# Endpoint Privilege Manager Commands

## Overview

Endpoint Privilege Manager is a privilege elevation and delegation management (PEDM) solution. It provides a just-in-time mechanism that grants elevated privileges securely across the entire IT environment only when they are needed.

{% hint style="info" %}
EPM commands read and write a local SQLite file created in the user's configuration folder (for example `~/.keeper/keeper_db.sqlite`). Information retrieved from each endpoint is cached in this database.
{% endhint %}

## **`epm` Command**

**Command:** `epm`

**Description:** Manages Keeper Endpoint Privilege Manager deployments, agents, policies, collections, and approval requests.

<pre><code><strong>My Vault> epm -h                                                       
</strong>epm command [--options]

Command     Description
----------  ------------------------------------
sync-down   Sync down EPM data from the backend
deployment  Manage EPM deployments 
agent       Manage EPM agents
policy      Manage EPM policies
collection  Manage EPM collections 
scim        Sync EPM user/group collections from AD or AzureAD
approval    Manage EPM requests and approvals
</code></pre>

**Subcommands**

* [sync-down](#sub-command-sync-down)
* [deployment](#sub-command-deployment)
* [agent](#sub-command-agent)
* [policy](#sub-command-policy)
* [collection](#sub-command-collection)
* [approval](#sub-command-approval)
* [scim](#sub-command-scim)

***

### **Subcommand: sync-down**

**Description:** Pulls EPM data from the backend and synchronizes it into the local cache.

<pre><code><strong>My Vault> epm sync-down -h                                                 
</strong>usage: sync-down [-h] [--reload]

Sync down EPM data from the backend

options:
  -h, --help  show this help message and exit
  --reload    Perform full sync
</code></pre>

***

### **Subcommand: deployment**

**Description:** Manages EPM deployments.

<pre><code><strong>My Vault> epm deployment -h
</strong>epm command [--options]

Command    Description
---------  --------------------------------
list       List EPM deployments
add        Add EPM deployments
edit       Update EPM deployment
delete     Delete EPM deployment
download   Download EPM deployment package
</code></pre>

#### list

```
My Vault> epm deployment list -h                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM deployments

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

```

#### add

```
My Vault> epm deployment add -h                      
usage: add [-h] [-f] [--spiffe-cert SPIFFE] name

Add EPM deployments

positional arguments:
  name                  Deployment name

options:
  -h, --help            show this help message and exit
  -f, --force           do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate

```

#### edit

```
My Vault> epm deployment edit -h
usage: update [-h] [--disable {on,off}] [--spiffe-cert SPIFFE] [--name NAME] DEPLOYMENT

Update EPM deployment

positional arguments:
  DEPLOYMENT            Deployment name or UID

options:
  -h, --help            show this help message and exit
  --disable {on,off}    do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate
  --name NAME           Deployment name
```

#### delete

```
My Vault> epm deployment delete -h
usage: delete [-h] [-f] DEPLOYMENT [DEPLOYMENT ...]

Delete EPM deployment

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation
```

#### download

```
My Vault> epm deployment download -h                      
usage: download [-h] [--file FILE] DEPLOYMENT

Download EPM deployment package

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  --file FILE  File name

```

***

### **Subcommand: agent**

**Description:** Manages EPM agents.

<pre><code><strong>My Vault> epm agent -h                         
</strong>epm command [--options]

Command     Description
----------  -------------------------
list        List EPM agents
edit        Update EPM agents
delete      Delete EPM agents
collection  List EPM agent resources
</code></pre>

#### list

```
My Vault> epm agent list -h             
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM agents

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

```

#### edit

```
My Vault> epm agent edit -h                          
usage: update [-h] [--enable {on,off}] [--deployment DEPLOYMENT] agent [agent ...]

Update EPM agents

positional arguments:
  agent                 Agent UID(s)

options:
  -h, --help            show this help message and exit
  --enable {on,off}     Enables or disables agents
  --deployment DEPLOYMENT
                        Moves agent to deployment
```

#### delete

```
My Vault> epm agent delete -h                             
usage: update [-h] [--force] agent [agent ...]

Delete EPM agents

positional arguments:
  agent       Agent UID(s)

options:
  -h, --help  show this help message and exit
  --force     do not prompt for confirmation
```

#### collection

```
My Vault> epm agent collection -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] agent

List EPM agent resources

positional arguments:
  agent                 Agent UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter

```

***

### **Subcommand: policy**

**Description:** Manages EPM policies.

<pre><code><strong>My Vault> epm policy -h  
</strong>epm command [--options]

Command    Description
---------  ----------------------------
list       List EPM policies
add        Add EPM policy
edit       Edit EPM policy
view       View EPM policy
agents     Show agents for policies
assign     Assign collections to policy
delete     Delete EPM policy
</code></pre>

#### list

<pre><code><strong>My Vault> epm policy list -h               
</strong>usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT]

List EPM policies

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
</code></pre>

#### add

<pre><code><strong>My Vault> epm policy add -h      
</strong>usage: add [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
           [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL]
           [--policy-type {elevation,file_access,command,least_privilege}] [--policy-name POLICY_NAME]
           [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]

Add EPM policy

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-type {elevation,file_access,command,least_privilege}
                        Policy type
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy
</code></pre>

#### edit

<pre><code><strong>My Vault> epm policy edit -h                                                                                                                           
</strong>usage: edit [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
            [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL] [--policy-name POLICY_NAME]
            [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]
            policy

Edit EPM policy

positional arguments:
  policy                Policy UID

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

</code></pre>
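The filter formats shown in the `add` and `edit` help output (a date range as `YYYY-MM-DD:YYYY-MM-DD`, a time window as `HH:MM-HH:MM`) and the fixed value sets for `--policy-type`, `--control` and `--status` are easy to get wrong when policies are created from scripts. The following Python is an added example, not Keeper Commander code: it validates those arguments and assembles the `epm policy add` argument list before anything is sent to the vault. The collection UID placeholder and the assumption that a time window may wrap past midnight are mine.

```python
"""Pre-flight validation for `epm policy add` / `epm policy edit` arguments.
Added example, not part of Keeper Commander: it checks the filter formats
from the help output above and builds the argument list before anything
is sent to the vault."""
import re
from datetime import date, time

# Allowed values, copied from the help output above.
POLICY_TYPES = {"elevation", "file_access", "command", "least_privilege"}
CONTROLS = {"allow", "deny", "audit", "notify", "mfa", "justify", "approval"}
STATUSES = {"enforce", "monitor", "monitor_and_notify"}


def parse_date_filter(value: str):
    """YYYY-MM-DD:YYYY-MM-DD; the range must not run backwards."""
    try:
        start_s, end_s = value.split(":")
        start, end = date.fromisoformat(start_s), date.fromisoformat(end_s)
    except ValueError as exc:
        raise ValueError(f"--date-filter {value!r}: expected YYYY-MM-DD:YYYY-MM-DD") from exc
    if start > end:
        raise ValueError(f"--date-filter {value!r}: start is after end")
    return start, end


def parse_time_filter(value: str):
    """HH:MM-HH:MM on a 24-hour clock. A window such as 22:00-06:00 is kept
    as-is; whether the backend treats it as wrapping midnight is assumed."""
    match = re.fullmatch(r"(\d{2}):(\d{2})-(\d{2}):(\d{2})", value)
    if not match:
        raise ValueError(f"--time-filter {value!r}: expected HH:MM-HH:MM")
    h1, m1, h2, m2 = map(int, match.groups())
    try:
        return time(h1, m1), time(h2, m2)  # datetime.time rejects 24:00 or 09:60
    except ValueError as exc:
        raise ValueError(f"--time-filter {value!r}: hour or minute out of range") from exc


def build_policy_add(name, policy_type, control, status="enforce", user_filter="*",
                     machine_filter="", app_filter="", date_filter="", time_filter=""):
    """Return the Commander argument list for `epm policy add`, or raise."""
    for opt, val, allowed in (("--policy-type", policy_type, POLICY_TYPES),
                              ("--control", control, CONTROLS),
                              ("--status", status, STATUSES)):
        if val not in allowed:
            raise ValueError(f"{opt}: {val!r} is not one of {sorted(allowed)}")
    cmd = ["epm", "policy", "add", "--policy-name", name, "--policy-type", policy_type,
           "--control", control, "--status", status, "--user-filter", user_filter]
    if machine_filter:
        cmd += ["--machine-filter", machine_filter]
    if app_filter:
        cmd += ["--app-filter", app_filter]
    if date_filter:
        parse_date_filter(date_filter)  # reject a malformed range before it is sent
        cmd += ["--date-filter", date_filter]
    if time_filter:
        parse_time_filter(time_filter)
        cmd += ["--time-filter", time_filter]
    return cmd
```

The same checks apply to `epm policy edit`, which takes the policy UID as its positional argument instead of a new name.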

#### view

<pre><code><strong>My Vault> epm policy view -h                                     
</strong>usage: view [-h] [--format {table,json}] [--output OUTPUT] policy

View EPM policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
</code></pre>

#### agents

```
My Vault> epm policy agents -h                                 
usage: agent [-h] policy [policy ...]

Show agents for policies

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit
```

#### assign

```
My Vault> epm policy assign -h                          
usage: assign [-h] [-c COLLECTION] policy [policy ...]

Assign collections to policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  -c, --collection COLLECTION
                        Collection UID

```

#### delete

<pre><code><strong>My Vault> epm policy delete -h
</strong>usage: delete [-h] policy [policy ...]

Delete EPM policy

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit
</code></pre>

***

### **Subcommand: collection**

**Description:** Manages EPM collections.

<pre><code><strong>My Vault> epm collection -h                                   
</strong>epm command [--options]

Command     Description
----------  -----------------------------------
list        List EPM collections
view        Show EPM collection details
add         Creates EPM collections
update      Update EPM collection
delete      Delete EPM collections
connect     Link values to EPM collection
disconnect  Unlink values from EPM collections
wipe-out    Wipe out EPM collections
</code></pre>

#### list

<pre><code><strong>My Vault> epm collection list -h                                                                                       
</strong>usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] [--pattern PATTERN]

List EPM collections

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter
  --pattern PATTERN     collection search pattern
</code></pre>

#### view

```
My Vault> epm collection view -h                                                                                                                       
usage: view [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--link LINK] collection [collection ...]

Show EPM collection details

positional arguments:
  collection            Collection UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --link LINK           Show link details
```

#### add

```
My Vault> epm collection add -h                                           
usage: add [-h] [--type TYPE] collection [collection ...]

Creates EPM collections

positional arguments:
  collection   Collection name

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type
```

#### update

```
My Vault> epm collection update -h                               
usage: update [-h] [--type TYPE] --name NAME collection

Update EPM collection

positional arguments:
  collection   Collection

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type (optional)
  --name NAME  Collection name
```

#### delete

```
My Vault> epm collection delete -h                         
usage: delete [-h] [-f] collection [collection ...]

Delete EPM collections

positional arguments:
  collection   Collection or @orphan_resource

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation
```

#### disconnect

```
My Vault> epm collection disconnect -h                 
usage: unlink [-h] [--collection COLLECTION] [-f] links [links ...]

Unlink values from EPM collections

positional arguments:
  links                 UIDs to unlink

options:
  -h, --help            show this help message and exit
  --collection, -c COLLECTION
                        Parent collection UID or name
  -f, --force           do not prompt for confirmation
```

#### wipe-out

```
My Vault> epm collection wipe-out -h                                            
usage: wipe-out [-h] [--type TYPE]

Wipe out EPM collections

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type
```

***

### **Subcommand: approval**

**Description:** Manages EPM approval requests.

<pre><code><strong>My Vault> epm approval -h                                                    
</strong>epm command [--options]

Command    Description
---------  -----------------------------
list       List EPM approval requests
action     Modify EPM approval requests
</code></pre>

#### list

Lists outstanding approval requests.

```
My Vault> epm approval list -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [--type {approved,denied,pending}]

List EPM approval requests

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  --type {approved,denied,pending,expired}
                        approval type filter
```

#### action

Approves, denies, or removes requests.

```
My Vault> epm approval action -h 
usage: action [-h] [--approve APPROVE] [--deny DENY] [--remove REMOVE]

Modify EPM approval requests

options:
  -h, --help         show this help message and exit
  --approve APPROVE  Request UIDs for approval
  --deny DENY        Request UIDs for denial
  --remove REMOVE    Request UIDs for removal. UID, @approved, @denied, @pending
```

### **Subcommand: scim**

**Description:** Synchronizes EPM user/group collections from Active Directory or Azure AD.

```
My Vault> epm scim -h                                                                                                                                                                                                     
usage: scim [-h] {record,azure,ad} ...

Sync EPM user/group collections from AD or AzureAD

options:
  -h, --help         show this help message and exit

Directory Type:
  {record,azure,ad}  Authentication method
    record           Connection parameters from Keeper record
    azure            Connect via Azure AD
    ad               Connect via Active Directory
```

#### Azure AD connection parameters

```
My Vault> epm scim azure -h                                                                                                                                                                                               
usage: scim azure [-h] --tenant-id TENANT_ID --client-id CLIENT_ID --client-secret CLIENT_SECRET [--azure-cloud {US,GOV,CN,EU}]

options:
  -h, --help            show this help message and exit
  --tenant-id TENANT_ID
  --client-id CLIENT_ID
  --client-secret CLIENT_SECRET
  --azure-cloud {US,GOV,CN,EU}
                        Azure cloud (AzureCloud, AzureChinaCloud, etc.)

```

When the `record` directory type is used, the Azure AD parameters are read from the following fields of the Keeper record:

\[**Azure Client ID**] → \[**Login**]

\[**Azure Client Secret**] → \[**Password**]

\[**Azure Tenant ID**] → \[**Custom Field**]

{% embed url="https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app" %}

Microsoft Graph permissions: User.Read.All, Group.Read.All, Directory.Read.All

Next, create a client secret for the registered application.

#### Active Directory connection parameters

```
My Vault> epm scim ad -h                                                                                                                                                                                                  
usage: scim ad [-h] [--ad-url AD_URL] [--ad-user AD_USER] [--ad-password AD_PASSWORD] [--group GROUPS] [--netbios-domain]

options:
  -h, --help            show this help message and exit
  --ad-url AD_URL       AD LDAP URL (e.g., ldap(s)://<host>)
  --ad-user AD_USER     AD bind user (DOMAIN\username or DN)
  --ad-password AD_PASSWORD
                        AD password
  --group GROUPS        AD group name or DN (repeatable)
  --netbios-domain      Use NetBIOS domain names (e.g., TEST) instead of DNS names (e.g., test.local)
```

When the `record` directory type is used, the Active Directory parameters are read from the following fields of the Keeper record:

\[**AD user**] → \[**Login**]

\[**AD user password**] → \[**Password**]

\[**AD URL**] → \[**Website Address**]

\[**NetBIOS domain**] → \[**Custom Field**] (set the value to TRUE to use NetBIOS-style domain names)
