Enterprise Role Commands
Manage enterprise role(s).
Usage
enterprise-role command [--options] OR er command [--options]
Alias: er
Commands
Enterprise Role view
View enterprise role.
Dotnet CLI
Command: enterprise-role name
Example:
My Vault> enterprise-role view "IT Admin"
OR
er view "IT Admin"
DotNet SDK
Data can be retrieved from RoleData
Function: RoleData
public interface IRoleDataManagement
Example:
await roleData.Enterprise.Load();
PowerCommander
Command: Get-KeeperEnterpriseRole
Syntax:
Get-KeeperEnterpriseRole [[-RoleId] <long>] [<CommonParameters>]
Aliases: ker
Parameters:
-RoleId - Role ID (optional, lists all if omitted)
Examples:
# List all roles
Get-KeeperEnterpriseRole
ker
# Get specific role
Get-KeeperEnterpriseRole -RoleId 123453
Command: Get-KeeperEnterpriseRoleUsers / Get-KeeperEnterpriseRoleTeams
Get role members
Syntax:
Get-KeeperEnterpriseRoleUsers [-RoleId] <long> [<CommonParameters>]
Get-KeeperEnterpriseRoleTeams [-RoleId] <long> [<CommonParameters>]
Aliases: keru, kert
Parameters:
-RoleId - Role ID (required)
Examples:
# Get users in role
Get-KeeperEnterpriseRoleUsers -RoleId 12345
keru 12345
# Get teams in role
Get-KeeperEnterpriseRoleTeams -RoleId 12345
kert 12345
Python CLI
Command: enterprise-role view
Parameter:
role - Role Name or ID (required)
Flag:
-v, --verbose - Print verbose information
--format - Output format: json
--output - Output filename
Python SDK
Function:
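# role_name (name or ID) and enterprise_data come from the surrounding session (not shown on this page)
role = None
if isinstance(role_name, int):
    # An integer is treated as a role ID
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        # Fall back to a case-insensitive name match; the first match is used
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
Enterprise Role Add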
Create enterprise role(s).
Dotnet CLI
Command: enterprise-role add "Role Name" --node "Node Name" OR er add "Role Name" --node "Node Name"
Example:
My Vault> enterprise-role add "Help Desk" --node "IT Department"
OR
er add "Help Desk" --node "IT Department"
DotNet SDK
Function: CreateRole
Task<EnterpriseRole> CreateRole(string roleName, long nodeId, bool newUserInherit);
Example:
await roleData.CreateRole(arguments.Role, nodeId, arguments.NewUser);
Python CLI
Command: enterprise-role add
Parameter:
role - Role Name. Can be repeated. (required)
Flag:
--parent - Parent node name or ID
--new-user - Assign this role to new users: on or off
--visible-below - Visible to all nodes. 'add' only: on or off
--enforcement - Sets role enforcement. Format: KEY:VALUE. Can be repeated.
-f, --force - Do not prompt for confirmation
Python SDK
Function:
import logging
from typing import Dict, List, Optional, Union
from keepersdk.enterprise import batch_management, enterprise_management, enterprise_types

# enterprise_data, enterprise_loader, enterprise_manager_logger, parent_node_id, apply_to_new_user
# and visible_to_all_nodes come from the surrounding session (not shown on this page)
roles = ['names of roles to add']
# Index existing roles by ID and by lower-cased name; one name can map to several roles (one per node)
role_lookup: Dict[str, Union[enterprise_types.Role, List[enterprise_types.Role]]] = {}
for role in enterprise_data.roles.get_all_entities():
    role_lookup[str(role.role_id)] = role
    if role.name:
        role_name = role.name.lower()
        n = role_lookup.get(role_name)
        if n is None:
            role_lookup[role_name] = role
        elif isinstance(n, list):
            n.append(role)
        elif isinstance(n, enterprise_types.Role):
            role_lookup[role_name] = [n, role]
role_names: Optional[Dict[str, str]] = None
if isinstance(roles, list):
    role_names = {x.lower(): x for x in roles}
    # Drop every requested name that already exists in the target node
    for role_key, role_name in list(role_names.items()):
        r = role_lookup.get(role_key)
        if r is not None:
            skip = False
            if isinstance(r, enterprise_types.Role):
                r = [r]
            for r1 in r:
                if r1.node_id == parent_node_id:
                    logging.info('Role "%s" already exists', r1.name)
                    skip = True
                    break
            if skip:
                del role_names[role_key]
roles_to_add = [enterprise_management.RoleEdit(
    role_id=enterprise_loader.get_enterprise_id(), name=x, node_id=parent_node_id,
    new_user_inherit=apply_to_new_user, visible_below=visible_to_all_nodes)
    for x in role_names.values()]
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
batch.modify_roles(to_add=roles_to_add)
batch.apply()
Enterprise Role Edit
Edit enterprise role(s).
Python CLI
Command: enterprise-role edit
Parameter:
role - Role Name or ID. Can be repeated. (required)
Flag:
--parent - Parent node name or ID
--name, --displayname - Set role display name
--new-user - Assign this role to new users: on or off
--visible-below - Visible to all nodes: on or off
--enforcement - Sets role enforcement. Format: KEY:VALUE. Can be repeated.
Python SDK
Function:
from keepersdk.enterprise import batch_management, enterprise_management

# role_name, parent_id, new_user_inherit, visible_below, enterprise_data and enterprise_loader
# come from the surrounding session (not shown on this page)
role = None
if isinstance(role_name, int):
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        # Case-insensitive name match; the first match is used
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
role_list = [role] if role else []
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
roles_to_update = [enterprise_management.RoleEdit(
    role_id=x.role_id, name=role_name, node_id=parent_id,
    new_user_inherit=new_user_inherit, visible_below=visible_below)
    for x in role_list]
batch.modify_roles(to_update=roles_to_update)
batch.apply()
Enterprise Role Delete
Delete enterprise node(s).
Dotnet CLI
Command: enterprise-role delete <"Node name"> OR er delete <"Node name">
Example:
My Vault> enterprise-role delete "Help Desk"
DotNet SDK
Function: DeleteRole()
Usage:
public async Task DeleteRole(EnterpriseRole role)
Example:
await roleData.DeleteRole(role);
Python CLI
Command: enterprise-node delete
Parameter:
role - Role Name or ID. Can be repeated. (required)
Python SDK
Function:
from keepersdk.enterprise import batch_management, enterprise_management

# role_name, enterprise_data and enterprise_loader come from the surrounding session (not shown on this page)
role = None
if isinstance(role_name, int):
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        # Case-insensitive name match; the first match is used
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
role_list = [role] if role else []
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
batch.modify_roles(to_remove=[enterprise_management.RoleEdit(role_id=x.role_id) for x in role_list])
batch.apply()
Enterprise Role Admin
Manage enterprise admin role.
DotNet SDK
Function: AddUserToAdminRole
Usage:
public async Task AddUserToAdminRole(EnterpriseRole role, EnterpriseUser user)
PowerCommander
Command: Get-KeeperEnterpriseAdminRole
Get roles with admin privileges for user
Syntax:
Get-KeeperEnterpriseAdminRole [-Email] <string> [<CommonParameters>]
Aliases: kerap
Parameters:
-Email - User email
Examples:
Get-KeeperEnterpriseAdminRole
OR
Get-KeeperEnterpriseAdminRole -Email "[email protected]"
kerap "[email protected]"
Python CLI
Command: enterprise-role admin
Parameter:
role - Role Name or ID (required)
Flag:
-aa, --add-admin - Add managed node to role. Can be repeated.
-ra, --remove-admin - Remove managed node from role. Can be repeated.
-ap, --add-privilege - Add privilege to managed node. Can be repeated.
-rp, --remove-privilege - Remove privilege from managed node. Can be repeated.
--cascade - Apply to the child nodes. "--add-admin" only: on or off
Python SDK
Function:
import logging
from typing import List, Optional, Set
from keepersdk.enterprise import batch_management, enterprise_management, enterprise_types

# role_name, enterprise_data, enterprise_loader and enterprise_manager_logger
# come from the surrounding session (not shown on this page)
logger = logging.getLogger(__name__)
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
role = None
if isinstance(role_name, int):
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
# Nodes this role already manages, keyed by node ID
existing_nodes = {x.managed_node_id: x for x in enterprise_data.managed_nodes.get_links_by_subject(role.role_id)}
nodes_to_add_admin: Optional[List[enterprise_types.Node]] = None
nodes_to_remove_admin: Optional[List[enterprise_types.Node]] = None
cascade: Optional[bool] = None
add_admins = ['nodes']
if isinstance(add_admins, list):
    nodes_to_add_admin = []
    for admin in add_admins:
        node = None
        if isinstance(admin, int):
            node = enterprise_data.nodes.get_entity(admin)
        elif isinstance(admin, str):
            node = next((n for n in enterprise_data.nodes.get_all_entities()
                         if n.name.lower() == admin.lower()), None)
        if node:
            nodes_to_add_admin.append(node)
remove_admins = ['nodes']
if isinstance(remove_admins, list):
    nodes_to_remove_admin = []
    for admin in remove_admins:
        node = None
        if isinstance(admin, int):
            node = enterprise_data.nodes.get_entity(admin)
        elif isinstance(admin, str):
            node = next((n for n in enterprise_data.nodes.get_all_entities()
                         if n.name.lower() == admin.lower()), None)
        if node:
            nodes_to_remove_admin.append(node)
add_privileges = ['privileges to be granted']
remove_privileges = ['privileges to be removed']
if nodes_to_add_admin is not None:
    aps: Optional[Set[str]] = None
    rps: Optional[Set[str]] = None
    if isinstance(add_privileges, list):
        privilege = enterprise_types.RolePrivileges(role_id=0, managed_node_id=0)
        for p in add_privileges:
            if not privilege.set_by_name(p, True):
                logger.info('Invalid privilege "%s"', p)
        aps = privilege.to_set()
    if isinstance(remove_privileges, list):
        privilege = enterprise_types.RolePrivileges(role_id=0, managed_node_id=0)
        for p in remove_privileges:
            if not privilege.set_by_name(p, False):
                logger.info('Invalid privilege "%s"', p)
        rps = privilege.to_set()
    for node in nodes_to_add_admin:
        mne = enterprise_management.ManagedNodeEdit(
            role_id=role.role_id, managed_node_id=node.node_id, cascade_node_management=cascade)
        if aps and len(aps) > 0:
            if mne.privileges is None:
                mne.privileges = {}
            for p in aps:
                mne.privileges[p] = True
        if rps and len(rps) > 0:
            if mne.privileges is None:
                mne.privileges = {}
            for p in rps:
                mne.privileges[p] = False
        if node.node_id in existing_nodes:
            # Already a managed node: update only when cascade or privileges change
            en = existing_nodes[node.node_id]
            assert en
            if (isinstance(cascade, bool) and en.cascade_node_management != cascade) or aps or rps:
                batch.modify_managed_nodes(to_update=[mne])
        else:
            batch.modify_managed_nodes(to_add=[mne])
if nodes_to_remove_admin is not None:
    for node in nodes_to_remove_admin:
        if node.node_id in existing_nodes:
            batch.modify_managed_nodes(to_remove=[enterprise_management.ManagedNodeEdit(
                role_id=role.role_id, managed_node_id=node.node_id)])
batch.apply()
Enterprise Role Membership
Manage enterprise role membership.
Dotnet CLI
Command: enterprise-role add-members "Role Name"
Aliases: er
Example:
My Vault> enterprise-role add-members "IT Admin" [email protected]
My Vault> enterprise-role remove-members "IT Admin" [email protected]
DotNet SDK
Function:
AddUserToAdminRole - To add user as admin
RemoveUserFromRole - To remove admin role from user
Examples:
public async Task AddUserToAdminRole(EnterpriseRole role, EnterpriseUser user)
public async Task RemoveUserFromRole(EnterpriseRole role, EnterpriseUser user)
Python CLI
Command: enterprise-role membership
Parameter:
node - Node Name or ID (required)
Options:
-h, --help show this help message and exit
-au, --add-user EMAIL - add user to role. Can be repeated.
-ru, --remove-user EMAIL - remove user (Email, User ID, @all) from role. Can be repeated.
-at, --add-team TEAM - add team to role. Can be repeated.
-rt, --remove-team TEAM - remove team (Name, Team UID, @all) from role. Can be repeated.
Warning: This action cannot be undone and will remove all users, roles, teams, and subnodes.
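The effect of the add and remove options above, including the @all shortcut, can be computed as a plan and reviewed before a batch is applied. This is an added example, not Keeper SDK code: users are a plain email-to-ID mapping, and plan_role_users, MembershipPlan, DIRECTORY and IN_ROLE are hypothetical names with constructed data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

ALL = '@all'  # the "remove everyone" marker accepted by -ru / -rt


@dataclass
class MembershipPlan:
    to_add: List[int] = field(default_factory=list)
    to_remove: List[int] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)  # emails not in the directory
    remove_all: bool = False


def plan_role_users(directory: Dict[str, int], existing: Set[int],
                    add: Iterable[str], remove: Iterable[str]) -> MembershipPlan:
    """Compute what a membership change would do, without applying anything.

    directory maps lower-cased email to enterprise user ID; existing holds the
    user IDs that are in the role now.
    """
    plan = MembershipPlan()

    def lookup(email: str):
        uid = directory.get(email.lower())
        if uid is None and email not in plan.unknown:
            plan.unknown.append(email)
        return uid

    for email in add:
        uid = lookup(email)
        # Adding a current member is a no-op, as in the page's SDK snippet.
        if uid is not None and uid not in existing and uid not in plan.to_add:
            plan.to_add.append(uid)

    remove = list(remove)
    if ALL in remove:
        # @all overrides named removals and expands to the members present
        # before this change, so users added in the same plan are kept.
        plan.remove_all = True
        plan.to_remove = sorted(existing)
    else:
        for email in remove:
            uid = lookup(email)
            # Assumption of this sketch: removing a non-member is skipped.
            if uid is not None and uid in existing and uid not in plan.to_remove:
                plan.to_remove.append(uid)
    return plan


# Constructed sample directory and current role membership.
DIRECTORY = {'alice@example.com': 1, 'bob@example.com': 2, 'carol@example.com': 3}
IN_ROLE = {1, 2}
```

Reviewing plan.to_remove and plan.unknown before building the batch shows how many accounts an @all removal touches and which addresses were mistyped.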
Python SDK
Function:
from typing import Dict, List, Optional, Union
from keepersdk.enterprise import batch_management, enterprise_management, enterprise_types

# role_name, enterprise_data, enterprise_loader and enterprise_manager_logger
# come from the surrounding session (not shown on this page)
role = None
if isinstance(role_name, int):
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
role_list = [role] if role else []
users_to_add: Optional[List[enterprise_types.User]] = None
teams_to_add: Optional[List[enterprise_types.Team]] = None
users_to_remove: Optional[List[enterprise_types.User]] = None
teams_to_remove: Optional[List[enterprise_types.Team]] = None
add_users = ['list of user to add']
add_teams = ['list of teams to add']
remove_users = ['list of user to remove']
has_remove_all_users: bool = False
remove_teams = ['list of teams to remove']
has_remove_all_teams: bool = False
if isinstance(add_users, list):
    users_to_add = []
    for add_user in add_users:
        user = next((u for u in enterprise_data.users.get_all_entities()
                     if u.username.lower() == add_user.lower()), None)
        if user:
            users_to_add.append(user)
if isinstance(add_teams, list):
    # Index teams by UID and by lower-cased name; one name can map to several teams
    team_lookup: Dict[str, Union[enterprise_types.Team, List[enterprise_types.Team]]] = {}
    for team in enterprise_data.teams.get_all_entities():
        team_lookup[team.team_uid] = team
        team_name = team.name.lower()
        t = team_lookup.get(team_name)
        if t is None:
            team_lookup[team_name] = team
        elif isinstance(t, list):
            t.append(team)
        elif isinstance(t, enterprise_types.Team):
            team_lookup[team_name] = [t, team]
    found_teams: Dict[str, enterprise_types.Team] = {}
    t: Optional[enterprise_types.Team]
    for team_name in add_teams:
        t = None
        if isinstance(team_name, str):
            t = enterprise_data.teams.get_entity(team_name)
            if t is None:
                tt = team_lookup.get(team_name.lower())
                if isinstance(tt, list):
                    if len(tt) == 1:
                        t = tt[0]
                    elif len(tt) >= 2:
                        # Ambiguous team name: skip it
                        continue
                elif isinstance(tt, enterprise_types.Team):
                    t = tt
        if t is None:
            continue
        found_teams[t.team_uid] = t
    teams_to_add = list(found_teams.values())
if isinstance(remove_users, list):
    has_remove_all_users = any(x == '@all' for x in remove_users)
    if not has_remove_all_users:
        users_to_remove = []
        for remove_user in remove_users:
            user = next((u for u in enterprise_data.users.get_all_entities()
                         if u.username.lower() == remove_user.lower()), None)
            if user:
                users_to_remove.append(user)
if isinstance(remove_teams, list):
    has_remove_all_teams = any(x == '@all' for x in remove_teams)
    if not has_remove_all_teams:
        team_lookup: Dict[str, Union[enterprise_types.Team, List[enterprise_types.Team]]] = {}
        for team in enterprise_data.teams.get_all_entities():
            team_lookup[team.team_uid] = team
            team_name = team.name.lower()
            t = team_lookup.get(team_name)
            if t is None:
                team_lookup[team_name] = team
            elif isinstance(t, list):
                t.append(team)
            elif isinstance(t, enterprise_types.Team):
                team_lookup[team_name] = [t, team]
        found_teams: Dict[str, enterprise_types.Team] = {}
        t: Optional[enterprise_types.Team]
        for team_name in remove_teams:
            t = None
            if isinstance(team_name, str):
                t = enterprise_data.teams.get_entity(team_name)
                if t is None:
                    tt = team_lookup.get(team_name.lower())
                    if isinstance(tt, list):
                        if len(tt) == 1:
                            t = tt[0]
                        elif len(tt) >= 2:
                            continue
                    elif isinstance(tt, enterprise_types.Team):
                        t = tt
            if t is None:
                continue
            found_teams[t.team_uid] = t
        teams_to_remove = list(found_teams.values())
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
for role in role_list:
    # Current members of the role, read before any change is queued
    existing_users = {x.enterprise_user_id for x in enterprise_data.role_users.get_links_by_subject(role.role_id)}
    existing_teams = {x.team_uid for x in enterprise_data.role_teams.get_links_by_subject(role.role_id)}
    if users_to_add:
        users_to_add = [x for x in users_to_add if x.enterprise_user_id not in existing_users]
        if users_to_add:
            batch.modify_role_users(to_add=[enterprise_management.RoleUserEdit(
                role_id=role.role_id, enterprise_user_id=x.enterprise_user_id) for x in users_to_add])
    if teams_to_add:
        teams_to_add = [x for x in teams_to_add if x.team_uid not in existing_teams]
        if teams_to_add:
            batch.modify_role_teams(to_add=[enterprise_management.RoleTeamEdit(
                role_id=role.role_id, team_uid=x.team_uid) for x in teams_to_add])
    if has_remove_all_users:
        batch.modify_role_users(to_remove=[enterprise_management.RoleUserEdit(
            role_id=role.role_id, enterprise_user_id=x) for x in existing_users])
    elif users_to_remove:
        batch.modify_role_users(to_remove=[enterprise_management.RoleUserEdit(
            role_id=role.role_id, enterprise_user_id=x.enterprise_user_id) for x in users_to_remove])
    if has_remove_all_teams:
        batch.modify_role_teams(to_remove=[enterprise_management.RoleTeamEdit(
            role_id=role.role_id, team_uid=x) for x in existing_teams])
    elif teams_to_remove:
        batch.modify_role_teams(to_remove=[enterprise_management.RoleTeamEdit(
            role_id=role.role_id, team_uid=x.team_uid) for x in teams_to_remove])
batch.apply()
Enterprise Role Copy
Copy role with enforcement.
Python CLI
Command: enterprise-role copy
Parameter:
role - Role Name or ID (required)
Flag:
--node - New role node name or ID (required)
--name, --displayname - New role name (required)
Python SDK
Function:
from keepersdk.enterprise import batch_management, enterprise_management

# role_name, enterprise_data, enterprise_loader and enterprise_manager_logger
# come from the surrounding session (not shown on this page)
role = None
if isinstance(role_name, int):
    role = enterprise_data.roles.get_entity(role_name)
elif isinstance(role_name, str):
    if role_name.isnumeric():
        role = enterprise_data.roles.get_entity(int(role_name))
    if not role:
        role = next((x for x in enterprise_data.roles.get_all_entities()
                     if x.name.lower() == role_name.lower()), None)
node_id = 'node uid or name'
node = None
if isinstance(node_id, int):
    node = enterprise_data.nodes.get_entity(node_id)
elif isinstance(node_id, str):
    node = next((n for n in enterprise_data.nodes.get_all_entities()
                 if n.name.lower() == node_id.lower()), None)
role_name = 'name for role copy'
batch = batch_management.BatchManagement(loader=enterprise_loader, logger=enterprise_manager_logger)
# ID for the new role
role_id = enterprise_loader.get_enterprise_id()
role_to_add = enterprise_management.RoleEdit(
    role_id=role_id, node_id=node.node_id, name=role_name,
    visible_below=role.visible_below, new_user_inherit=role.new_user_inherit)
batch.modify_roles(to_add=[role_to_add])
# Copy every enforcement of the source role onto the new role
enforcements = [enterprise_management.RoleEnforcementEdit(role_id=role_id, name=x.enforcement_type, value=x.value)
                for x in enterprise_data.role_enforcements.get_links_by_subject(role.role_id)]
batch.modify_role_enforcements(enforcements=enforcements)
batch.apply()
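Each Python SDK snippet on this page resolves a role by ID or by case-insensitive name, and the add snippet shows that one name can belong to roles in several nodes. The added example below is not Keeper SDK code (Role, AmbiguousRole, resolve_role and SAMPLE_ROLES are hypothetical stand-ins with constructed data); it generalizes that lookup so an edit or delete by name fails instead of picking one of several matching roles.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Union


@dataclass(frozen=True)
class Role:
    """Stand-in for an SDK role entity (assumption: only these fields are needed)."""
    role_id: int
    name: str
    node_id: int


class AmbiguousRole(LookupError):
    """A name matched more than one role; the caller must pass an ID or a node."""


def resolve_role(roles: Iterable[Role], key: Union[int, str],
                 node_id: Optional[int] = None) -> Role:
    """Resolve a role by ID or name, refusing to guess between duplicates."""
    roles = list(roles)
    by_id = {r.role_id: r for r in roles}
    # An integer, or an all-digit string that matches an existing ID, is an ID.
    if isinstance(key, int):
        if key not in by_id:
            raise LookupError(f'No role with ID {key}')
        return by_id[key]
    if key.isnumeric() and int(key) in by_id:
        return by_id[int(key)]
    # Otherwise match the name case-insensitively, optionally within one node.
    matches = [r for r in roles
               if (r.name or '').lower() == key.lower()
               and (node_id is None or r.node_id == node_id)]
    if not matches:
        raise LookupError(f'No role named "{key}"')
    if len(matches) > 1:
        ids = ', '.join(str(r.role_id) for r in matches)
        raise AmbiguousRole(f'"{key}" matches role IDs {ids}; use an ID or a node')
    return matches[0]


# Constructed sample data: two nodes that each hold a "Help Desk" role.
SAMPLE_ROLES = [
    Role(101, 'Help Desk', node_id=1),
    Role(102, 'help desk', node_id=2),
    Role(103, 'IT Admin', node_id=1),
    Role(104, '2024', node_id=1),
]

if __name__ == '__main__':
    print(resolve_role(SAMPLE_ROLES, 'it admin'))
    print(resolve_role(SAMPLE_ROLES, 'Help Desk', node_id=2))
    try:
        resolve_role(SAMPLE_ROLES, 'Help Desk')
    except AmbiguousRole as e:
        print('refused:', e)
```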

