エンドポイント特権マネージャーコマンド

Keeperエンドポイント特権マネージャー (KEPM) の操作用コマンド

概要

エンドポイント特権マネージャーは、特権昇格および委任管理 (PEDM) に該当するソリューションです。IT環境全体にわたり、必要なときだけ安全に昇格特権を付与するジャストインタイムの仕組みを備えています。

EPMコマンドは、ユーザー構成フォルダ内 (例: ~/.keeper/keeper_db.sqlite) に作成されるローカルSQLiteファイルを読み書きします。各エンドポイントから取得した情報は、このデータベースにキャッシュされます。

`epm` コマンド

コマンド: epm

説明: Keeperエンドポイント特権マネージャーのデプロイ、エージェント、ポリシー、コレクション、承認リクエストを管理します。

My Vault> epm -h                                                       
epm command [--options]

Command     Description
----------  ------------------------------------
sync-down   Sync down EPM data from the backend
deployment  Manage EPM deployments 
agent       Manage EPM agents
policy      Manage EPM policies
collection  Manage EPM collections 
scim        Sync EPM user/group collections from AD or AzureAD
approval    Manage EPM requests and approvals

サブコマンド

サブコマンド: sync-down

説明: バックエンドのEPMデータをローカルに取り込み、同期します。

My Vault> epm sync-down -h                                                 
usage: sync-down [-h] [--reload]

Sync down EPM data from the backend

options:
  -h, --help  show this help message and exit
  --reload    Perform full sync

サブコマンド: deployment

説明: EPMのデプロイを管理します。

My Vault> epm deployment -h
epm command [--options]

Command    Description
---------  --------------------------------
list       List EPM deployments
add        Add EPM deployments
edit       Update EPM deployment
delete     Delete EPM deployment
download   Download EPM deployment package

list

My Vault> epm deployment list -h                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM deployments

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

add

My Vault> epm deployment add -h                      
usage: add [-h] [-f] [--spiffe-cert SPIFFE] name

Add EPM deployments

positional arguments:
  name                  Deployment name

options:
  -h, --help            show this help message and exit
  -f, --force           do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate

edit

My Vault> epm deployment edit -h
usage: update [-h] [--disable {on,off}] [--spiffe-cert SPIFFE] [--name NAME] DEPLOYMENT

Update EPM deployment

positional arguments:
  DEPLOYMENT            Deployment name or UID

options:
  -h, --help            show this help message and exit
  --disable {on,off}    do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate
  --name NAME           Deployment name

delete

My Vault> epm deployment delete -h
usage: delete [-h] [-f] DEPLOYMENT [DEPLOYMENT ...]

Delete EPM deployment

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

download

My Vault> epm deployment download -h                      
usage: download [-h] [--file FILE] DEPLOYMENT

Download EPM deployment package

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  --file FILE  File name

サブコマンド: agent

説明: EPMエージェントを管理します。

My Vault> epm agent -h                         
epm command [--options]

Command     Description
----------  -------------------------
list        List EPM agents
edit        Update EPM agents
delete      Delete EPM agents
collection  List EPM agent resources

list

My Vault> epm agent list -h             
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM agents

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

edit

My Vault> epm agent edit -h                          
usage: update [-h] [--enable {on,off}] [--deployment DEPLOYMENT] agent [agent ...]

Update EPM agents

positional arguments:
  agent                 Agent UID(s)

options:
  -h, --help            show this help message and exit
  --enable {on,off}     Enables or disables agents
  --deployment DEPLOYMENT
                        Moves agent to deployment

delete

My Vault> epm agent delete -h                             
usage: update [-h] [--force] agent [agent ...]

