: success Command: role_enforcement_update, Enforcement: MASTER_PASSWORD_MINIMUM_LENGTH=16, Result: success ``` Separator as Comma: ```powershell PS > Update-KeeperEnterpriseRoleEnforcement -Role "AdminRole" -Enforcement "TWO_FACTOR_DURATION_WEB=7200,MASTER_PASSWORD_MINIMUM_LENGTH=16" Command: role_enforcement_update, Enforcement: TWO_FACTOR_DURATION_WEB=7200, Result: success Command: role_enforcement_update, Enforcement: MASTER_PASSWORD_MINIMUM_LENGTH=16, Result: success ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

### Enterprise Role Remove Enforcement Policies Command This command/function helps to Remove a batch or individual enforcement policies to a role.

DotNet CLI

**Command:** `enterprise-role role_name --enforcements="key1; key2; key3" OR er role_name --enforcements="key1; key2; key3"` **Parameter:** `roll_name` - Role name or ID. `enforcements` - comma separated enforcements inside a string. **Examples:** ```sh My Vault> er remove-enforcements "Test4" --enforcements="RESTRICT_FILE_UPLOAD; TWO_FACTOR_DURATION_WEB" ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

DotNet SDK

**Remove Enforcement Policies to Role:** **Function:** `RoleEnforcementRemoveBatch` **Usage:** ```csharp public async Task> RoleEnforcementRemoveBatch(EnterpriseRole role, List enforcements) ``` **Parameters:**

Description

role EnterpriseRole object representing the role

enforcements

Adds a batch of enforcement policies of type

List<RoleEnforcementPolicies>

**Example:** {% code overflow="wrap" %} ```csharp var enforcements = new List { { RoleEnforcementPolicies.RESTRICT_FILE_UPLOAD}, { RoleEnforcementPolicies.RESTRICT_IP_ADDRESSES}, { RoleEnforcementPolicies.MASTER_PASSWORD_MINIMUM_LENGTH}, { RoleEnforcementPolicies.RESTRICT_DOMAIN_ACCESS}, { RoleEnforcementPolicies.GENERATED_PASSWORD_COMPLEXITY}, }; await EnterpriseManagementExamples.EnterpriseRoleExamples.RoleManagedNodeExample.RoleEnforcementRemove(roleName: , enforcement: enforcements); ``` {% endcode %} **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

PowerCommander

**Command:** `Remove-KeeperEnterpriseRoleEnforcement` **Aliases:** `Remove-KeeperRoleEnforcement` **Flags:** | Flag | Description | | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-Role` | Role Name or ID (Mandatory, Position 0) | | `-Enforcement` | Enforcement key(s) to remove. Can be semicolon or comma separated. For remove operations, use KEY only (no value). If KEY=value format is provided, only the key portion will be used. (Mandatory, Position 1) | **Example:** ```powershell PS> Remove-KeeperEnterpriseRoleEnforcement -Role PCRTest -Enforcement RESTRICT_FILE_UPLOAD Command: role_enforcement_remove, Enforcement: RESTRICT_FILE_UPLOAD, Result: success ``` Separator as Semicolon: ```powershell PS > Remove-KeeperEnterpriseRoleEnforcement -Role "AdminRole" -Enforcement "TWO_FACTOR_DURATION_WEB;MASTER_PASSWORD_MINIMUM_LENGTH" Command: role_enforcement_remove, Enforcement: TWO_FACTOR_DURATION_WEB, Result: success Command: role_enforcement_remove, Enforcement: MASTER_PASSWORD_MINIMUM_LENGTH, Result: success ``` Separator as Comma: ```powershell PS > Remove-KeeperEnterpriseRoleEnforcement -Role "AdminRole" -Enforcement "TWO_FACTOR_DURATION_WEB,MASTER_PASSWORD_MINIMUM_LENGTH" Command: role_enforcement_remove, Enforcement: TWO_FACTOR_DURATION_WEB, Result: success Command: role_enforcement_remove, Enforcement: MASTER_PASSWORD_MINIMUM_LENGTH, Result: success ``` **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python CLI

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)

Python SDK

Comming Soon **Reference:** [Commander Reference](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#changing-role-enforcements-and-privileges)