KEPM Policy Commands

This page gives information of commands related to perform operations related to KEPM policies

Overview

This section covers all the Keeper Commander commands for managing KEPM privilege elevation policies. Policies define privilege elevation rules with filters and controls that determine when and how users can elevate privileges. These commands allow administrators to create, view, edit, assign, and delete policies with various filters including user, machine, application, date, time, and day restrictions.

This section supports the following commands:

Usage

pedm policy command [--options] OR pedm p command [--options]

Alias: p

Policy List Command

View all KEPM policies with their configuration including policy type, status, controls, and filter settings. Provides an overview of all privilege elevation policies configured in the system.

DotNet CLI

Command: epm-policy list

Examples:

My Vault > epm-policy list

DotNet SDK

Function:

// Get all policies
IEnumerable<EpmPolicy> allPolicies = plugin.Policies.GetAll();

Power Commander

Command: Get-KeeperEpmPolicyList

Alias: kepm-policy-list

Example:

PS > Get-KeeperEpmPolicyList

PolicyUid              PolicyName                               PolicyType         Status             Controls
---------              ----------                               ----------         ------             --------          
1JBnIqMnJOCRNn1DYtyjeA Elevation requires MFA                   PrivilegeElevation off                MFA
40wYBMWDNPUNbkiZwYIhQQ Terraform example — elevation enforce    LeastPrivilege     enforce
4BiVZXCLBucxUQmTeQbZ6w                                                             enforce
4cMI6ZksSre0FHidfhd-bQ Process Management CommandLine Policy    CommandLine        off                APPROV

Python CLI

Command: pedm policy list

Aliases: pedm p l, pedm p list

Flags:

Flag

Description

--format

Output format - json, csv, or table

--output

Save output to specified file

Example:

My Vault> pedm policy list

Policy UID: policy_xyz789
Policy Name: Elevation Policy
Policy Type: PrivilegeElevation
Status: enforce
Controls: ['AUDIT', 'MFA']

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policies = plugin.policies.get_all_entities()

Policy Add Command

Create a new privilege elevation policy with specified filters and controls. Policies can include user, machine, and application filters, along with date, time, and day restrictions. Controls determine what actions are required or allowed during privilege elevation.

DotNet CLI

Command: epm-policy add

Parameters:

Parameter

Description

--uid

New policy UID. If omitted, one is generated by the SDK.

--plain

Plain policy JSON string (template/admin data).

--plain-file

Path to file containing plain policy JSON.

--data

Policy JSON data to encrypt.

--data-file

Path to file containing policy JSON data to encrypt.

Example:

My Vault > epm-policy add --plain '{"name":"MyPolicy","type":"elevation"}' --data '{"Status":"on","Rules":[]}'

DotNet SDK

Function:

public async Task<ModifyStatus> ModifyPolicies(
    IEnumerable<PolicyInput> addPolicies = null,
    IEnumerable<PolicyInput> updatePolicies = null,
    IEnumerable<string> removePolicies = null)

Power Commander

Command: Add-KeeperEpmPolicy

Alias: kepm-policy-add

Parameters:

Parameter

Description

-PolicyName

Display name for the policy.

-PolicyType

Policy type: PrivilegeElevation, FileAccess, CommandLine, LeastPrivilege.

-Status

Policy status: enforce, monitor, monitor_and_notify, off.

-Control

One or more controls: APPROVAL, JUSTIFY, MFA.

-UserFilter

User scope — collection UID(s) or * for all users.

-MachineFilter

Machine scope — collection UID(s).

-AppFilter

Application scope — collection UID(s).

-RiskLevel

Risk level (0–100).

-NotificationMessage

Notification message displayed to end users.

-NotificationRequiresAcknowledge

Whether users must acknowledge the notification.

-DayFilter

Allowed days: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.

-DateFilter

Date range(s) in YYYY-MM-DD:YYYY-MM-DD format.

-TimeFilter

Time range(s) in 24-hour HH-HH format, e.g. 09-17.

Examples:

PS > Add-KeeperEpmPolicy `    -PolicyName "Prod Elevation" `    -PolicyType PrivilegeElevation `    -Status enforce `    -Control APPROVAL, MFA `    -UserFilter "*" `    -RiskLevel 75 `    -NotificationMessage "This action requires manager approval." `    -NotificationRequiresAcknowledge $true `    -DayFilter Monday, Tuesday, Wednesday, Thursday, Friday `    -DateFilter "2026-07-01:2026-09-30" `    -TimeFilter "09-17"
Policy added. UID: QtgZ_1sZhLsC4ERAo7QJkQ
  Added: QtgZ_1sZhLsC4ERAo7QJkQ

Python CLI

Command: pedm policy add

Aliases: pedm p a, pedm p add

Flags:

Flag

Description

--policy-type

Policy type (choices: elevation, file_access, command, least_privilege)

