
# KEPM Approval Commands

### Overview

This section covers all the Keeper Commander commands for managing KEPM privilege elevation approval requests. Approvals manage privilege elevation requests that require administrative approval before execution. These commands allow administrators to view pending requests and take action by approving, denying, or removing approval requests.

This section supports the following commands:

* [**Approval List Command**](#approval-list-command)
* [**Approval Action Command**](#approval-action-command)

### Usage

`pedm approval command [--options]`

***

### Approval List Command

View all privilege elevation approval requests with their status, details, and expiration information. Administrators can filter by approval status to view pending, approved, denied, or expired requests.

<details>

<summary>DotNet CLI</summary>

**Command:** `epm-approval list`

**Parameters**:

<table><thead><tr><th width="220.99993896484375">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>--expired</code></td><td>List only expired approvals.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```bash
My Vault > epm-approval
```

{% endcode %}

**Command**: `epm-approval view`

**Parameters**:

<table><thead><tr><th width="194">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><em>(positional)</em></td><td>Approval UID.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```bash
My Vault > epm-approval view abc123uid
```

{% endcode %}

</details>

<details>

<summary>DotNet SDK</summary>

**Function:**

{% code expandable="true" %}

```csharp
// Get status as int (0=Pending, 1=Approved, 2=Denied)
int? status = plugin.GetApprovalStatus(approvalUid);

// List all approvals
IEnumerable<EpmApproval> approvals = plugin.Approvals.GetAll();

// Get single approval
EpmApproval approval = plugin.Approvals.GetEntity(approvalUid);

// Check if expired locally
bool isExpired = approval.ExpireIn > 0 
    && DateTimeOffset.UtcNow.ToUnixTimeSeconds() > (approval.Created + approval.ExpireIn);
```

{% endcode %}

</details>

<details>

<summary>Power Commander</summary>

**Command:** `Get-KeeperEpmApprovalList`

**Alias**: `kepm-approval-list`

**Parameters**:

| Parameter | Description                                                                         |
| --------- | ----------------------------------------------------------------------------------- |
| `-Type`   | Filter by approval status: `approved`, `denied`, `pending`, `expired`, `escalated`. |

**Examples**:

{% code expandable="true" %}

```ps1
PS > Get-KeeperEpmApprovalList

Approval UID           Approval Type Status  Agent UID              Account Info          Application Info
------------           ------------- ------  ---------              ------------          ----------------                         
bYEWk2Ido0mcPMoASh9mgw CommandLine   EXPIRED xerWlrlsaF_YLdHDx75c-g Username: mohsinnaqvi FileName: sudo, Description: sudo, FileP…
fKaUe6VE3ESDk0oXSCVIIg CommandLine   EXPIRED xerWlrlsaF_YLdHDx75c-g Username: mohsinnaqvi FileName: sudo, Description: sudo, FileP…
```

{% endcode %}

**Command**: `Get-KeeperEpmApproval`

**Alias**: `kepm-approval-view`

**Parameters**:

<table><thead><tr><th width="233.00006103515625">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>-ApprovalUid</code></td><td>The approval record UID.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```ps1
PS > Get-KeeperEpmApproval ovhhkpsKak6xExtREkSroA
Approval: ovhhkpsKak6xExtREkSroA
  Type: CommandLine
  Status: DENIED
  Agent UID: xerWlrlsaF_YLdHDx75c-g
  Account Info: Username: mohsinnaqvi
  Application Info: FileName: sudo, Description: sudo, FilePath: /usr/bin...
  Justification: text: test jira, timestamp: 05/11/2026 23:10:20
  Expire In: N/A
  Created: 2026-05-11 17:40:21
```

{% endcode %}

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm approval list`

**Aliases:** `pedm approval l`

**Flags:**

| Flag       | Description                                                             |
| ---------- | ----------------------------------------------------------------------- |
| `--type`   | Filter by approval status (choices: approved, denied, pending, expired) |
| `--format` | Output format - json, csv, or table                                     |
| `--output` | Save output to specified file                                           |

**Example:**

```
My Vault> pedm approval list --type pending

Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
approval_list = plugin.approvals.get_all_entities()
```

</details>

### Approval Action Command

Take action on privilege elevation approval requests by approving, denying, or removing them. This command supports bulk operations and special values such as `@approved`, `@denied`, `@expired`, and `@pending` to target groups of requests.

<details>

<summary>DotNet CLI</summary>

**Command:** `epm-approval approve`

**Parameters**:

<table><thead><tr><th width="193">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><em>(positional)</em></td><td>Approval UID.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```bash
My Vault > epm-approval approve abc123uid
```

{% endcode %}

**Command**: `epm-approval deny`

**Parameters**:

<table><thead><tr><th width="211.99993896484375">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><em>(positional)</em></td><td>Approval UID.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```bash
My Vault > epm-approval deny abc123uid
```

{% endcode %}

**Command**: `epm-approval remove`

**Parameters**:

<table><thead><tr><th width="206">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><em>(positional)</em></td><td>Approval UID.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```bash
My Vault > epm-approval remove abc123uid
```

{% endcode %}

</details>

<details>

<summary>DotNet SDK</summary>

**Function:**

{% code expandable="true" %}

```csharp
public Task<ModifyStatus> ModifyApprovals(
    IEnumerable<string> toApproveUids = null,
    IEnumerable<string> toDenyUids = null,
    IEnumerable<string> toRemoveUids = null)
```

{% endcode %}

</details>

<details>

<summary>Power Commander</summary>

**Command:** `Approve-KeeperEpmApproval`

**Alias**: `kepm-approval-approve`

**Parameters**:

<table><thead><tr><th width="161.99993896484375">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>-ApprovalUid</code></td><td>The approval record UID.</td></tr></tbody></table>

**Example**:

{% code expandable="true" %}

```ps1
PS > Approve-KeeperEpmApproval "abc123uid"
```

{% endcode %}

**Command**: `Deny-KeeperEpmApproval`

**Alias**: `kepm-approval-deny`

**Parameters**:

<table><thead><tr><th width="161.99993896484375">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>-ApprovalUid</code></td><td>The approval record UID.</td></tr></tbody></table>

**Example**:

{% code expandable="true" %}

```ps1
PS > Deny-KeeperEpmApproval "abc123uid"
```

{% endcode %}

**Command**: `Remove-KeeperEpmApproval`

**Alias**: `kepm-approval-remove`

**Parameters**:

<table><thead><tr><th width="187">Parameter</th><th>Description</th></tr></thead><tbody><tr><td><code>-ApprovalUid</code></td><td>The approval record UID.</td></tr><tr><td><code>-Force</code></td><td>Skip confirmation prompt before delete.</td></tr></tbody></table>

**Examples**:

{% code expandable="true" %}

```ps1
PS > Remove-KeeperEpmApproval "abc123uid"
```

{% endcode %}

</details>

<details>

<summary>Python CLI</summary>

**Command:** `pedm approval action`

**Aliases:** `pedm approval a`

**Flags:**

| Flag        | Description                                                                                         |
| ----------- | --------------------------------------------------------------------------------------------------- |
| `--approve` | Request UIDs to approve - can be repeated                                                           |
| `--deny`    | Request UIDs to deny - can be repeated                                                              |
| `--remove`  | Request UIDs to remove, or special values: @approved, @denied, @expired, @pending - can be repeated |

**Examples:**

```
My Vault> pedm approval action --approve approval_abc123

Approval request approved successfully
```

```
My Vault> pedm approval action --deny approval_def456

Approval request denied successfully
```

```
My Vault> pedm approval action --remove @expired

All expired approval requests removed successfully
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
import logging
from typing import Any, List, Optional, Set

# Module paths for utils and NotificationCenter_pb2 are assumed from the SDK package layout
from keepersdk import utils
from keepersdk.proto import NotificationCenter_pb2
from keepersdk.plugins.pedm import admin_plugin

logger = logging.getLogger(__name__)

# enterprise_loader: an already-initialized enterprise loader for the logged-in admin
plugin = admin_plugin.PedmPlugin(enterprise_loader)

def verify_uid(uids: Any) -> Optional[List[bytes]]:
    """Decode base64url UIDs and keep only those that are exactly 16 bytes."""
    if isinstance(uids, str):
        uids = [uids]
    if isinstance(uids, list):
        to_uid = []
        for uid in uids:
            approve_uid = utils.base64_url_decode(uid)
            if len(approve_uid) == 16:
                to_uid.append(approve_uid)
            else:
                logger.warning(f'Invalid UID: {uid}')
        if len(to_uid) > 0:
            return to_uid
    return None

# Placeholders: replace with the real approval request UIDs
list_approve = ['names or uids of approval requests to approve']
list_deny = ['names or uids of approval requests to deny']
list_remove = ['names or uids of approval requests to remove']
to_approve = verify_uid(list_approve)
to_deny = verify_uid(list_deny)
to_remove = list_remove
if to_remove:
    if isinstance(to_remove, str):
        to_remove = [to_remove]
    to_remove_set: Set[bytes] = set()
    to_resolve = []
    for uid in to_remove:
        # Special values expand to every stored approval with the matching status
        if uid == '@approved':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_APPROVED))
        elif uid == '@denied':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_DENIED))
        elif uid == '@pending':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_UNSPECIFIED))
        else:
            # Any other value (this snippet has no '@expired' branch) is treated as a UID
            to_resolve.append(uid)
    if len(to_resolve) > 0:
        to_remove = verify_uid(to_resolve)
        if isinstance(to_remove, list):
            to_remove_set.update(to_remove)
    to_remove = list(to_remove_set)

# A single call applies all three lists
status_rs = plugin.modify_approvals(to_approve=to_approve, to_deny=to_deny, to_remove=to_remove)
```

</details>
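
Because a single call can approve, deny and remove many requests at once, it helps to preview the effect first. The following is an added example, not part of the Keeper SDK or the original page: a dry-run planner that applies the 16-byte UID rule from `verify_uid` and the local expiry rule from the DotNet SDK snippet. The `Approval` dataclass, its field names, `plan_actions`, `make_uid` and `SAMPLE` are assumptions constructed for illustration.

```python
import base64
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass
class Approval:
    """Constructed stand-in for an approval record (field names are assumptions)."""
    uid: str        # base64url approval UID
    created: int    # creation time, Unix seconds
    expire_in: int  # lifetime in seconds; 0 means no expiry

def is_expired(a: Approval, now: int) -> bool:
    # Rule from the DotNet SDK snippet: ExpireIn > 0 and now > Created + ExpireIn
    return a.expire_in > 0 and now > a.created + a.expire_in

def valid_uid(uid: str) -> bool:
    # Rule from verify_uid: the UID must base64url-decode to exactly 16 bytes
    try:
        raw = base64.urlsafe_b64decode(uid + "=" * (-len(uid) % 4))
    except ValueError:
        return False
    return len(raw) == 16

def plan_actions(approvals: Iterable[Approval], approve: List[str],
                 deny: List[str], now: Optional[int] = None) -> Dict[str, List[str]]:
    """Dry run: decide what a bulk action would touch without calling the SDK."""
    now = int(time.time()) if now is None else now
    approvals = list(approvals)
    known = {a.uid: a for a in approvals}
    conflict = set(approve) & set(deny)  # same UID asked to be approved and denied
    plan: Dict[str, List[str]] = {"approve": [], "deny": [], "remove": [], "rejected": []}
    for action, uids in (("approve", approve), ("deny", deny)):
        for uid in dict.fromkeys(uids):  # de-duplicate, keep order
            a = known.get(uid)
            ok = uid not in conflict and valid_uid(uid) and a is not None and not is_expired(a, now)
            target = plan[action] if ok else plan["rejected"]
            if uid not in target:
                target.append(uid)
    # Expired requests are clean-up candidates, e.g. for `--remove @expired`
    plan["remove"] = [a.uid for a in approvals if is_expired(a, now)]
    return plan

def make_uid(n: int) -> str:
    # Constructed sample UID: 16 identical bytes, base64url without padding
    return base64.urlsafe_b64encode(bytes([n]) * 16).decode().rstrip("=")

# Constructed sample records: expires at 1300, never expires, expired at 1060
SAMPLE = [Approval(make_uid(1), 1000, 300), Approval(make_uid(2), 1000, 0), Approval(make_uid(3), 1000, 60)]
```

Review the `rejected` list before passing the `approve`, `deny` and `remove` lists on to the real bulk call.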

