# Job: Run Guide KeeperAdminCLI

## Job Run Guide: How to Run Each Job (KeeperAdminCLI and API) <a href="#job-run-guide-how-to-run-each-job-keeperadmincli-and-api" id="job-run-guide-how-to-run-each-job-keeperadmincli-and-api"></a>

This guide describes how each job is intended to run, which parameters are required or useful, and gives concrete examples you can use with **KeeperAdminCLI** or with the **trigger API** (curl) when parameters are needed.

**Prerequisites:**

* KeeperPrivilegeManager (KPM) must be running.
* Run KeeperAdminCLI **as Administrator** (the run/trigger API requires admin).
* Default KPM URL: `https://localhost:6889` (override with `--port 6889` or `--url <url>`).

**Two ways to run a job:**

1. **No parameters:** `KeeperAdminCLI --port 6889 jobs run --id <jobId>` (POST `/api/Jobs/{jobId}/run`, no body).
2. **With parameters:** POST to `/api/Jobs/{jobId}/trigger` with JSON body. KeeperAdminCLI does not support this yet; use **curl** (or similar) as shown below.

### Quick reference: KeeperAdminCLI-only jobs (no parameters) <a href="#quick-reference-keeperadmincli-only-jobs-no-parameters" id="quick-reference-keeperadmincli-only-jobs-no-parameters"></a>

These can be run with **only** KeeperAdminCLI (no curl):

<table><thead><tr><th width="262">Job ID</th><th>Command</th></tr></thead><tbody><tr><td>FileInventory</td><td><code>KeeperAdminCLI --port 6889 jobs run --id 68112CE4-A2A8-4243-83C9-90BF8D2188A0</code></td></tr><tr><td>ExecutionGrantStartupCleanup</td><td><code>KeeperAdminCLI --port 6889 jobs run --id ExecutionGrantStartupCleanup</code></td></tr><tr><td>locale-cache-cleanup</td><td><code>KeeperAdminCLI --port 6889 jobs run --id locale-cache-cleanup</code></td></tr><tr><td>UserInventory</td><td><code>KeeperAdminCLI --port 6889 jobs run --id 3A124C4D-2D41-4174-9A13-998D1683DADC</code></td></tr><tr><td>ephemeral-account-cleanup-if-unused</td><td><code>KeeperAdminCLI --port 6889 jobs run --id ephemeral-account-cleanup-if-unused</code></td></tr><tr><td>ephemeral-orphan-profile-folders-cleanup</td><td><code>KeeperAdminCLI --port 6889 jobs run --id ephemeral-orphan-profile-folders-cleanup</code></td></tr><tr><td>log-version-info</td><td><code>KeeperAdminCLI --port 6889 jobs run --id log-version-info</code></td></tr><tr><td>FileAccessStartupCleanup</td><td><code>KeeperAdminCLI --port 6889 jobs run --id FileAccessStartupCleanup</code></td></tr><tr><td>process-configuration-policies</td><td><code>KeeperAdminCLI --port 6889 jobs run --id process-configuration-policies</code></td></tr><tr><td>ApplyFileAccessPolicies</td><td><code>KeeperAdminCLI --port 6889 jobs run --id ApplyFileAccessPolicies</code></td></tr><tr><td>agent_registration</td><td><code>KeeperAdminCLI --port 6889 jobs run --id agent_registration</code></td></tr><tr><td>keeperagent-silent-expiration-check</td><td><code>KeeperAdminCLI --port 6889 jobs run --id keeperagent-silent-expiration-check</code></td></tr><tr><td>InventoryBasic</td><td><code>KeeperAdminCLI --port 6889 jobs run --id 60260BA2-0713-4292-8A93-974E0E329BE1</code></td></tr><tr><td>ShowAgent</td><td><code>KeeperAdminCLI --port 6889 jobs run --id ShowAgent</code></td></tr><tr><td>least-privilege-check</td><td><code>KeeperAdminCLI --port 6889 jobs run --id least-privilege-check</code></td></tr><tr><td>RevertFileAccess</td><td><code>KeeperAdminCLI --port 6889 jobs run --id RevertFileAccess</code></td></tr><tr><td>StartKeeperClient</td><td><code>KeeperAdminCLI --port 6889 jobs run --id StartKeeperClient</code></td></tr></tbody></table>

Jobs that **need parameters** require `POST /api/Jobs/{jobId}/trigger` (or `/evaluate`) with JSON body — use **curl** as in the examples above until KeeperAdminCLI supports passing context.

