PEDM Approval Commands

This page describes the commands used to work with PEDM approval requests.

Overview

This section covers all the Keeper Commander commands for managing PEDM privilege elevation approval requests. Approvals manage privilege elevation requests that require administrative approval before execution. These commands allow administrators to view pending requests and take action by approving, denying, or removing approval requests.

This section supports the following commands:

- Approval List Command
- Approval Action Command

Usage

pedm approval command [--options]


Approval List Command

View all privilege elevation approval requests with their status, details, and expiration information. Administrators can filter by approval status to view pending, approved, denied, or expired requests.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm approval list

Aliases: pedm approval l

Flags:

Flag        Description
--type      Filter by approval status (choices: approved, denied, pending, expired)
--format    Output format - json, csv, or table
--output    Save output to specified file

Example:

My Vault> pedm approval list --type pending

Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
approval_list = plugin.approvals.get_all_entities()
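
One way to triage the pending list before acting on it, as an added example that is not Keeper's code: it parses the "Key: Value" layout shown in the CLI example above, orders pending requests by Expire In, and flags requests with no justification or an interpreter process. The second record and the INTERPRETERS review list are constructed for illustration, and because this page does not state the unit of Expire In, the value is used only for ordering.

```python
# Added example: triage of `pedm approval list --type pending` text output.
# SAMPLE is constructed; only the first record's values come from this page.
SAMPLE = """\
Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00

Approval UID: approval_def456
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=jane.roe
Application Info: Process=setup.exe
Justification:
Expire In: 120
Created: 2024-11-05 10:33:00
"""

# Hypothetical review list: programs that run arbitrary commands once elevated.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def parse_approvals(text):
    """One dict per request; a record starts at its 'Approval UID:' line."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip() == "Approval UID":
            records.append({})
        if sep and records:
            records[-1][key.strip()] = value.strip()
    return records

def triage(records):
    """Pending requests, soonest expiry first, each with its review flags."""
    queue = []
    for rec in (r for r in records if r.get("Status", "").lower() == "pending"):
        process = rec.get("Application Info", "").partition("Process=")[2].lower()
        flags = [name for name, hit in (
            ("no-justification", not rec.get("Justification")),
            ("interpreter", process in INTERPRETERS)) if hit]
        expires = rec.get("Expire In", "")
        queue.append((int(expires) if expires.isdigit() else 0, rec["Approval UID"], flags))
    return sorted(queue)
```

Calling triage(parse_approvals(SAMPLE)) returns the review queue; the UIDs an administrator settles on are then passed to pedm approval action with --approve or --deny.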

Approval Action Command

Take action on privilege elevation approval requests by approving, denying, or removing them. This command supports bulk operations and special values like @approved, @denied, @expired, and @pending to target groups of requests.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm approval action

Aliases: pedm approval a

Flags:

Flag        Description
--approve   Request UIDs to approve - can be repeated
--deny      Request UIDs to deny - can be repeated
--remove    Request UIDs to remove, or special values: @approved, @denied, @expired, @pending - can be repeated

Examples:

My Vault> pedm approval action --approve approval_abc123

Approval request approved successfully

My Vault> pedm approval action --deny approval_def456

Approval request denied successfully

My Vault> pedm approval action --remove @expired

All expired approval requests removed successfully

Python SDK

Function:

import logging
from typing import Any, List, Optional, Set

# Import paths for utils and NotificationCenter_pb2 are assumed from the keepersdk package layout
from keepersdk import utils
from keepersdk.proto import NotificationCenter_pb2
from keepersdk.plugins.pedm import admin_plugin

logger = logging.getLogger(__name__)

plugin = admin_plugin.PedmPlugin(enterprise_loader)

def verify_uid(uids: Any) -> Optional[List[bytes]]:
    # Accept one UID or a list of UIDs; keep only values that decode to exactly 16 bytes
    if isinstance(uids, str):
        uids = [uids]
    if isinstance(uids, list):
        to_uid = []
        for uid in uids:
            approve_uid = utils.base64_url_decode(uid)
            if len(approve_uid) == 16:
                to_uid.append(approve_uid)
            else:
                logger.warning(f'Invalid UID: {uid}')
        if len(to_uid) > 0:
            return to_uid
    return None

# Placeholders: replace with the approval requests to act on
list_approve = ['names or uids of approval requests to approve']
list_deny = ['names or uids of approval requests to deny']
list_remove = ['names or uids of approval requests to remove']

to_approve = verify_uid(list_approve)
to_deny = verify_uid(list_deny)
to_remove = list_remove
if to_remove:
    if isinstance(to_remove, str):
        to_remove = [to_remove]
    to_remove_set: Set[bytes] = set()
    to_resolve = []
    # Expand the special selectors into the UIDs of every request with that status.
    # '@expired' has no branch in this snippet and falls through to verify_uid.
    for uid in to_remove:
        if uid == '@approved':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_APPROVED))
        elif uid == '@denied':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_DENIED))
        elif uid == '@pending':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_UNSPECIFIED))
        else:
            to_resolve.append(uid)
    # Anything that is not a selector is validated as an explicit UID
    if len(to_resolve) > 0:
        to_remove = verify_uid(to_resolve)
        if isinstance(to_remove, list):
            to_remove_set.update(to_remove)
    to_remove = list(to_remove_set)

status_rs = plugin.modify_approvals(to_approve=to_approve, to_deny=to_deny, to_remove=to_remove)
