KEPM Approval Commands

This page gives information of commands related to perform operations related to KEPM approval requests

Overview

This section covers all the Keeper Commander commands for managing KEPM privilege elevation approval requests. Approvals manage privilege elevation requests that require administrative approval before execution. These commands allow administrators to view pending requests and take action by approving, denying, or removing approval requests.

This section supports the following commands:

Usage

pedm approval command [--options]

Approval List Command

View all privilege elevation approval requests with their status, details, and expiration information. Administrators can filter by approval status to view pending, approved, denied, or expired requests.

DotNet CLI

Command: epm-approval list

Parameters:

Parameter

Description

--expired

List only expired approvals.

Examples:

My Vault > epm-approval

Command: epm-approval view

Parameters:

Parameter

Description

(positional)

Approval UID.

Examples:

My Vault > epm-approval view abc123uid

DotNet SDK

Function:

// Get status as int (0=Pending, 1=Approved, 2=Denied)
int? status = plugin.GetApprovalStatus(approvalUid);

// List all approvals
IEnumerable<EpmApproval> approvals = plugin.Approvals.GetAll();

// Get single approval
EpmApproval approval = plugin.Approvals.GetEntity(approvalUid);

// Check if expired locally
bool isExpired = approval.ExpireIn > 0 
    && DateTimeOffset.UtcNow.ToUnixTimeSeconds() > (approval.Created + approval.ExpireIn);

Power Commander

Command: Get-KeeperEpmApprovalList

Alias: kepm-approval-list

Parameters:

Parameter

Description

-Type

Filter by approval status: approved, denied, pending, expired, escalated.

Examples:

PS > Get-KeeperEpmApprovalList

Approval UID           Approval Type Status  Agent UID              Account Info          Application Info
------------           ------------- ------  ---------              ------------          ----------------                         
bYEWk2Ido0mcPMoASh9mgw CommandLine   EXPIRED xerWlrlsaF_YLdHDx75c-g Username: mohsinnaqvi FileName: sudo, Description: sudo, FileP…
fKaUe6VE3ESDk0oXSCVIIg CommandLine   EXPIRED xerWlrlsaF_YLdHDx75c-g Username: mohsinnaqvi FileName: sudo, Description: sudo, FileP…

Command: Get-KeeperEpmApproval

Alias: kepm-approval-view

Parameters:

Parameter

Description

-ApprovalUid

The approval record UID.

Examples:

PS > Get-KeeperEpmApproval ovhhkpsKak6xExtREkSroA
Approval: ovhhkpsKak6xExtREkSroA
  Type: CommandLine
  Status: DENIED
  Agent UID: xerWlrlsaF_YLdHDx75c-g
  Account Info: Username: mohsinnaqvi
  Application Info: FileName: sudo, Description: sudo, FilePath: /usr/bin...
  Justification: text: test jira, timestamp: 05/11/2026 23:10:20
  Expire In: N/A
  Created: 2026-05-11 17:40:21

Python CLI

Command: pedm approval list

Aliases: pedm approval l

Flags:

Flag

Description

--type

Filter by approval status (choices: approved, denied, pending, expired)

--format

Output format - json, csv, or table

--output

Save output to specified file

Example:

My Vault> pedm approval list --type pending

Approval UID: approval_abc123
Approval Type: PrivilegeElevation
Status: Pending
Agent UID: agent_xyz789
Account Info: User=john.doe
Application Info: Process=powershell.exe
Justification: System maintenance
Expire In: 300
Created: 2024-11-05 10:30:00

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
approval_list = plugin.approvals.get_all_entities()

Approval Action Command

Take action on privilege elevation approval requests by approving, denying, or removing them. This command supports bulk operations and special values like @approved, @denied, @expired, and @pending to target groups of requests.

DotNet CLI

Command: epm-approval approve

Parameters:

Parameter

Description

(positional)

Approval UID.

Examples:

My Vault > epm-approval approve abc123uid

Command: epm-approval deny

Parameters:

Parameter

Description

(positional)

Approval UID.

Examples:

My Vault > epm-approval deny abc123uid

Command: epm-approval remove

Parameters:

Parameter

Description

(positional)

Approval UID.

Examples:

My Vault > epm-approval remove abc123uid

DotNet SDK

Function:

public Task<ModifyStatus> ModifyApprovals(
    IEnumerable<string> toApproveUids = null,
    IEnumerable<string> toDenyUids = null,
    IEnumerable<string> toRemoveUids = null)

Power Commander

Command: Approve-KeeperEpmApproval

Alias: kepm-approval-approve

Parameters:

Parameter

Description

-ApprovalUid

The approval record UID.

Example:

PS > Approve-KeeperEpmApproval "abc123uid"

Command: Deny-KeeperEpmApproval

Alias: kepm-approval-deny

Parameters:

Parameter

Description

-ApprovalUid

The approval record UID.

Example:

PS > Deny-KeeperEpmApproval "abc123uid"

Command: Remove-KeeperEpmApproval

Alias: kepm-approval-remove

Parameters:

Parameter

Description

-ApprovalUid

The approval record UID.

-Force

Skip confirmation prompt before delete.

Examples:

PS > Remove-KeeperEpmApproval "abc123uid"

Python CLI

Command: pedm approval action

Aliases: pedm approval a

Flags:

Flag

Description

--approve

Request UIDs to approve - can be repeated

--deny

Request UIDs to deny - can be repeated

--remove

Request UIDs to remove, or special values: @approved, @denied, @expired, @pending - can be repeated

Examples:

My Vault> pedm approval action --approve approval_abc123

Approval request approved successfully

My Vault> pedm approval action --deny approval_def456

Approval request denied successfully

My Vault> pedm approval action --remove @expired

All expired approval requests removed successfully

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)

def verify_uid(uids: Any) -> Optional[List[bytes]]:
    if isinstance(uids, str):
        uids = [uids]
    if isinstance(uids, list):
        to_uid = []
        for uid in uids:
            approve_uid = utils.base64_url_decode(uid)
            if len(approve_uid) == 16:
                to_uid.append(approve_uid)
            else:
                logger.warning(f'Invalid UID: {uid}')
        if len(to_uid) > 0:
            return to_uid
    return None

list_approve = ['names or uids of approval requests to approve']
list_deny = ['names or uids of approval requests to deny']
list_remove = ['names or uids of approval requests to remove']
to_approve = verify_uid([list('')])
to_deny = verify_uid(kwargs.get('deny'))
to_remove = kwargs.get('remove')
if to_remove:
    if isinstance(to_remove, str):
        to_remove = [to_remove]
    to_remove_set: Set[bytes] = set()
    to_resolve = []
    for uid in to_remove:
        if uid == '@approved':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_APPROVED))
        elif uid == '@denied':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_DENIED))
        elif uid == '@pending':
            to_remove_set.update(
                (utils.base64_url_decode(x.approval_uid) for x in plugin.storage.approval_status.get_all_entities() if x.approval_status == NotificationCenter_pb2.NAS_UNSPECIFIED))
        else:
            to_resolve.append(uid)
    if len(to_resolve) > 0:
        to_remove = verify_uid(to_resolve)
        if isinstance(to_remove, list):
            to_remove_set.update(to_remove)
    to_remove = list(to_remove_set)

status_rs = plugin.modify_approvals(to_approve=to_approve, to_deny=to_deny, to_remove=to_remove)

PreviousKEPM Collection Commands NextKEPM Report Commands

Last updated 1 month ago