***

### FileInventory (68112CE4-A2A8-4243-83C9-90BF8D2188A0) <a href="#id-68112ce4-a2a8-4243-83c9-90bf8d2188a0--fileinventory" id="id-68112ce4-a2a8-4243-83c9-90bf8d2188a0--fileinventory"></a>

**Name:** FileInventory\
**How it should run:** Scheduled (every 7200 min) or manually. Runs file inventory and reports to KeeperLogger/KeeperApi.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id 68112CE4-A2A8-4243-83C9-90BF8D2188A0
```

***

### ExecutionGrantStartupCleanup <a href="#executiongrantstartupcleanup" id="executiongrantstartupcleanup"></a>

**Name:** Execution Grant Startup Cleanup\
**How it should run:** On startup (event) or manually. Cleans expired execution grants and orphaned expire-exec-grant job files.\
**Required parameters:** None.\
**Optional parameters:** `KeeperApiBaseUrl` (default: `https://127.0.0.1:6889`).

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id ExecutionGrantStartupCleanup
```

***

### privilege-elevation-policy-controls <a href="#privilege-elevation-policy-controls" id="privilege-elevation-policy-controls"></a>

**Name:** Privilege Elevation Policy Controls\
**How it should run:** Triggered by **PolicyEvaluationPending** event (from KeeperPolicy when a privilege-elevation request is PENDING). Not intended for manual run without full policy context.\
**Required parameters:** `SessionId`, `RespondToTopic`.\
**Optional parameters:** `ControlList`, `CommandLine`, `UserName`, `RequestId`, `JobId`, `FileName`, `FilePath`, `EventType` (PrivilegeElevation), `KeeperApiBaseUrl`.

**Example (with parameters via API):** Use only when simulating a policy pending flow (e.g. testing). Normally triggered by MQTT/event.

```
curl -k -X POST "https://localhost:6889/api/Jobs/privilege-elevation-policy-controls/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"SessionId\":\"test-session\",\"RespondToTopic\":\"test/topic\",\"EventType\":\"PrivilegeElevation\",\"FileName\":\"cmd.exe\",\"FilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"RequestId\":\"req-1\",\"UserName\":\"DOMAIN\\\\User\"}"
```

*Note: Running manually without real MQTT response topic will not complete the flow; job may run but response has nowhere to go.*

***

### LaunchFileAccess <a href="#launchfileaccess" id="launchfileaccess"></a>

**Name:** Launch File Access Grant\
**How it should run:** Triggered by **LaunchFileAccess** custom event after file-access policy allows (and controls satisfied). Grants temporary file access and/or launches the executable.\
**Required parameters:** `FilePath`.\
**Optional parameters:** `RequestId`, `FileName`, `UserIdentifier`, `UserName`, `PolicyUid`, `ControlList`, `Justification`, `ApprovalUid`, `GrantedAccess`, `DurationMinutes`, `KeeperApiBaseUrl`, `IsFromHook`, `CommandLine`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchFileAccess/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"UserName\":\"DOMAIN\\\\User\",\"FileName\":\"notepad.exe\"}"
```

***

### StartKeeperClient <a href="#startkeeperclient" id="startkeeperclient"></a>

**Name:** Start Keeper Client for User Session\
**How it should run:** Triggered by **UserLogin**, **SessionConnect**, **StartKeeperClient**, or **ExistingSession** when desktop is available. Starts KeeperClient in the user session.\
**Required parameters:** `SessionId`, `UserName` (in schema; task does not pass them to exe).\
**Optional parameters:** `Domain`, `EventType`, `IsInteractive`.

**Example (minimal – KeeperAdminCLI):** May start client with no session context.