--policy-name

Name for the policy

--control

Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated

--status

Policy status (choices: enforce, monitor, monitor_and_notify)

--enable

Enable or disable policy (choices: on, off)

--user-filter

User collection UID or * for all users - can be repeated

--machine-filter

Machine collection UID - can be repeated

--app-filter

Application collection UID - can be repeated

--date-filter

Date range in ISO format (YYYY-MM-DD:YYYY-MM-DD) - can be repeated

--time-filter

Time range in 24-hour format (HH:MM-HH:MM) - can be repeated

--day-filter

Day of week filter - can be repeated

--risk-level

Policy risk level (0-100)

Example:

My Vault> pedm policy add --policy-type elevation --policy-name "Admin Elevation" --control audit --control mfa --user-filter "*" --status enforce

Policy created successfully
Policy UID: policy_new123

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types
from keepersdk import utils

plugin = admin_plugin.PedmPlugin(enterprise_loader)

controls = ['policy controls']
policy_name = 'policy name'
policy_type = 'LeastPrivilege' ## or 'FileAccess', 'PrivilegeElevation'
policy_uid = utils.generate_uid()
policy_data: Dict[str, Any] = {
    'PolicyName': policy_name,
    'PolicyType': policy_type,
    'PolicyId': policy_uid,
    'Status': 'off',
    'Actions': {
        'OnSuccess': {'Controls': controls or []},
        'OnFailure': {'Command': ''}
    },
    "NotificationMessage": "A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.",
    "NotificationRequiresAcknowledge": False,
    "RiskLevel": 50,
    'Operator': 'And',
    'Rules': [
        {
            'RuleName': 'UserCheck',
            'ErrorMessage': 'This user is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckUser()'
        },
        {
            'RuleName': 'MachineCheck',
            'ErrorMessage': 'This Machine is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckMachine()'
        },
        {
            'RuleName': 'ApplicationCheck',
            'ErrorMessage': 'This application is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckFile(false)'
        },
        {
            "RuleName": "DateCheck",
            "ErrorMessage": "Current date is not covered by this policy",
            "RuleExpressionType": "BuiltInAction",
            "Expression": "CheckDate()"
        },
        {
            'RuleName': 'TimeCheck',
            'ErrorMessage': 'Current time is not covered by this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckTime()'
        },
        {
            'RuleName': 'DayCheck',
            'ErrorMessage': 'Today is not included in this policy',
            'RuleExpressionType': 'BuiltInAction',
            'Expression': 'CheckDay()'
        }
    ]
}
disabled: bool = False
policy_key = utils.generate_aes_key()
add_policy = admin_types.PedmPolicy(
    policy_uid=policy_uid, policy_key=policy_key, data=policy_data, admin_data={}, disabled=disabled)
response = plugin.modify_policies(add_policies=[add_policy])

Policy Edit Command

Modify an existing policy's configuration including name, controls, filters, and status. This command allows administrators to update policy settings without recreating the policy.

DotNet CLI

Command: epm-policy update

Parameters:

Parameter

Description

(positional)

Policy UID or name (case-insensitive).

--plain

Plain policy JSON string (template/admin data).

--plain-file

Path to file containing plain policy JSON.

--data

Policy JSON data to encrypt.

--data-file

Path to file containing policy JSON data to encrypt.

Examples:

My Vault > epm-policy update abc123uid --data '{"Status":"off"}'

DotNet SDK

Function:

public async Task<ModifyStatus> ModifyPolicies(
    IEnumerable<PolicyInput> addPolicies = null,
    IEnumerable<PolicyInput> updatePolicies = null,
    IEnumerable<string> removePolicies = null)

Power Commander

Command: Update-KeeperEpmPolicy

Alias: kepm-policy-edit

Parameters:

Parameter

Description

-PolicyUidOrName

Policy UID or policy display name (case-insensitive match on name).

-PolicyName

New policy name.

-Status

Policy status: enforce, monitor, monitor_and_notify, off.

-Control

Updated controls: APPROVAL, JUSTIFY, MFA.

-UserFilter

User scope — collection UID(s) or * for all users.

-MachineFilter

Machine scope — collection UID(s).

-AppFilter

Application scope — collection UID(s).

-RiskLevel

Risk level (0–100).

-NotificationMessage

Notification message displayed to end users.

-NotificationRequiresAcknowledge

Whether users must acknowledge the notification.

-DayFilter

Allowed days of the week.

-DateFilter

Date range(s) in YYYY-MM-DD:YYYY-MM-DD format.

-TimeFilter

Time range(s) in 24-hour HH-HH format.

Examples:

PS > Update-KeeperEpmPolicy "Prod Elevation" `
>>     -PolicyName "Prod Elevation (Restricted)" `
>>     -NotificationMessage "Elevation requests are logged." `
>>     -NotificationRequiresAcknowledge $true  
>> 
Policy 'QtgZ_1sZhLsC4ERAo7QJkQ' updated.
  Updated: QtgZ_1sZhLsC4ERAo7QJkQ

Python CLI

Command: pedm policy edit <policy>

Aliases: pedm p e, pedm p edit

Flags:

Flag

Description

policy

Policy UID (required)

--policy-name

New policy name

--control

Policy controls (choices: allow, deny, audit, notify, mfa, justify, approval) - can be repeated

--status

Policy status (choices: enforce, monitor, monitor_and_notify)

--enable

Enable or disable policy (choices: on, off)

--user-filter

User collection UID or * - can be repeated

--machine-filter

Machine collection UID - can be repeated

--app-filter

Application collection UID - can be repeated

--date-filter

Date range (YYYY-MM-DD:YYYY-MM-DD) - can be repeated

--time-filter

Time range (HH:MM-HH:MM) - can be repeated

--day-filter

Day of week - can be repeated

--risk-level

Risk level (0-100)

Example:

My Vault> pedm policy edit policy_xyz789 --policy-name "Updated Admin Policy" --control justify --enable on

Policy updated successfully

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_data = copy.deepcopy(policy.data or {})
policy_type = policy_data.get('PolicyType') or 'Unknown'
controls = ['policy controls']
if isinstance(controls, list):
    actions = policy_data.get('Actions')
    if not isinstance(actions, dict):
        actions = {}
        policy_data['Actions'] = actions
    on_success = actions.get('OnSuccess')
    if not isinstance(on_success, dict):
        on_success = {}
    on_success['Controls'] = controls
    policy_data['OnSuccess'] = on_success

policy_name = 'policy name'
if policy_name:
    policy_data['PolicyName'] = policy_name

disabled = True #or False
pu = admin_types.PedmUpdatePolicy(policy_uid=policy.policy_uid, data=policy_data, disabled=disabled)

rs = plugin.modify_policies(update_policies=[pu])

Policy View Command

Display the complete JSON configuration of a policy. This command shows all policy details including filters, controls, rules, and metadata in JSON format.

DotNet CLI

Command: epm-policy view

Parameters:

Parameter

Description

(positional)

Policy UID or name (case-insensitive).

Example:

My Vault > epm-policy view abc123uid

DotNet SDK

Function:

// Get a single policy by UID
EpmPolicy policy = plugin.Policies.GetEntity(policyUid);

Power Commander

Command: Get-KeeperEpmPolicy

Alias: kepm-policy-view

Example:

PS > Get-KeeperEpmPolicy "Test-Json2  "
Policy: Test-Json2
  UID: ZdDNd7zqZJh7hLy52nbblQ
  Type: PrivilegeElevation
  Status: enforce
  On Success Controls: APPROVAL, JUSTIFY, MFA
  Controls: APPROVAL, JUSTIFY, MFA
  Created: 2026-05-05 05:33:42
  Updated: 2026-05-05 05:38:06

Python CLI

Command: pedm policy view <policy>

Aliases: pedm p v, pedm p view

Flags:

Flag

Description

policy

Policy UID or name (required)

--format

Output format - json

--output

Save to file

Example:

My Vault> pedm policy view policy_xyz789

{
    "PolicyName": "Admin Elevation",
    "PolicyType": "PrivilegeElevation",
    "Status": "enforce",
    "Actions": {
        "OnSuccess": {
            "Controls": ["AUDIT", "MFA"]
        }
    }
}

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)

Policy Delete Command

Remove one or more policies from the system. This command permanently deletes policy configurations and removes them from all collection assignments.

DotNet CLI

Command: epm-policy remove

Parameters:

Parameter

Description

(positional)

Policy UID or name (case-insensitive).

Examples:

My Vault > epm-policy delete "My Policy"

DotNet SDK

Function:

public async Task<ModifyStatus> ModifyPolicies(
    IEnumerable<PolicyInput> addPolicies = null,
    IEnumerable<PolicyInput> updatePolicies = null,
    IEnumerable<string> removePolicies = null)

Power Commander

Command: Remove-KeeperEpmPolicy

Aliases: kepm-policy-delete, kepm-policy-remove

Parameters:

Parameter

Description

-PolicyUidOrName

Policy UID or policy display name (case-insensitive match on name).

-Force

Skip the confirmation prompt.

Examples:

PS > Remove-KeeperEpmPolicy "Prod Elevation (Restricted)"

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove" on target "policy 'Prod Elevation (Restricted)'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Policy 'QtgZ_1sZhLsC4ERAo7QJkQ' removed.
  Removed: QtgZ_1sZhLsC4ERAo7QJkQ

Python CLI

Command: pedm policy delete <policy> [policy...]

Aliases: pedm p delete

Flags:

Flag

Description

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy delete policy_old123

Policy deleted successfully

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
to_delete = [policy.policy_uid]

response = plugin.modify_policies(remove_policies=to_delete)

Policy Agents Command

View which agents are affected by specific policies. This command shows all agents that are assigned to the specified policies through collection assignments.

DotNet CLI

Command: epm-policy agents

Parameters:

Parameter

Description

(positional)

Policy UID(s) or name(s), space or comma separated.

Examples:

My Vault > epm-policy agents abc123uid

DotNet SDK

Function: Coming Soon

Power Commander

Command: Get-KeeperEpmPolicyAgent

Alias: kepm-policy-agents

Parameters:

Parameter

Description

-PolicyUidOrNames

One or more policy UIDs or policy names. Accepts pipeline input.

Example:

PS > Get-KeeperEpmPolicyAgent "xZ3XK5MUJm5o6GNgd31Ung"

Key    UID                    Name                                        Status
---    ---                    ----                                        ------
Policy xZ3XK5MUJm5o6GNgd31Ung EPM Change Test                             enforce
Agent  680p8dW43xugzV_YSnGncg KENzZzzdr1PUB0ktHY9lZSU3zDyBqxw5EJ2yS1WrxYw enforce

Python CLI

Command: pedm policy agents <policy> [policy...]

Aliases: pedm p agents

Flags:

Flag

Description

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy agents policy_xyz789

Policy: policy_xyz789
Name: Admin Elevation
Status: enforce

Agent: agent_abc123
Machine: SERVER-001
Status: on

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]

rq = pedm_pb2.PolicyAgentRequest()
rq.policyUid.extend(policy_uids)
rq.summaryOnly = False
rs = KeeperAuth.execute_router("pedm/get_policy_agents", rq, response_type=pedm_pb2.PolicyAgentResponse)

Policy Assign Command

Assign collections to policies to determine which resources the policy applies to. Collections can include agents, users, machines, or applications. Use "*" to assign to all agents.

DotNet CLI

Command: epm-policy assign

Parameters:

Parameter

Description

(positional)

Policy UID(s) or name(s), space or comma separated.

--collection

Collection UID(s) to assign. Use * or all for the all-agents collection.

Examples:

My Vault > epm-policy assign abc123uid --collection coll-uid-1

DotNet SDK

Function:

// 1. Build collection links (collection → policy)
var setLinks = new List<CollectionLink>();
foreach (var collectionUid in collectionUids)
{
    setLinks.Add(new CollectionLink
    {
        CollectionUid = collectionUid,
        LinkUid = policyUid,
        LinkType = PEDM.CollectionLinkType.CltPolicy
    });
}
// Use "*" or "all" → plugin.AllAgentsCollectionUid for the all-agents collection
// string allAgentsUid = plugin.AllAgentsCollectionUid;
// 2. Call SetCollectionLinks
ModifyStatus status = await plugin.SetCollectionLinks(
    setLinks: setLinks,
    unsetLinks: null);
// 3. Sync to refresh local state
await plugin.SyncDown();

Power Commander

Command: Add-KeeperEpmPolicyCollection

Alias: kepm-policy-assign

Parameters:

Parameter

Description

-PolicyUidOrNames

One or more policy UIDs or policy names. Accepts pipeline input.

-CollectionUid

One or more collection UIDs. Use * or all for the all-agents collection.

Examples:

PS > Add-KeeperEpmPolicyCollection `
    -PolicyUidOrNames "Dev Elevation", "Prod Elevation" `
    -CollectionUid "xYzAbCdEf", "aBcDeFgHi"

Python CLI

Command: pedm policy assign <policy> [policy...]

Aliases: pedm p assign

Flags:

Flag

Description

-c, --collection

Collection UID to assign (use * for all agents) - can be repeated

policy

Policy UID or name (required, can specify multiple)

Example:

My Vault> pedm policy assign policy_xyz789 -c collection_abc -c collection_def

Collections assigned to policy successfully

Python SDK

Function:

from keepersdk.plugins.pedm import admin_plugin, admin_types

plugin = admin_plugin.PedmPlugin(enterprise_loader)
policy_id = 'policy name or uid'
policy = plugin.policies.get_entity(policy_id)
policy_uids = [policy.policy_uid]
collections = ['Collection UIDs']
collection_uids: List[bytes] = []
if isinstance(collections, list):
    for c in collections:
        if c in ['*', 'all']:
            collection_uids.append(plugin.all_agents)
        elif c:
            collection_uid = utils.base64_url_decode(c)
            if len(collection_uid) == 16:
                collection_uids.append(collection_uid)


statuses = plugin.assign_policy_collections(policy_uids, collection_uids)

PreviousKEPM Agent Commands NextKEPM Collection Commands

Last updated 23 days ago