Collections
Managing groups of protected resources for Endpoint Privilege Manager
Collections Overview
When agents are deployed to endpoints, each agent begins to run discovery. During the discovery process, Keeper automatically builds out resource collections. Collections are categorized into the following types:
Applications
Machines
Users
Operating Systems
Collections provide flexible scoping across users, machines, applications, and directories. Enhanced filtering and path resolution capabilities enable administrators to define collections that align closely with organizational structure and operational requirements, supporting both broad policy application and highly targeted enforcement.

Custom Collections
Admins can also create their own custom collections within Applications, Machines and Users.
Creating a Collection
Click on New Collection to create a collection and assign attributes. For example, a custom collection "Developers" can be created which includes all software engineers. A custom collection of type "Machines" might be called "Web Servers", where only web servers are added to the collection. As another example, a custom collection of type "Applications" might be called "Developer Tools", where applications such as GitHub.exe or Visual Studio Code are included.


Newly provisioned environments may include baseline wildcard-based application entries to accelerate initial configuration. These entries provide immediate collection coverage for common user and system paths, allowing administrators to refine policy targeting without manually defining every directory structure during onboarding.
Collections cannot contain different resource types. For example, a User Group collection cannot contain a Machine resource.
Application Collections
An application collection represents all of the available executables across the fleet of endpoints. Applications can be grouped into custom collections.
Application objects contain information such as:
Product Name
Product Version
File Version
File Hash
Publisher Certificate

Custom Application Resources
A custom application resource can be defined by the Admin, such as a specific executable. Click on "Add Item to Collection" and select "Manually define resource" to submit the information.

Wildcard & Path Variables
Collections support the use of wildcard path variables to simplify policy scoping across user and system environments. Path variables allow administrators to define application collections that dynamically resolve to user-specific or system-specific directories, reducing the need to create separate entries for each endpoint.

Supported path variables include:
{desktop} – Resolves to the current user’s desktop directory
{usr} – Resolves to user home directories
{system32} – Resolves to the Windows System32 directory
These variables allow application collections to scale efficiently across diverse endpoint configurations while maintaining consistent enforcement behavior.
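The following is an added example, not Keeper's code or part of the original page: a small Python audit helper that expands the three path variables for a given user and flags wildcard entries that resolve into user-writable locations. The entry syntax (a variable followed by a backslash path), the Windows locations each variable maps to, the fnmatch wildcard semantics, and the function names resolve, matches and review are all assumptions made for illustration.

```python
import fnmatch
import ntpath

# Variable names come from the page; the Windows locations they expand to
# here are assumptions for illustration, not Keeper's resolution logic.
USER_SCOPED = {"{desktop}": r"C:\Users\{user}\Desktop", "{usr}": r"C:\Users\{user}"}
SYSTEM_SCOPED = {"{system32}": r"C:\Windows\System32"}

def resolve(entry, user):
    """Expand a leading path variable in a collection entry for one user."""
    for var, template in {**USER_SCOPED, **SYSTEM_SCOPED}.items():
        if entry.lower().startswith(var):
            return template.replace("{user}", user) + entry[len(var):]
    return entry  # no variable: treat as a literal path pattern

def matches(entry, user, path):
    """True if path is covered by the entry once resolved for user.
    Assumption: fnmatch semantics, where * also crosses directory separators."""
    pattern = ntpath.normcase(resolve(entry, user))
    return fnmatch.fnmatchcase(ntpath.normcase(path), pattern)

def review(entry):
    """Flags that make an entry worth a closer look before policy is attached."""
    flags = []
    if any(entry.lower().startswith(v) for v in USER_SCOPED):
        flags.append("user-writable location")
    if "*" in entry or "?" in entry:
        flags.append("wildcard")
    return flags

# Constructed sample entries, not exported from a real tenant.
SAMPLE_ENTRIES = [r"{system32}\cmd.exe", r"{desktop}\*.exe", r"{usr}\AppData\Local\Programs\*"]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e:40} -> {resolve(e, 'alice'):50} {review(e)}")
```

Entries that carry both flags cover any file a standard user can place in that directory, so they are the first candidates to narrow when refining baseline wildcard entries.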
Machine Collections
A machine collection represents the endpoint operating system. It includes the following attributes:
Machine Name / Identifier
Operating System Type
Operating System Version
Machines are automatically aggregated and grouped based on the agent discovery process.
Deployment Collections are also automatically added as an available sub-collection inside of Machines.


Operating System Collections
The operating system resources are automatically discovered by the Keeper agent, and made available as a collection for applying policies. The attributes collected include:
Operating System Name
Operating System Version
User Collections
The Keeper agent discovers all of the local users and groups across the fleet of endpoints. They are aggregated and built into "User" collections. Inside of the User collection are sub-collections including "User Groups" and "All Accounts" which are read-only.



Applying Policies
After collections have been established by the discovery process, policies can be applied to device collections and deployment collections to control privilege on all of the endpoints. Visit the Policies page to learn more.
Automation with Commander
Keeper Commander supports collection automation through our command-line interface, Service Mode REST API and Python SDK. Learn more about Endpoint Privilege Manager commands.
Collections
The pedm collection command provides management over collections.
Next Steps
Once you have deployed the agent and set up collections, it's time to apply policies.