```
KeeperAdminCLI --port 6889 jobs run --id StartKeeperClient
```

**Example (with context via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/StartKeeperClient/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"SessionId\":\"1\",\"UserName\":\"DOMAIN\\\\User\"}"
```

***

### locale-cache-cleanup <a href="#locale-cache-cleanup" id="locale-cache-cleanup"></a>

**Name:** Locale Cache Cleanup\
**How it should run:** Scheduled (every 30 min) or manually. Cleans locale cache for users no longer logged on.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id locale-cache-cleanup
```

***

### composite-risk-evaluation <a href="#composite-risk-evaluation" id="composite-risk-evaluation"></a>

**Name:** Composite Risk Evaluation\
**How it should run:** Called **synchronously** via `/api/Jobs/{jobId}/evaluate` by policy/risk logic with file/user/machine context. Not typically run via “run” or “trigger”; use **evaluate** for a result.\
**Required parameters:** `FilePath`, `UserName`, `MachineName`, `TargetRiskScore`.\
**Optional parameters:** `LocationRiskJobId`, `UserRiskJobId`, `ApplicationRiskJobId`, `MachineRiskJobId` (defaults in job).

**Example (evaluate API – synchronous, returns pass/fail):**\
Include `KeeperApiBaseUrl` so the job can call sub-risk jobs; the executor may also fall back to config if missing.

```
curl -k -X POST "https://localhost:6889/api/Jobs/composite-risk-evaluation/evaluate" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\",\"UserName\":\"DOMAIN\\\\User\",\"MachineName\":\"MYPC\",\"TargetRiskScore\":5.0,\"KeeperApiBaseUrl\":\"https://127.0.0.1:6889\"}"
```

***

### file-access-policy-controls <a href="#file-access-policy-controls" id="file-access-policy-controls"></a>

**Name:** File Access Policy Controls\
**How it should run:** Triggered by **PolicyEvaluationPending** for FileAccess. Not intended for standalone manual run.\
**Required parameters:** `SessionId`, `RespondToTopic`.\
**Optional parameters:** `ControlList`, `UserName`, `RequestId`, `FilePath`, `FileName`, `EventType` (FileAccess), `KeeperApiBaseUrl`, `DurationMinutes`.

**Example (with parameters via API – for testing only):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/file-access-policy-controls/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"SessionId\":\"s1\",\"RespondToTopic\":\"test/topic\",\"EventType\":\"FileAccess\",\"FileName\":\"file.txt\",\"FilePath\":\"C:\\\\temp\\\\file.txt\",\"RequestId\":\"r1\",\"UserName\":\"DOMAIN\\\\User\"}"
```

***

### UserInventory (3A124C4D-2D41-4174-9A13-998D1683DADC) <a href="#id-3a124c4d-2d41-4174-9a13-998d1683dadc--userinventory" id="id-3a124c4d-2d41-4174-9a13-998d1683dadc--userinventory"></a>

**Name:** UserInventory\
**How it should run:** Scheduled (every 7200 min) or on AgentRegistered/Startup. Runs user inventory.\
**Required parameters:** None (httpport is injected by executor).\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id 3A124C4D-2D41-4174-9A13-998D1683DADC
```

***

### ephemeral-account-cleanup-if-unused <a href="#ephemeral-account-cleanup-if-unused" id="ephemeral-account-cleanup-if-unused"></a>

**Name:** Ephemeral Account Cleanup If Unused\
**How it should run:** Scheduled (every 30 sec) or manually. Deletes ephemeral account if no process is running as KeeperUserSession.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id ephemeral-account-cleanup-if-unused
```

***

### create-approved-request-from-policy-result <a href="#create-approved-request-from-policy-result" id="create-approved-request-from-policy-result"></a>

**Name:** Create Approved Request From Policy Result\
**How it should run:** Triggered by **PolicyEvaluationResult** when policy returns ALLOW. Creates approved request server-side.\
**Required parameters:** `RequestId`, `Response`.\
**Optional parameters:** `FileName`, `FilePath`, `CommandLine`, `UserName`, `EventType`, `OriginalEventType`, `RespondToTopic`, `KeeperApiBaseUrl`.