Delete EPM agents

positional arguments:
  agent       Agent UID(s)

options:
  -h, --help  show this help message and exit
  --force     do not prompt for confirmation

collection

My Vault> epm agent collection -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] agent

List EPM agent resources

positional arguments:
  agent                 Agent UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter

サブコマンド: policy

説明: EPMポリシーを管理します。

My Vault> epm policy -h  
epm command [--options]

Command    Description
---------  ----------------------------
list       List EPM policies
add        Add EPM policy
edit       Edit EPM policy
view       View EPM policy
agents     Show agents for policies
assign     Assign collections to policy
delete     Delete EPM policy

list

My Vault> epm policy list -h               
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT]

List EPM policies

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

add

My Vault> epm policy add -h      
usage: add [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
           [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL]
           [--policy-type {elevation,file_access,command,least_privilege}] [--policy-name POLICY_NAME]
           [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]

Add EPM policy

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-type {elevation,file_access,command,least_privilege}
                        Policy type
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

edit

My Vault> epm policy edit -h                                                                                                                           
usage: edit [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
            [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL] [--policy-name POLICY_NAME]
            [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]
            policy

Edit EPM policy

positional arguments:
  policy                Policy UID

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

view

My Vault> epm policy view -h                                     
usage: view [-h] [--format {table,json}] [--output OUTPUT] policy

View EPM policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

agents

My Vault> epm policy agents -h                                 
usage: agent [-h] policy [policy ...]

Show agents for policies

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

assign

My Vault> epm policy assign -h                          
usage: assign [-h] [-c COLLECTION] policy [policy ...]

Assign collections to policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  -c, --collection COLLECTION
                        Collection UID

delete

My Vault> epm policy delete -h
usage: delete [-h] policy [policy ...]

Delete EPM policy

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

サブコマンド: collection

説明: EPMコレクションを管理します。

My Vault> epm collection -h                                   
epm command [--options]

Command     Description
----------  -----------------------------------
list        List EPM collections
view        Show EPM collection details
add         Creates EPM collections
update      Update EPM collection
delete      Delete EPM collections
connect     Link values to EPM collection
disconnect  Unlink values from EPM collections
wipe-out    Wipe out EPM collections

list

My Vault> epm collection list -h                                                                                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] [--pattern PATTERN]

List EPM collections

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter
  --pattern PATTERN     collection search pattern

view

My Vault> epm collection view -h                                                                                                                       
usage: view [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--link LINK] collection [collection ...]

Show EPM collection details

positional arguments:
  collection            Collection UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --link LINK           Show link details

add

My Vault> epm collection add -h                                           
usage: add [-h] [--type TYPE] collection [collection ...]

Creates EPM collections

positional arguments:
  collection   Collection name

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

update

My Vault> epm collection update -h                               
usage: update [-h] [--type TYPE] --name NAME collection

Update EPM collection

positional arguments:
  collection   Collection

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type (optional)
  --name NAME  Collection name

delete

My Vault> epm collection delete -h                         
usage: delete [-h] [-f] collection [collection ...]

Delete EPM collections

positional arguments:
  collection   Collection or @orphan_resource

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

disconnect

My Vault> epm collection disconnect -h                 
usage: unlink [-h] [--collection COLLECTION] [-f] links [links ...]

Unlink values from EPM collections

positional arguments:
  links                 UIDs to unlink

options:
  -h, --help            show this help message and exit
  --collection, -c COLLECTION
                        Parent collection UID or name
  -f, --force           do not prompt for confirmation

wipe-out

My Vault> epm collection wipe-out -h                                            
usage: wipe-out [-h] [--type TYPE]

Wipe out EPM collections

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

サブコマンド: approval

説明: EPMの承認リクエストを管理します。

My Vault> epm approval -h                                                    
epm command [--options]

Command    Description
---------  -----------------------------
list       List EPM approval requests
action     Modify EPM approval requests

list

未処理の承認リクエストを一覧表示します。

My Vault> epm approval list -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [--type {approved,denied,pending}]

List EPM approval requests

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  --type {approved,denied,pending,expired}
                        approval type filter

action

リクエストに対し、承認・削除・却下などの操作を行います。

My Vault> epm approval action -h 
usage: action [-h] [--approve APPROVE] [--deny DENY] [--remove REMOVE]

Modify EPM approval requests

options:
  -h, --help         show this help message and exit
  --approve APPROVE  Request UIDs for approval
  --deny DENY        Request UIDs for denial
  --remove REMOVE    Request UIDs for removal. UID, @approved, @denied, @pending

サブコマンド: scim

説明: Active DirectoryまたはAzure ADから、EPMのユーザー/グループコレクションを同期します。

My Vault> epm scim -h                                                                                                                                                                                                     
usage: scim [-h] {record,azure,ad} ...

