Variables
Audience: IT admins. Use this when configuring policies, jobs, or paths so they work across Windows, Linux, and macOS.
Overview
Path variables are placeholders like {userprofile} or {system32} that resolve to real paths on each machine. They let you write one policy or job that works on every supported OS and install location.
Format:
{variableName}— curly braces, no$prefix.Case: Resolved case-insensitively on Windows; case-sensitive on Linux and macOS.
When resolved: At evaluation time (when the policy or job runs), not when the file is saved.
Common Variables (all platforms)
{rootdir}
C:\
/
/
Drive or filesystem root
{documents}
C:\Users\<user>\Documents
/home/<user>/Documents
/Users/<user>/Documents
User documents folder
{userdocuments}
Same as {documents}
Same as {documents}
Same as {documents}
Alias for documents
{userdesktop}
C:\Users\<user>\Desktop
/home/<user>/Desktop
/Users/<user>/Desktop
User desktop
{hasdesktop}
"true" / "false"
"true" / "false"
"true" / "false"
Whether a desktop environment is present
Windows-Specific Variables
{systemroot}
C:\Windows
Windows directory
{windows}
C:\Windows
Alias for systemroot
{systemdrive}
C:
System drive (no trailing backslash)
{system32}
C:\Windows\System32
System32 directory
{syswow64}
C:\Windows\SysWOW64
32-bit system on 64-bit Windows
{programfiles}
C:\Program Files
Program Files
{programfilesx86}
C:\Program Files (x86)
Program Files (x86)
{userprofile}
C:\Users\<user>
User profile directory
{appdata}
C:\Users\<user>\AppData\Roaming
Roaming AppData
{localappdata}
C:\Users\<user>\AppData\Local
Local AppData
{programdata}
C:\ProgramData
ProgramData
{temp}
C:\Users\<user>\AppData\Local\Temp
User temp directory
Linux and macOS Variables
Common (Linux and macOS):
{bin}
/bin
/bin
Binaries
{etc}
/etc
/etc
Configuration
{tmp}
/tmp
/tmp
Temp
{usr}
/usr
/usr
User programs
{var}
/var
/var
Variable data
{home}
/home/<user>
/Users/<user>
User home
macOS-only:
{system}
/System
System root
{library}
/Library
Library
{applications}
/Applications
Applications folder
{volumes}
/Volumes
Volumes mount point
{downloads}
/Users/<user>/Downloads
User downloads
{launchdaemons}
/Library/LaunchDaemons
System launch daemons
{launchagents}
/Library/LaunchAgents
Launch agents
Application-Specific Variables
These resolve relative to the Keeper Privilege Manager install:
{approot}
Application root directory
C:\Program Files\KeeperPrivilegeManager
{pluginroot}
Plugins directory
C:\Program Files\KeeperPrivilegeManager\Plugins
{jobroot}
Jobs directory
C:\Program Files\KeeperPrivilegeManager\Jobs
Use them in plugin configs or job paths so paths stay correct regardless of install location.
User-Specific vs System Variables
User-specific:
{userprofile},{documents},{userdesktop},{appdata},{temp},{home},{downloads}— resolve to the requesting user’s paths (e.g., the user whose action triggered the policy).System:
{systemroot},{system32},{programfiles},{programdata},{bin},{etc}— resolve to the same path for all users on that machine.
Protected Paths (file access policies)
On Windows, certain paths are protected: executables in those locations are excluded from wildcard DENY file-access policies so critical system binaries are not blocked. Protected paths typically include:
{systemroot}(and key subdirs such as System32, WinSxS, Microsoft.NET, Boot, recovery){programfiles}and{programfilesx86}
Protected path lists can be extended by configuration or policy. Use this when designing file-access policies so you don’t accidentally deny system executables.
See Reference: Wildcards for how wildcards behave in application vs. folder filters and what to avoid.
Custom Variables
Some deployments support custom path variables (e.g., in application or path-resolution settings). If available, you can define names like {companyshare} or {deployroot} and reference them in policies or jobs the same way as built-in variables. Check your configuration or admin console for where to define them.
Return to Reference Index
Last updated
Was this helpful?