# PEDM Approval Commands

### Overview

This section covers all the Keeper Commander commands for managing PEDM privilege elevation approval requests. Approvals manage privilege elevation requests that require administrative approval before execution. These commands allow administrators to view pending requests and take action by approving, denying, or removing approval requests.

This section supports the following commands:

* [**Approval List Command**](#approval-list-command)
* [**Approval Action Command**](#approval-action-command)

### Usage

`pedm approval command [--options]`

***

### Approval List Command

View all privilege elevation approval requests with their status, details, and expiration information. Administrators can filter by approval status to view pending, approved, denied, or expired requests.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm approval list`

**Aliases:** `pedm approval l`

**Flags:**

| Flag       | Description                                                             |
| ---------- | ----------------------------------------------------------------------- |
| `--type`   | Filter by approval status (choices: approved, denied, pending, expired) |
| `--format` | Output format - json, csv, or table                                     |
| `--output` | Save output to specified file                                           |

**Example:**

```
My Vault> pedm approval list --type pending

Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**&#x20;

```python
from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
approval_list = plugin.approvals.get_all_entities()
```

</details>

### Approval Action Command

Take action on privilege elevation approval requests by approving, denying, or removing them. This command supports bulk operations and special values like @approved, @denied, @expired, and @pending to target groups of requests.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm approval action`

**Aliases:** `pedm approval a`

**Flags:**

| Flag        | Description                                                                                         |
| ----------- | --------------------------------------------------------------------------------------------------- |
| `--approve` | Request UIDs to approve - can be repeated                                                           |
| `--deny`    | Request UIDs to deny - can be repeated                                                              |
| `--remove`  | Request UIDs to remove, or special values: @approved, @denied, @expired, @pending - can be repeated |

**Examples:**

```
My Vault> pedm approval action --approve approval_abc123

Approval request approved successfully
```

```
My Vault> pedm approval action --deny approval_def456

Approval request denied successfully
```

```
My Vault> pedm approval action --remove @expired

All expired approval requests removed successfully
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**&#x20;

```python
from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)

def verify_uid(uids: Any) -> Optional[List[bytes]]:
    if isinstance(uids, str):
        uids = [uids]
    if isinstance(uids, list):
        to_uid = []
        for uid in uids:
            approve_uid = utils.base64_url_decode(uid)
            if len(approve_uid) == 16:
                to_uid.append(approve_uid)
            else:
                logger.warning(f'Invalid UID: {uid}')
        if len(to_uid) > 0:
            return to_uid
    return None

list_approve = ['names or uids of approval requests to approve']
list_deny = ['names or uids of approval requests to deny']
list_remove = ['names or uids of approval requests to remove']
to_approve = verify_uid([list('')])
to_deny = verify_uid(kwargs.get('deny'))
to_remove = kwargs.get('remove')
if to_remove:
    if isinstance(to_remove, str):
        to_remove = [to_remove]
    to_remove_set: Set[bytes] = set()
    to_resolve = []
    for uid in to_remove:
        if uid == '@approved':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_APPROVED))
        elif uid == '@denied':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_DENIED))
        elif uid == '@pending':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_UNSPECIFIED))
        else:
            to_resolve.append(uid)
    if len(to_resolve) > 0:
        to_remove = verify_uid(to_resolve)
        if isinstance(to_remove, list):
            to_remove_set.update(to_remove)
    to_remove = list(to_remove_set)

status_rs = plugin.modify_approvals(to_approve=to_approve, to_deny=to_deny, to_remove=to_remove)
```

</details>