Sync EPM user/group collections from AD or AzureAD

options:
  -h, --help         show this help message and exit

Directory Type:
  {record,azure,ad}  Authentication method
    record           Connection parameters from Keeper record
    azure            Connect via Azure AD
    ad               Connect via Active Directory

Azure ADの接続パラメータ

My Vault> epm scim azure -h                                                                                                                                                                                               
usage: scim azure [-h] --tenant-id TENANT_ID --client-id CLIENT_ID --client-secret CLIENT_SECRET [--azure-cloud {US,GOV,CN,EU}]

options:
  -h, --help            show this help message and exit
  --tenant-id TENANT_ID
  --client-id CLIENT_ID
  --client-secret CLIENT_SECRET
  --azure-cloud {US,GOV,CN,EU}
                        Azure cloud (AzureCloud, AzureChinaCloud, etc.)

[AzureクライアントID] → [ログイン]

[Azureクライアントシークレット] → [パスワード]

[AzureテナントID] → [カスタムフィールド]

How to register an app in Microsoft Entra ID - Microsoft identity platformMicrosoftLearn

Microsoft Graph の権限: User.Read.All、Group.Read.All、Directory.Read.All

続いて、クライアントアプリケーションのシークレットを作成します。

Active Directoryの接続パラメータ

epm scim ad コマンドは、2種類のログイン方式に対応しています。

Kerberos: ADに参加しているWindowsマシンから利用できる方式で、ログインユーザーがAD上のユーザーである必要があります。--ad-user パラメータは指定不要です。
Simple: --ad-user を指定した場合に選択される方式で、LDAP (389) を使用する際は、暗号化されていないパスワードの送信を防ぐためにTLS接続をリクエストします。

例

Kerberos認証: --ad-url=ldap://dc1.company.com ドメインコントローラのホスト名を指定します。

LDAPSポート636: --ad-url=ldaps://company.com --ad-user=name@company.com

LDAPポート389 + StartTLS: --ad-url=ldap://company.com --ad-user=name@company.com

My Vault> epm scim ad -h                                                                                                                                                                                                  
usage: scim ad [-h] [--ad-url AD_URL] [--ad-user AD_USER] [--ad-password AD_PASSWORD] [--group GROUPS] [--netbios-domain]

options:
  -h, --help            show this help message and exit
  --ad-url AD_URL       AD LDAP URL (e.g., ldap(s)://<host>)
  --ad-user AD_USER     AD bind user (DOMAIN\username or DN)
  --ad-password AD_PASSWORD
                        AD password
  --group GROUPS        AD group name or DN (repeatable)
  --netbios-domain      Use NetBIOS domain names (e.g., TEST) instead of DNS names (e.g., test.local)

[ADユーザー] → [ログイン]

[ADユーザーのパスワード] → [パスワード]

[AD URL] → [ウェブサイトのアドレス]

[NetBIOSドメイン] → [カスタムフィールド] (値をTRUEにするとNetBIOS形式のドメイン名を使用する)

前へPAM Project KCMインポート次へ接続コマンド

最終更新 28 日前

こんばんは

概要

epm コマンド

サブコマンド: sync-down

サブコマンド: deployment

list

add

edit

delete

download

サブコマンド: agent

list

edit

delete

collection

サブコマンド: policy

list

add

edit

view

agents

assign

delete

サブコマンド: collection

list

view

add

update

delete

disconnect

wipe-out

サブコマンド: approval

list

action

サブコマンド: scim

Azure ADの接続パラメータ

Active Directoryの接続パラメータ

例

`epm` コマンド