Job: Run Guide KeeperAdminCLI

Job Run Guide: How to Run Each Job (KeeperAdminCLI and API)

This guide describes how each job is intended to run, which parameters are required or useful, and gives concrete examples you can use with KeeperAdminCLI or with the trigger API (curl) when parameters are needed.

Prerequisites:

  • KeeperPrivilegeManager (KPM) must be running.

  • Run KeeperAdminCLI as Administrator (the run/trigger API requires admin).

  • Default KPM URL: https://localhost:6889 (override with --port 6889 or --url <url>).

Two ways to run a job:

  1. No parameters: KeeperAdminCLI --port 6889 jobs run --id <jobId> (POST /api/Jobs/{jobId}/run, no body).

  2. With parameters: POST to /api/Jobs/{jobId}/trigger with JSON body. KeeperAdminCLI does not support this yet; use curl (or similar) as shown below.

Quick reference: KeeperAdminCLI-only jobs (no parameters)

These can be run with only KeeperAdminCLI (no curl):

| Job ID | Command |
| --- | --- |
| FileInventory | KeeperAdminCLI --port 6889 jobs run --id 68112CE4-A2A8-4243-83C9-90BF8D2188A0 |
| ExecutionGrantStartupCleanup | KeeperAdminCLI --port 6889 jobs run --id ExecutionGrantStartupCleanup |
| locale-cache-cleanup | KeeperAdminCLI --port 6889 jobs run --id locale-cache-cleanup |
| UserInventory | KeeperAdminCLI --port 6889 jobs run --id 3A124C4D-2D41-4174-9A13-998D1683DADC |
| ephemeral-account-cleanup-if-unused | KeeperAdminCLI --port 6889 jobs run --id ephemeral-account-cleanup-if-unused |
| ephemeral-orphan-profile-folders-cleanup | KeeperAdminCLI --port 6889 jobs run --id ephemeral-orphan-profile-folders-cleanup |
| log-version-info | KeeperAdminCLI --port 6889 jobs run --id log-version-info |
| FileAccessStartupCleanup | KeeperAdminCLI --port 6889 jobs run --id FileAccessStartupCleanup |
| process-configuration-policies | KeeperAdminCLI --port 6889 jobs run --id process-configuration-policies |
| ApplyFileAccessPolicies | KeeperAdminCLI --port 6889 jobs run --id ApplyFileAccessPolicies |
| agent_registration | KeeperAdminCLI --port 6889 jobs run --id agent_registration |
| keeperagent-silent-expiration-check | KeeperAdminCLI --port 6889 jobs run --id keeperagent-silent-expiration-check |
| InventoryBasic | KeeperAdminCLI --port 6889 jobs run --id 60260BA2-0713-4292-8A93-974E0E329BE1 |
| ShowAgent | KeeperAdminCLI --port 6889 jobs run --id ShowAgent |
| least-privilege-check | KeeperAdminCLI --port 6889 jobs run --id least-privilege-check |
| RevertFileAccess | KeeperAdminCLI --port 6889 jobs run --id RevertFileAccess |
| StartKeeperClient | KeeperAdminCLI --port 6889 jobs run --id StartKeeperClient |

Jobs that need parameters require POST /api/Jobs/{jobId}/trigger (or /evaluate) with a JSON body. Use curl as in the per-job examples until KeeperAdminCLI supports passing context.
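The rule above as a pre-flight check, added here as an example (it is not Keeper's code and sends nothing to KPM). `job_spec` and `plan_call` are hypothetical helper names; the endpoints and required-parameter lists are copied from the per-job sections of this guide for a subset of jobs.

```sh
#!/bin/sh
# Added example: pre-flight check before calling the KPM job API.
# Endpoints and required parameters are copied from this guide for a subset
# of jobs; "A|B" means either parameter satisfies the requirement.
KPM_URL="${KPM_URL:-https://localhost:6889}"   # default KPM URL from the guide

# job_spec <jobId>: prints "<endpoint> [required ...]"; fails for jobs not listed.
job_spec() {
  case "$1" in
    log-version-info|locale-cache-cleanup) echo "run" ;;
    LaunchFileAccess|LaunchNativeElevation) echo "trigger FilePath" ;;
    LaunchApprovedRequest|LaunchPrivilegeElevation) echo "trigger ApprovalUid|FilePath" ;;
    monitor-and-notify-notification) echo "trigger Message" ;;
    create-approved-request-from-policy-result) echo "trigger RequestId Response" ;;
    default-policy-controls|file-access-policy-controls|privilege-elevation-policy-controls)
      echo "trigger SessionId RespondToTopic" ;;
    composite-risk-evaluation) echo "evaluate FilePath UserName MachineName TargetRiskScore" ;;
    user-risk-assessment) echo "evaluate UserName" ;;
    machine-risk-assessment) echo "evaluate MachineName" ;;
    file-risk-assessment|location-risk-assessment) echo "evaluate FilePath" ;;
    *) return 1 ;;
  esac
}

# plan_call <jobId> [ParamName ...] (hypothetical helper; sends nothing)
# Prints "POST <url>" when all required parameter names are supplied (status 0),
# "MISSING <names>" otherwise (status 2), "UNKNOWN <jobId>" for unlisted jobs (1).
plan_call() {
  _job="$1"; shift
  _spec="$(job_spec "$_job")" || { echo "UNKNOWN $_job"; return 1; }
  _endpoint="${_spec%% *}"
  case "$_spec" in *" "*) _reqs="${_spec#* }" ;; *) _reqs="" ;; esac
  _have=" $* "
  _missing=""
  for _need in $_reqs; do
    _ok=0
    for _alt in $(echo "$_need" | tr '|' ' '); do
      case "$_have" in *" $_alt "*) _ok=1 ;; esac
    done
    [ "$_ok" -eq 1 ] || _missing="$_missing $_need"
  done
  if [ -n "$_missing" ]; then echo "MISSING$_missing"; return 2; fi
  echo "POST $KPM_URL/api/Jobs/$_job/$_endpoint"
}

# Constructed sample calls
plan_call composite-risk-evaluation FilePath UserName || true
plan_call LaunchApprovedRequest ApprovalUid
```

Running the check before building a curl request catches a trigger that would start a job with an incomplete context, such as a launch job with neither ApprovalUid nor FilePath.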


FileInventory (68112CE4-A2A8-4243-83C9-90BF8D2188A0)

Name: FileInventory
How it should run: Scheduled (every 7200 min) or manually. Runs file inventory and reports to KeeperLogger/KeeperApi.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


ExecutionGrantStartupCleanup

Name: Execution Grant Startup Cleanup
How it should run: On startup (event) or manually. Cleans expired execution grants and orphaned expire-exec-grant job files.
Required parameters: None.
Optional parameters: KeeperApiBaseUrl (default: https://127.0.0.1:6889).

Example (KeeperAdminCLI):


privilege-elevation-policy-controls

Name: Privilege Elevation Policy Controls
How it should run: Triggered by PolicyEvaluationPending event (from KeeperPolicy when a privilege-elevation request is PENDING). Not intended for manual run without full policy context.
Required parameters: SessionId, RespondToTopic.
Optional parameters: ControlList, CommandLine, UserName, RequestId, JobId, FileName, FilePath, EventType (PrivilegeElevation), KeeperApiBaseUrl.

Example (with parameters via API): Use only when simulating a policy pending flow (e.g. testing). Normally triggered by MQTT/event.

Note: Running manually without a real MQTT response topic will not complete the flow; the job may run, but the response has nowhere to go.


LaunchFileAccess

Name: Launch File Access Grant
How it should run: Triggered by LaunchFileAccess custom event after file-access policy allows (and controls satisfied). Grants temporary file access and/or launches the executable.
Required parameters: FilePath.
Optional parameters: RequestId, FileName, UserIdentifier, UserName, PolicyUid, ControlList, Justification, ApprovalUid, GrantedAccess, DurationMinutes, KeeperApiBaseUrl, IsFromHook, CommandLine.

Example (with parameters via API):


StartKeeperClient

Name: Start Keeper Client for User Session
How it should run: Triggered by UserLogin, SessionConnect, StartKeeperClient, or ExistingSession when desktop is available. Starts KeeperClient in the user session.
Required parameters: SessionId, UserName (in schema; task does not pass them to exe).
Optional parameters: Domain, EventType, IsInteractive.

Example (minimal – KeeperAdminCLI): May start client with no session context.

Example (with context via API):


locale-cache-cleanup

Name: Locale Cache Cleanup
How it should run: Scheduled (every 30 min) or manually. Cleans locale cache for users no longer logged on.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


composite-risk-evaluation

Name: Composite Risk Evaluation
How it should run: Called synchronously via /api/Jobs/{jobId}/evaluate by policy/risk logic with file/user/machine context. Not typically run via “run” or “trigger”; use evaluate for a result.
Required parameters: FilePath, UserName, MachineName, TargetRiskScore.
Optional parameters: LocationRiskJobId, UserRiskJobId, ApplicationRiskJobId, MachineRiskJobId (defaults in job).

Example (evaluate API – synchronous, returns pass/fail): Include KeeperApiBaseUrl so the job can call sub-risk jobs; the executor may also fall back to config if missing.


file-access-policy-controls

Name: File Access Policy Controls
How it should run: Triggered by PolicyEvaluationPending for FileAccess. Not intended for standalone manual run.
Required parameters: SessionId, RespondToTopic.
Optional parameters: ControlList, UserName, RequestId, FilePath, FileName, EventType (FileAccess), KeeperApiBaseUrl, DurationMinutes.

Example (with parameters via API – for testing only):


UserInventory (3A124C4D-2D41-4174-9A13-998D1683DADC)

Name: UserInventory
How it should run: Scheduled (every 7200 min) or on AgentRegistered/Startup. Runs user inventory.
Required parameters: None (httpport is injected by executor).
Optional parameters: None.

Example (KeeperAdminCLI):


ephemeral-account-cleanup-if-unused

Name: Ephemeral Account Cleanup If Unused
How it should run: Scheduled (every 30 sec) or manually. Deletes ephemeral account if no process is running as KeeperUserSession.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


create-approved-request-from-policy-result

Name: Create Approved Request From Policy Result
How it should run: Triggered by PolicyEvaluationResult when policy returns ALLOW. Creates approved request server-side.
Required parameters: RequestId, Response.
Optional parameters: FileName, FilePath, CommandLine, UserName, EventType, OriginalEventType, RespondToTopic, KeeperApiBaseUrl.

Example (with parameters via API): Only meaningful when Response is ALLOW.


ephemeral-orphan-profile-folders-cleanup

Name: Ephemeral Orphan Profile Folders Cleanup
How it should run: Scheduled (every 5 min) or manually. Cleans orphaned KeeperUserSession profile folders (Windows).
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


user-risk-assessment

Name: User Risk Assessment
How it should run: Called via evaluate by composite-risk-evaluation or policy.
Required parameters: UserName.
Optional parameters: RiskAssessmentExecutable, RiskAssessmentArguments, KeeperApiBaseUrl (from context).

Example (evaluate API):


custom-event-example

Name: Custom Event Handler Example
How it should run: Triggered by custom event (e.g. MyCustomEvent). Job is disabled by default.
Required parameters: None.
Optional parameters: MachineName, UserName, Source.

Example (KeeperAdminCLI – job must be enabled first):

Or trigger by event with context:


LaunchApprovedRequest

Name: Launch Approved Request
How it should run: Triggered by LaunchApprovedRequest event with either ApprovalUid (from keeperAgent) or RequestId/FilePath/CommandLine (from policy job). Launches elevated or non-elevated.
Required parameters: Either ApprovalUid or (FilePath for launch path).
Optional parameters: RequestId, CommandLine, EventType, UserName, KeeperApiBaseUrl.

Example (by ApprovalUid – from approval workflow):

Example (by path – e.g. from policy job):


LaunchNativeElevation

Name: Launch Native OS Elevation
How it should run: Triggered by LaunchNativeElevation when EnforcementDisabled (no policies apply); launches with OS UAC/sudo.
Required parameters: FilePath.
Optional parameters: FileName, CommandLine, WorkingDirectory, RequestId, UserName, KeeperApiBaseUrl, RespondToTopic, SessionId.

Example (with parameters via API):


policy-evaluation-error-handler

Name: Policy Evaluation Error Handler
How it should run: Triggered by HookErrorEvent when policy evaluation fails (desktop). Sends DENY and shows error.
Required parameters: RequestId (recommended).
Optional parameters: SessionId, RespondToTopic, EventType, ErrorReason, FileName, FilePath, CommandLine, UserName, KeeperApiBaseUrl.

Example (with parameters via API):


policy-evaluation-error-handler-headless

Name: Policy Evaluation Error Handler (Headless)
How it should run: Same as above for headless (no desktop).
Required parameters: RequestId (recommended).
Optional parameters: Same as policy-evaluation-error-handler.

Example: Same as above, replace job id with policy-evaluation-error-handler-headless.


log-version-info

Name: Log Version Information
How it should run: Triggered by LogVersionInfo or manually. Logs component versions.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


monitor-and-notify-notification

Name: Monitor and Notify Notification
How it should run: Triggered by MonitorAndNotifyNotification when a MonitorAndNotify policy fires.
Required parameters: Message.
Optional parameters: Username, RequestId, SessionId, RequiresAcknowledgement, KeeperApiBaseUrl.

Example (with parameters via API):


FileAccessStartupCleanup

Name: FileAccess Startup Cleanup
How it should run: On startup or manually. Cleans expired file access grants and orphaned revert jobs.
Required parameters: None.
Optional parameters: KeeperApiBaseUrl.

Example (KeeperAdminCLI):


process-configuration-policies

Name: Process Configuration Policies
How it should run: Triggered by PolicyPreprocessingCompleted. Applies SettingsUpdate and JobUpdate policies.
Required parameters: None.
Optional parameters: KeeperApiBaseUrl, JobsDirectory, PluginsDirectory, AppSettingsPath.

Example (KeeperAdminCLI):


file-risk-assessment

Name: File Risk Assessment
How it should run: Called via evaluate by composite-risk or policy.
Required parameters: FilePath.
Optional parameters: FileRiskExecutable, SelectedVendor.

Example (evaluate API):


send-audit-event

Name: Send Audit Event
How it should run: Triggered by SendAuditEvent with audit payload.
Required parameters: None in job; payload uses placeholders.
Optional parameters: RequestId, Timestamp, RequestUid, PolicyType, UserName, TargetInfo, EvaluationStatus, AuditEventType.

Example (with parameters via API):


ApplyFileAccessPolicies

Name: Apply FileAccess Policies
How it should run: Triggered by FileAccessPoliciesChanged or PolicySyncCompleted, or manually. Applies FileAccess DENY ACLs from pending enforcements.
Required parameters: None.
Optional parameters: KeeperApiBaseUrl.

Example (KeeperAdminCLI):


agent_registration

Name: Registration
How it should run: On startup or manually. Registers the agent.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


location-risk-assessment

Name: Location Risk Assessment
How it should run: Called via evaluate by composite-risk or policy.
Required parameters: FilePath.
Optional parameters: RiskAssessmentExecutable, RiskAssessmentArguments.

Example (evaluate API):


send-toast

Name: Send Toast
How it should run: Triggered by SendAuditEvent or other callers with message/severity.
Required parameters: None (but message is empty without context).
Optional parameters: title, message, severity, targetUser.

Example (with parameters via API):


expire-exec-grant-* (e.g. expire-exec-grant-4e85aed0bf2d4f38a4c25a80413aa7b8)

Name: Expire Execution Grant - <ExecutableName>
How it should run: Scheduled at grant expiration time, or manually. Grant ID is in the job ID and in the task body.
Required parameters: None (grantId is in job definition).
Optional parameters: None.

Example (KeeperAdminCLI): Use the exact job ID created for that grant.


RevertFileAccess

Name: Revert File Access
How it should run: On schedule, RevertFileAccess event, or startup. Reverts expired file access grants. Job is disabled by default.
Required parameters: None.
Optional parameters: GrantId (specific grant; if empty, reverts all expired), KeeperApiBaseUrl.

Example (KeeperAdminCLI – enable job first if needed):


GrantFileAccess

Name: Grant File Access
How it should run: Triggered by GrantFileAccess event when approval/MFA/justify grants access.
Required parameters: None in schema; meaningful grant needs at least one of RestrictionId or FilePath + UserName.
Optional parameters: RestrictionId, FilePath, UserName, DurationMinutes, ApprovalUid, Justification, ControlMethod, KeeperApiBaseUrl.

Example (with parameters via API):


default-policy-controls-headless

Name: Default Policy Controls (Headless)
How it should run: Triggered by PolicyEvaluationPending when hasdesktop=false (headless). Forwards or denies.
Required parameters: SessionId, RespondToTopic.
Optional parameters: Same as default-policy-controls.

Example: Use trigger API with SessionId and RespondToTopic; normally invoked by policy, not manually.


keeperagent-silent-expiration-check

Name: KeeperAgent Silent Expiration Check
How it should run: Scheduled (every 1440 min) or manually. Runs keeperAgent in silent mode if conditions met.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


default-policy-controls

Name: Default Policy Controls
How it should run: Triggered by PolicyEvaluationPending for CommandLine/Custom (not PrivilegeElevation/FileAccess). Runs MFA/justify/approval.
Required parameters: SessionId, RespondToTopic.
Optional parameters: ControlList, CommandLine, UserName, RequestId, JobId, EventType, OriginalEventType, KeeperApiBaseUrl.

Example: Use trigger API with full context; normally invoked by policy.


LaunchPrivilegeElevation

Name: Launch Privilege Elevation
How it should run: Triggered by LaunchPrivilegeElevation with either ApprovalUid or FilePath/CommandLine/UserName from policy.
Required parameters: Either ApprovalUid or FilePath (for path-based launch).
Optional parameters: RequestId, FileName, CommandLine, UserName, MachineName, WorkingDirectory, KeeperApiBaseUrl, RespondToTopic, SessionId, EventType, DurationMinutes.

Example (by ApprovalUid):

Example (by path):


machine-risk-assessment

Name: Machine Risk Assessment
How it should run: Called via evaluate by composite-risk or policy.
Required parameters: MachineName.
Optional parameters: RiskAssessmentExecutable, RiskAssessmentArguments.

Example (evaluate API):


InventoryBasic (60260BA2-0713-4292-8A93-974E0E329BE1)

Name: InventoryBasic
How it should run: Scheduled (every 7200 min) or on AgentRegistered/Startup.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


ShowAgent

Name: Show Keeper Agent
How it should run: Triggered by ShowAgent (e.g. from KeeperClient menu) or manually. Launches keeperAgent UI on user desktop.
Required parameters: None.
Optional parameters: None.

Example (KeeperAdminCLI):


least-privilege-check

Name: Least Privilege Enforcement
How it should run: Triggered by LeastPrivilegeCheck or manually. Removes unprotected users from administrators group per policy.
Required parameters: None.
Optional parameters: MachineName, UserName.

Example (KeeperAdminCLI):
