Commands related to Admin Console and Enterprise Management functions
Whether you use the interactive shell, the CLI or a JSON config file, Keeper Commander supports the following commands. Each command accepts additional parameters and options.
To get help on a particular command, run:
help <command>
Enterprise Management Commands
Command: Explanation
enterprise-info (ei): Display enterprise information
enterprise-user (eu): Manage enterprise users
enterprise-role (er): Manage enterprise roles and policies
enterprise-team (et): Manage enterprise teams
enterprise-node (en): Manage enterprise nodes
enterprise-push: Populate user and team vaults with predetermined records
enterprise-down (ed): Download & decrypt enterprise data
team-approve: Approve queued teams and users provisioned by SCIM or Active Directory Bridge
device-approve: Approve SSO Cloud devices that are pending from end-users
create-user: Create a new user and vault, and add a record to the current vault with that user's credentials
transfer-user: Transfer an account to another user
automator: Manage SSO Cloud Automator for Device Approvals
scim: Manage SCIM endpoints
audit-alert: Manage Audit Alerts
Command: enterprise-info
or ei
Detail: Display information about your enterprise in a tree structure
Parameters:
Text to search for. Can apply to users, teams, and roles
Switches:
-n, --nodes: display nodes
--node <NODE>: show the tree structure from the specified node
-u, --users: display the user list
-t, --teams: display the team list
-r, --roles: display the role list
-v, --verbose: show IDs with the output
--format <{table, csv, json}>: format to show the output in
  table - show information in a table layout
  csv - output information in CSV format
  json - output information in JSON format
--output <OUTPUT FILE>: a file to write the output to
--columns <COLUMNS>: columns to include in the output, given as a comma-separated list. The available columns depend on the type of data being viewed:
Users: name, status, transfer_status, node, team_count, teams, role_count, roles, alias, 2FA status
Teams: restricts, node, user_count, users, queued_user_count, queued_users
Roles: is_visible_below, is_new_user, is_admin, node, user_count, users
Nodes: parent_node, user_count, team_count, teams, role_count, roles, provisioning
Examples:
Display the enterprise name and node structure
Search the enterprise for users named "John Doe"
Output a list of teams in the enterprise to a CSV file
Display a list of roles, showing only whether each is an admin role and how many users it has
Show the node tree starting from the node named "Keeper Security". Pass the root node to see the entire organization's node tree
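The --format json and --output switches make the user list scriptable. The following Python script is an added example, not part of Commander or of this page: it reads the file written by ei --users --format json --output users.json and flags the users a reviewer would act on first, in particular members of an administrator role who have no 2FA, which is where a REQUIRE_TWO_FACTOR enforcement should land first. The key names Commander writes in the JSON are not shown on this page, so the script assumes they match the column names listed above; the sample data is constructed. Inspect one real users.json before relying on the field names.

```python
import json

# Constructed sample, shaped after the column names this page lists for
# "ei --users" (name, status, transfer_status, node, roles, teams, 2FA status).
# The key names Commander writes with --format json are an assumption:
# inspect one real users.json before trusting the field names below.
SAMPLE_USERS_JSON = json.dumps([
    {"name": "alice@example.com", "status": "active", "transfer_status": "",
     "node": "Chicago", "roles": ["Keeper Administrator"],
     "teams": ["Chicago Engineering"], "2FA status": "on"},
    {"name": "bob@example.com", "status": "active", "transfer_status": "",
     "node": "Chicago", "roles": ["Employee"], "teams": [], "2FA status": "off"},
    {"name": "carol@example.com", "status": "invited", "transfer_status": "",
     "node": "Cork", "roles": "Employee", "teams": "", "2FA status": "off"},
    {"name": "dave@example.com", "status": "active", "transfer_status": "pending",
     "node": "EMEA", "roles": "Keeper Administrator, Employee",
     "teams": "Legal", "2FA status": "off"},
])

# Substrings that mark a role as privileged (the page's "is_admin" idea).
ADMIN_ROLE_MARKERS = ("administrator", "admin")


def load_users(text):
    """Parse the file written by: ei --users --format json --output users.json"""
    data = json.loads(text)
    if isinstance(data, dict):          # tolerate an object wrapping the list
        data = data.get("users", [])
    return data


def as_list(value):
    """List-valued columns may arrive as a JSON list or a comma-joined string."""
    if isinstance(value, list):
        return value
    return [v.strip() for v in str(value).split(",") if v.strip()]


def is_admin(user):
    roles = [r.lower() for r in as_list(user.get("roles", []))]
    return any(marker in role for role in roles for marker in ADMIN_ROLE_MARKERS)


def has_2fa(user):
    return str(user.get("2FA status", "")).strip().lower() in ("on", "true", "enabled", "yes")


def audit(users):
    """Findings a reviewer acts on, in a fixed order so output diffs cleanly between runs."""
    findings = {"admins_without_2fa": [], "active_without_2fa": [],
                "pending_invites": [], "pending_transfers": []}
    for user in users:
        name = user.get("name", "?")
        if str(user.get("status", "")).lower() == "invited":
            findings["pending_invites"].append(name)   # no vault yet, nothing else to check
            continue
        if not has_2fa(user):
            findings["active_without_2fa"].append(name)
            if is_admin(user):
                findings["admins_without_2fa"].append(name)
        if str(user.get("transfer_status", "")).lower() == "pending":
            findings["pending_transfers"].append(name)
    return findings


def no_2fa_by_node(users):
    """Active users without 2FA per node: where to enforce REQUIRE_TWO_FACTOR first."""
    counts = {}
    for user in users:
        if str(user.get("status", "")).lower() == "invited" or has_2fa(user):
            continue
        node = user.get("node", "")
        counts[node] = counts.get(node, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_JSON
    users = load_users(text)
    for check, names in audit(users).items():
        print(f"{check}: {', '.join(names) or '-'}")
    print("no 2FA by node:", no_2fa_by_node(users))
```

Run it as python audit_users.py users.json; without an argument it audits the constructed sample. Invited users are reported separately rather than counted as "no 2FA", because until they log in there is no vault to evaluate.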
Command: enterprise-user
or eu
Detail: Manage an enterprise user
Parameters:
User's UID or email address.
Note: you can use the following command to see a list of users in the enterprise:
ei --users
Switches:
--expire: expire the user's master password
--extend: extend vault transfer consent for 7 days. Supports the pseudo user @all
--lock: lock the user's account
--unlock: unlock the user's account. Supports the pseudo user @all
--disable-2fa: disable 2FA for the user
--add: invite the given email address to create a vault in the enterprise (only works with an email address as the parameter)
--invite: send an invite to the given email address. Can be sent to previously invited users
--delete: delete the user from the enterprise. Be careful: this also deletes all of their records, both owned and shared to others.
--name <NAME>: set the user's display name
--node <NODE NAME OR UID>: add the user to the node with the specified name or UID. To view a list of your nodes, use enterprise-info --nodes
--add-role <ROLE NAME OR UID>: add the user to the role with the specified name or UID. To view a list of roles, use enterprise-info --roles. Supports the pseudo user @all
--remove-role <ROLE NAME OR UID>: remove the user from the role with the specified name or UID
--add-team <TEAM NAME OR UID>: add the user to the team with the specified name or UID. To view a list of teams, use enterprise-info --teams
--remove-team <TEAM NAME OR UID>: remove the user from the team with the specified name or UID
--add-alias <EMAIL>: add an alias, in the form of an email address, to a user. The alias added becomes the "primary" email for the user; applying the switch to an existing alias sets it as primary. Note that this is only permitted on reserved domains.
--delete-alias <EMAIL>: delete an email alias for a user
-f, --force: do not prompt for confirmation
-v, --verbose: debug output which includes IDs and other data
Examples:
Show details of user "John.Doe@gmail.com"
For the user with the given UID, add them to the Chicago node and the "Chicago Engineering" team
Send an invite to "Jane.Doe@gmail.com" to open a vault in the enterprise
Lock the account with the given UID
Add an alias for a user who changed their name and set as primary
Add all enterprise users to the "Employee" role
Command: enterprise-role
or er
Detail: Manage an enterprise role or enforcement policy
Note: you can use the following command to see a list of roles in the enterprise:
ei --roles
Usage: er <ROLE>
Parameters:
<ROLE> Name or UID of role(s). Separate with spaces to use multiple
Switches:
--add: add a new role to the enterprise
--delete: delete the role
--add-user <USER NAME OR UID>: add a user to the role. Use with --add
--remove-user <USER NAME OR UID>: remove a user from the role
--visible-below <{on,off}>: make a role visible or invisible to roles beneath it
--new-user <{on,off}>: automatically assign new users to this role
--node <NODE NAME OR UID>: the node to add the role to
--name <NAME>: name the role
--add-admin <NODE>: set the node to be administered by the specified role(s)
--remove-admin <NODE>: unset the node administered by the specified role(s)
--cascade <{on,off}>: use with --add-admin to extend admin privileges for the specified role(s) to child nodes as well (if 'on')
--enforcement <POLICY>:<VALUE>, --enforcement <POLICY>:$FILE=<PATH TO FILE WITH VALUE>: set the enforcement policy for the given role, using either the literal policy value (e.g. "True", "e", 10) or a reference to a file containing that value. See the list of available enforcement policies in the table below.
--copy: make a duplicate role with no users
--clone: make a duplicate role with the same users as the original
--add-team, -at <TEAM NAME>: add a team to the given role
--add-privilege, -ap <PRIVILEGE NAME>: add an admin privilege to the role
--remove-privilege, -rp <PRIVILEGE NAME>: remove an admin privilege from the role
-v, --verbose: show IDs with the output, including all available enforcement policies
-f, --force: do not prompt for confirmation (non-interactive mode)
Examples:
Show details about the "Keeper Administrator" role including all enforcements
Show details about the role with the given UID and the "Engineer Team Lead" role
Add a new role named "Onboarding" and make new users automatically assigned to this role
Make user John Doe admin of the role with the given UID and all child roles
Rename the "PM" role to "Product Manager"
Add the three nodes with given UIDs to the "Chicago" node
Create a copy of the role in the "Chicago" node
Use the --enforcement switch to edit enforcement policies on the given role. Pass a policy key and the corresponding value to the switch in order to change the enforcement.
Alternatively, set a role enforcement policy to the value specified in an external file.
Example restricting the "Engineering" role from importing records (RESTRICT_IMPORT).
The available enforcement policies are listed below.
Enforcement Policy Key (Type)
MASTER_PASSWORD_MINIMUM_LENGTH (LONG)
MASTER_PASSWORD_MINIMUM_SPECIAL (LONG)
MASTER_PASSWORD_MINIMUM_UPPER (LONG)
MASTER_PASSWORD_MINIMUM_LOWER (LONG)
MASTER_PASSWORD_MINIMUM_DIGITS (LONG)
MASTER_PASSWORD_RESTRICT_DAYS_BEFORE_REUSE (LONG)
REQUIRE_TWO_FACTOR (BOOLEAN)
MASTER_PASSWORD_MAXIMUM_DAYS_BEFORE_CHANGE (LONG)
MASTER_PASSWORD_EXPIRED_AS_OF (LONG)
MINIMUM_PBKDF2_ITERATIONS (LONG)
MAX_SESSION_LOGIN_TIME (LONG)
RESTRICT_PERSISTENT_LOGIN (BOOLEAN)
STAY_LOGGED_IN_DEFAULT (BOOLEAN)
RESTRICT_SHARING_ALL (BOOLEAN)
RESTRICT_SHARING_ENTERPRISE (BOOLEAN)
RESTRICT_SHARING_ALL_OUTGOING (BOOLEAN)
RESTRICT_SHARING_ENTERPRISE_OUTGOING (BOOLEAN)
RESTRICT_EXPORT (BOOLEAN)
RESTRICT_FILE_UPLOAD (BOOLEAN)
REQUIRE_ACCOUNT_SHARE (ACCOUNT_SHARE)
RESTRICT_SHARING_ALL_INCOMING (BOOLEAN)
RESTRICT_SHARING_ENTERPRISE_INCOMING (BOOLEAN)
RESTRICT_SHARING_RECORD_WITH_ATTACHMENTS (BOOLEAN)
RESTRICT_IP_ADDRESSES (IP_WHITELIST)
REQUIRE_DEVICE_APPROVAL (BOOLEAN)
REQUIRE_ACCOUNT_RECOVERY_APPROVAL (BOOLEAN)
RESTRICT_VAULT_IP_ADDRESSES (IP_WHITELIST)
TIP_ZONE_RESTRICT_ALLOWED_IP_RANGES (IP_WHITELIST)
AUTOMATIC_BACKUP_EVERY_X_DAYS (LONG)
RESTRICT_OFFLINE_ACCESS (BOOLEAN)
SEND_INVITE_AT_REGISTRATION (BOOLEAN)
RESTRICT_EMAIL_CHANGE (BOOLEAN)
RESTRICT_IOS_FINGERPRINT (BOOLEAN)
RESTRICT_MAC_FINGERPRINT (BOOLEAN)
RESTRICT_ANDROID_FINGERPRINT (BOOLEAN)
RESTRICT_WINDOWS_FINGERPRINT (BOOLEAN)
LOGOUT_TIMER_WEB (LONG)
LOGOUT_TIMER_MOBILE (LONG)
LOGOUT_TIMER_DESKTOP (LONG)
RESTRICT_WEB_VAULT_ACCESS (BOOLEAN)
RESTRICT_EXTENSIONS_ACCESS (BOOLEAN)
RESTRICT_MOBILE_ACCESS (BOOLEAN)
RESTRICT_DESKTOP_ACCESS (BOOLEAN)
RESTRICT_MOBILE_IOS_ACCESS (BOOLEAN)
RESTRICT_MOBILE_ANDROID_ACCESS (BOOLEAN)
RESTRICT_MOBILE_WINDOWS_PHONE_ACCESS (BOOLEAN)
RESTRICT_DESKTOP_WIN_ACCESS (BOOLEAN)
RESTRICT_DESKTOP_MAC_ACCESS (BOOLEAN)
RESTRICT_CHAT_DESKTOP_ACCESS (BOOLEAN)
RESTRICT_CHAT_MOBILE_ACCESS (BOOLEAN)
RESTRICT_COMMANDER_ACCESS (BOOLEAN)
RESTRICT_TWO_FACTOR_CHANNEL_TEXT (BOOLEAN)
RESTRICT_TWO_FACTOR_CHANNEL_GOOGLE (BOOLEAN)
RESTRICT_TWO_FACTOR_CHANNEL_DNA (BOOLEAN)
RESTRICT_TWO_FACTOR_CHANNEL_DUO (BOOLEAN)
RESTRICT_TWO_FACTOR_CHANNEL_RSA (BOOLEAN)
TWO_FACTOR_DURATION_WEB (TWO_FACTOR_DURATION)
TWO_FACTOR_DURATION_MOBILE (TWO_FACTOR_DURATION)
TWO_FACTOR_DURATION_DESKTOP (TWO_FACTOR_DURATION)
RESTRICT_TWO_FACTOR_CHANNEL_SECURITY_KEYS (BOOLEAN)
TWO_FACTOR_BY_IP (JSONARRAY)
RESTRICT_DOMAIN_ACCESS (STRING)
RESTRICT_DOMAIN_CREATE (STRING)
RESTRICT_HOVER_LOCKS (BOOLEAN)
RESTRICT_PROMPT_TO_LOGIN (BOOLEAN)
RESTRICT_PROMPT_TO_FILL (BOOLEAN)
RESTRICT_AUTO_SUBMIT (BOOLEAN)
RESTRICT_PROMPT_TO_SAVE (BOOLEAN)
RESTRICT_PROMPT_TO_CHANGE (BOOLEAN)
RESTRICT_AUTO_FILL (BOOLEAN)
RESTRICT_CREATE_FOLDER (BOOLEAN)
RESTRICT_CREATE_FOLDER_TO_ONLY_SHARED_FOLDERS (BOOLEAN)
RESTRICT_CREATE_IDENTITY_PAYMENT_RECORDS (BOOLEAN)
MASK_CUSTOM_FIELDS (BOOLEAN)
MASK_NOTES (BOOLEAN)
MASK_PASSWORDS_WHILE_EDITING (BOOLEAN)
GENERATED_PASSWORD_COMPLEXITY (STRING)
GENERATED_SECURITY_QUESTION_COMPLEXITY (STRING)
RESTRICT_IMPORT (BOOLEAN)
DAYS_BEFORE_DELETED_RECORDS_CLEARED_PERM (LONG)
DAYS_BEFORE_DELETED_RECORDS_AUTO_CLEARED (LONG)
ALLOW_ALTERNATE_PASSWORDS (BOOLEAN)
RESTRICT_CREATE_RECORD (BOOLEAN)
RESTRICT_CREATE_RECORD_TO_SHARED_FOLDERS (BOOLEAN)
RESTRICT_CREATE_SHARED_FOLDER (BOOLEAN)
RESTRICT_LINK_SHARING (BOOLEAN)
RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES (BOOLEAN)
RESTRICT_SHARING_RECORD_TO_SHARED_FOLDERS (BOOLEAN)
DISABLE_SETUP_TOUR (BOOLEAN)
RESTRICT_PERSONAL_LICENSE (BOOLEAN)
DISABLE_ONBOARDING (BOOLEAN)
DISALLOW_V2_CLIENTS (BOOLEAN)
RESTRICT_IP_AUTOAPPROVAL (BOOLEAN)
SEND_BREACH_WATCH_EVENTS (BOOLEAN)
RESTRICT_BREACH_WATCH (BOOLEAN)
RESEND_ENTERPRISE_INVITE_IN_X_DAYS (LONG)
MASTER_PASSWORD_REENTRY (JSON)
RESTRICT_ACCOUNT_RECOVERY (BOOLEAN)
KEEPER_FILL_HOVER_LOCKS (TERNARY_DEN)
KEEPER_FILL_AUTO_FILL (TERNARY_DEN)
KEEPER_FILL_AUTO_SUBMIT (TERNARY_DEN)
KEEPER_FILL_MATCH_ON_SUBDOMAIN (TERNARY_DEN)
KEEPER_FILL_AUTO_SUGGEST (TERNARY_DEN)
RESTRICT_PROMPT_TO_DISABLE (BOOLEAN)
RESTRICT_HTTP_FILL_WARNING (BOOLEAN)
RESTRICT_RECORD_TYPES (RECORD_TYPES)
ALLOW_SECRETS_MANAGER (BOOLEAN)
REQUIRE_SELF_DESTRUCT (BOOLEAN)
MAXIMUM_RECORD_SIZE (LONG)
ALLOW_PAM_ROTATION (BOOLEAN)
ALLOW_PAM_DISCOVERY (BOOLEAN)
RESTRICT_IMPORT_SHARED_FOLDERS (BOOLEAN)
REQUIRE_SECURITY_KEY_PIN (BOOLEAN)
DISABLE_CREATE_DUPLICATE (BOOLEAN)
ALLOW_PAM_GATEWAY (BOOLEAN)
ALLOW_CONFIGURE_ROTATION_SETTINGS (BOOLEAN)
ALLOW_ROTATE_CREDENTIALS (BOOLEAN)
ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS (BOOLEAN)
ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION (BOOLEAN)
ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS (BOOLEAN)
ALLOW_LAUNCH_PAM_TUNNELS (BOOLEAN)
ALLOW_LAUNCH_RBI (BOOLEAN)
ALLOW_CONFIGURE_RBI (BOOLEAN)
ALLOW_VIEW_KCM_RECORDINGS (BOOLEAN)
ALLOW_VIEW_RBI_RECORDINGS (BOOLEAN)
RESTRICT_MANAGE_TLA (BOOLEAN)
RESTRICT_SELF_DESTRUCT_RECORDS (BOOLEAN)
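Because --enforcement takes a free-form KEY:VALUE string, a typo in a key or a value of the wrong type is easy to make in a bulk hardening run. The following Python script is an added example, not part of Commander or of this page: it validates each setting against the type column of the table above before emitting the er --enforcement lines, covering both the literal form (KEY:VALUE) and the file form (KEY:$FILE=PATH) described earlier. Only LONG and BOOLEAN values are type-checked; IP_WHITELIST, STRING and the other special types are passed through unchanged because their value syntax is not shown on this page. The role name, the subset of keys in POLICY_TYPES and the baseline values are illustrative choices, not Keeper recommendations.

```python
import os
import re
import shlex
import tempfile

# Policy types transcribed from the enforcement table on this page. Only a
# handful are listed; extend the dict from the table as you need more keys.
POLICY_TYPES = {
    "REQUIRE_TWO_FACTOR": "BOOLEAN",
    "RESTRICT_IMPORT": "BOOLEAN",
    "RESTRICT_EXPORT": "BOOLEAN",
    "RESTRICT_SHARING_ALL_OUTGOING": "BOOLEAN",
    "RESTRICT_PERSISTENT_LOGIN": "BOOLEAN",
    "MASTER_PASSWORD_MINIMUM_LENGTH": "LONG",
    "MINIMUM_PBKDF2_ITERATIONS": "LONG",
    "LOGOUT_TIMER_WEB": "LONG",
    "RESTRICT_IP_ADDRESSES": "IP_WHITELIST",
    "RESTRICT_DOMAIN_ACCESS": "STRING",
}


class PolicyError(ValueError):
    """Raised for an unknown key or a value that does not fit the key's type."""


def normalize_value(key, value):
    """Check VALUE against KEY's declared type and return the literal for --enforcement."""
    ptype = POLICY_TYPES.get(key)
    if ptype is None:
        raise PolicyError(f"unknown enforcement key {key!r}")
    if ptype == "BOOLEAN":
        text = str(value).strip().lower()
        if text not in ("true", "false"):
            raise PolicyError(f"{key} expects True or False, got {value!r}")
        return "True" if text == "true" else "False"
    if ptype == "LONG":
        if not re.fullmatch(r"\d+", str(value).strip()):
            raise PolicyError(f"{key} expects a non-negative integer, got {value!r}")
        return str(int(value))
    # IP_WHITELIST, STRING and the other special types are passed through as
    # given; their value syntax is not shown on this page, so nothing is checked.
    return str(value)


def is_valid(key, value):
    """True when (key, value) would be accepted by normalize_value."""
    try:
        normalize_value(key, value)
        return True
    except PolicyError:
        return False


def enforcement_command(role, key, value):
    """One 'er ROLE --enforcement KEY:VALUE' line, quoted for the Commander shell."""
    literal = normalize_value(key, value)
    return f"er {shlex.quote(role)} --enforcement {shlex.quote(key + ':' + literal)}"


def enforcement_command_from_file(role, key, value, directory=None):
    """Same, but the value is written to a file and referenced with $FILE=PATH."""
    literal = normalize_value(key, value)
    directory = directory or tempfile.mkdtemp(prefix="keeper-policy-")
    path = os.path.join(directory, key + ".txt")
    with open(path, "w") as fh:
        fh.write(literal)
    return f"er {shlex.quote(role)} --enforcement {shlex.quote(key + ':$FILE=' + path)}"


def baseline_commands(role, settings):
    """Validate every setting first: one bad entry aborts the batch before anything is applied."""
    return [enforcement_command(role, key, value) for key, value in settings.items()]


if __name__ == "__main__":
    # An illustrative hardening baseline for an "Engineering" role.
    for line in baseline_commands("Engineering", {
        "REQUIRE_TWO_FACTOR": True,
        "RESTRICT_IMPORT": True,
        "RESTRICT_EXPORT": True,
        "RESTRICT_PERSISTENT_LOGIN": True,
        "MINIMUM_PBKDF2_ITERATIONS": 1000000,
    }):
        print(line)
```

The printed lines are meant to be pasted into the Commander shell, or reviewed in a change ticket first. Validating the whole batch before emitting anything matters because a role left half-configured (say, RESTRICT_EXPORT applied but REQUIRE_TWO_FACTOR rejected) is worse than a batch that fails cleanly.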
Examples for each value type
Command: enterprise-team
or et
Detail: Manage enterprise teams
Parameters:
Team name or UID
Note: you can use the following command to see a list of teams in the enterprise:
ei --teams
Switches:
--add: add a new team to the enterprise
--delete: delete the team
--add-user <USER NAME OR UID>: add a user to the team
--remove-user <USER NAME OR UID>: remove a user from the team
--node <NODE NAME OR UID>: the node to add the team to
--name <NAME>: name the team
--approve: approve a queued team. Queued teams are typically created by SCIM requests and still need their encryption keys to be created, so they remain in a queued state until an admin logs into the Admin Console or this command is executed.
--restrict-edit <{on,off}>: decide whether users in this team can edit records
--restrict-share <{on,off}>: decide whether users in this team can share records
--restrict-view <{on,off}>: decide whether users in this team can view record passwords
--hide-shared-folder, -hsf <{on,off}>: flag to determine whether users in this team can see shared folders
--add-role, -ar <ROLE NAME>: add a role to the given team
-v, --verbose: show IDs with the output
Examples:
Show details of "Chicago Engineering" team
Show details for "Chicago Engineering" and "Legal" teams
Add a new team named "Chicago Product" in the "Chicago" node, and restrict users in the team from editing records
Change the name of the team with the given UID to "El Dorado Hills Engineering"
Command: enterprise-node
or en
Detail: Manage enterprise nodes
Parameters:
Node name or UID
Note: you can use the following command to see a list of nodes in the enterprise:
ei --nodes
Switches:
--add: add a new node to the enterprise
--delete: delete the node. Note this won't be allowed until all objects in the node are deleted.
--parent <NODE NAME OR UID>: make the given node the parent of this node
--name <NAME>: set the node's display name
--wipe-out: delete all nodes, roles, users, and teams under the node. Does not delete the node itself. Be careful with this switch.
--toggle-isolated: make the node visible or invisible to people in other nodes
--invite-email <FILE_NAME>: set the invite email template from a file. If the file does not exist, the current template is saved to it instead; use a dash (-) to write it to stdout. See the Custom Emails section below.
--logo-file <FILE_NAME>: set the company / node logo using a local image file (max size: 500 kB, min dimensions: 10x10, max dimensions: 320x320)
Examples:
Show details for the "Chicago" node
For the three nodes: "Chicago", "El Dorado Hills" and node with the given UID, change the parent node to node "NA"
Add a new node named "Cork" under the "EMEA" node
Delete all nodes, roles, users, and teams from under the "APAC" node
Make the "Chicago" node invisible (if currently visible) or visible (if currently invisible) to people in other nodes
Customize the appearance of invite emails and vault UI by using the "chicago_logo.jpg" file in the current user's $HOME directory as the logo image for the "Chicago" node.
The --invite-email switch allows you to set a custom email template per node.
Similar to how email templates can be customized in the web Admin Console, custom email templates on the CLI support customization of the following four attributes:
Subject
Message Heading
Message Body
Download Button Text
Custom email templates can be defined in a .txt file in the following format:
Custom emails can also be formatted using markdown syntax; for more information please refer to this page.
Suppose there are company branches in Chicago and Tokyo with respective nodes Chicago and Tokyo. Ideally, you want the invitation emails to be in each branch's native language:
Invitation emails sent to the Chicago branch should be in English
Invitation emails sent to the Tokyo branch should be in Japanese
The --invite-email switch makes this possible by letting you set the desired email template per node.
First, define the custom email templates for both branches: Chicago and Tokyo
Next, set the appropriate email template for each node:
On Windows, file paths can be specified either in quotation marks or with double backslashes. Either of the following file paths is valid:
"C:\users\file.txt"
or c:\\users\\file.txt
When sending invitation emails, users will receive the following emails based on their branch location:
Command: enterprise-push
Detail: Populate a vault with a set of default records
Parameters:
File name of the file with template records. The file must be in JSON format.
Switches:
--syntax-help: show example file format and template parameters
--team <TEAM NAME OR UID>: team to assign records to
--email <USER EMAIL OR UID>: user to assign records to
Examples:
Send records templated in the "office-codes.json" file to every user in the "Chicago Office" team
Send records templated in the "default.json" file to user "Jane.Doe@gmail.com"
See the syntax help
File Format
The enterprise-push command uses the Keeper JSON record import format.
Example JSON file:
Supported template parameters:
An easy way to find the proper JSON structure is to export some data from your Keeper vault in JSON format, then modify the file as required to create an import file.
To export JSON data for creating a template:
Create an empty folder for storing templates, e.g. "Templates"
Create records in that folder
Export the folder as JSON using the command below
Optional: edit the JSON file to delete the properties "uid", "schema" and "folders", which are not used by the enterprise-push command
The template JSON file should be either an array of records or an object that contains a "records" property holding an array of records.
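The export-then-edit procedure above is easy to automate. The following Python script is an added example, not part of Commander or of this page: it takes a JSON export of the "Templates" folder, removes the "uid", "schema" and "folders" properties the page says enterprise-push does not use, and writes a template in the object-with-"records" shape, accepting either of the two input shapes the page allows. The sample export is constructed; its field names ("title", "login", "password", "login_url", "notes") follow Keeper's JSON import format as this page describes it, but compare them with a real export before use.

```python
import json

# Constructed sample of a vault export of a "Templates" folder. The record
# field names are an assumption based on the Keeper JSON import format;
# "uid", "schema" and "folders" are the properties this page says to drop.
SAMPLE_EXPORT = json.dumps({
    "shared_folders": [],
    "records": [
        {"uid": "AbCdEf0123456789", "title": "Office Door Code",
         "login": "", "password": "4321", "login_url": "",
         "notes": "Front door keypad", "schema": ["login", "password"],
         "folders": [{"folder": "Templates"}]},
        {"uid": "ZyXwVu9876543210", "title": "Wi-Fi",
         "login": "corp-wifi", "password": "CorrectHorse", "login_url": "",
         "notes": "", "schema": ["login", "password"],
         "folders": [{"folder": "Templates"}]},
    ],
})

# Per-vault properties that must not travel into other users' vaults.
DROP_KEYS = ("uid", "schema", "folders")


def extract_records(export_text):
    """Accept a bare array of records or an object with a 'records' array (both forms the page allows)."""
    data = json.loads(export_text)
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("records"), list):
        return data["records"]
    raise ValueError("export must be a JSON array or an object with a 'records' array")


def build_push_template(export_text, drop_keys=DROP_KEYS):
    """Strip per-vault identifiers so the records can be pushed into other vaults."""
    records = []
    for rec in extract_records(export_text):
        cleaned = {k: v for k, v in rec.items() if k not in drop_keys}
        if not cleaned.get("title"):
            raise ValueError("every template record needs a title")
        records.append(cleaned)
    return {"records": records}


def is_push_shape(text):
    """True when TEXT is one of the two shapes enterprise-push accepts."""
    try:
        extract_records(text)
        return True
    except ValueError:
        return False


def write_template(export_text, path):
    """Write the cleaned template to PATH and return the number of records in it."""
    template = build_push_template(export_text)
    with open(path, "w") as fh:
        json.dump(template, fh, indent=2)
    return len(template["records"])


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(json.dumps(build_push_template(source), indent=2))
```

Run it as python make_template.py templates_export.json > office-codes.json and pass the result to enterprise-push --team "Chicago Office" office-codes.json. Keep the generated template out of source control: it holds the plaintext secrets that will be pushed.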
Command: enterprise-down
or ed
Detail: Download & decrypt enterprise data locally.
When an instance of Commander is running and a change is made in the Admin Console or in another instance of Commander, the enterprise-down command downloads and decrypts the latest enterprise data locally.
Example:
Suppose a new user is added in the Admin Console while a Commander session is running. Executing the following command in the running session downloads and decrypts the latest changes locally:
Command: team-approve
Detail: Enable or disable automatic team approval or user approval to teams
When using a provisioning method such as Keeper Bridge or SCIM, new teams and users that have not yet activated their vault are queued for approval. Use this command to enable or disable automatic approval of provisioned teams or users.
Switches:
--team: approve teams
--email: approve team users
--restrict-edit <{on, off}>: restrict or allow editing records in approved teams
--restrict-share <{on, off}>: restrict or allow sharing records in approved teams
--restrict-view <{on, off}>: restrict or allow viewing record passwords in approved teams
Examples:
Sync down any pending Enterprise Team approvals
Automatically approve queued provisioned teams
Automatically approve queued provisioned users
Automatically approve queued provisioned teams and don't allow users in those teams to edit records
Command: device-approve
Detail: Approve cloud SSO devices
Parameters:
User's email or device ID to approve or deny; leave blank to see a list of pending devices
Switches:
-r, --reload: load the current list of pending approvals
-a, --approve: approve the device for the given user email or device ID
-d, --deny: deny the device for the given user email or device ID
--trusted-ip: approve devices from a trusted IP address
--format <{table, csv, json}>: format to show the output in
--output <FILE NAME>: file to send the output to (must use json or csv format)
Examples:
Show list of pending device approvals
Approve user "John.Doe@gmail.com"
Refresh list of pending device approvals
Write list of pending device approvals to a file in csv format
Command: create-user
Detail: Create a new account and vault for the given email address and create a record for the new user's credentials in the current Keeper vault.
To invite new users to an enterprise, see the enterprise-user command.
Parameters:
User's email address
Switches:
--name <NAME>: user's name
--node <NODE>: name or ID of the node to add the user to
--record <RECORD UID>: UID of the record that holds the password for the new account
--folder <FOLDER NAME OR UID>: folder to store the created user credentials in
Examples:
Create a new user account and vault for John.Doe@gmail.com
Send an invitation to John Doe to join Keeper, name the new user "John Doe" and add him to the "Chicago" node
When the create-user command is used to create a new user in the Keeper account, a record is created in the current logged in account with the new user's username and temporary password. Once the new record is created, it can be shared with the new user with a one-time share URL.
The new user will follow this url to receive their temporary credentials and perform the first login.
Command: transfer-user
Detail: Lock account, then transfer a vault from one user to another.
Parameters:
Email or user ID of the vault to be transferred. More than one can be provided, separated by spaces.
Switches:
--target-user <USER EMAIL>: email address of the user account to transfer the vault(s) to
--force, -f: do not prompt for confirmation
Account Transfer must be enabled for the account or for the role the account is in.
The contents of the transferred vault are placed in a folder in the recipient's vault.
Example:
Transfer the vault of keeperuser1@keepersecurity.com to recipient@keepersecurity.com.
To perform a bulk transfer of user accounts, use the command:
transfer-user @filename
This will look for the file named filename that contains a FROM and TO mapping. For example:
Command: automator
Detail: Configures SSO Cloud device automators.
An Automator is a service running at a customer site that can perform certain Keeper administrative actions, such as device approvals or team approvals. More information about the Keeper Automator service is found at this link.
Only the root-level Keeper Administrator role can manage the Automator configuration.
When the automator command is executed without parameters it displays the list of available automators as well as the command help.
Examples:
Create automator with name "Cloud SSO Device Approval".
Edit automator to set the Webhook URL. The Webhook URL is provided by the Automator application.
Skills (Team Approvals, Team-User Approvals, Device Approvals) can be set with the "skill" argument. For example:
Initialize the automator instance using "setup", "init" and "enable" commands. The backend verifies that the Automator is configured and ready to process requests.
For more information about the Keeper Automator for SSO device approvals, see the Automator Service documentation.
Command: scim
Detail: Configures SCIM endpoints
When the scim command is executed without parameters it displays the list of available SCIM endpoints as well as the command help.
Examples:
Create a SCIM endpoint for the node "SCIM Node"
Edit the SCIM endpoint configuration. Editing a SCIM endpoint generates a new provisioning token, so the identity provider must be updated with the new token
Delete the SCIM endpoint
Push group and user data to the SCIM endpoint
Switches
--source: source of the SCIM data. Available values: google, ad
--record: record UID holding the SCIM configuration
Command: audit-alert
Detail: Manages Audit Alerts
When audit-alert is executed without parameters it displays the list of available alerts as well as the command help.
Each of the following sub-commands accepts its own options (see the command help):
list
view
history
delete
add
edit
reset-counts
recipient
recipient enable, disable or delete
recipient add or edit
Methods for creating user accounts with Commander
There are two methods for creating user accounts with Commander:
Invite users to an enterprise with the enterprise-user --add command
Create new user accounts and vaults with the create-user command
This page goes over the usage of each method.
In most cases the best method is to invite new users with enterprise-user --add, which sends vault creation instructions to the new users' email addresses.
create-user may be useful in special circumstances where an administrator needs immediate access to a new vault, or when records need to be shared to a new vault right away.
Enterprises that require MFA or SSO login will need to have those credentials available for each new user if using the create-user command.
Use Commander to invite users to an enterprise by their email address.
To invite users to your enterprise using Commander, use the enterprise-user command with the --add flag.
The invited user's display name can be pre-set by adding the --name flag followed by the desired name.
The invited user can be automatically put into a designated node with the --node flag followed by the name of a node in the enterprise.
Hint: You can use the shortened version of the command as well: eu
e.g. eu John_Smith@example.com --add
Find more information in the command documentation.
To join the enterprise, the invited user will need to accept the invite emailed to them.
When the user clicks "Set Up Your Account Now" they are taken to the Keeper Web Vault to proceed with account creation.
Until the invited user logs into their vault, the vault is not set up or accessible and records cannot be shared with them.
In this example, we take a file with a list of email addresses and send an invite to each address.
Update Commander
Before getting started, be sure that you have the most up-to-date version of Commander. Find the most recent release on the GitHub releases page.
Set Persistent Login
Persistent login allows Commander to run commands without requiring you to log in between each call. To enable persistent login, run the following commands in Keeper Commander:
For more information on persistent login and its options, see the documentation page.
Persistent login keeps a session on the machine, so only enable it on an administrator workstation whose Commander configuration file is protected.
First gather the email addresses into a file. In this example the file looks like this:
Each email address is on its own line. The file can contain any number of email addresses.
Now that the file is ready, a simple script can cycle through each email address and send an invite.
Run the script for your operating system from the examples above to send an invite to each email address in the file.
To expand upon the above example, the file can also include each user's display name and node, and the script applies these details to the user's account when sending the invite.
For this example the file now looks like this:
Each line holds the user's email address, display name, and node, separated by commas.
The given nodes must match existing node names in the Keeper enterprise. The nodes must exist before invites are sent to new users.
To include these details in the invitation command, add the relevant flags to the script.
Notice that the shortened version of the enterprise-user command, eu, is used here.
Run the script appropriate for your OS: each user in the file receives an invite by email, their display name is set, and they are placed in the correct node.
This example could be altered to supply only the display name or the node, or to perform other tasks such as adding a list of users to a specified team or role.
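The following Python script is an added example; it is not one of the operating-system scripts referred to above and not part of Commander. It reads the comma-separated file described here (email, display name, node; the name and node columns may be absent, which covers the simpler email-only file too), rejects malformed addresses and unknown nodes before anything is sent, and builds one eu <email> --add --name ... --node ... --force invocation per user. It assumes Commander is installed as the keeper executable and accepts a command on its command line, that persistent login has been set up as described above, and that KNOWN_NODES was filled from ei --nodes; the sample file and the node list are constructed. By default it only prints the commands (a dry run); pass --run to execute them.

```python
import csv
import io
import re
import shlex
import subprocess
import sys

# Constructed sample of the invite file described above: email, display name, node.
SAMPLE_INVITES = """\
john.smith@example.com,John Smith,Chicago
jane.doe@example.com,Jane Doe,Cork
not-an-email,Bad Entry,Chicago
sam.lee@example.com,Sam Lee,Atlantis
"""

# Node names that exist in the enterprise (constructed); fill from "ei --nodes".
KNOWN_NODES = {"Chicago", "Cork", "EMEA"}

# Deliberately simple: enough to catch a missing "@" or a pasted display name.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_invites(text, known_nodes):
    """Return (valid_rows, rejected_rows). A row with a bad address or an unknown node is never sent."""
    valid, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row or not any(cell.strip() for cell in row):
            continue                                   # blank line
        email = row[0].strip()
        name = row[1].strip() if len(row) > 1 else ""
        node = row[2].strip() if len(row) > 2 else ""
        if not EMAIL_RE.match(email):
            rejected.append((email, "invalid email address"))
        elif node and node not in known_nodes:
            rejected.append((email, f"unknown node {node!r}"))
        else:
            valid.append({"email": email, "name": name, "node": node})
    return valid, rejected


def invite_argv(entry, keeper="keeper"):
    """argv for one invitation: keeper eu EMAIL --add --force [--name NAME] [--node NODE]."""
    argv = [keeper, "eu", entry["email"], "--add", "--force"]
    if entry["name"]:
        argv += ["--name", entry["name"]]
    if entry["node"]:
        argv += ["--node", entry["node"]]
    return argv


def send_invites(entries, dry_run=True):
    """Build every command first, then run them; with dry_run only the command lines are returned."""
    commands = [invite_argv(entry) for entry in entries]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)           # stop on the first failure
    return [shlex.join(argv) for argv in commands]


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--run"]
    text = open(args[0]).read() if args else SAMPLE_INVITES
    valid, rejected = parse_invites(text, KNOWN_NODES)
    for email, reason in rejected:
        print(f"skipped {email}: {reason}", file=sys.stderr)
    for line in send_invites(valid, dry_run="--run" not in sys.argv):
        print(line)
```

Review the dry-run output before re-running with --run: once an invitation is sent it cannot be recalled, and --force suppresses Commander's own confirmation prompt.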
Sometimes it is necessary to create a new user account and vault that are set up and ready before the user logs in. For this, another command can be used: create-user
When the create-user command is used, Commander creates a new user account and sets the enterprise data key required for the account to share records with other accounts in the enterprise. To do this, Commander must log in to the new account once when it is created.
When the command is run, you are prompted to create a password for the new user. Alternatively, you can provide a record from your vault that already holds a password to use as the account's password.
See more information about this command in the command documentation.
Because Commander needs to log in to the new account, if the enterprise requires MFA or SSO login, Commander will need the corresponding credentials for the new account in order to complete vault creation.
It is recommended that enterprises only use create-user in special circumstances, or on initial enterprise creation before MFA or SSO login is set up and required.
The create-user command differs from the enterprise-user --add method in the following ways:
create-user requires a password for the new account to be set by the Commander user (users invited by enterprise-user --add set their own passwords at account creation)
create-user requires Commander to log in to the new account
When creating a user account with create-user the vault is created immediately, and can be accessed or have records shared to it right away
create-user should only be used in special circumstances or when first creating a new enterprise.
To use the create-user command with a list of email addresses from a file, follow the steps above for the enterprise-user command and swap that command with create-user.
For example:
Keeper Commander compliance reporting commands
Requires Compliance Reporting add-on
Compliance reports let account administrators adhere to regulations by providing on-demand visibility to access permissions on records and credentials across the enterprise.
Using Commander, compliance reports can be scheduled and automated, and results can be exported to a CSV file or JSON.
For more information about Compliance Reports, see the Compliance Reports documentation:
compliance-report command
The compliance-report command allows you to run reports just as you would in the Keeper Admin Console: see record permissions by node, user and title, filter by owned or shared records, and output the results to a file.
The compliance-report command relies on a local cache in order to improve performance across multiple report queries.
This means that the first call to compliance-report may take several minutes while the required data is pulled in.
During this time, Commander displays messages explaining the current step.
A manual rebuild of the cache can be forced with the -r flag. Do this to see recent changes in the compliance data.
compliance-report -r
By default, so that the generated report reflects reasonably current data, locally cached data older than 1 day is automatically refreshed via the process described above. As a result, any call to compliance-report that occurs more than 1 day after the previous call triggers another data fetch, which may take as long as a first-time call.
To override this default, use the -nr or --no-rebuild flag. It skips the automatic cache refresh and generates the report solely from previously cached data: the results may be stale, but you avoid the long load time. Use it when you can be confident that the relevant data has not changed significantly since the last cache refresh.
compliance-report -nr
compliance-report -nr
Removing the Cache
The compliance report cache can be removed manually with the --no-cache
flag. When run, this completely removes all cached compliance report information from your machine.
compliance-report --no-cache
Alternatively, you can delete the cache file locally on disk from the location where you ran Commander. Delete the file called sox_<ID>.db
which contains the encrypted compliance data.
The compliance report can be filtered by Node, User, Job Title and if the record is shared, deleted, or active.
Like many Commander reports, the compliance report results can be saved to a file. To do this, use the --output and --format options.
Output
--output [FILE PATH]
Tells Commander to write results to a file at the given location. If no file exists it will be created.
Format
--format [csv, json, table]
Tells Commander the format to write the report results in. The default is table format, which displays a formatted table of results. The other options are Comma Separated Values (CSV) and JavaScript Object Notation (JSON).
If the --format flag is given without the --output flag, the results are shown in Commander in the given format.
compliance command
In addition to enabling users to generate custom reports, Commander also provides the ability to generate specific reports with the compliance command. These reports are generated by invoking the compliance command's supported sub-commands.
The compliance command supports the following sub-commands:
Refer to the sub-command's section for more information.
Shared folders can be shared to Keeper Teams as well as individuals. The compliance report can display a report of the access that each team has to these shared folders.
To run the Compliance Team Report, use the following command in Commander:
compliance team-report
This report uses the compliance report cache described above.
The report shows each team that has access to a shared folder, and what access it has to that shared folder.
If you would like to include team-membership information (i.e., which users belong to each team) in the report, add the optional flag --show-team-users / -tu to your command, as in the following example:
compliance team-report -tu
As a result of the additional flag in the above command, a column titled "Team Users", listing the usernames of all members of each relevant team, is added to the generated report.
The compliance record-access report displays a list of all records that either a) have been accessed by, or b) are currently accessible to any given user(s), along with other relevant information (e.g., app used, IP address, event timestamp, etc.).
To run the Compliance Record-Access Report and show a user's record-access history, run the following command in Commander:
compliance record-access-report user1@company.com
where user1@company.com is the user whose record-access activity we'd like to audit. The resulting output looks something like the following:
Similarly, to show a list of all records that are currently accessible by that same user (i.e., all records currently in the user's vault), run the following command:
compliance record-access-report --report-type=vault user1@company.com
The output of the above command should look similar to the previous example, but will exclude records that are not currently in the user's vault and may include records that have never been accessed by that user.
Additionally, if you would like to run this report for multiple users, you may do so by either specifying each username / ID in a space-delimited list in the command call or by using the "@all" shorthand to indicate that you would like to run the report for all users, as illustrated in the following examples:
compliance record-access-report user1@company.com user2@company.com
compliance record-access-report @all
The compliance summary report displays aggregate information about records within the enterprise (grouped by record owner by default for now; support for grouping by other entities may be added to this feature later).
To run the Compliance Summary Report, run the following command in Commander:
compliance summary-report
or
compliance stats
with the resulting output being something like the following:
Similar to compliance team-report, this command outputs a report detailing the access that all entities (teams as well as individual users) have to all shared folders within the enterprise.
To run the Compliance Shared-Folder Report, run the following command in Commander:
compliance shared-folder-report
or
compliance sfr
with the corresponding output:
Similar to the compliance team-report command described above, this command also accepts an optional --show-team-users / -tu flag indicating that team-membership data be included (where appropriate) in the resulting report. Here is an example of its usage:
compliance sfr -tu
Note that, in contrast to the output of compliance team-report -tu, the report generated by the above command includes the additional team-membership data in the existing column named "Email", and each username associated with a team is preceded by "(TU)" to denote it as such.
See the Reporting Documentation for other reports available in Commander.
How to use Breachwatch Dark Web scanning in Keeper Commander
breachwatch: Run a Breachwatch dark web scan of your records or password. Requires the Breachwatch addon.
Command: breachwatch or bw
Detail: Run a Breachwatch dark web scan of your records or password
Actions:
list: displays a list of breached passwords
--all, -a: display all breached passwords (including ignored). Note: if this flag is omitted, only the first 30 records are shown if the total count exceeds 32
--owned, -o: display only breached records owned by the user
ignore <UID>: ignores breached passwords. Accepts multiple record UIDs separated by a space
password <password>: check a password against Keeper's database of breached accounts. Accepts multiple passwords separated by a space
scan: perform a Breachwatch scan
report: run a Breachwatch security report for users in your enterprise (equivalent to security-audit-report --breachwatch; valid only for enterprise admin accounts)
Examples:
See a summary of Breachwatch commands:
help breachwatch
Run a Breachwatch dark web scan and show which passwords are breached:
breachwatch scan
List any records which have been marked as breached (and not ignored):
breachwatch list
Check the passwords "n5@x85tG#gH7&" and "mydog21" for breaches using Breachwatch:
breachwatch password "n5@x85tG#gH7&" mydog21
Ignore the breached record with the given UID:
breachwatch ignore <UID>
Run a Breachwatch security report on users in your enterprise (only for admin accounts):
breachwatch report
If Breachwatch is enabled for your Keeper account, a Breachwatch scan is performed automatically when you log in to Keeper Commander.
Additionally, if you create or edit a record, a scan is automatically performed on that record.
Use Commander to push SCIM messages to the Keeper backend API
For identity providers that don't support SCIM, customers can use the Keeper Commander scim push command to provision users and teams.
Prerequisites: please be familiar with User and Team provisioning.
Create a SCIM provisioning for your enterprise with the Admin Console or Commander.
Create a record in Keeper with the login record type to store the SCIM configuration.
Paste the SCIM URL into the Website Address field of the Keeper record.
Paste the SCIM Token into the Password field of the Keeper record.
The setup steps in this section allow you to provision users and teams from your Google Workspace account.
Prerequisites: an active Google Workspace subscription and a Google Cloud Platform account.
Commander installed with pip:
Make sure the Google API Client Python package (google-api-python-client) is installed.
Google Cloud Platform: create a project or choose an existing one.
Google Cloud Platform: enable the Admin SDK API for your project:
in APIs & Services click +ENABLE APIS AND SERVICES
in Search for APIs & Services enter Admin SDK API
click ENABLE
Google Cloud Platform: create a Service Account:
in the IAM and Admin menu select Service accounts
click +CREATE SERVICE ACCOUNT; suggested service account name: keeper-scim
for the newly created service account click Actions (the dots) and select Manage Keys
click ADD KEYS -> Create New Key
choose the JSON key type, then CREATE
A JSON file with the service account credentials will be downloaded to your computer.
Rename this file to credentials.json and add it as an attachment to the Keeper configuration record that was created in the Setup Steps above.
Grant the Service Account access to your Google Workspace Directory:
navigate to your Service Account and select the DETAILS tab
in the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory.
Google Workspace Admin Console:
navigate to Security -> API controls
under Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION
click Add new in API Clients
paste the Client ID
paste the following text into OAuth scopes (comma-delimited):
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
click AUTHORIZE
These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership.
Google Workspace Admin Console: provide Keeper with the Service Account:
in Google, navigate to Account -> Account settings
copy the Primary admin email (upper right area) to the clipboard
paste this email into the login field of your Google SCIM configuration record in Keeper
Google Workspace Admin Console: create a group that holds the users to be exported to Keeper.
Optional: skip this step if you want all user accounts to be imported.
navigate to Directory -> Group
click Create group
assign all users that need to be provisioned to Keeper to this group
The Google SCIM configuration record in Keeper should now contain the following fields:
Login (Google #5): Google Workspace admin email
Password (Common #4): SCIM Token generated in the Keeper Admin Console
Website Address (Common #3): SCIM URL pasted from the Keeper Admin Console
SCIM Group (Google #6): Google group name, or empty to import all users
credentials.json (Google #3): file attachment with the Google Service Account credentials
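As an added example, not Keeper Commander's own code, the following Python script reads the Google Workspace directory the way the delegated service account above permits and selects the accounts a SCIM push would provision. It uses google-api-python-client (the package listed in the prerequisites) with exactly the three read-only scopes granted under domain-wide delegation, impersonating the primary admin from the record's Login field. credentials.json, the admin email and the optional "SCIM Group" name are assumed to be the values from the configuration record; the SAMPLE_* data at the bottom are constructed so the selection logic can be exercised offline.

```python
"""Read Google Workspace users/group members with a delegated service account
and select the accounts to provision (added example, not Commander's code)."""
from typing import Callable, Dict, List, Optional

# The scopes pasted into "OAuth scopes" in the Admin Console, verbatim.
DIRECTORY_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]


def build_directory_service(credentials_path: str, admin_email: str):
    """Admin SDK Directory client that acts as admin_email.

    The service account has no directory rights of its own: domain-wide
    delegation lets it impersonate the primary admin (the 'subject'), and the
    token is limited to DIRECTORY_SCOPES, so a leaked key can read but never
    change the directory. Imports are local so the pure helpers below run
    without the Google client installed.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        credentials_path, scopes=DIRECTORY_SCOPES, subject=admin_email)
    return build("admin", "directory_v1", credentials=creds,
                 cache_discovery=False)


def list_all(request_fn: Callable, item_key: str, **params) -> List[dict]:
    """Follow nextPageToken until a Directory list call is exhausted."""
    items: List[dict] = []
    token = None
    while True:
        kwargs = dict(params, pageToken=token) if token else dict(params)
        resp = request_fn(**kwargs).execute()
        items.extend(resp.get(item_key, []))
        token = resp.get("nextPageToken")
        if not token:
            return items


def active_users(users: List[dict]) -> List[Dict[str, str]]:
    """Drop suspended/archived accounts; keep the fields a push needs."""
    out = []
    for u in users:
        if u.get("suspended") or u.get("archived"):
            continue
        name = u.get("name", {})
        out.append({"email": u["primaryEmail"].lower(),
                    "first_name": name.get("givenName", ""),
                    "last_name": name.get("familyName", "")})
    return out


def member_emails(members: List[dict]) -> List[str]:
    """Direct USER members of a group (nested groups are not expanded)."""
    return sorted(m["email"].lower() for m in members
                  if m.get("type") == "USER" and m.get("email"))


def select_users(users: List[dict],
                 group_members: Optional[List[str]]) -> List[Dict[str, str]]:
    """All active users when no SCIM Group is set, else only group members."""
    chosen = active_users(users)
    if group_members is None:
        return chosen
    allowed = set(group_members)
    return [u for u in chosen if u["email"] in allowed]


def fetch_users_to_provision(credentials_path: str, admin_email: str,
                             group_name: Optional[str] = None):
    """Live version: read users (and the SCIM Group, if any) from Google."""
    svc = build_directory_service(credentials_path, admin_email)
    users = list_all(svc.users().list, "users", customer="my_customer")
    members = None
    if group_name:
        groups = list_all(svc.groups().list, "groups", customer="my_customer")
        match = [g for g in groups if g.get("name") == group_name]
        if not match:
            raise LookupError(f"no Google group named {group_name!r}")
        members = member_emails(
            list_all(svc.members().list, "members", groupKey=match[0]["id"]))
    return select_users(users, members)


# Constructed sample data shaped like users.list / members.list items.
SAMPLE_USERS = [
    {"primaryEmail": "Alice@Example.com", "suspended": False,
     "name": {"givenName": "Alice", "familyName": "Adams"}},
    {"primaryEmail": "bob@example.com", "suspended": True,
     "name": {"givenName": "Bob", "familyName": "Brown"}},
    {"primaryEmail": "carol@example.com", "suspended": False,
     "name": {"givenName": "Carol", "familyName": "Clark"}},
]
SAMPLE_MEMBERS = [
    {"email": "alice@example.com", "type": "USER"},
    {"email": "bob@example.com", "type": "USER"},
    {"email": "eng-nested@example.com", "type": "GROUP"},
]

if __name__ == "__main__":
    for u in select_users(SAMPLE_USERS, member_emails(SAMPLE_MEMBERS)):
        print(u["email"], u["first_name"], u["last_name"])
```

Run against the sample data, only alice@example.com is selected: bob is in the group but suspended, and carol is active but outside the SCIM Group. Calling fetch_users_to_provision("credentials.json", "<primary admin email>", "<SCIM Group>") performs the live read; because the scopes are read-only, the worst a compromised credentials.json can do is enumerate the directory, which is why the page grants nothing broader.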
To perform a push of the Google users and Teams into Keeper, use the below command:
The SCIM ID can be found in the Admin Console or using Commander. For example:
Keeper has created a Google Cloud Function to automatically perform provisioning of Google Workspace users and teams. The step by step instructions can be found here:
The setup steps in this section allow you to provision users and teams from Active Directory using the scim push command.
Prerequisites:
In your Active Directory browser, create a Group and add the AD users and groups that need to be provisioned in Keeper.
Get the Active Directory connect URL, e.g. ldap(s)://<domain controller host or IP>
Pick a user that can read Active Directory.
The Active Directory configuration record in Keeper should now contain the following fields:
Password (Common #4): SCIM Token generated in the Keeper Admin Console
Website Address (Common #3): SCIM URL pasted from the Keeper Admin Console
SCIM Group (AD #1): AD group name that lists all users and groups to import
AD URL (AD #2): AD Connect URL, e.g. ldap(s)://<domain controller>
AD User (AD #3): AD user login or distinguished name, e.g. DOMAIN\USERNAME or CN=...
AD Password (AD #3): AD password
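As an added example, not part of Keeper Commander, here is a pre-flight check for the Active Directory configuration record described above, meant to be run before scim push so that a mis-filled record fails fast rather than mid-push. The field names are the ones in the table; the check_ad_record function and the SAMPLE_RECORD values are constructed for illustration (placeholder secrets, example.com hosts). It flags a plain ldap:// connect URL because a simple bind over it sends the AD password without TLS, which is why the page writes the URL as ldap(s)://.

```python
"""Pre-flight validation of the AD SCIM configuration record
(added example; field names from the table above)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("Password", "Website Address", "SCIM Group",
                   "AD URL", "AD User", "AD Password")
DN_RE = re.compile(r"^(CN|OU|DC|O)=.+", re.IGNORECASE)          # CN=... form
DOWNLEVEL_RE = re.compile(r'^[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+$')  # DOMAIN\USERNAME


def check_ad_record(record: Dict[str, str]) -> List[str]:
    """Return a list of problems found; an empty list means the record is usable."""
    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        if not record.get(field, "").strip():
            problems.append(f"{field} is empty")

    # AD Connect URL: must be ldap:// or ldaps:// with a host; warn on plain ldap.
    ad_url = urlsplit(record.get("AD URL", ""))
    if ad_url.scheme not in ("ldap", "ldaps"):
        problems.append("AD URL must start with ldap:// or ldaps://")
    elif not ad_url.hostname:
        problems.append("AD URL has no domain controller host")
    elif ad_url.scheme == "ldap":
        problems.append("AD URL uses plain ldap://: the AD Password would be sent "
                        "to the domain controller without TLS; prefer ldaps://")

    # The SCIM endpoint pasted from the Admin Console is always HTTPS.
    scim_url = urlsplit(record.get("Website Address", ""))
    if scim_url.scheme != "https" or not scim_url.hostname:
        problems.append("Website Address (SCIM URL) must be an https:// URL")

    # AD User accepts either DOMAIN\USERNAME or a distinguished name.
    user = record.get("AD User", "").strip()
    if user and not (DN_RE.match(user) or DOWNLEVEL_RE.match(user)):
        problems.append("AD User must be DOMAIN\\USERNAME or a distinguished name (CN=...)")
    return problems


# Constructed sample record; secrets are placeholders, hosts are example.com.
SAMPLE_RECORD = {
    "Password": "scim-token-placeholder",
    "Website Address": "https://scim.example.com/v2/placeholder",
    "SCIM Group": "Keeper Users",
    "AD URL": "ldaps://dc01.corp.example.com",
    "AD User": r"CORP\svc-keeper-scim",
    "AD Password": "ad-password-placeholder",
}

if __name__ == "__main__":
    for problem in check_ad_record(SAMPLE_RECORD) or ["record looks usable"]:
        print(problem)
```

With the sample record the check passes; switching AD URL to ldap://dc01.corp.example.com or AD User to a bare svc-keeper produces one problem line each, which is the point at which to fix the record rather than discover the failure during the push.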
To perform a push of the Active Directory users and Teams into Keeper, use the below command: