# Compliance command ### Overview This is the set of commands which we use related to sharing with user 1. [Compliance Report](#compliance-report) 2. [Compliance Team Report](#compliance-team-report) 3. [Compliance Record Access Report](#compliance-record-access-report) 4. [Compliance Summary Report](#compliance-summary-report) 5. [Compliance Shared Folder Report](#compliance-shared-folder-report) ### Compliance Report The `compliance-report` command allows administrators to generate compliance reports from the command line just as they would in the Keeper Admin Console. It provides visibility into record permissions by node, user, and record title, supports filtering by owned or shared records, and enables exporting the results to a file for auditing, analysis, or record-keeping purposes.
DotNet CLI **Command:** Coming Soon
DotNet SDK **Function:** Coming Soon
Power Commander **Command:** `Get-KeeperComplianceReport` | Parameter | Description | | --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `-Format` | `table` (default), `json`, or `csv`. | | `-Output` | File path for `json` or `csv`. Not used for `table`. | | `-Username` | Limit to records owned by listed enterprise email(s). Repeatable. | | `-Node` | Limit to owners under the given enterprise node (and descendants, per resolution logic). | | `-JobTitle` | Limit to owners whose job title matches (repeatable). | | `-Record` | Filter by record UID or title pattern (wildcard). Repeatable. | | `-Team` | Limit to records owned by members of the given team(s). Repeatable. | | `-Url` | Keep records whose Login URL contains the given substring(s). Repeatable. | | `-Shared` | Only shared records. | | `-DeletedItems` | Only records in trash. Cannot be combined with `-ActiveItems`. | | `-ActiveItems` | Only active (not in trash) records. Cannot be combined with `-DeletedItems`. | | `-Rebuild` | Rebuild the in-session compliance cache from Keeper. | | `-NoRebuild` | Use existing in-session cache when valid; build once if missing. | | `-NoCache` | After the report, clear the in-session compliance cache. | | `-Aging` | Add aging columns from audit data: Created, Last Password Change, Last Modified, Last Rotation (extra API work; uses a separate aging cache with a one-day TTL per record). | **Example:** {% code expandable="true" %} ```ps PS > Get-KeeperComplianceReport -Username test1@example.com record_uid title type username permissions url in_trash shared_folder_uid ---------- ----- ---- -------- ----------- --- -------- ----------------- MHNV99kNkUmIN6FCWmRfeg Facebook test1@example.com owner,edit,share,share_admin facebook.com False sQ8XAqyz_6i6yGHrgbbpjw rM9REkN_YGeogYUbgRxFeg Twitter test1@example.com owner,edit,share,share_admin twitter.com False nk41p6S-nVH8I-vYPwM4mg rnGPMp4bHsgrinfJj2JlSA n test1@example.com owner,edit,share,share_admin False wN-a2c22g2NQxJleVlatbw Audit Log: JSON login test1@example.com owner,edit,share,share_admin False xRJRlK36SFaaVEoTfesadw Twitter test1@example.com owner,edit,share,share_admin twitter.com False zsaOU8Rusa6C05EVEC-wCQ a1 login test1@example.com owner,edit,share,share_admin False xI8S-WbmUfbP5Q5AZ6C4Tg ``` {% endcode %}
Python CLI **Command:** `compliance report` **Flags:** `--format` : Format of output `{table,csv,json}.`\ `--output` : Output path to resulting output file (ignored for "table" format).\ `--rebuild`, `-r` : rebuild local data from source.\ `--no-rebuild`, `-nr` : prevent remote data fetching if local cache present.\ `--no-cache`, `-nc` : remove any local non-memory storage of data after report is generated.\ `--node` : Node ID or name of node (defaults to root node).\ `--regex` : Allow use of regular expressions in search criteria.\ `--username,` `-u` : Username user(s) whose records are to be included in report.\ `--job-title`, `-jt` : JOB\_TITLE job title(s) of users whose records are to be included in report.\ `--team` : Team name or UID of team(s) whose members' records are to be included in report.\ `--record` : Record UID or title of record(s) to include in report.\ `--url URL` : URL of record(s) to include in report.\ `--shared` : Show shared records only.\ `--deleted-items` : Show deleted records only.\ `--active-items` : Show active records only. **Example:** ``` My Vault> compliace report Record UID Title Record Type Username Permissions URL In Trash Shared Folder UID ---------------------- -------------------------------------------------- ----------------------- --------------------------------------- ---------------------------- ----------------------------------------------- ---------- ---------------------- 0PrTTeT6kvFiX26iT44LXA L login u.kr@example.com owner,edit,share,share_admin True 0Whot6iNYx9nIFNZu3QP1A Gateway test - VNC Machine pamMachine a.pohane@example.com owner,edit,share,share_admin True 0hm9atvqJI5sHI61r1NJZQ Facebook login p.vagare@example.com owner,edit,share,share_admin facebook.com False 0oPd6C358MuQT-GzOvlA8Q Workflow - VNC Machine pamMachine a.pohane@example.com owner,edit,share,share_admin False t5qV_CaToHs7sOFmyUdbaQ ```
Python SDK **Function:** ```python def generate_default_report(self) -> List[ComplianceReportEntry]: ```
### Compliance Team Report Shared folders can be shared with both Keeper Teams and individual users. The compliance report provides visibility into shared folder access, allowing administrators to view the permissions and access levels that each team has to these shared folders.
DotNet CLI **Command:** Coming Soon
DotNet SDK **Function:** Coming Soon
Power Commander **Command:** `Get-KeeperComplianceTeamReport` **Parameters** | Parameter | Description | | ---------------- | ------------------------------------------------------------------------------------- | | `-Format` | `table` (default), `json`, `csv`. | | `-Output` | Path for `json` / `csv` (ignored for `table`). | | `-Node` | Limit to owners under this enterprise node (and descendants per internal resolution). | | `-Team` | Filter by team name or UID (repeatable). | | `-ShowTeamUsers` | Add `team_users`: member emails for each team (comma-separated in table). | | `-Rebuild` | Rebuild compliance cache. | | `-NoRebuild` | Use cache when valid. | | `-NoCache` | Clear compliance cache after completion. | **Example:** {% code expandable="true" %} ```ps PS > Get-KeeperComplianceTeamReport team_name team_uid node shared_folder_name shared_folder_uid permissions records --------- -------- ---- ------------------ ----------------- ----------- ------- aas tgdrmPFRqbXCB9-pDNdupA 22_jan H1 my2whFiHJT4IaJGH31K4hg Can Share 1 Terraform Developer zGvmeHVgIc9OILmT4hf8RA 21_jan H1 my2whFiHJT4IaJGH31K4hg Can Share; Can Edit 1 ``` {% endcode %}
Python CLI **Command:** `compliance team-report` **Flags:** `--format` : Format of output `{table,csv,json}.`\ `--output` : Output path to resulting output file (ignored for "table" format).\ `--rebuild`, `-r` : Rebuild local data from source.\ `--no-rebuild`, `-nr` : Prevent remote data fetching if local cache present.\ `--no-cache`, `-nc` : Remove any local non-memory storage of data after report is generated.\ `--node` : Node ID or name of node (defaults to root node).\ `--regex` : Allow use of regular expressions in search criteria.\ `--show-team-users`, `-tu` : show all members of each team. **Example:** ``` My Vault> compliance team-report Team Access Report Team Name Team UID Shared Folder Name Shared Folder UID Permissions Records ----------- ---------- -------------------- ------------------- ------------- --------- ```
Python SDK **Function:** ```python def generate_team_report(self) -> List[TeamReportEntry]: ```
### Compliance Record Access Report The compliance record-access report provides a list of all records that have either (a) been accessed by or (b) are currently accessible to specified user(s). The report also includes relevant event details such as the application used, IP address, timestamp, and other associated access information for auditing and compliance purposes.
DotNet CLI **Command:** Coming Soon
DotNet SDK **Function:** Coming Soon
Power Commander **Command:** `Get-KeeperComplianceRecordAccessReport` **Parameters**
ParameterDescription
-EmailUsers to report on: enterprise email(s), numeric enterprise user ID(s), and @all. Repeat -Email for multiple values. If omitted, behaves as @all.
Example -Email user1, user2...
-ReportTypehistory: audit-driven record access. vault: all vault records per user from the compliance snapshot, with audit fields when available.
-Formattable, json, or csv.
-OutputFile path for json or csv export.
-NodeOptional. With Username / Team, limits which enterprise users are in scope (same semantics as other compliance reports).
-UsernameOptional. Filter to specific enterprise user email(s).
-TeamOptional. Filter to members of the given team(s) (name or UID).
-PatternOptional. Wildcard filters (-like on each column). Cannot be used with PatternRegex (different parameter sets).
-PatternRegexOptional. Regex filters on the tab‑joined row. Cannot be used with Pattern. example "login"
-RebuildRebuild the in-session compliance snapshot cache from the server.
-NoRebuildPrefer using an existing in-session cache when possible.
-NoCacheClear the in-session compliance cache after the command finishes.
-AgingAdd aging columns: created, last_pw_change, last_modified, last_rotation.
**Example:** {% code expandable="true" %} ```ps PS > Get-KeeperComplianceRecordAccessReport -Format json -Aging [ { "vault_owner": "test1@example.com", "record_uid": "yAgxq69uEhtJFsMZ9vqH3A", "record_title": "test server creds", "record_type": "serverCredentials", "record_url": "", "has_attachments": false, "in_trash": true, "record_owner": "test1@example.com", "ip_address": "15.207.138.241", "device": "Example 17.1.9", "last_access": "2025-11-21T10:45:48+05:30", "created": "2025-11-21T10:44:55+05:30", "last_pw_change": null, "last_modified": "2025-11-21T10:45:48+05:30", "last_rotation": null }, { "vault_owner": "test2@example.com", "record_uid": "d4x9bfaAXQqFp9KSlHXBWQ", "record_title": "My Site Login", "record_type": "login", "record_url": "example.com/login", "has_attachments": false, "in_trash": false, "record_owner": "test2@example.com", "ip_address": "10.0.12.33", "device": "Example 17.2.0", "last_access": "2026-03-27T11:37:39+05:30", "created": "2026-03-27T11:37:39+05:30", "last_pw_change": null, "last_modified": "2026-03-27T11:37:39+05:30", "last_rotation": null } ] ``` {% endcode %}
Python CLI **Command:** `compliance record-access-report` **Flags:** `--format` : Format of output `{table,csv,json}.`\ `--output` : Output path to resulting output file (ignored for "table" format).\ `--rebuild`, `-r` : Rebuild local data from source.\ `--no-rebuild`, `-nr` : Prevent remote data fetching if local cache present.\ `--no-cache`, `-nc` : Remove any local non-memory storage of data after report is generated.\ `--node` : Node ID or name of node (defaults to root node).\ `--regex` : Allow use of regular expressions in search criteria.\ `--username,` `-u` : Username user(s) whose records are to be included in report.\ `--email`, `-e` : Email username(s) or ID(s), use "@all" for all users.\ `--report-type` : Type of record-access data: "history" or "vault" `{history,vault}.`\ `--aging` : Include record-aging data. **Example:** ``` My Vault> compliance record-access-report Record Access Report (history) Vault Owner Record UID Record Title Record Type Record URL Has Attachments In Trash Record Owner IP Address Device Last Access --------------------------------- ---------------------- --------------------------------- ----------------------- ------------- ----------------- ---------- --------------------------------- ------------ ---------------- ------------------- a.test@example.com ZMwO7u9zJ9bpgmKHDND7WA PAM Test - MySQL Database pamDatabase False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-12 12:16:13 a.mangalam@example.com 2-_yTwwBwcKVU6NmmmShjg PAM Test Dev - VNC Admin pamUser False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-13 16:45:21 2HnszgPlJ0sZ-tmfXPMglw PAM Test Dev - RDP Admin pamUser False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-13 16:45:23 2fD3NGhYtxHlYMc3Q8byCw Commander Service Mode login True False a.test@example@example... 10.15.11.145 Web App 17.4.1 2025-10-10 15:20:26 6pQAU-fq-oF-fikPZm7wHQ PAM Test Dev - SSH Machine wit... pamMachine False False a.test@example@example... 10.15.12.71 Commander 17.2.0 2026-02-13 16:51:49 My Vault> compliance record-access-report --aging Record Access Report (history) Vault Owner Record UID Record Title Record Type Record URL Has Attachments In Trash Record Owner IP Address Device Last Access Created Last Pw Change Last Modified Last Rotation --------------------------------- ---------------------- --------------------------------- ----------------------- ------------- ----------------- ---------- --------------------------------- ------------ ---------------- ------------------- ------------------- ------------------- ------------------- --------------- a.test@example ZMwO7u9zJ9bpgmKHDND7WA PAM Test - MySQL Database pamDatabase False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-12 12:16:13 2026-02-12 01:15:33 2026-02-12 01:15:33 2026-02-12 21:45:39 a.mang@example 2-_yTwwBwcKVU6NmmmShjg PAM Test Dev - VNC Admin pamUser False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-13 16:45:21 2026-02-13 16:45:21 2026-02-13 16:45:21 2026-02-13 16:45:21 2HnszgPlJ0sZ-tmfXPMglw PAM Test Dev - RDP Admin pamUser False False a.test@example@example... 10.15.12.71 Web App 17.6.0 2026-02-13 16:45:23 2026-02-13 16:45:23 2026-02-13 16:45:23 2026-02-13 16:45:23 ```
Python SDK **Function:** ```python def generate_record_access_report(self, report_type: str = REPORT_TYPE_HISTORY) -> List[RecordAccessReportEntry]: ```
### Compliance Summary Report The compliance summary report displays aggregated information about records within the enterprise, grouped by record owner by default. Support for grouping by additional entities may be added in future enhancements to this feature.
DotNet CLI **Command:** Coming Soon
DotNet SDK **Function:** Coming Soon
Power Commander **Command:** `Get-KeeperComplianceSummaryReport` **Parameters** | Parameter | Description | | -------------------------------------- | ------------------------------------------------- | | `-Format` | `table`, `json`, `csv`. | | `-Output` | File path for `json` / `csv`. | | `-Node` | Filter with node. | | `-Team` | Limit to members of listed team(s). | | `-Rebuild` / `-NoRebuild` / `-NoCache` | Same cache semantics as other compliance reports. | **Example:** {% code expandable="true" %} ```ps Get-KeeperComplianceSummaryReport email total_items total_owned active_owned deleted_owned ----- ----------- ----------- ------------ ------------- test1@example.com 30 29 16 13 test2@example.com 12 6 4 2 test3@example.com 0 0 0 0 TOTAL 35 20 15 ``` {% endcode %}
Python CLI **Command:** `compliance summary-report` **Flags:** `--format` : Format of output `{table,csv,json}.`\ `--output` : Output path to resulting output file (ignored for "table" format).\ `--rebuild`, `-r` : Rebuild local data from source.\ `--no-rebuild`, `-nr` : Prevent remote data fetching if local cache present.\ `--no-cache`, `-nc` : Remove any local non-memory storage of data after report is generated.\ `--node` : Node ID or name of node (defaults to root node).\ `--regex` : Allow use of regular expressions in search criteria. **Example:** ``` My Vault> compliance summary-report --rebuild Compliance Summary Report Email Total Items Total Owned Active Owned Deleted Owned --------------------------------------- ------------- ------------- -------------- --------------- pvagare@example.com 29 26 26 0 a.mangalampalli@example.com 46 43 21 22 TOTAL 239 217 128 89 ```
Python SDK **Function:** ```python def generate_summary_report(self) -> List[SummaryReportEntry]: ```
### Compliance Shared Folder Report Similar to the `compliance team-report` command, this command generates a report detailing the access that all entities—both teams and individual users—have to all shared folders across the enterprise.
DotNet CLI **Command:** Coming Soon
DotNet SDK **Function:** Coming Soon
Power Commander **Command:** `Get-KeeperComplianceSharedFolderReport` **Parameters** | Parameter | Description | | -------------------------------------- | ------------------------------------------------------------------------------------------------------ | | `-Format` | `table`, `json`, `csv`. | | `-Output` | Output file for `json` / `csv`. | | `-Node` | Limit owner scope for snapshot fetch. | | `-Team` | Filter which folders appear: folder must match user and/or team filters (same pattern as team report). | | `-ShowTeamUsers` (`-tu`) | Include team members in the `email` column as `(TU)email`. | | `-Rebuild` / `-NoRebuild` / `-NoCache` | Cache control. | **Example:** {% code expandable="true" %} ```ps PS > Get-KeeperComplianceSharedFolderReport WARNING: Failed to decrypt or parse compliance metadata for 2 record payload(s). Some title/type/url fields may be blank. shared_folder_uid team_uid team_name record_uid record_title email ----------------- -------- --------- ---------- ------------ ----- 3T61yvsZqkXJT7LVdMo0mQ AlAK7SgW1JeQHw0ZN1oSRw, F2DwX0cdJU5HEiWMs89Lzw Service Mode Config, ship card Details test@example.com, test1@example.com, test2@example.com 661n5hg7DBimuc6rsDWLNg Ly-ES_5h-ibzJ3fHgKIKtg AutoGenPass test@example.com, test1@example.com 6T9c_-Tzbz2ss2vKMjPiyg Sh9OWEj3H-M3sKFrohM-mA test12345 test1@example.com ``` {% endcode %}
Python CLI **Command:** `compliance shared-folder-report` **Flags:**\ `--format` : Format of output `{table,csv,json}.`\ `--output` : Output path to resulting output file (ignored for "table" format).\ `--rebuild`, `-r` : Rebuild local data from source.\ `--no-rebuild`, `-nr` : Prevent remote data fetching if local cache present.\ `--no-cache`, `-nc` : Remove any local non-memory storage of data after report is generated.\ `--node` : Node ID or name of node (defaults to root node).\ `--regex` : Allow use of regular expressions in search criteria.\ `--show-team-users`, `-tu` : Show all members of each team. **Example:** ``` My Vault> compliance shared-folder-report --no-rebuild Shared Folder Report Shared Folder UID Team UID Team Name Record UID Record Title Email ---------------------- ---------- ----------- ---------------------- -------------------------------------------------- ---------------------------------- GJCmJHY9a05AzaPpsJivkA bV41wijyqUqpoxk4QBShVw Test Configuration p.vagare@example.com XtxaE5xeF6E5_qpLtkKuMA Test - MySQL Admin User io74G1PolvKpeJ4o6rSFQA Test - MySQL Rotation User tiSBTPbX0l-LropVz_yOwA Test - VNC Admin rMcu4KrG7fPngpzOG0whig Test - SSH Admin with Private Key s9lDKvwGOT9xIwkhAeuxxg Test - RDP User AW9fRQkNVN1ud_SADgU2JA Test - RDP Admin VEP5gFHUFsZPNGzSjWaL0Q Test - SSH Admin with Password usvKj4LuyMqVqShQRip_Uw 6pQAU-fq-oF-fikPZm7wHQ PAM Test Dev - SSH Machine with Password Access a.mangalampalli@example.com BwZWlg_2hdACmIh6_ZW3Qg PAM Test Dev - RDP Machine sCM-ej35HG1ZmmLu8bwUyw PAM Test Dev - MySQL Database OtR_D2g2pUCRg1yeoSR2Ww PAM Test Dev - SSH Machine with Private Key Access c-P7AHK38i-guOS5dT8tww PAM Test Dev - Bing Remote Browser 76GpFaYlejEq2Mks7UKSoA PAM Test Dev - VNC Machine ```
Python SDK **Function:** ```python def generate_shared_folder_report(self) -> List[SharedFolderReportEntry]: ```
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/commander-sdk/keeper-commander-sdks/sdk-command-reference/reporting-commands/compliance-command.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.