# KEPM Approval Commands
### Overview
This section covers all the Keeper Commander commands for managing KEPM privilege elevation approval requests. Approvals manage privilege elevation requests that require administrative approval before execution. These commands allow administrators to view pending requests and take action by approving, denying, or removing approval requests.
This section supports the following commands:
* [**Approval List Command**](#approval-list-command)
* [**Approval Action Command**](#approval-action-command)
### Usage
`pedm approval command [--options]`
***
### Approval List Command
View all privilege elevation approval requests with their status, details, and expiration information. Administrators can filter by approval status to view pending, approved, denied, or expired requests.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function:** Coming Soon
Power Commander
**Command:** Coming Soon
Python CLI
**Command:** `pedm approval list`
**Aliases:** `pedm approval l`
**Flags:**
| Flag | Description |
| ---------- | ----------------------------------------------------------------------- |
| `--type` | Filter by approval status (choices: approved, denied, pending, expired) |
| `--format` | Output format - json, csv, or table |
| `--output` | Save output to specified file |
**Example:**
```
My Vault> pedm approval list --type pending
Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00
```
Python SDK
**Function:**
```python
from keepersdk.plugins.pedm import admin_plugin
plugin = admin_plugin.PedmPlugin(enterprise_loader)
approval_list = plugin.approvals.get_all_entities()
```
### Approval Action Command
Take action on privilege elevation approval requests by approving, denying, or removing them. This command supports bulk operations and special values like @approved, @denied, @expired, and @pending to target groups of requests.
DotNet CLI
**Command:** Coming Soon
DotNet SDK
**Function:** Coming Soon
Power Commander
**Command:** Coming Soon
Python CLI
**Command:** `pedm approval action`
**Aliases:** `pedm approval a`
**Flags:**
| Flag | Description |
| ----------- | --------------------------------------------------------------------------------------------------- |
| `--approve` | Request UIDs to approve - can be repeated |
| `--deny` | Request UIDs to deny - can be repeated |
| `--remove` | Request UIDs to remove, or special values: @approved, @denied, @expired, @pending - can be repeated |
**Examples:**
```
My Vault> pedm approval action --approve approval_abc123
Approval request approved successfully
```
```
My Vault> pedm approval action --deny approval_def456
Approval request denied successfully
```
```
My Vault> pedm approval action --remove @expired
All expired approval requests removed successfully
```
Python SDK
**Function:**
```python
from keepersdk.plugins.pedm import admin_plugin
plugin = admin_plugin.PedmPlugin(enterprise_loader)
def verify_uid(uids: Any) -> Optional[List[bytes]]:
if isinstance(uids, str):
uids = [uids]
if isinstance(uids, list):
to_uid = []
for uid in uids:
approve_uid = utils.base64_url_decode(uid)
if len(approve_uid) == 16:
to_uid.append(approve_uid)
else:
logger.warning(f'Invalid UID: {uid}')
if len(to_uid) > 0:
return to_uid
return None
list_approve = ['names or uids of approval requests to approve']
list_deny = ['names or uids of approval requests to deny']
list_remove = ['names or uids of approval requests to remove']
to_approve = verify_uid([list('')])
to_deny = verify_uid(kwargs.get('deny'))
to_remove = kwargs.get('remove')
if to_remove:
if isinstance(to_remove, str):
to_remove = [to_remove]
to_remove_set: Set[bytes] = set()
to_resolve = []
for uid in to_remove:
if uid == '@approved':
to_remove_set.update(
(utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_APPROVED))
elif uid == '@denied':
to_remove_set.update(
(utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_DENIED))
elif uid == '@pending':
to_remove_set.update(
(utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_UNSPECIFIED))
else:
to_resolve.append(uid)
if len(to_resolve) > 0:
to_remove = verify_uid(to_resolve)
if isinstance(to_remove, list):
to_remove_set.update(to_remove)
to_remove = list(to_remove_set)
status_rs = plugin.modify_approvals(to_approve=to_approve, to_deny=to_deny, to_remove=to_remove)
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.keeper.io/en/keeperpam/commander-sdk/keeper-commander-sdks/sdk-command-reference/pedm-commands/pedm-approval-commands.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.