# Collections

### Collections Overview

When agents are deployed to endpoints, each agent begins running discovery. During the discovery process, Keeper automatically builds out resource collections. Collections are categorized into the following types:

* **Applications**
* **Machines**
* **Users**
* **Operating Systems**

Collections provide flexible scoping across users, machines, applications, and directories. Enhanced filtering and path resolution capabilities enable administrators to define collections that align closely with organizational structure and operational requirements, supporting both broad policy application and highly targeted enforcement.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FCZyYMyTf4NujtWOrLJRC%2FScreenshot%202025-05-23%20at%2011.42.32%E2%80%AFAM.png?alt=media&#x26;token=7e415509-b3e7-4ebf-abe3-0ad03039e846" alt=""><figcaption><p>Collections</p></figcaption></figure>

### Custom Collections

Admins can also create their own custom collections within **Applications**, **Machines** and **Users**.

### Creating a Collection

Click on **New Collection** to create a collection and assign attributes. For example, a custom collection "Developers" can be created which includes all software engineers. A custom collection of type "Machines" might be called "Web Servers", where only web servers are added to the collection. As another example, a custom collection of type "Applications" might be called "Developer Tools", where applications such as GitHub.exe or Visual Studio Code are included.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FocLb9wVE57JlqaB1LAiG%2FScreenshot%202025-05-23%20at%2010.12.38%E2%80%AFAM.png?alt=media&#x26;token=d85de7fd-e8d5-48e2-b81c-75a3c3981ad2" alt=""><figcaption><p>Creating a New Collection</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FuqKqVbY2FgzxQMmtareU%2FEdit%20Collection.png?alt=media&#x26;token=b74bbc60-8fd6-4edd-9593-6c6a65bcccae" alt=""><figcaption><p>Custom Collections</p></figcaption></figure>

Newly provisioned environments may include baseline wildcard-based application entries to accelerate initial configuration. These entries provide immediate collection coverage for common user and system paths, allowing administrators to refine policy targeting without manually defining every directory structure during onboarding.

{% hint style="info" %}
Collections cannot contain different resource types. For example, a User Group collection cannot contain a Machine resource.
{% endhint %}

### Application Collections

An application collection represents all of the available executables across the fleet of endpoints. Applications can be grouped into custom collections.

Application objects contain information such as:

* Product Name
* Product Version
* File Version
* File Hash
* Publisher Certificate

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FjfbYU66WmJhUEKVku0Ps%2FScreenshot%202025-05-23%20at%2011.06.41%E2%80%AFAM.png?alt=media&#x26;token=7a03dbec-e6c3-4166-a9c1-0bb0e2ca0125" alt=""><figcaption></figcaption></figure>

#### Custom Application Resources

A custom application resource can be defined by the Admin, such as a specific executable. Click on "Add Item to Collection" and select "Manually define resource" to submit the information.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FvauBcQ0OA9oe8OFRnHLT%2FScreenshot%202025-05-23%20at%2011.13.47%E2%80%AFAM.png?alt=media&#x26;token=5f79a875-b99f-416d-b176-9b9a39be70b0" alt=""><figcaption><p>Custom Application Resource</p></figcaption></figure>

#### Wildcard & Path Variables

Collections support the use of wildcard path variables to simplify policy scoping across user and system environments. Path variables allow administrators to define application collections that dynamically resolve to user-specific or system-specific directories, reducing the need to create separate entries for each endpoint.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FT7eYPsvvkJ369eZhzZC2%2Fimage.png?alt=media&#x26;token=a090d8c7-9119-41d7-a3b5-b9839e54a2b1" alt=""><figcaption></figcaption></figure>

Supported path variables include:

* `{desktop}` – Resolves to the current user’s desktop directory
* `{usr}` – Resolves to user home directories
* `{system32}` – Resolves to the Windows System32 directory

These variables allow application collections to scale efficiently across diverse endpoint configurations while maintaining consistent enforcement behavior.

```
// Wildcard Examples
C:\Users\john\Desktop\*
{usr}\*\Downloads\*
{system32}\*.exe
{usr}\*\AppData\Local\Programs\MyApp\MyApp.exe
```
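As an added illustration (not Keeper's code), the sketch below previews which discovered paths the four wildcard examples above would cover, and which paths no pattern covers. It assumes `{usr}` expands to `C:\Users`, `{system32}` to `C:\Windows\System32`, `{desktop}` to the named user's Desktop, that `*` does not cross a `\`, and that matching is case-insensitive; the function names and the sample inventory are constructed for the example.

```python
import re

# Assumed expansions for one Windows endpoint. Illustrative values only:
# the agent's real resolution logic is not described on this page.
ASSUMED_VARS = {"{usr}": r"C:\Users", "{system32}": r"C:\Windows\System32"}

PAGE_PATTERNS = [  # the four wildcard examples from the page
    r"C:\Users\john\Desktop\*",
    r"{usr}\*\Downloads\*",
    r"{system32}\*.exe",
    r"{usr}\*\AppData\Local\Programs\MyApp\MyApp.exe",
]

INVENTORY = [  # constructed sample paths, not real discovery output
    r"C:\Users\john\Desktop\setup.exe",
    r"C:\Users\alice\Downloads\tool.exe",
    r"C:\Users\alice\Downloads\sub\nested.exe",
    r"c:\windows\system32\CMD.EXE",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\bob\AppData\Local\Programs\MyApp\MyApp.exe",
    r"C:\Program Files\Other\other.exe",
]

def expand(pattern, user=None):
    """Replace path variables with the assumed directories."""
    for var, value in ASSUMED_VARS.items():
        pattern = pattern.replace(var, value)
    if "{desktop}" in pattern:
        if not user:
            raise ValueError("{desktop} needs the current user's name")
        pattern = pattern.replace("{desktop}", "\\".join([r"C:\Users", user, "Desktop"]))
    return pattern

def to_regex(pattern):
    """Assumption: '*' stays inside one path segment; matching ignores case."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(r"[^\\]*".join(literal_parts), re.IGNORECASE)

def matches(pattern, path, user=None):
    return to_regex(expand(pattern, user)).fullmatch(path) is not None

def coverage(patterns, paths, user=None):
    """Map each pattern to the paths it covers, plus the paths nothing covers."""
    covered = {p: [x for x in paths if matches(p, x, user)] for p in patterns}
    hit = {x for found in covered.values() for x in found}
    return covered, [x for x in paths if x not in hit]

if __name__ == "__main__":
    print(coverage(PAGE_PATTERNS, INVENTORY))
```

Replace the assumed expansions and the single-segment rule with the behavior observed on a test endpoint before relying on the output.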

### Machine Collections

A machine collection represents the endpoint operating system. It includes the following attributes:

* Machine Name / Identifier
* Operating System Type
* Operating System Version

Machines are automatically aggregated and grouped based on the agent discovery process.

{% hint style="info" %}
Deployment Collections are also automatically added as an available sub-collection inside of Machines.
{% endhint %}

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPVgdc1AQdnqGyTz1nPRs%2FScreenshot%202025-05-23%20at%2011.48.37%E2%80%AFAM.png?alt=media&#x26;token=26168789-1a6b-4503-9156-0f78af3702d3" alt=""><figcaption><p>Machine and Deployment Collections</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FcC0ntxO9FajKRBYgMGDe%2FScreenshot%202025-05-23%20at%2011.07.38%E2%80%AFAM.png?alt=media&#x26;token=2c793244-2343-4529-be7f-3512f0dbb3e9" alt=""><figcaption><p>Individual Machine Resources</p></figcaption></figure>

### Operating System Collections

Operating system resources are automatically discovered by the Keeper agent and made available as a collection for applying policies. The attributes collected include:

* Operating System Name
* Operating System Version

### User Collections

The Keeper agent discovers all of the local users and groups across the fleet of endpoints. They are aggregated and built into "User" collections. Inside the User collection are sub-collections including "User Groups" and "All Accounts", which are read-only.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FGOaG9ojwG4i8CELafCvz%2FScreenshot%202025-05-23%20at%2011.08.26%E2%80%AFAM.png?alt=media&#x26;token=c4614856-0333-4466-93e8-05bee24fb953" alt=""><figcaption><p>User Collection</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FI80wYT6UCxucNCNVCpOf%2FScreenshot%202025-05-23%20at%2011.08.42%E2%80%AFAM.png?alt=media&#x26;token=f85c2d92-d468-4f67-974b-8f9026b2f427" alt=""><figcaption><p>User Resources</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fd5RfnfjmB70U31453mE2%2FScreenshot%202025-05-23%20at%2011.44.20%E2%80%AFAM.png?alt=media&#x26;token=4510f8b6-e053-4db7-a48c-c09be22951d1" alt=""><figcaption><p>User Group resources</p></figcaption></figure>

### Applying Policies

After collections have been established by the discovery process, policies can be applied to device collections and deployment collections to control privilege on all of the endpoints. Visit the [Policies](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/policies) page to learn more.

### Automation with Commander

Keeper Commander supports collection automation through our command-line interface, Service Mode [REST API](https://docs.keeper.io/en/keeperpam/commander-cli/service-mode-rest-api) and Python SDK. [Learn more](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/endpoint-privilege-manager-commands) about Endpoint Privilege Manager commands.

#### Collections

The `pedm collection` command provides management over collections.

```
My Vault> pedm collection -h
pedm command [--options]

Command     Description
----------  ----------------------------------
list        List PEDM collections
view        Show PEDM collection details
add         Creates PEDM collection
update      Update PEDM collections
delete      Delete PEDM collections
connect     Link agent, policy, resource to PEDM collections
disconnect  Unlink agent, policy, resource from PEDM collections
```
