# PEDM Policy Commands

### Overview

This section covers all the Keeper Commander commands for managing PEDM privilege elevation policies. Policies define privilege elevation rules with filters and controls that determine when and how users can elevate privileges. These commands allow administrators to create, view, edit, assign, and delete policies with various filters including user, machine, application, date, time, and day restrictions.

This section covers the following commands:

* [**Policy List Command**](#policy-list-command)
* [**Policy Add Command**](#policy-add-command)
* [**Policy Edit Command**](#policy-edit-command)
* [**Policy View Command**](#policy-view-command)
* [**Policy Delete Command**](#policy-delete-command)
* [**Policy Agents Command**](#policy-agents-command)
* [**Policy Assign Command**](#policy-assign-command)

### Usage

`pedm policy command [--options]` OR `pedm p command [--options]`

**Alias:** `p`

***

### Policy List Command

View all PEDM policies with their configuration including policy type, status, controls, and filter settings. Provides an overview of all privilege elevation policies configured in the system.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy list`

**Aliases:** `pedm p l`, `pedm p list`

**Flags:**

| Flag       | Description                         |
| ---------- | ----------------------------------- |
| `--format` | Output format - json, csv, or table |
| `--output` | Save output to specified file       |

**Example:**

```
My Vault> pedm policy list

Policy UID: policy_xyz789
Policy Name: Elevation Policy
Policy Type: PrivilegeElevation
Status: enforce
Controls: ['AUDIT', 'MFA']
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from keepersdk.plugins.pedm import admin_plugin

# enterprise_loader: the enterprise data loader created from an authenticated session
plugin = admin_plugin.PedmPlugin(enterprise_loader)
policies = plugin.policies.get_all_entities()  # every PEDM policy the loader has
```

</details>

### Policy Add Command

Create a new privilege elevation policy with specified filters and controls. Policies can include user, machine, and application filters, along with date, time, and day restrictions. Controls determine what actions are required or allowed during privilege elevation.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy add`

**Aliases:** `pedm p a`, `pedm p add`

**Flags:**

| Flag               | Description                                                                                     |
| ------------------ | ----------------------------------------------------------------------------------------------- |
| `--policy-type`    | Policy type (choices: elevation, file\_access, command, least\_privilege)                       |
| `--policy-name`    | Name for the policy                                                                             |
| `--control`        | Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated |
| `--status`         | Policy status (choices: enforce, monitor, monitor\_and\_notify)                                 |
| `--enable`         | Enable or disable policy (choices: on, off)                                                     |
| `--user-filter`    | User collection UID or \* for all users - can be repeated                                       |
| `--machine-filter` | Machine collection UID - can be repeated                                                        |
| `--app-filter`     | Application collection UID - can be repeated                                                    |
| `--date-filter`    | Date range in ISO format (YYYY-MM-DD:YYYY-MM-DD) - can be repeated                              |
| `--time-filter`    | Time range in 24-hour format (HH:MM-HH:MM) - can be repeated                                    |
| `--day-filter`     | Day of week filter - can be repeated                                                            |
| `--risk-level`     | Policy risk level (0-100)                                                                       |

**Example:**

```
My Vault> pedm policy add --policy-type elevation --policy-name "Admin Elevation" --control audit --control mfa --user-filter "*" --status enforce

Policy created successfully
Policy UID: policy_new123
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from typing import Any, Dict

from keepersdk.plugins.pedm import admin_plugin, admin_types
from keepersdk import utils

# enterprise_loader: the enterprise data loader created from an authenticated session
plugin = admin_plugin.PedmPlugin(enterprise_loader)

controls = ['policy controls']  # e.g. ['AUDIT', 'MFA']
policy_name = 'policy name'
policy_type = 'LeastPrivilege'  # or 'FileAccess', 'PrivilegeElevation'
policy_uid = utils.generate_uid()
policy_data: Dict[str, Any] = {
    'PolicyName': policy_name,
    'PolicyType': policy_type,
    'PolicyId': policy_uid,
    'Status': 'off',
    'Actions': {
        'OnSuccess': {'Controls': controls or []},
        'OnFailure': {'Command': ''}
    },
    'NotificationMessage': 'A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.',
    'NotificationRequiresAcknowledge': False,
    'RiskLevel': 50,
    # Every rule below must pass for the policy to apply
    'Operator': 'And',
    'Rules': [
        {
            'RuleName': 'UserCheck',
            'ErrorMessage': 'This user is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckUser()'
        },
        {
            'RuleName': 'MachineCheck',
            'ErrorMessage': 'This Machine is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckMachine()'
        },
        {
            'RuleName': 'ApplicationCheck',
            'ErrorMessage': 'This application is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckFile(false)'
        },
        {
            'RuleName': 'DateCheck',
            'ErrorMessage': 'Current date is not covered by this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckDate()'
        },
        {
            'RuleName': 'TimeCheck',
            'ErrorMessage': 'Current time is not covered by this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckTime()'
        },
        {
            'RuleName': 'DayCheck',
            'ErrorMessage': 'Today is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckDay()'
        }
    ]
}
disabled: bool = False
policy_key = utils.generate_aes_key()  # each policy gets its own AES key
add_policy = admin_types.PedmPolicy(
    policy_uid=policy_uid, policy_key=policy_key, data=policy_data, admin_data={}, disabled=disabled)
response = plugin.modify_policies(add_policies=[add_policy])
```

</details>
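The `--date-filter`, `--time-filter` and `--day-filter` flags above take range strings, and the policy data combines its checks with `Operator: 'And'`. The following is an added example, not Commander's own code, that parses those range formats and tests whether a timestamp is covered; it assumes day filters are three-letter lowercase names and that each filter type passes when any of its ranges matches.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import List, Tuple

# Added example, not Commander's own code: parse the date and time filter
# strings in the formats the `pedm policy add` flags document and test whether
# a timestamp falls inside them. Assumptions: day filters are three-letter
# lowercase names, each filter type passes when any of its ranges matches, and
# the filter types combine with 'And' like the policy data above.
DAYS = ('mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun')

def parse_date_filter(value: str) -> Tuple[date, date]:
    """'YYYY-MM-DD:YYYY-MM-DD' -> (start, end); rejects reversed ranges."""
    start_s, sep, end_s = value.partition(':')
    if not sep:
        raise ValueError(f'date filter must be START:END, got {value!r}')
    start, end = date.fromisoformat(start_s), date.fromisoformat(end_s)
    if end < start:
        raise ValueError(f'date filter ends before it starts: {value!r}')
    return start, end

def parse_time_filter(value: str) -> Tuple[time, time]:
    """'HH:MM-HH:MM' (24-hour) -> (start, end); no wrap past midnight."""
    start_s, sep, end_s = value.partition('-')
    if not sep:
        raise ValueError(f'time filter must be HH:MM-HH:MM, got {value!r}')
    start = datetime.strptime(start_s, '%H:%M').time()
    end = datetime.strptime(end_s, '%H:%M').time()
    if end <= start:
        raise ValueError(f'time filter is empty or wraps midnight: {value!r}')
    return start, end

@dataclass
class PolicyFilters:
    dates: List[Tuple[date, date]] = field(default_factory=list)
    times: List[Tuple[time, time]] = field(default_factory=list)
    days: List[str] = field(default_factory=list)

    def covers(self, when: datetime) -> bool:
        """True when every configured filter type matches (empty = no restriction)."""
        if self.dates and not any(s <= when.date() <= e for s, e in self.dates):
            return False
        if self.times and not any(s <= when.time() <= e for s, e in self.times):
            return False
        if self.days and DAYS[when.weekday()] not in self.days:
            return False
        return True
```

A policy with no filters of a given type is unrestricted on that axis, which is why an empty list is treated as "always matches".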

### Policy Edit Command

Modify an existing policy's configuration including name, controls, filters, and status. This command allows administrators to update policy settings without recreating the policy.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy edit <policy>`

**Aliases:** `pedm p e`, `pedm p edit`

**Flags:**

| Flag               | Description                                                                                     |
| ------------------ | ----------------------------------------------------------------------------------------------- |
| `policy`           | Policy UID (required)                                                                           |
| `--policy-name`    | New policy name                                                                                 |
| `--control`        | Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated |
| `--status`         | Policy status (choices: enforce, monitor, monitor\_and\_notify)                                 |
| `--enable`         | Enable or disable policy (choices: on, off)                                                     |
| `--user-filter`    | User collection UID or \* - can be repeated                                                     |
| `--machine-filter` | Machine collection UID - can be repeated                                                        |
| `--app-filter`     | Application collection UID - can be repeated                                                    |
| `--date-filter`    | Date range (YYYY-MM-DD:YYYY-MM-DD) - can be repeated                                            |
| `--time-filter`    | Time range (HH:MM-HH:MM) - can be repeated                                                      |
| `--day-filter`     | Day of week - can be repeated                                                                   |
| `--risk-level`     | Risk level (0-100)                                                                              |

**Example:**

```
My Vault> pedm policy edit policy_xyz789 --policy-name "Updated Admin Policy" --control justify --enable on

Policy updated successfully
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
import copy

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
# Edit a copy of the stored policy data so the cached entity stays untouched
policy_data = copy.deepcopy(policy.data or {})
policy_type = policy_data.get('PolicyType') or 'Unknown'
controls = ['policy controls']  # e.g. ['AUDIT', 'JUSTIFY']
if isinstance(controls, list):
    actions = policy_data.get('Actions')
    if not isinstance(actions, dict):
        actions = {}
        policy_data['Actions'] = actions
    on_success = actions.get('OnSuccess')
    if not isinstance(on_success, dict):
        on_success = {}
    on_success['Controls'] = controls
    actions['OnSuccess'] = on_success  # controls live under Actions.OnSuccess

policy_name = 'policy name'
if policy_name:
    policy_data['PolicyName'] = policy_name

disabled = True  # or False
pu = admin_types.PedmUpdatePolicy(policy_uid=policy.policy_uid, data=policy_data, disabled=disabled)

rs = plugin.modify_policies(update_policies=[pu])
```

</details>

### Policy View Command

Display the complete JSON configuration of a policy. This command shows all policy details including filters, controls, rules, and metadata in JSON format.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy view <policy>`

**Aliases:** `pedm p v`, `pedm p view`

**Flags:**

| Flag       | Description                   |
| ---------- | ----------------------------- |
| `policy`   | Policy UID or name (required) |
| `--format` | Output format - json          |
| `--output` | Save to file                  |

**Example:**

```
My Vault> pedm policy view policy_xyz789

{
    "PolicyName": "Admin Elevation",
    "PolicyType": "PrivilegeElevation",
    "Status": "enforce",
    "Actions": {
        "OnSuccess": {
            "Controls": ["AUDIT", "MFA"]
        }
    }
}
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
```

</details>
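The JSON that `pedm policy view` prints is the natural input for a periodic policy review. The following is an added example, not part of Commander, that runs over records in that shape and flags enforce-mode policies whose controls leave no audit trail, no user-facing check, or a high risk level with no approval step; the thresholds, and the `RiskLevel` and `PolicyId` fields (taken from the add example rather than the view output), are assumptions.

```python
import json
from typing import Any, Dict, List

# Added example, not part of Commander: review the JSON that `pedm policy view`
# prints. Thresholds and the use of RiskLevel/PolicyId are assumptions.
# Constructed sample records in the shape of the view output above.
SAMPLE_POLICIES = json.loads('''[
 {"PolicyId": "policy_xyz789", "PolicyName": "Admin Elevation", "Status": "enforce",
  "RiskLevel": 50, "Actions": {"OnSuccess": {"Controls": ["AUDIT", "MFA"]}}},
 {"PolicyId": "policy_new123", "PolicyName": "Build Agent Elevation", "Status": "enforce",
  "RiskLevel": 80, "Actions": {"OnSuccess": {"Controls": ["ALLOW"]}}},
 {"PolicyId": "policy_mon001", "PolicyName": "Pilot Policy", "Status": "monitor",
  "Actions": {"OnSuccess": {"Controls": []}}}
]''')

def controls_of(policy: Dict[str, Any]) -> List[str]:
    """Controls live under Actions.OnSuccess; normalise names to upper case."""
    actions = policy.get('Actions') or {}
    on_success = actions.get('OnSuccess') or {}
    return [str(c).upper() for c in on_success.get('Controls') or []]

def review_policy(policy: Dict[str, Any], high_risk: int = 70) -> List[str]:
    """Findings for one policy; an empty list means nothing to flag."""
    findings: List[str] = []
    if str(policy.get('Status', '')).lower() != 'enforce':
        return findings  # monitor-mode policies do not elevate yet
    controls = set(controls_of(policy))
    if 'AUDIT' not in controls:
        findings.append('enforced without AUDIT control')
    if 'DENY' not in controls and not controls & {'MFA', 'JUSTIFY', 'APPROVAL'}:
        findings.append('elevates with no MFA, justification or approval step')
    risk = int(policy.get('RiskLevel') or 0)
    if risk >= high_risk and 'APPROVAL' not in controls:
        findings.append(f'risk level {risk} without APPROVAL control')
    return findings

def review_policies(policies: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map policy UID -> findings, keeping only policies that have any."""
    report: Dict[str, List[str]] = {}
    for policy in policies:
        findings = review_policy(policy)
        if findings:
            report[policy.get('PolicyId') or policy.get('PolicyName', '?')] = findings
    return report

if __name__ == '__main__':
    for uid, findings in review_policies(SAMPLE_POLICIES).items():
        print(uid, '->', '; '.join(findings))
```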

### Policy Delete Command

Remove one or more policies from the system. This command permanently deletes policy configurations and removes them from all collection assignments.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy delete <policy> [policy...]`

**Aliases:** `pedm p delete`

**Flags:**

| Flag     | Description                                         |
| -------- | --------------------------------------------------- |
| `policy` | Policy UID or name (required, can specify multiple) |

**Example:**

```
My Vault> pedm policy delete policy_old123

Policy deleted successfully
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
to_delete = [policy.policy_uid]

response = plugin.modify_policies(remove_policies=to_delete)
```

</details>

### Policy Agents Command

View which agents are affected by specific policies. This command shows all agents that are assigned to the specified policies through collection assignments.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy agents <policy> [policy...]`

**Aliases:** `pedm p agents`

**Flags:**

| Flag     | Description                                         |
| -------- | --------------------------------------------------- |
| `policy` | Policy UID or name (required, can specify multiple) |

**Example:**

```
My Vault> pedm policy agents policy_xyz789

Policy: policy_xyz789
Name: Admin Elevation
Status: enforce

Agent: agent_abc123
Machine: SERVER-001
Status: on
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from keepersdk.plugins.pedm import admin_plugin, admin_types
from keepersdk.proto import pedm_pb2  # PEDM protobuf messages (import path assumed)

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]

rq = pedm_pb2.PolicyAgentRequest()
rq.policyUid.extend(policy_uids)
rq.summaryOnly = False  # False requests the full per-agent list rather than a summary
# KeeperAuth: the authenticated KeeperAuth instance the enterprise loader was built from
rs = KeeperAuth.execute_router("pedm/get_policy_agents", rq, response_type=pedm_pb2.PolicyAgentResponse)
```

</details>

### Policy Assign Command

Assign collections to policies to determine which resources the policy applies to. Collections can include agents, users, machines, or applications. Use "\*" to assign to all agents.

<details>

<summary>DotNet CLI</summary>

**Command:** Coming Soon

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** Coming Soon

</details>

<details>

<summary>Power Commander</summary>

**Command:** Coming Soon

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm policy assign <policy> [policy...]`

**Aliases:** `pedm p assign`

**Flags:**

| Flag               | Description                                                        |
| ------------------ | ------------------------------------------------------------------ |
| `-c, --collection` | Collection UID to assign (use \* for all agents) - can be repeated |
| `policy`           | Policy UID or name (required, can specify multiple)                |

**Example:**

```
My Vault> pedm policy assign policy_xyz789 -c collection_abc -c collection_def

Collections assigned to policy successfully
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from typing import List

from keepersdk.plugins.pedm import admin_plugin, admin_types
from keepersdk import utils

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]
collections = ['Collection UIDs']  # base64url-encoded UIDs, or '*' / 'all' for all agents
collection_uids: List[bytes] = []
if isinstance(collections, list):
    for c in collections:
        if c in ['*', 'all']:
            collection_uids.append(plugin.all_agents)  # the built-in "all agents" collection
        elif c:
            collection_uid = utils.base64_url_decode(c)
            if len(collection_uid) == 16:  # a valid UID decodes to exactly 16 bytes
                collection_uids.append(collection_uid)

statuses = plugin.assign_policy_collections(policy_uids, collection_uids)
```

</details>