**Example (with parameters via API):** Only meaningful when `Response` is `ALLOW`.

```
curl -k -X POST "https://localhost:6889/api/Jobs/create-approved-request-from-policy-result/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"RequestId\":\"req-123\",\"Response\":\"ALLOW\",\"FileName\":\"cmd.exe\",\"FilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"UserName\":\"DOMAIN\\\\User\",\"OriginalEventType\":\"PrivilegeElevation\"}"
```

***

### ephemeral-orphan-profile-folders-cleanup <a href="#ephemeral-orphan-profile-folders-cleanup" id="ephemeral-orphan-profile-folders-cleanup"></a>

**Name:** Ephemeral Orphan Profile Folders Cleanup\
**How it should run:** Scheduled (every 5 min) or manually. Cleans orphaned KeeperUserSession profile folders (Windows).\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id ephemeral-orphan-profile-folders-cleanup
```

***

### user-risk-assessment <a href="#user-risk-assessment" id="user-risk-assessment"></a>

**Name:** User Risk Assessment\
**How it should run:** Called via **evaluate** by composite-risk-evaluation or policy.\
**Required parameters:** `UserName`.\
**Optional parameters:** `RiskAssessmentExecutable`, `RiskAssessmentArguments`, `KeeperApiBaseUrl` (from context).

**Example (evaluate API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/user-risk-assessment/evaluate" \
  -H "Content-Type: application/json" \
  -d "{\"UserName\":\"DOMAIN\\\\User\"}"
```

***

### custom-event-example <a href="#custom-event-example" id="custom-event-example"></a>

**Name:** Custom Event Handler Example\
**How it should run:** Triggered by custom event (e.g. **MyCustomEvent**). Job is **disabled** by default.\
**Required parameters:** None.\
**Optional parameters:** `MachineName`, `UserName`, `Source`.

**Example (KeeperAdminCLI – job must be enabled first):**

```
KeeperAdminCLI --port 6889 jobs run --id custom-event-example
```

Or trigger by event with context:

```
curl -k -X POST "https://localhost:6889/api/Jobs/custom-event-example/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"MachineName\":\"MYPC\",\"UserName\":\"User\",\"Source\":\"Manual\"}"
```

***

### LaunchApprovedRequest <a href="#launchapprovedrequest" id="launchapprovedrequest"></a>

**Name:** Launch Approved Request\
**How it should run:** Triggered by **LaunchApprovedRequest** event with either `ApprovalUid` (from keeperAgent) or `RequestId`/`FilePath`/`CommandLine` (from policy job). Launches elevated or non-elevated.\
**Required parameters:** Either `ApprovalUid` **or** (`FilePath` for launch path).\
**Optional parameters:** `RequestId`, `CommandLine`, `EventType`, `UserName`, `KeeperApiBaseUrl`.

**Example (by ApprovalUid – from approval workflow):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchApprovedRequest/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"ApprovalUid\":\"<approval-uid-from-keeper>\"}"
```

**Example (by path – e.g. from policy job):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchApprovedRequest/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"CommandLine\":\"\",\"EventType\":\"PrivilegeElevation\",\"UserName\":\"DOMAIN\\\\User\"}"
```

***

### LaunchNativeElevation <a href="#launchnativeelevation" id="launchnativeelevation"></a>

**Name:** Launch Native OS Elevation\
**How it should run:** Triggered by **LaunchNativeElevation** when EnforcementDisabled (no policies apply); launches with OS UAC/sudo.\
**Required parameters:** `FilePath`.\
**Optional parameters:** `FileName`, `CommandLine`, `WorkingDirectory`, `RequestId`, `UserName`, `KeeperApiBaseUrl`, `RespondToTopic`, `SessionId`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchNativeElevation/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"UserName\":\"DOMAIN\\\\User\",\"FileName\":\"cmd.exe\"}"
```

***

### policy-evaluation-error-handler <a href="#policy-evaluation-error-handler" id="policy-evaluation-error-handler"></a>

**Name:** Policy Evaluation Error Handler\
**How it should run:** Triggered by **HookErrorEvent** when policy evaluation fails (desktop). Sends DENY and shows error.\
**Required parameters:** `RequestId` (recommended).\
**Optional parameters:** `SessionId`, `RespondToTopic`, `EventType`, `ErrorReason`, `FileName`, `FilePath`, `CommandLine`, `UserName`, `KeeperApiBaseUrl`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/policy-evaluation-error-handler/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"RequestId\":\"req-1\",\"ErrorReason\":\"MessageHelper not initialized\"}"
```

