# Enterprise Management Commands

## Commands

#### Keeper Command Reference

Whether you use the interactive shell, the CLI or a JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.

To get help on a particular command, run:

`help <command>`

**Enterprise Management Commands**

| Command                                               | Explanation                                                                                     |
| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| [`enterprise-info`](#enterprise-info-command) or `ei` | Display enterprise information                                                                  |
| [`enterprise-user`](#enterprise-user-command) or `eu` | Manage enterprise users                                                                         |
| [`enterprise-role`](#enterprise-role-command) or `er` | Manage enterprise roles and policies                                                            |
| [`enterprise-team`](#enterprise-team-command) or `et` | Manage enterprise teams                                                                         |
| [`enterprise-node`](#enterprise-node-command) or `en` | Manage enterprise nodes                                                                         |
| [`enterprise-push`](#enterprise-push-command)         | Populate user and team vaults with predetermined records                                        |
| [`enterprise-down`](#enterprise-down-command) or `ed` | Download & decrypt enterprise data                                                              |
| [`team-approve`](#team-approve-command)               | Approve queued teams and users provisioned by SCIM or Active Directory Bridge                   |
| [`device-approve`](#device-approve-command)           | Approve SSO Cloud devices that are pending from end-users                                       |
| [`create-user`](#create-user-command)                 | Create a new user and vault, and add a record to the current vault with that user's credentials |
| [`transfer-user`](#transfer-user-command)             | Transfer an account to another user                                                             |
| [`automator`](#automator-command)                     | Manage SSO Cloud Automator for Device Approvals                                                 |
| [`scim`](#scim-command)                               | Manage SCIM endpoints                                                                           |
| [`audit-alert`](#audit-alert-command)                 | Manage Audit Alerts                                                                             |
| [`mc-transfer`](#mc-transfer-command)                 | Performs transfer of managed companies between MSPs                                             |

### enterprise-info command

**Command:** `enterprise-info` or `ei`

**Detail:** Display information about your enterprise in a tree structure

**Parameters:**

Text to search for. Can apply to users, teams, and roles

**Switches:**

`-n`, `--nodes` display nodes

`--node` \<NODE> show tree structure from a specified node

`-u`, `--users` display user list

`-t`, `--teams` display team list

`-r`, `--roles` display role list

`-v`, `--verbose` show ids with output

`--format` <{*table, csv, json*}> format to show output

* table - show information in a table layout
* csv - output information in CSV format
* json - output information in JSON format

`--output` \<OUTPUT FILE> a file to write the output to

`--columns` \<COLUMNS> columns to include in the output, given as a comma-separated list. The available columns depend on the type of data being viewed:

* Users
  * name
  * status
  * transfer\_status
  * node
  * team\_count
  * teams
  * role\_count
  * roles
  * alias
  * 2fa\_enabled
  * job\_title
* Teams
  * restricts
  * node
  * user\_count
  * users
  * queued\_user\_count
  * queued\_users
  * role\_count
  * roles
* Roles
  * visible\_below
  * default\_role
  * admin
  * node
  * user\_count
  * users
  * team\_count
  * teams
  * enforcement\_count
  * enforcements
  * managed\_node\_count
  * managed\_nodes
  * managed\_nodes\_permissions
* Nodes
  * parent\_node
  * parent\_id
  * user\_count
  * team\_count
  * teams
  * users
  * role\_count
  * roles
  * provisioning
  * isolated

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-info
ei "John Doe" --users 
ei --teams --format csv --output teams.csv
ei --roles --columns admin,user_count
ei --node "Keeper Security"
```

{% endcode %}

1. Display the enterprise name and node structure
2. Search the enterprise for users named "John Doe"
3. Output a list of teams in the enterprise to a CSV file
4. Display a list of roles, and only show if they are an admin role and how many users are in the role
5. See the node tree structure starting from the node named "Keeper Security". Pass the root node to see the entire organization's node tree

### enterprise-user command

**Command:** `enterprise-user` or `eu`

**Detail:** Manage an enterprise user

**Parameters:**

User's UID or email address.

Note: you can use the following command to see a list of users in the enterprise:

`ei --users`

**Switches:**

`--expire` expire the user's master password

`--extend` extend vault transfer consent for 7 days. Supports the following pseudo users: @all

`--lock` lock the user's account

`--unlock` unlock the user's account. Supports the following pseudo users: @all

`--disable-2fa`  disable 2fa for the user

`--add` invite the given email address to create a vault in the enterprise (only works with email as parameter)

`--invite` send an invite to the given email address. Can be sent to previously invited users

`--delete` delete the user from the enterprise. Be careful: this also deletes all of their records. However, any **shared records** will remain accessible to other users in their vaults.

`--name` \<NAME> set a name to be used as the user's display name

`--node` \<NODE NAME OR UID> move the user to a node with the specified name or UID. To view a list of your nodes, use `enterprise-info --nodes`

`--add-role` \<ROLE NAME OR UID> add the user to a role with the specified name or UID. To view a list of roles, use `enterprise-info --roles`. Supports the following pseudo users: @all

`--remove-role` \<ROLE NAME OR UID> remove the user from the role with the specified name or UID

`--add-team` \<TEAM NAME OR UID> add the user to the team with the specified name or UID. To view a list of teams, use `enterprise-info --teams`

`--remove-team` \<TEAM NAME OR UID> remove the user from the team with the specified name or UID. To view a list of teams, use `enterprise-info --teams`

`--add-alias` \<EMAIL> Add an alias, in the form of an email address, to a user. The alias added will become the "primary" email for the user. Applying the command to an existing alias will set it as primary. Note that this command is only permitted on [reserved domains](https://docs.keeper.io/enterprise-guide/domain-reservation).

`--delete-alias` \<EMAIL> delete an email alias for a user

`-f`, `--force` do not prompt for confirmation

`-v`, `--verbose` debug output which includes IDs and other data

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-user John.Doe@gmail.com
eu 20379619819523 --node Chicago --add-team "Chicago Engineering"
eu --add Jane.Doe@gmail.com
eu 19819523203796 --lock
eu --add-alias new.name@company.com old.name@company.com
eu --add-role Employee @all
```

{% endcode %}

1. Show details of user "John.Doe@gmail.com"
2. For the user with the given UID, add them to the Chicago node and the "Chicago Engineering" team
3. Send an invite to "Jane.Doe@gmail.com" to open a vault in the enterprise
4. Lock the account with the given UID
5. Add an alias for a user who changed their name and set as primary
6. Add all enterprise users to the "Employee" role

### enterprise-role command

**Command:** `enterprise-role` or `er`

**Detail:** Manage an enterprise role or enforcement policy

{% hint style="info" %}
Note: you can use the following command to see a list of roles in the enterprise:

`ei --roles`
{% endhint %}

**Usage:** `er <ROLE>`

**Parameters:**

\<ROLE> Name or UID of role(s).  Separate with space to use multiple

**Switches:**

`--add` add a new role to the enterprise

`--delete` delete the role

`--add-user` \<USER NAME OR UID> add a user to the role. Use with --add

`--remove-user` \<USER NAME OR UID> remove a user from the role

`--visible-below` <{*on,off*}> make a role visible or invisible to roles beneath it

`--new-user` <{*on,off*}> make new users assigned to this role

`--node` \<NODE NAME OR UID> the node to add the role to

`--name` \<NAME> name the role

`--add-admin` \<NODE> set node to be administered by the specified role(s)

`--remove-admin` \<NODE> unset node administered by the specified role(s)

`--cascade` <{*on,off*}> use with `--add-admin` to extend admin-privileges for the specified role(s) to child nodes as well (if 'on')

`--enforcement <POLICY>:<VALUE>, --enforcement <POLICY>:$FILE=<PATH TO FILE WITH VALUE>` set the enforcement policy for the given role (using either the literal policy value -- e.g., "True", "e", 10 -- or a reference to a file containing that value). See the list of available enforcement policies in the 2nd tab of the table below.

`--copy` make a duplicate role with no users

`--clone` make a duplicate role with the same users as the original

`--add-team`, `-at` \<TEAM NAME> add a team to the given role

`--add-privilege`, `-ap` \<PRIVILEGE NAME> add an admin privilege to the role

`--remove-privilege`, `-rp` \<PRIVILEGE NAME> remove an admin privilege from the role

`-v`, `--verbose` show ids with output, including all available enforcement policies

`-f`, `--force` do not prompt for confirmation (non-interactive mode)

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-role -v "Keeper Administrator"
er 20379621916672 "Engineer Team Lead"
er --add Onboarding --new-user on
er 20379621916672 --add-admin "John.Doe@gmail.com" --cascade on
er PM --name "Product Manager"
er 20379619819524 20379619819525 20379621916672 --node Chicago
er 20379619819524 --copy --node Chicago
```

{% endcode %}

1. Show details about the "Keeper Administrator" role including all enforcements
2. Show details about the role with the given UID and the "Engineer Team Lead" role
3. Add a new role named "Onboarding" and make new users automatically assigned to this role
4. Make user John Doe admin of the role with the given UID and all child roles
5. Rename the "PM" role to "Product Manager"
6. Add the three roles with given UIDs to the "Chicago" node
7. Create a copy of the role in the "Chicago" node

#### Changing Role Enforcements and Privileges

{% tabs %}
{% tab title="Command" %}
Use the `--enforcement` switch to edit enforcement policies on the given role.  Pass a policy key and corresponding value to the switch in order to change the enforcement.

```bash
enterprise-role ROLE --enforcement "<POLICY>:<VALUE>"
```

Alternatively, set a role enforcement policy to the value specified in an external file.

```bash
enterprise-role ROLE --enforcement "<POLICY>:$FILE=<PATH_TO_FILE_WITH_POLICY_VALUE>"
```

Example restricting the "Engineering" role from importing records:

```bash
enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"
```

{% endtab %}

{% tab title="Enforcement Policies" %}
The available enforcement policies are listed below.

| Enforcement Policy Key                              | Type                  |
| --------------------------------------------------- | --------------------- |
| MASTER\_PASSWORD\_MINIMUM\_LENGTH                   | `LONG`                |
| MASTER\_PASSWORD\_MINIMUM\_SPECIAL                  | `LONG`                |
| MASTER\_PASSWORD\_MINIMUM\_UPPER                    | `LONG`                |
| MASTER\_PASSWORD\_MINIMUM\_LOWER                    | `LONG`                |
| MASTER\_PASSWORD\_MINIMUM\_DIGITS                   | `LONG`                |
| MASTER\_PASSWORD\_RESTRICT\_DAYS\_BEFORE\_REUSE     | `LONG`                |
| REQUIRE\_TWO\_FACTOR                                | `BOOLEAN`             |
| MASTER\_PASSWORD\_MAXIMUM\_DAYS\_BEFORE\_CHANGE     | `LONG`                |
| MASTER\_PASSWORD\_EXPIRED\_AS\_OF                   | `LONG`                |
| MINIMUM\_PBKDF2\_ITERATIONS                         | `LONG`                |
| MAX\_SESSION\_LOGIN\_TIME                           | `LONG`                |
| RESTRICT\_PERSISTENT\_LOGIN                         | `BOOLEAN`             |
| STAY\_LOGGED\_IN\_DEFAULT                           | `BOOLEAN`             |
| RESTRICT\_SHARING\_ALL                              | `BOOLEAN`             |
| RESTRICT\_SHARING\_ENTERPRISE                       | `BOOLEAN`             |
| RESTRICT\_SHARING\_ALL\_OUTGOING                    | `BOOLEAN`             |
| RESTRICT\_SHARING\_ENTERPRISE\_OUTGOING             | `BOOLEAN`             |
| RESTRICT\_EXPORT                                    | `BOOLEAN`             |
| RESTRICT\_FILE\_UPLOAD                              | `BOOLEAN`             |
| REQUIRE\_ACCOUNT\_SHARE                             | `ACCOUNT_SHARE`       |
| RESTRICT\_SHARING\_ALL\_INCOMING                    | `BOOLEAN`             |
| RESTRICT\_SHARING\_ENTERPRISE\_INCOMING             | `BOOLEAN`             |
| RESTRICT\_SHARING\_RECORD\_WITH\_ATTACHMENTS        | `BOOLEAN`             |
| RESTRICT\_IP\_ADDRESSES                             | `IP_WHITELIST`        |
| REQUIRE\_DEVICE\_APPROVAL                           | `BOOLEAN`             |
| REQUIRE\_ACCOUNT\_RECOVERY\_APPROVAL                | `BOOLEAN`             |
| RESTRICT\_VAULT\_IP\_ADDRESSES                      | `IP_WHITELIST`        |
| TIP\_ZONE\_RESTRICT\_ALLOWED\_IP\_RANGES            | `IP_WHITELIST`        |
| AUTOMATIC\_BACKUP\_EVERY\_X\_DAYS                   | `LONG`                |
| RESTRICT\_OFFLINE\_ACCESS                           | `BOOLEAN`             |
| SEND\_INVITE\_AT\_REGISTRATION                      | `BOOLEAN`             |
| RESTRICT\_EMAIL\_CHANGE                             | `BOOLEAN`             |
| RESTRICT\_IOS\_FINGERPRINT                          | `BOOLEAN`             |
| RESTRICT\_MAC\_FINGERPRINT                          | `BOOLEAN`             |
| RESTRICT\_ANDROID\_FINGERPRINT                      | `BOOLEAN`             |
| RESTRICT\_WINDOWS\_FINGERPRINT                      | `BOOLEAN`             |
| LOGOUT\_TIMER\_WEB                                  | `LONG`                |
| LOGOUT\_TIMER\_MOBILE                               | `LONG`                |
| LOGOUT\_TIMER\_DESKTOP                              | `LONG`                |
| RESTRICT\_WEB\_VAULT\_ACCESS                        | `BOOLEAN`             |
| RESTRICT\_EXTENSIONS\_ACCESS                        | `BOOLEAN`             |
| RESTRICT\_MOBILE\_ACCESS                            | `BOOLEAN`             |
| RESTRICT\_DESKTOP\_ACCESS                           | `BOOLEAN`             |
| RESTRICT\_MOBILE\_IOS\_ACCESS                       | `BOOLEAN`             |
| RESTRICT\_MOBILE\_ANDROID\_ACCESS                   | `BOOLEAN`             |
| RESTRICT\_MOBILE\_WINDOWS\_PHONE\_ACCESS            | `BOOLEAN`             |
| RESTRICT\_DESKTOP\_WIN\_ACCESS                      | `BOOLEAN`             |
| RESTRICT\_DESKTOP\_MAC\_ACCESS                      | `BOOLEAN`             |
| RESTRICT\_CHAT\_DESKTOP\_ACCESS                     | `BOOLEAN`             |
| RESTRICT\_CHAT\_MOBILE\_ACCESS                      | `BOOLEAN`             |
| RESTRICT\_COMMANDER\_ACCESS                         | `BOOLEAN`             |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_TEXT                | `BOOLEAN`             |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_GOOGLE              | `BOOLEAN`             |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_DNA                 | `BOOLEAN`             |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_DUO                 | `BOOLEAN`             |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_RSA                 | `BOOLEAN`             |
| TWO\_FACTOR\_DURATION\_WEB                          | `TWO_FACTOR_DURATION` |
| TWO\_FACTOR\_DURATION\_MOBILE                       | `TWO_FACTOR_DURATION` |
| TWO\_FACTOR\_DURATION\_DESKTOP                      | `TWO_FACTOR_DURATION` |
| RESTRICT\_TWO\_FACTOR\_CHANNEL\_SECURITY\_KEYS      | `BOOLEAN`             |
| TWO\_FACTOR\_BY\_IP                                 | `JSONARRAY`           |
| RESTRICT\_DOMAIN\_ACCESS                            | `STRING`              |
| RESTRICT\_DOMAIN\_CREATE                            | `STRING`              |
| RESTRICT\_HOVER\_LOCKS                              | `BOOLEAN`             |
| RESTRICT\_PROMPT\_TO\_LOGIN                         | `BOOLEAN`             |
| RESTRICT\_PROMPT\_TO\_FILL                          | `BOOLEAN`             |
| RESTRICT\_AUTO\_SUBMIT                              | `BOOLEAN`             |
| RESTRICT\_PROMPT\_TO\_SAVE                          | `BOOLEAN`             |
| RESTRICT\_PROMPT\_TO\_CHANGE                        | `BOOLEAN`             |
| RESTRICT\_AUTO\_FILL                                | `BOOLEAN`             |
| RESTRICT\_CREATE\_FOLDER                            | `BOOLEAN`             |
| RESTRICT\_CREATE\_FOLDER\_TO\_ONLY\_SHARED\_FOLDERS | `BOOLEAN`             |
| RESTRICT\_CREATE\_IDENTITY\_PAYMENT\_RECORDS        | `BOOLEAN`             |
| MASK\_CUSTOM\_FIELDS                                | `BOOLEAN`             |
| MASK\_NOTES                                         | `BOOLEAN`             |
| MASK\_PASSWORDS\_WHILE\_EDITING                     | `BOOLEAN`             |
| GENERATED\_PASSWORD\_COMPLEXITY                     | `STRING`              |
| GENERATED\_SECURITY\_QUESTION\_COMPLEXITY           | `STRING`              |
| RESTRICT\_IMPORT                                    | `BOOLEAN`             |
| DAYS\_BEFORE\_DELETED\_RECORDS\_CLEARED\_PERM       | `LONG`                |
| DAYS\_BEFORE\_DELETED\_RECORDS\_AUTO\_CLEARED       | `LONG`                |
| ALLOW\_ALTERNATE\_PASSWORDS                         | `BOOLEAN`             |
| RESTRICT\_CREATE\_RECORD                            | `BOOLEAN`             |
| RESTRICT\_CREATE\_RECORD\_TO\_SHARED\_FOLDERS       | `BOOLEAN`             |
| RESTRICT\_CREATE\_SHARED\_FOLDER                    | `BOOLEAN`             |
| RESTRICT\_LINK\_SHARING                             | `BOOLEAN`             |
| RESTRICT\_SHARING\_OUTSIDE\_OF\_ISOLATED\_NODES     | `BOOLEAN`             |
| RESTRICT\_SHARING\_RECORD\_TO\_SHARED\_FOLDERS      | `BOOLEAN`             |
| DISABLE\_SETUP\_TOUR                                | `BOOLEAN`             |
| RESTRICT\_PERSONAL\_LICENSE                         | `BOOLEAN`             |
| DISABLE\_ONBOARDING                                 | `BOOLEAN`             |
| DISALLOW\_V2\_CLIENTS                               | `BOOLEAN`             |
| RESTRICT\_IP\_AUTOAPPROVAL                          | `BOOLEAN`             |
| SEND\_BREACH\_WATCH\_EVENTS                         | `BOOLEAN`             |
| RESTRICT\_BREACH\_WATCH                             | `BOOLEAN`             |
| RESEND\_ENTERPRISE\_INVITE\_IN\_X\_DAYS             | `LONG`                |
| MASTER\_PASSWORD\_REENTRY                           | `JSON`                |
| RESTRICT\_ACCOUNT\_RECOVERY                         | `BOOLEAN`             |
| KEEPER\_FILL\_HOVER\_LOCKS                          | `TERNARY_DEN`         |
| KEEPER\_FILL\_AUTO\_FILL                            | `TERNARY_DEN`         |
| KEEPER\_FILL\_AUTO\_SUBMIT                          | `TERNARY_DEN`         |
| KEEPER\_FILL\_MATCH\_ON\_SUBDOMAIN                  | `TERNARY_DEN`         |
| KEEPER\_FILL\_AUTO\_SUGGEST                         | `TERNARY_DEN`         |
| RESTRICT\_PROMPT\_TO\_DISABLE                       | `BOOLEAN`             |
| RESTRICT\_HTTP\_FILL\_WARNING                       | `BOOLEAN`             |
| RESTRICT\_RECORD\_TYPES                             | `RECORD_TYPES`        |
| ALLOW\_SECRETS\_MANAGER                             | `BOOLEAN`             |
| REQUIRE\_SELF\_DESTRUCT                             | `BOOLEAN`             |
| MAXIMUM\_RECORD\_SIZE                               | `LONG`                |
| ALLOW\_PAM\_ROTATION                                | `BOOLEAN`             |
| ALLOW\_PAM\_DISCOVERY                               | `BOOLEAN`             |
| RESTRICT\_IMPORT\_SHARED\_FOLDERS                   | `BOOLEAN`             |
| REQUIRE\_SECURITY\_KEY\_PIN                         | `BOOLEAN`             |
| DISABLE\_CREATE\_DUPLICATE                          | `BOOLEAN`             |
| ALLOW\_PAM\_GATEWAY                                 | `BOOLEAN`             |
| ALLOW\_CONFIGURE\_ROTATION\_SETTINGS                | `BOOLEAN`             |
| ALLOW\_ROTATE\_CREDENTIALS                          | `BOOLEAN`             |
| ALLOW\_CONFIGURE\_PAM\_CLOUD\_CONNECTION\_SETTINGS  | `BOOLEAN`             |
| ALLOW\_LAUNCH\_PAM\_ON\_CLOUD\_CONNECTION           | `BOOLEAN`             |
| ALLOW\_CONFIGURE\_PAM\_TUNNELING\_SETTINGS          | `BOOLEAN`             |
| ALLOW\_LAUNCH\_PAM\_TUNNELS                         | `BOOLEAN`             |
| ALLOW\_LAUNCH\_RBI                                  | `BOOLEAN`             |
| ALLOW\_CONFIGURE\_RBI                               | `BOOLEAN`             |
| ALLOW\_VIEW\_KCM\_RECORDINGS                        | `BOOLEAN`             |
| ALLOW\_VIEW\_RBI\_RECORDINGS                        | `BOOLEAN`             |
| RESTRICT\_MANAGE\_TLA                               | `BOOLEAN`             |
| RESTRICT\_SELF\_DESTRUCT\_RECORDS                   | `BOOLEAN`             |
| RESTRICT\_ACCOUNT\_SWITCHING                        | `BOOLEAN`             |
| RESTRICT\_PASSKEY\_LOGIN                            | `BOOLEAN`             |
| ALLOW\_CAN\_EDIT\_EXTERNAL\_SHARES                  | `BOOLEAN`             |
| RESTRICT\_SNAPSHOT\_TOOL                            | `BOOLEAN`             |
| RESTRICT\_FORCEFIELD                                | `BOOLEAN`             |
| RESTRICT\_CLIPBOARD\_EXPIRE\_IN\_X\_SECS            | `LONG`                |
| RESTRICT\_SF\_RECORD\_REMOVAL                       | `BOOLEAN`             |
| RESTRICT\_SF\_FOLDER\_DELETION                      | `BOOLEAN`             |

{% endtab %}

{% tab title="Administrative Privileges" %}
You can assign an Administrative Node to a user with this command:

```
er 'Node Admin' -aa 'Node Name' --cascade on
```

You can then assign Administrative privileges with the `-ap` flag, and remove them with the `-rp` flag:

```
er 'Admin' --node 'Node Name' -ap manage_nodes -ap manage_roles
```

Find below all supported privilege codes:

| Administrative Privilege Name | Administrative Privilege Code |
| ----------------------------- | ----------------------------- |
| Manage Nodes                  | `manage_nodes`                |
| Manage Users                  | `manage_user`                 |
| Manage Roles                  | `manage_roles`                |
| Manage Teams                  | `manage_teams`                |
| Run Security Reports          | `run_reports`                 |
| Manage Bridge/SSO             | `manage_bridge`               |
| Perform Device Approvals      | `approve_device`              |
| Manage Record Types in Vault  | `manage_record_types`         |
| Run Compliance Reports        | `run_compliance_reports`      |
| Transfer Account              | `transfer_account`            |
| Sharing Administrator         | `sharing_administrator`       |

{% endtab %}

{% tab title="Examples" %}
Examples for each value type

```bash
# command format
enterprise-role ROLE --enforcement "POLICY:VALUE"

# boolean (allow secrets manager)
enterprise-role Engineering --enforcement "ALLOW_SECRETS_MANAGER:True"

# string (restrict access to a domain)
er "Support Admin" --enforcement "RESTRICT_DOMAIN_ACCESS:https://www.baddomain.com"

# long (set minimum password length)
er users --enforcement "MASTER_PASSWORD_MINIMUM_LENGTH:10"

# ternary DEN (set auto fill to off)
er DB_Admin --enforcement "KEEPER_FILL_AUTO_FILL:d"
# ternary values: d:disable e:enable n:null
# Note - n:null removes the enforcement

# RESTRICT_RECORD_TYPES accepts a list of record types separated by comma
# to get a list of all available record types
My Vault> rti
  Record Type ID  Record Type Name
----------------  -----------------------
               1  login
              11  bankAccount
              14  address
              ...
              34  sshKeys
# to restrict sshKeys and address record types
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:sshKeys, address"
# restrict all record types (other than legacy general type)
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:all"

# ip-whitelist (allow logins only from specified IPs)
My Vault> er --enforcement "RESTRICT_IP_ADDRESSES:1.0.0.1-1.0.0.10,172.15.0.1,192.0.0.2" IP-Restricted_Role
```

{% endtab %}
{% endtabs %}
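
A pre-flight check for `--enforcement` arguments, as an added example (not part of Keeper Commander): it validates `POLICY:VALUE` strings against the value types in the policy table above before they are applied to a role. `POLICY_TYPES` is a subset of that table, and the accepted spellings (only `True`/`False` for booleans, non-negative integers for `LONG`, IPv4-only allowlists) are assumptions of this linter, not documented Commander behaviour.

```python
import ipaddress
import json
from pathlib import Path

# Subset of the "Enforcement Policies" table (policy key -> value type).
POLICY_TYPES = {
    "REQUIRE_TWO_FACTOR": "BOOLEAN",
    "ALLOW_SECRETS_MANAGER": "BOOLEAN",
    "RESTRICT_IMPORT": "BOOLEAN",
    "MASTER_PASSWORD_MINIMUM_LENGTH": "LONG",
    "MINIMUM_PBKDF2_ITERATIONS": "LONG",
    "KEEPER_FILL_AUTO_FILL": "TERNARY_DEN",
    "RESTRICT_DOMAIN_ACCESS": "STRING",
    "RESTRICT_IP_ADDRESSES": "IP_WHITELIST",
    "RESTRICT_VAULT_IP_ADDRESSES": "IP_WHITELIST",
    "TWO_FACTOR_BY_IP": "JSONARRAY",
    "MASTER_PASSWORD_REENTRY": "JSON",
    "RESTRICT_RECORD_TYPES": "RECORD_TYPES",
}

# The first five arguments are the page's own examples; the rest are constructed.
SAMPLE_ARGS = [
    "ALLOW_SECRETS_MANAGER:True",
    "RESTRICT_DOMAIN_ACCESS:https://www.baddomain.com",
    "MASTER_PASSWORD_MINIMUM_LENGTH:10",
    "KEEPER_FILL_AUTO_FILL:d",
    "RESTRICT_IP_ADDRESSES:1.0.0.1-1.0.0.10,172.15.0.1,192.0.0.2",
    "REQUIRE_TWO_FACTOR:yes",
    "KEEPER_FILL_AUTO_FILL:off",
    "RESTRICT_IP_ADDRESSES:10.0.0.9-10.0.0.1",
]


def _check_ip_whitelist(value):
    """Each item is one IPv4 address or a start-end range (assumed IPv4 only)."""
    problems = []
    for item in value.split(","):
        item = item.strip()
        start, sep, end = item.partition("-")
        try:
            lo = ipaddress.IPv4Address(start.strip())
            hi = ipaddress.IPv4Address(end.strip()) if sep else lo
        except ipaddress.AddressValueError:
            problems.append(f"not an IPv4 address or range: {item!r}")
            continue
        if lo > hi:
            problems.append(f"range start is above range end: {item!r}")
    return problems


def _check_value(kind, value):
    """Validate one value against its declared type; return a list of problems."""
    if kind == "BOOLEAN":
        ok = value.lower() in ("true", "false")
        return [] if ok else [f"expected True or False, got {value!r}"]
    if kind == "LONG":
        ok = value.isascii() and value.isdigit()
        return [] if ok else [f"expected a non-negative integer, got {value!r}"]
    if kind == "TERNARY_DEN":
        ok = value in ("d", "e", "n")
        return [] if ok else [f"expected d, e or n, got {value!r}"]
    if kind == "IP_WHITELIST":
        return _check_ip_whitelist(value)
    if kind in ("JSON", "JSONARRAY"):
        try:
            parsed = json.loads(value)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc.msg}"]
        if kind == "JSONARRAY" and not isinstance(parsed, list):
            return ["expected a JSON array"]
        return []
    # STRING is one item; RECORD_TYPES is a comma-separated list. No item may be empty.
    items = value.split(",") if kind == "RECORD_TYPES" else [value]
    return [] if all(i.strip() for i in items) else ["empty value"]


def check_enforcement(arg):
    """Return a list of problems for one POLICY:VALUE argument (empty = OK)."""
    # Split on the first colon only: values such as URLs contain colons.
    key, sep, value = arg.partition(":")
    if not sep or not value:
        return [f"expected POLICY:VALUE, got {arg!r}"]
    kind = POLICY_TYPES.get(key)
    if kind is None:
        return [f"{key}: not in the local policy table"]
    if value.startswith("$FILE="):
        # The $FILE=<path> form: the value to validate is the file's content.
        path = Path(value[len("$FILE="):])
        try:
            value = path.read_text(encoding="utf-8").strip()
        except OSError as exc:
            return [f"{key}: cannot read value file {str(path)!r}: {exc.strerror}"]
    return [f"{key}: {problem}" for problem in _check_value(kind, value)]


if __name__ == "__main__":
    for arg in SAMPLE_ARGS:
        problems = check_enforcement(arg)
        print("FAIL" if problems else "OK  ", arg, *problems, sep="  ")
```

When the command is passed through a POSIX shell instead of being typed at the Keeper prompt, single-quote the `$FILE=` form so the shell does not expand `$FILE` before Commander sees it.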

### enterprise-team command

**Command:** `enterprise-team` or `et`

**Detail:** Manage enterprise teams

**Parameters:**

Team name or id

Note: you can use the following command to see a list of teams in the enterprise:

`ei --teams`

**Switches:**

`--add` add a new team to the enterprise

`--delete` delete the team

`--add-user` \<USER NAME OR UID> add a user to the team

`--remove-user` \<USER NAME OR UID> remove a user from the team

`--node` \<NODE NAME OR UID> the node to add the team to

`--name` \<NAME> name the team

`--approve` approve a queued team. Queued teams are typically created by SCIM requests which still need encryption keys to be created. Therefore they remain in a queued state until the admin logs into the Admin Console or this command is executed.

`--restrict-edit` <{*on,off*}> decide if users in this team can edit records

`--restrict-share` <{*on,off*}> decide if users in this team can share records

`--restrict-view` <{*on,off*}> decide if users in this team can view record passwords

`--hide-shared-folder`, `-hsf` <{*on,off*}> flag to determine if users in this team can see shared folders

`--add-role`, `-ar` \<ROLE NAME> add a role to the given team

`-v`, `--verbose` show ids with output

**Examples:**

```
enterprise-team "Chicago Engineering"
et "Chicago Engineering" Legal 
et --add "Chicago Product" --node Chicago --restrict-edit on
et 20379619819524 --name "El Dorado Hills Engineering"
```

1. Show details of "Chicago Engineering" team
2. Show details for "Chicago Engineering" and "Legal" teams
3. Add a new team named "Chicago Product" in the "Chicago" node, and restrict users in the team from editing records
4. Change the name of the team with the given UID to "El Dorado Hills Engineering"

### enterprise-node command

**Command:** `enterprise-node` or `en`

**Detail:** Manage enterprise nodes

**Parameters:**

Node name or UID

Note: you can use the following command to see a list of nodes in the enterprise:

`ei --nodes`

**Switches:**

`--add` add a new node to the enterprise

`-f, --force`  Force deletion without confirmation prompt

`--delete` delete the node. Note this won't be allowed until all objects from the node are deleted.

`--parent` \<NODE NAME OR UID> make given node the parent of this node

`--name` \<NAME> set node's display name

`--wipe-out` delete all nodes, roles, users, and teams under the node. Does not delete the node itself. Be careful with this command.

`--toggle-isolated` make node visible or invisible to people in other nodes

`--invite-email` \<FILE\_NAME> Sets invite email template from file. Saves current template if file does not exist. Use a dash (-) for stdout. See [Custom Emails](#custom-emails) section below.

`--logo-file` \<FILE\_NAME> Sets company / node logo using local image file (max size: 500 kB, min dimensions: 10x10, max dimensions: 320x320)

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-node Chicago
en Chicago "El Dorado Hills" 20379619819524 --parent NA
en --add Cork --parent EMEA
en APAC --wipe-out
en Chicago --toggle-isolated
en --logo-file ~/chicago_logo.jpg Chicago
```

{% endcode %}

1. Show details for the "Chicago" node
2. For the three nodes: "Chicago", "El Dorado Hills" and node with the given UID, change the parent node to node "NA"
3. Add a new node named "Cork" under the "EMEA" node
4. Delete all nodes, roles, users, and teams from under the "APAC" node
5. Make the "Chicago" node invisible (if currently visible) or visible (if currently invisible) to people in other nodes
6. Customize the appearance of invite emails and vault UI by using the "chicago\_logo.jpg" file in the current user's $HOME directory as the logo image for the "Chicago" node.

#### **Custom Emails**

The `--invite-email` switch allows you to set a custom email template per node.

As with email templates customized in the web Admin Console, custom email templates on the CLI support customization of the following four attributes:

* Subject
* Message Heading
* Message Body
* Download Button Text

Custom email templates can be defined in a `.txt` file in the following format:

```
[Subject]
// Insert E-mail Subject line text

[Heading]
// Insert E-mail Message heading text here

[Message]
// Insert E-mail Message body text here

[Button Text]
// Insert the download button text here 
```

{% hint style="info" %}
Custom Emails can also be formatted using markdown syntax. [See this page](https://app.gitbook.com/s/-LO5CAzpxoaEquZJBpYz/user-and-team-provisioning/custom-invite-and-logo) for additional details.
{% endhint %}

#### **Custom Email Use Case**

Suppose a company has branches in Chicago and Tokyo, with the respective nodes `Chicago` and `Tokyo`. Ideally, each branch's invitation emails are written in its native language:

* Invitation emails sent to the Chicago Branch should be in its native language English
* Invitation emails sent to the Tokyo Branch should be in its native language Japanese

The `--invite-email` switch makes this possible by enabling you to set the desired email template per node.

First, I define the custom email templates for both of my branches: `Chicago` and `Tokyo`

{% file src="<https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FYmVg7TjewlDNMViY0cjf%2FemailChicago.txt?alt=media&token=0afc8b59-f4eb-4ea9-b37d-69ac874a6e6e>" %}
Email Template File for Chicago
{% endfile %}

{% file src="<https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FpbyNGukCIzDtZki3HGvF%2FemailTokyo.txt?alt=media&token=248288c2-6896-4e66-8ac9-a62046a95dee>" %}
Email Template File for Tokyo
{% endfile %}

Next, I set the appropriate email template for each node:

```
en Chicago --invite-email="C:\user\emailTemplates\emailChicago.txt"
en Tokyo --invite-email="C:\user\emailTemplates\emailTokyo.txt"
```

{% hint style="info" %}
On Windows, file paths can be specified either in quotation marks or with double backslashes. Either of the following file paths is valid:

`"C:\users\file.txt"` or `c:\\users\\file.txt`
{% endhint %}

When sending invitation emails, users will receive the following emails based on their branch location:

<div><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FcGqbto7AdrZMnrm7G4vd%2FchicagoEmail.png?alt=media&#x26;token=f4a4eeb0-2d47-4743-9b95-93a7808c9f1a" alt="Invitation email received by users in the Chicago Branch"><figcaption><p>Invitation Email for Chicago Branch</p></figcaption></figure> <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FDIwQfZfBuxGmia8dctBN%2FtokyoEmail.png?alt=media&#x26;token=c05c82a8-22e2-4561-ac66-632fa1e9ea29" alt="Invitation email received by users in the Tokyo Branch"><figcaption><p>Invitation Email for Tokyo Branch</p></figcaption></figure></div>

### enterprise-push command

**Command:** `enterprise-push`

**Detail:** Populate a vault with a set of default records

**Parameters:**

File name of file with template records.  File must be JSON format.

**Switches:**

`--syntax-help` show example file format and template parameters

`--team` \<TEAM NAME OR UID> team to assign records to

`--email` \<USER EMAIL OR UID> user to assign records to

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-push office-codes.json --team "Chicago Office"
enterprise-push default.json --email Jane.Doe@gmail.com
enterprise-push --syntax-help
```

{% endcode %}

1. Send records templated in the "office-codes.json" file to every user in the "Chicago Office" team
2. Send records templated in the "default.json" file to user "<Jane.Doe@gmail.com>"
3. See the syntax help

**File Format**

The "enterprise-push" command uses the Keeper JSON record import format.

Example JSON file:

```
[
    {
        "title": "Google",
        "login": "${user_email}",
        "password": "${generate_password}",
        "login_url": "https://google.com",
        "notes": "",
        "custom_fields": {
            "Name 1": "Value 1",
            "Name 2": "Value 2"
        }
    },
    {
        "title": "Admin Tool",
        "login": "${user_email}",
        "password": "",
        "login_url": "https://192.168.1.1",
        "notes": "",
        "custom_fields": {
        }
    }
]
```

Supported template parameters:

```
${user_email}          User email address
${generate_password}   Generate random password
${user_name}           User full name
```

{% hint style="info" %}
An easy way to find the proper JSON structure is to export some data from your Keeper vault in JSON format. Then, modify the file as required for creating an import file.
{% endhint %}

To export JSON data for creating a template:

* Create an empty folder for storing templates. e.g. "Templates"
* Create records in that folder
* `export` the folder as JSON using the below command

```
export --format=json --folder=Templates templates.json
```

* Optional: edit the JSON file to delete the "uid", "schema" and "folders" properties, which are not used by the `enterprise-push` command

The template JSON file should be either an array of records or an object with a "records" property that contains an array of records.
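A pre-push check for a template file, as an added example that is not part of Keeper Commander: it accepts both top-level shapes described above, drops the export-only properties, and reports template parameters outside the supported list. The function names, the sample file and the rule that flags a literal password for review are assumptions of this example.

```python
import json
import re

# Parameters listed under "Supported template parameters" on this page.
SUPPORTED_PARAMS = {"user_email", "generate_password", "user_name"}
# Export-only properties the page says enterprise-push does not use.
EXPORT_ONLY = ("uid", "schema", "folders")
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def load_records(text):
    """Return the record list from either accepted top-level shape."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("records")
    if not isinstance(data, list) or not all(isinstance(r, dict) for r in data):
        raise ValueError('template must be an array of records or {"records": [...]}')
    return data


def _strings(value):
    """Yield every string value nested anywhere inside a record."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def lint_template(text):
    """Return (cleaned_records, findings) for an enterprise-push template."""
    findings, cleaned = [], []
    for idx, record in enumerate(load_records(text)):
        title = record.get("title") or f"record #{idx}"
        rec = {k: v for k, v in record.items() if k not in EXPORT_ONLY}
        dropped = [k for k in EXPORT_ONLY if k in record]
        if dropped:
            findings.append(f"{title}: removed export-only properties {dropped}")
        for s in _strings(rec):
            for name in PLACEHOLDER.findall(s):
                if name not in SUPPORTED_PARAMS:
                    findings.append(f"{title}: unsupported parameter ${{{name}}}")
        # Assumption of this example: a fixed password copied to every
        # recipient deserves a second look before the push.
        password = rec.get("password", "")
        if password and not PLACEHOLDER.search(password):
            findings.append(f"{title}: literal password would be pushed to every recipient")
        cleaned.append(rec)
    return cleaned, findings


# Constructed sample: an exported record edited into a template, with two mistakes.
SAMPLE = """
{"records": [
  {"uid": "CONSTRUCTED-UID", "title": "Google", "login": "${user_email}",
   "password": "${generate_password}", "login_url": "https://google.com",
   "folders": [{"folder": "Templates"}]},
  {"title": "Admin Tool", "login": "${username}", "password": "Welcome123",
   "login_url": "https://192.168.1.1", "custom_fields": {}}
]}
"""

if __name__ == "__main__":
    records, issues = lint_template(SAMPLE)
    print(json.dumps(records, indent=2))
    for issue in issues:
        print("WARN", issue)
```
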

### enterprise-down command

**Command:** `enterprise-down` or `ed`

**Detail:** Download & decrypt enterprise data locally.

When an instance of Commander is running and a change is made in the Admin Console or in another instance of Commander, use the `enterprise-down` command to download and decrypt the latest enterprise data locally.

**Example:**

Suppose a new user is added in the Admin Console while a Commander session is active. Executing the following command in the running Commander session downloads and decrypts the latest changes locally:

```
enterprise-down
```

### team-approve command

**Command:** `team-approve`

**Detail:** Enable or disable automatic team approval or user approval to teams

When using a provisioning method such as Keeper Bridge or SCIM, new teams and users that have not yet activated their vault are queued for approval.  Use this command to enable or disable automatic approval of provisioned teams or users.

**Switches:**

`--team` approve teams

`--email` approve team users

`--restrict-edit` <{*on*, *off*}> restrict or allow editing records in approved teams

`--restrict-share` <{*on*, *off*}> restrict or allow sharing records in approved teams

`--restrict-view` <{*on*, *off*}> restrict or allow viewing record passwords in approved teams

**Examples:**

{% code lineNumbers="true" %}

```
enterprise-down
team-approve --team
team-approve --email
team-approve --team --restrict-edit on
```

{% endcode %}

1. Sync down any pending Enterprise Team approvals
2. Automatically approve queued provisioned teams
3. Automatically approve queued provisioned users
4. Automatically approve queued provisioned teams and don't allow users in those teams to edit records

### device-approve command

**Command:** `device-approve`

**Detail:** Approve cloud SSO devices

**Parameters:**

User's email or device ID to approve or blank to see a list of pending devices

**Switches:**

`-r`, `--reload` load current list of pending approvals

`-a`, `--approve` approve the device for the given user email or device ID

`-d`, `--deny` deny the device for the given user email or device ID

`--trusted-ip` approve devices from a trusted IP address

`--format` <{*table*, *csv*, *json*}> format to show output in

`--output` \<FILE NAME> file to send output to (must use json or csv format)

**Examples:**

{% code lineNumbers="true" %}

```
device-approve
device-approve John.Doe@gmail.com --approve
device-approve --reload
device-approve --output device_approvals.csv --format csv
```

{% endcode %}

1. Show list of pending device approvals
2. Approve user "<John.Doe@gmail.com>"
3. Refresh list of pending device approvals
4. Write list of pending device approvals to a file in csv format

### create-user command

**Command:** `create-user`

**Detail**

Create a new account and vault for the given email address and create a record for the new user's credentials in the current Keeper vault.

{% hint style="info" %}
To invite new users to an enterprise see the [enterprise-user command](#enterprise-user-command)
{% endhint %}

**Parameters:**

User's email address

**Switches:**

`--name <Name>` user's name

`--node <NODE>` name or ID of node to add user to

`--folder <FOLDER NAME OR UID>` folder to store created user credentials in

**Examples:**

```
create-user John.Doe@gmail.com
create-user John.Doe@workplace.com --name "John Doe" --node Chicago
```

1. Create a new user account and vault for <John.Doe@gmail.com>
2. Send an invitation to John Doe to join Keeper, name the new user "John Doe" and add him to the "Chicago" node

#### Onboarding with create-user Command

When the `create-user` command is used to create a new user in the Keeper account, a record containing the new user's username and temporary password is created in the currently logged-in account. Once the record is created, it can be shared with the new user through a one-time share URL.

```
My Vault> create-user John.Doe@gmail.com
User "John.Doe@gmail.com" credentials are stored to record "Keeper Account: John.Doe@gmail.com"

My Vault> share create "Keeper Account: John.Doe@gmail.com" --expire 7d
https://keepersecurity.com/vault/share#-Rkzr6w[...]wMw3fQ3kM

```

The new user follows this URL to receive their temporary credentials and perform the first login.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FypuLYiCDVq8kq6326YrV%2Fimage.png?alt=media&#x26;token=71273e08-c146-464b-be53-bdea3df18a2b" alt=""><figcaption></figcaption></figure>

### transfer-user command

**Command:** `transfer-user`

**Detail:** Lock account, then transfer a vault from one user to another.

**Parameter:**

Email or user ID of the vault to be transferred.  More than one can be provided, separated by spaces.

**Switches:**

`--target-user <USER EMAIL>`  email address of user account to transfer the vault(s) to

`--force, -f` do not prompt for confirmation

Account Transfer must be enabled for the account or role the account is in.

The contents of the transferred vault are placed in a folder in the recipient's vault.

**Example:**

```
transfer-user keeperuser1@keepersecurity.com --target-user recipient@keepersecurity.com
```

1. Transfer the vault of <keeperuser1@keepersecurity.com> to <recipient@keepersecurity.com>.

To perform a bulk transfer of user accounts, use the command:\
`transfer-user @filename`\
This will look for the file named filename that contains a FROM and TO mapping.  For example:

```
user1@company.com -> user2@company.com
user3@company.com -> user4@company.com
```
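A pre-flight check for the bulk mapping file, as an added example that is not part of Keeper Commander: since `transfer-user` locks each source account, it reports malformed lines, self-transfers, a source listed twice, and a recipient that is itself being transferred in the same file. The function names, the case-insensitive comparison, the handling of blank lines and the sample file are assumptions of this example.

```python
import re
from collections import defaultdict

# One "FROM -> TO" pair per line, as in the sample mapping file above.
LINE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s*$")


def check_mapping(text):
    """Parse a transfer-user mapping file; return (pairs, problems).

    Each problem is (line_number, kind, detail). Accounts are compared
    case-insensitively, which is an assumption of this example.
    """
    pairs, problems, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are skipped (assumption of this example)
        match = LINE.match(raw)
        if match is None:
            problems.append((lineno, "malformed", raw.strip()))
            continue
        src, dst = match.group(1).lower(), match.group(2).lower()
        if src == dst:
            problems.append((lineno, "self-transfer", src))
        elif src in first_seen:
            # The same vault is listed for transfer a second time.
            problems.append((lineno, "duplicate-source", src))
        else:
            first_seen[src] = lineno
            pairs.append((src, dst))
    # transfer-user locks the source account, so a recipient that is also
    # listed as a source would be locked by another line of the same file.
    sources = set(first_seen)
    for src, dst in pairs:
        if dst in sources:
            problems.append((first_seen[src], "target-is-also-source", dst))
    return pairs, sorted(problems)


def vaults_per_recipient(pairs):
    """Group source accounts by the recipient who will receive their vault."""
    grouped = defaultdict(list)
    for src, dst in pairs:
        grouped[dst].append(src)
    return dict(grouped)


# Constructed sample file with four deliberate mistakes.
SAMPLE = """\
user1@company.com -> user2@company.com
user3@company.com -> user4@company.com
user2@company.com -> user5@company.com
user3@company.com -> user6@company.com
user7@company.com -> User7@company.com
user8@company.com user9@company.com
"""

if __name__ == "__main__":
    pairs, problems = check_mapping(SAMPLE)
    for lineno, kind, detail in problems:
        print(f"line {lineno}: {kind}: {detail}")
    for recipient, senders in vaults_per_recipient(pairs).items():
        print(f"{recipient} receives {len(senders)} vault(s): {', '.join(senders)}")
```
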

### automator command

**Command**: `automator`

**Detail**: Configures SSO Cloud device automators.

An Automator is a program running at a customer site that can perform some Keeper administrative actions such as performing device approvals or team approvals. More information about the Keeper Automator service is [found at this link](https://docs.keeper.io/sso-connect-cloud/device-approvals/automator).

{% hint style="info" %}
Only the root-level Keeper Administrator role can manage the Automator configuration
{% endhint %}

When the `automator` command is executed without parameters, it displays the list of available automators as well as command help.

```bash
automator command [target] [--options]

 Command            Description
=================================================================
 list               Displays the list of the available automators
 create             Creates automator
 init               Initializes automator
 view               Prints automator details
 edit               Changes automator configuration
 delete             Deletes automator
 reset              Resets automator configuration to the default
 enable             Enables automator
 disable            Disables automator
 log                Retrieves automator logs
 clear              Clears automator logs
 certificate        Display certificate information.
 
 list, create:
 'target' parameter is ignored 
 
 init, view, edit, delete, reset, start, stop, log, clear:
 these commands require 'target' parameter: Automator Name or ID

 Option             Commands
==================================================================
 --node             create 
 --name             create, edit
 --url              edit : Webhook URL 
 --skill            edit : "device" and/or "team"
 --set              edit : KEY=VALUE

```

**Examples:**

Create an automator with the name "Cloud SSO Device Approval".

```bash
My Vault> automator create --name="Cloud SSO Device Approval"     

        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL:                     
             Enabled: No                  
         Initialized: No                  
              Skills: Device Approval
```

Edit automator to set the Webhook URL. The Webhook URL is provided by the Automator application.

```bash
My Vault> automator edit --url="https://automator.company.com:8089" 888888888888    

        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL: https://automator.company.com:8089                    
             Enabled: No                  
         Initialized: No                  
              Skills: Device Approval       
```

Skills (Team Approvals, Team-User Approvals, Device Approvals) can be set with the "skill" argument. For example:

{% code overflow="wrap" %}

```
My Vault> automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"
```

{% endcode %}

Initialize the automator instance using "setup", "init" and "enable" commands. The backend verifies that the Automator is configured and ready to process requests.

```bash
My Vault> automator setup 888888888888
My Vault> automator init 888888888888
My Vault> automator enable 888888888888 
```

For more information about the Keeper Automator for SSO device approvals, see the [Automator Service](https://docs.keeper.io/sso-connect-cloud/device-approvals/automator) documentation.

### scim command

**Command:** `scim`

**Detail:** Configures SCIM endpoints

When the `scim` command is executed without parameters, it displays the list of available SCIM endpoints as well as command help.

```bash
scim command [target] [--options]
 Command            Description
=================================================================
 list               Displays the list of SCIM endpoints
 create             Creates SCIM endpoint
 view               Prints SCIM endpoint details
 edit               Changes SCIM endpoint configuration
 delete             Deletes SCIM endpoint
 push               Pushes data to SCIM endpoint
 
 list, create
 'target' parameter is ignored 
 
 view, edit, delete
 these commands require 'target' parameter: SCIM endpoint ID
 
 Option             Commands
=================================================================
 --reload           all : Reloads SCIM configuration
 --node             create : Node ID or Name 
 --prefix           create, edit : Role prefix
 --unique-groups    create, edit : Unique groups 
 --force            delete : Do not ask for delete confirmation

```

**Examples:**

Create SCIM endpoint for node `SCIM Node`

```bash
My Vault> scim create --node="SCIM Node"                                                                                                                                                 

SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: yIiq6Y4FnWtOPtqatUzZH7BI4FaUNhIbwEtDT5esL-g

```

Edit the SCIM endpoint configuration. Editing a SCIM endpoint generates a new provisioning token.

```bash
My Vault> scim edit 888888888888 --prefix="Group_"                                                                                                                                   

SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: 6oykLqC2-d20Sy3N2d-HKZtGzOt63U60rJz8CLagszY

```

Delete SCIM endpoint

```bash
My Vault> scim delete 820338837203                                                                                                                                                   

ALERT!
You are about to delete SCIM endpoint 888888888888

Do you want to proceed with deletion? [y/n]: y
SCIM endpoint "888888888888" at node "7777777777777" deleted

```

Push group and user data to SCIM endpoint

```
My Vault> scim push 820338837203 --source=google --record=AW6XZoJr8VM3rlFoxW_6rg
```

**Switches**

`--source` Source of SCIM data. Available values: `google, ad`

`--record` Record UID with SCIM configuration

#### Configuring SCIM source for push

* [Common configuration steps](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/scim-push-configuration#common-for-all-sources)
* [Google Workspace](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/scim-push-configuration#google-workspace)
* [Active Directory](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/scim-push-configuration#active-directory-configuration)

### audit-alert command

**Command:** `audit-alert`

**Detail:** Manages Audit Alerts

When `audit-alert` is executed without parameters, it displays the list of available alerts as well as command help.

```
audit-alert command [--options]
Command       Description
------------  ---------------------------------------------
list          Display alert list
view          View alert configuration
history       View alert history
delete        Delete audit alert(s) - single, range, or all
add           Add audit alert
edit          Edit audit alert
reset-counts  Reset alert counts
enable        Enable audit alert
disable       Disable audit alert
recipient     Modify alert recipients
```

To get help on a command, run:

```
My Vault> audit-alert <command> -h
```

`list` options

```
  --format {table,csv,json} 
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  --reload              reload alert information

```

```bash
My Vault> audit-alert list --reload
My Vault> aa l
```

`view` options

```bash
positional arguments:
  ALERT                 Alert ID or Name

options:  
  --all                 View all alerts
  --format {table,csv,json,pdf} 
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
```

```bash
My Vault> audit-alert view "Failed Login"
My Vault> aa v 1
              Alert ID  1
            Alert name  Failed Login
                Status  Enabled
             Frequency  Every Occurrence
            Recipients:
Send To Originator (*)  False

          Recipient ID  1
                  Name  Administrator
                Status  Enabled
              Email To  admin@company.com
```

View all alert configurations

```
My Vault> audit-alert view --all
```

Export all alert configurations

```
My Vault> audit-alert view --all --format <format> --output <path>
```

Example

```
My Vault> audit-alert view --all --format csv --output /Users/Commander/output.csv
Report path: /Users/Commander/output.csv
```

Export a specific alert configuration

```
My Vault> audit-alert view <ALERT> --format <format> --output <path>
```

Replace `<format>` with the desired export format (`table`, `json`, `csv` or `pdf`) and `<path>` with the full file path and name where the output should be saved.

`history` options

```
ALERT       Alert ID or Name.
```

```
My Vault> aa h 1                                                                                                                                           
Alert Sent At         Occurrences
---------------       -------------
2023-02-10 18:55:00              1
```

`delete` options

```
positional arguments:
  ALERT            Alert ID or Name.

options:
  -h, --help       show this help message and exit
  --all            Delete all alerts
  --from ALERT ID  Starting alert ID for range deletion
  --to ALERT ID    Ending alert ID for range deletion
  --force          Force deletion without confirmation prompt
```

Delete a specific Audit Alert using Alert Name

```
My Vault> audit-alert delete "Failed Login"    
```

Delete a specific Audit Alert using Alert ID

```
My Vault> audit-alert delete [ALERT ID]
```

Example

```
My Vault> audit-alert delete 1

The following 1 alert(s) will be deleted:
------------------------------------------------------------
  ID: 1 | Name: alert_test_1
------------------------------------------------------------
Are you sure you want to delete 1 alert(s)? (y/n): y
  ID  Name                    Events                  Frequency                          Occurrences    Alerts Sent  Last Sent                  Active
----  ----------------------  ----------------------  -------------------------------  -------------  -------------  -------------------------  --------
   2  Failed Login            login_failure           Every Occurrence                             0                                            True
   3  alert_test_2                                    Every Occurrence                             8              3                             True
   4  alert_test_3                                    Every Occurrence                             8              3                             True
   5  alert_test_4                                    Every Occurrence                             6              2                             True
```

Delete Audit Alerts in a Range

```
My Vault> audit-alert delete --from [ALERT ID] --to [ALERT ID]
```

Delete All Audit Alerts

```
My Vault> audit-alert delete --all
```

Delete Audit Alert without confirmation prompt

```
My Vault> audit-alert delete [ALERT ID] --force
My Vault> audit-alert delete --all --force
My Vault> audit-alert delete --from [ALERT ID] --to [ALERT ID] --force
```

`add` options

```
  --name NAME           Alert Name.
  --frequency FREQUENCY
                        Alert Frequency. "[N:]event|minute|hour|day"
  --audit-event EVENT   Audit Event. Can be repeated.
  --user USER           Username. Can be repeated.
  --record-uid RECORD_UID
                        Record UID. Can be repeated.
  --shared-folder-uid SHARED_FOLDER_UID
                        Shared Folder UID. Can be repeated.
```

```
My Vault> audit-alert add --name="Failed Login" --frequency=event --audit-event=login_failure
```

`edit` options

```
  ALERT       Alert ID or Name.

  --name NAME           Alert Name.
  --frequency FREQUENCY
                        Alert Frequency. "[N:]event|minute|hour|day"
  --audit-event EVENT   Audit Event. Can be repeated.
  --user USER           Username. Can be repeated.
  --record-uid RECORD_UID
                        Record UID. Can be repeated.
  --shared-folder-uid SHARED_FOLDER_UID
                        Shared Folder UID. Can be repeated.
```

```
My Vault> audit-alert edit --frequency=2:hour   
```

`reset-counts` options

```
ALERT       Alert ID or Name.
```

```
My Vault> audit-alert reset-counts 1       
```

`recipient` options

```
ALERT       Alert ID or Name.

recipient actions:
  {enable,disable,delete,add,edit}
    enable              enables recipient
    disable             disables recipient
    delete              deletes recipient
    add                 adds recipient
    edit                edit recipient

```

`recipient enable`, `disable` or `delete` options

```
  RECIPIENT   Recipient ID or Name. Use "*" for "User who generated event"
```

```
My Vault> audit-alert recipient 1 enable *
# enables "User who generated event"  
My Vault> audit-alert recipient 1 disable Administrator
# disables recipient by name
My Vault> audit-alert recipient 1 delete 1
```

`recipient add` or `edit` options

```
RECIPIENT   Recipient ID or Name.  # edit only
  --name NAME           recipient name
  --email EMAIL         email address
  --phone PHONE         phone number. +1 (555) 555-1234
  --webhook URL         Webhook URL. See https://docs.keeper.io/enterprise-guide/webhooks
  --http-body BODY      Webhook HTTP Body. @filename to load body from a file
  --cert-errors {ignore,enforce}
                        Webhook SSL Certificate errors
  --generate-token      Generate new access token
```

```
My Vault> audit-alert recipient "Failed Login" add --name="Administrator" --email=admin@company.com 
# add email recipient and assign name "Administrator"
My Vault> aa r 1 edit 1 --name="Admin"  
# change recipient #1 name on alert #1
My Vault> aa r 1 edit 1 --email= --phone="+1(555)555-1234"
# change recipient #1 on alert # 1 from email to Text Message
```

`enable` options

```
  ALERT       Alert ID or Name

options:
  -h, --help  show this help message and exit
  --all       Apply action to all alerts
```

`disable` options

```
  ALERT       Alert ID or Name

options:
  -h, --help  show this help message and exit
  --all       Apply action to all alerts
```

### mc-transfer command

**Command:** `mc-transfer`

**Detail:** Performs transfer of managed companies between MSPs

When `mc-transfer` is executed without parameters, it displays the list of available alerts as well as command help.

```
My Vault> help mc-transfer                                                                                                                            

Command    Description
---------  ------------------------------------------
join-msp   Initializes Regular/MC/MSP transfer to MSP
leave-msp  Initializes MC leaving MSP
accept-mc  MSP accepts Regular/MC/MSP transfer
cancel     Cancels MC transfer
status     Checks MC transfer status
perform    Completes MC transfer
```

`join-msp` Initializes Regular/MC/MSP transfer to MSP

```
/My Vault> mc-transfer join-msp -h                                                                                                                     
usage: mc-transfer join-msp [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

Initializes Regular/MC/MSP transfer to MSP
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```

`leave-msp` Initializes MC leaving MSP

```
My Vault> mc-transfer leave-msp -h                                                                                                                    
usage: mc-transfer leave-msp [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

Initializes MC leaving MSP
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```

`accept-mc` MSP accepts Regular/MC/MSP transfer

```
My Vault> mc-transfer accept-mc -h      
usage: mc-transfer accept-mc [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

MSP accepts Regular/MC/MSP transfer
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```

`cancel` Cancels MC transfer

```
My Vault> mc-transfer cancel -h                                                                                                                       
usage: mc-transfer cancel [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

Cancels MC transfer
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```

`status` Checks MC transfer status

```
My Vault> mc-transfer status -h                                                                                                                       
usage: mc-transfer status [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

Checks MC transfer status
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```

`perform` Completes MC transfer

```
My Vault> mc-transfer perform -h                                                                                                                      
usage: mc-transfer perform [-h] [--target-name TARGET_NAME] [--target-email TARGET_EMAIL]

Completes MC transfer
options:
  -h, --help            show this help message and exit
  --target-name TARGET_NAME
                        Target enterprise name
  --target-email TARGET_EMAIL
                        Target administrator email
```
