PEDM Policy Commands

This page gives information of commands related to perform operations related to PEDM policies

Overview

This section covers all the Keeper Commander commands for managing PEDM privilege elevation policies. Policies define privilege elevation rules with filters and controls that determine when and how users can elevate privileges. These commands allow administrators to create, view, edit, assign, and delete policies with various filters including user, machine, application, date, time, and day restrictions.

This section supports the following commands:

Usage

pedm policy command [--options] OR pedm p command [--options]

Alias: p

Policy List Command

View all PEDM policies with their configuration including policy type, status, controls, and filter settings. Provides an overview of all privilege elevation policies configured in the system.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy list

Aliases: pedm p l, pedm p list

Flags:

Flag
Description

--format

Output format - json, csv, or table

--output

Save output to specified file

Example:

My Vault> pedm policy list

Policy UID: policy_xyz789
Policy Name: Elevation Policy
Policy Type: PrivilegeElevation
Status: enforce
Controls: ['AUDIT', 'MFA']
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policies = plugin.policies.get_all_entities()

Policy Add Command

Create a new privilege elevation policy with specified filters and controls. Policies can include user, machine, and application filters, along with date, time, and day restrictions. Controls determine what actions are required or allowed during privilege elevation.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy add

Aliases: pedm p a, pedm p add

Flags:

Flag
Description

--policy-type

Policy type (choices: elevation, file_access, command, least_privilege)

--policy-name

Name for the policy

--control

Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated

--status

Policy status (choices: enforce, monitor, monitor_and_notify)

--enable

Enable or disable policy (choices: on, off)

--user-filter

User collection UID or * for all users - can be repeated

--machine-filter

Machine collection UID - can be repeated

--app-filter

Application collection UID - can be repeated

--date-filter

Date range in ISO format (YYYY-MM-DD:YYYY-MM-DD) - can be repeated

--time-filter

Time range in 24-hour format (HH:MM-HH:MM) - can be repeated

--day-filter

Day of week filter - can be repeated

--risk-level

Policy risk level (0-100)

Example:

My Vault> pedm policy add --policy-type elevation --policy-name "Admin Elevation" --control audit --control mfa --user-filter "*" --status enforce

Policy created successfully
Policy UID: policy_new123
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin, admin_types
from keepersdk import utils

plugin = admin_plugin.PedmPlugin(enterprise_loader)

controls = ['policy controls']
policy_name = 'policy name'
policy_type = 'LeastPrivilege' ## or 'FileAccess', 'PrivilegeElevation'
policy_uid = utils.generate_uid()
policy_data: Dict[str, Any] = {
    'PolicyName': policy_name,
    'PolicyType': policy_type,
    'PolicyId': policy_uid,
    'Status': 'off',
    'Actions': {
        'OnSuccess': {'Controls': controls or []},
        'OnFailure': {'Command': ''}
    },
    "NotificationMessage": "A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.",
    "NotificationRequiresAcknowledge": False,
    "RiskLevel": 50,
    'Operator': 'And',
    'Rules': [
        {
            'RuleName': 'UserCheck',
            'ErrorMessage': 'This user is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckUser()'
        },
        {
            'RuleName': 'MachineCheck',
            'ErrorMessage': 'This Machine is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckMachine()'
        },
        {
            'RuleName': 'ApplicationCheck',
            'ErrorMessage': 'This application is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckFile(false)'
        },
        {
            "RuleName": "DateCheck",
            "ErrorMessage": "Current date is not covered by this policy",
            "RuleExpressionType": "BuiltInAction",
            "Expression": "CheckDate()"
        },
        {
            'RuleName': 'TimeCheck',
            'ErrorMessage': 'Current time is not covered by this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckTime()'
        },
        {
            'RuleName': 'DayCheck',
            'ErrorMessage': 'Today is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckDay()'
        }
    ]
}
disabled: bool = False
policy_key = utils.generate_aes_key()
add_policy = admin_types.PedmPolicy(
    policy_uid=policy_uid, policy_key=policy_key, data=policy_data, admin_data={}, disabled=disabled)
response = plugin.modify_policies(add_policies=[add_policy])

Policy Edit Command

Modify an existing policy's configuration including name, controls, filters, and status. This command allows administrators to update policy settings without recreating the policy.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy edit <policy>

Aliases: pedm p e, pedm p edit

Flags:

Flag
Description

policy

Policy UID (required)

--policy-name

New policy name

--control

Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated

--status

Policy status (choices: enforce, monitor, monitor_and_notify)

--enable

Enable or disable policy (choices: on, off)

--user-filter

User collection UID or * - can be repeated

--machine-filter

Machine collection UID - can be repeated

--app-filter

Application collection UID - can be repeated

--date-filter

Date range (YYYY-MM-DD:YYYY-MM-DD) - can be repeated

--time-filter

Time range (HH:MM-HH:MM) - can be repeated

--day-filter

Day of week - can be repeated

--risk-level

Risk level (0-100)

Example:

My Vault> pedm policy edit policy_xyz789 --policy-name "Updated Admin Policy" --control justify --enable on

Policy updated successfully
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_data = copy.deepcopy(policy.data or {})
policy_type = policy_data.get('PolicyType') or 'Unknown'
controls = ['policy controls']
if isinstance(controls, list):
    actions = policy_data.get('Actions')
    if not isinstance(actions, dict):
        actions = {}
        policy_data['Actions'] = actions
    on_success = actions.get('OnSuccess')
    if not isinstance(on_success, dict):
        on_success = {}
    on_success['Controls'] = controls
    policy_data['OnSuccess'] = on_success

policy_name = 'policy name'
if policy_name:
    policy_data['PolicyName'] = policy_name

disabled = True #or False
pu = admin_types.PedmUpdatePolicy(policy_uid=policy.policy_uid, data=policy_data, disabled=disabled)

rs = plugin.modify_policies(update_policies=[pu])

Policy View Command

Display the complete JSON configuration of a policy. This command shows all policy details including filters, controls, rules, and metadata in JSON format.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy view <policy>

Aliases: pedm p v, pedm p view

Flags:

Flag
Description

policy

Policy UID or name (required)

--format

Output format - json

--output

Save to file

Example:

My Vault> pedm policy view policy_xyz789

{
    "PolicyName": "Admin Elevation",
    "PolicyType": "PrivilegeElevation",
    "Status": "enforce",
    "Actions": {
        "OnSuccess": {
            "Controls": ["AUDIT", "MFA"]
        }
    }
}
Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)

Policy Delete Command

Remove one or more policies from the system. This command permanently deletes policy configurations and removes them from all collection assignments.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy delete <policy> [policy...]

Aliases: pedm p delete

Flags:

Flag
Description

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy delete policy_old123

Policy deleted successfully
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
to_delete = [policy.policy_uid]

response = plugin.modify_policies(remove_policies=to_delete)

Policy Agents Command

View which agents are affected by specific policies. This command shows all agents that are assigned to the specified policies through collection assignments.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy agents <policy> [policy...]

Aliases: pedm p agents

Flags:

Flag
Description

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy agents policy_xyz789

Policy: policy_xyz789
Name: Admin Elevation
Status: enforce

Agent: agent_abc123
Machine: SERVER-001
Status: on
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]

rq = pedm_pb2.PolicyAgentRequest()
rq.policyUid.extend(policy_uids)
rq.summaryOnly = False
rs = KeeperAuth.execute_router("pedm/get_policy_agents", rq, response_type=pedm_pb2.PolicyAgentResponse)

Policy Assign Command

Assign collections to policies to determine which resources the policy applies to. Collections can include agents, users, machines, or applications. Use "*" to assign to all agents.

DotNet CLI

Command: Coming Soon

DotNet SDK

Function: Coming Soon

Power Commander

Command: Coming Soon

Python CLI

Command: pedm policy assign <policy> [policy...]

Aliases: pedm p assign

Flags:

Flag
Description

-c, --collection

Collection UID to assign (use * for all agents) - can be repeated

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy assign policy_xyz789 -c collection_abc -c collection_def

Collections assigned to policy successfully
Python SDK

Function: 

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]
collections = ['Collection UIDs']
collection_uids: List[bytes] = []
if isinstance(collections, list):
    for c in collections:
        if c in ['*', 'all']:
            collection_uids.append(plugin.all_agents)
        elif c:
            collection_uid = utils.base64_url_decode(c)
            if len(collection_uid) == 16:
                collection_uids.append(collection_uid)


statuses = plugin.assign_policy_collections(policy_uids, collection_uids)
PreviousPEDM Agent CommandsNextPEDM Collection Commands

Last updated

Was this helpful?