***

### policy-evaluation-error-handler-headless <a href="#policy-evaluation-error-handler-headless" id="policy-evaluation-error-handler-headless"></a>

**Name:** Policy Evaluation Error Handler (Headless)\
**How it should run:** Same as above for headless (no desktop).\
**Required parameters:** `RequestId` (recommended).\
**Optional parameters:** Same as policy-evaluation-error-handler.

**Example:** Same as above, replace job id with `policy-evaluation-error-handler-headless`.

***

### log-version-info <a href="#log-version-info" id="log-version-info"></a>

**Name:** Log Version Information\
**How it should run:** Triggered by **LogVersionInfo** or manually. Logs component versions.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id log-version-info
```

***

### monitor-and-notify-notification <a href="#monitor-and-notify-notification" id="monitor-and-notify-notification"></a>

**Name:** Monitor and Notify Notification\
**How it should run:** Triggered by **MonitorAndNotifyNotification** when a MonitorAndNotify policy fires.\
**Required parameters:** `Message`.\
**Optional parameters:** `Username`, `RequestId`, `SessionId`, `RequiresAcknowledgement`, `KeeperApiBaseUrl`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/monitor-and-notify-notification/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"Message\":\"Your action is being monitored.\",\"RequiresAcknowledgement\":false}"
```

***

### FileAccessStartupCleanup <a href="#fileaccessstartupcleanup" id="fileaccessstartupcleanup"></a>

**Name:** FileAccess Startup Cleanup\
**How it should run:** On startup or manually. Cleans expired file access grants and orphaned revert jobs.\
**Required parameters:** None.\
**Optional parameters:** `KeeperApiBaseUrl`.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id FileAccessStartupCleanup
```

***

### process-configuration-policies <a href="#process-configuration-policies" id="process-configuration-policies"></a>

**Name:** Process Configuration Policies\
**How it should run:** Triggered by **PolicyPreprocessingCompleted**. Applies SettingsUpdate and JobUpdate policies.\
**Required parameters:** None.\
**Optional parameters:** `KeeperApiBaseUrl`, `JobsDirectory`, `PluginsDirectory`, `AppSettingsPath`.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id process-configuration-policies
```

***

### file-risk-assessment <a href="#file-risk-assessment" id="file-risk-assessment"></a>

**Name:** File Risk Assessment\
**How it should run:** Called via **evaluate** by composite-risk or policy.\
**Required parameters:** `FilePath`.\
**Optional parameters:** `FileRiskExecutable`, `SelectedVendor`.

**Example (evaluate API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/file-risk-assessment/evaluate" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\"}"
```

***

### send-audit-event <a href="#send-audit-event" id="send-audit-event"></a>

**Name:** Send Audit Event\
**How it should run:** Triggered by **SendAuditEvent** with audit payload.\
**Required parameters:** None in job; payload uses placeholders.\
**Optional parameters:** `RequestId`, `Timestamp`, `RequestUid`, `PolicyType`, `UserName`, `TargetInfo`, `EvaluationStatus`, `AuditEventType`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/send-audit-event/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"RequestId\":\"r1\",\"AuditEventType\":\"PrivilegeElevation\",\"Timestamp\":\"2026-02-24T12:00:00Z\",\"UserName\":\"DOMAIN\\\\User\",\"EvaluationStatus\":\"ALLOW\"}"
```

***

### ApplyFileAccessPolicies <a href="#applyfileaccesspolicies" id="applyfileaccesspolicies"></a>

**Name:** Apply FileAccess Policies\
**How it should run:** Triggered by **FileAccessPoliciesChanged** or **PolicySyncCompleted**, or manually. Applies FileAccess DENY ACLs from pending enforcements.\
**Required parameters:** None.\
**Optional parameters:** `KeeperApiBaseUrl`.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id ApplyFileAccessPolicies
```

***

### agent\_registration <a href="#agent_registration" id="agent_registration"></a>

**Name:** Registration\
**How it should run:** On startup or manually. Registers the agent.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id agent_registration
```

***

### location-risk-assessment <a href="#location-risk-assessment" id="location-risk-assessment"></a>

**Name:** Location Risk Assessment\
**How it should run:** Called via **evaluate** by composite-risk or policy.\
**Required parameters:** `FilePath`.\
**Optional parameters:** `RiskAssessmentExecutable`, `RiskAssessmentArguments`.

**Example (evaluate API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/location-risk-assessment/evaluate" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\notepad.exe\"}"
```

***

### send-toast <a href="#send-toast" id="send-toast"></a>

**Name:** Send Toast\
**How it should run:** Triggered by **SendAuditEvent** or other callers with message/severity.\
**Required parameters:** None (but message is empty without context).\
**Optional parameters:** `title`, `message`, `severity`, `targetUser`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/send-toast/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"title\":\"Test\",\"message\":\"Hello from admin\",\"severity\":\"Info\"}"
```

***

### expire-exec-grant-\* (e.g. expire-exec-grant-4e85aed0bf2d4f38a4c25a80413aa7b8) <a href="#expire-exec-grant--eg-expire-exec-grant-4e85aed0bf2d4f38a4c25a80413aa7b8" id="expire-exec-grant--eg-expire-exec-grant-4e85aed0bf2d4f38a4c25a80413aa7b8"></a>

**Name:** Expire Execution Grant - \<ExecutableName>\
**How it should run:** Scheduled at grant expiration time, or manually. Grant ID is in the job ID and in the task body.\
**Required parameters:** None (grantId is in job definition).\
**Optional parameters:** None.

**Example (KeeperAdminCLI):** Use the exact job ID created for that grant.

```
KeeperAdminCLI --port 6889 jobs run --id expire-exec-grant-4e85aed0bf2d4f38a4c25a80413aa7b8
```

***

### RevertFileAccess <a href="#revertfileaccess" id="revertfileaccess"></a>

**Name:** Revert File Access\
**How it should run:** On schedule, **RevertFileAccess** event, or startup. Reverts expired file access grants. Job is **disabled** by default.\
**Required parameters:** None.\
**Optional parameters:** `GrantId` (specific grant; if empty, reverts all expired), `KeeperApiBaseUrl`.

**Example (KeeperAdminCLI – enable job first if needed):**

```
KeeperAdminCLI --port 6889 jobs run --id RevertFileAccess
```

***

### GrantFileAccess <a href="#grantfileaccess" id="grantfileaccess"></a>

**Name:** Grant File Access\
**How it should run:** Triggered by **GrantFileAccess** event when approval/MFA/justify grants access.\
**Required parameters:** None in schema; meaningful grant needs at least one of `RestrictionId` or `FilePath` + `UserName`.\
**Optional parameters:** `RestrictionId`, `FilePath`, `UserName`, `DurationMinutes`, `ApprovalUid`, `Justification`, `ControlMethod`, `KeeperApiBaseUrl`.

**Example (with parameters via API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/GrantFileAccess/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\temp\\\\report.docx\",\"UserName\":\"DOMAIN\\\\User\",\"DurationMinutes\":60}"
```

***

### default-policy-controls-headless <a href="#default-policy-controls-headless" id="default-policy-controls-headless"></a>

**Name:** Default Policy Controls (Headless)\
**How it should run:** Triggered by **PolicyEvaluationPending** when hasdesktop=false (headless). Forwards or denies.\
**Required parameters:** `SessionId`, `RespondToTopic`.\
**Optional parameters:** Same as default-policy-controls.

**Example:** Use trigger API with SessionId and RespondToTopic; normally invoked by policy, not manually.

***

### keeperagent-silent-expiration-check <a href="#keeperagent-silent-expiration-check" id="keeperagent-silent-expiration-check"></a>

**Name:** KeeperAgent Silent Expiration Check\
**How it should run:** Scheduled (every 1440 min) or manually. Runs keeperAgent in silent mode if conditions met.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id keeperagent-silent-expiration-check
```

***

### default-policy-controls <a href="#default-policy-controls" id="default-policy-controls"></a>

**Name:** Default Policy Controls\
**How it should run:** Triggered by **PolicyEvaluationPending** for CommandLine/Custom (not PrivilegeElevation/FileAccess). Runs MFA/justify/approval.\
**Required parameters:** `SessionId`, `RespondToTopic`.\
**Optional parameters:** `ControlList`, `CommandLine`, `UserName`, `RequestId`, `JobId`, `EventType`, `OriginalEventType`, `KeeperApiBaseUrl`.

**Example:** Use trigger API with full context; normally invoked by policy.

***

### LaunchPrivilegeElevation <a href="#launchprivilegeelevation" id="launchprivilegeelevation"></a>

**Name:** Launch Privilege Elevation\
**How it should run:** Triggered by **LaunchPrivilegeElevation** with either `ApprovalUid` or `FilePath`/`CommandLine`/`UserName` from policy.\
**Required parameters:** Either `ApprovalUid` **or** `FilePath` (for path-based launch).\
**Optional parameters:** `RequestId`, `FileName`, `CommandLine`, `UserName`, `MachineName`, `WorkingDirectory`, `KeeperApiBaseUrl`, `RespondToTopic`, `SessionId`, `EventType`, `DurationMinutes`.

**Example (by ApprovalUid):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchPrivilegeElevation/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"ApprovalUid\":\"<approval-uid>\"}"
```

**Example (by path):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/LaunchPrivilegeElevation/trigger" \
  -H "Content-Type: application/json" \
  -d "{\"FilePath\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"CommandLine\":\"\",\"UserName\":\"DOMAIN\\\\User\",\"EventType\":\"PrivilegeElevation\"}"
```

***

### machine-risk-assessment <a href="#machine-risk-assessment" id="machine-risk-assessment"></a>

**Name:** Machine Risk Assessment\
**How it should run:** Called via **evaluate** by composite-risk or policy.\
**Required parameters:** `MachineName`.\
**Optional parameters:** `RiskAssessmentExecutable`, `RiskAssessmentArguments`.

**Example (evaluate API):**

```
curl -k -X POST "https://localhost:6889/api/Jobs/machine-risk-assessment/evaluate" \
  -H "Content-Type: application/json" \
  -d "{\"MachineName\":\"MYPC\"}"
```

***

### InventoryBasic (60260BA2-0713-4292-8A93-974E0E329BE1) <a href="#id-60260ba2-0713-4292-8a93-974e0e329be1--inventorybasic" id="id-60260ba2-0713-4292-8a93-974e0e329be1--inventorybasic"></a>

**Name:** InventoryBasic\
**How it should run:** Scheduled (every 7200 min) or on AgentRegistered/Startup.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id 60260BA2-0713-4292-8A93-974E0E329BE1
```

***

### ShowAgent <a href="#showagent" id="showagent"></a>

**Name:** Show Keeper Agent\
**How it should run:** Triggered by **ShowAgent** (e.g. from KeeperClient menu) or manually. Launches keeperAgent UI on user desktop.\
**Required parameters:** None.\
**Optional parameters:** None.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id ShowAgent
```

***

### least-privilege-check <a href="#least-privilege-check" id="least-privilege-check"></a>

**Name:** Least Privilege Enforcement\
**How it should run:** Triggered by **LeastPrivilegeCheck** or manually. Removes unprotected users from administrators group per policy.\
**Required parameters:** None.\
**Optional parameters:** `MachineName`, `UserName`.

**Example (KeeperAdminCLI):**

```
KeeperAdminCLI --port 6889 jobs run --id least-privilege-check
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/reference/jobs-run-guide-keeperadmincli.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.