Enterprise Management Commands
Commands related to Admin Console and Enterprise Management functions
Commands
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Enterprise Management Commands
Command                   Explanation
enterprise-info or ei     Display enterprise information
enterprise-user or eu     Manage enterprise users
enterprise-role or er     Manage enterprise roles and policies
enterprise-team or et     Manage enterprise teams
enterprise-node or en     Manage enterprise nodes
enterprise-push           Populate user and team vaults with predetermined records
enterprise-down or ed     Download & decrypt enterprise data
team-approve              Approve queued teams and users provisioned by SCIM or Active Directory Bridge
device-approve            Approve SSO Cloud devices that are pending from end-users
create-user               Create a new user and vault, and add a record to the current vault with that user's credentials
transfer-user             Transfer an account to another user
automator                 Manage SSO Cloud Automator for Device Approvals
scim                      Manage SCIM endpoints
audit-alert               Manage Audit Alerts
enterprise-info command
Command: enterprise-info or ei
Detail: Display information about your enterprise in a tree structure
Parameters:
Text to search for. Can apply to users, teams, and roles
Switches:
-n, --nodes display nodes
--node <NODE> show tree structure from a specified node
-u, --users display user list
-t, --teams display team list
-r, --roles display role list
-v, --verbose show ids with output
--format <{table, csv, json}> format to show output
table - show information in a table layout
csv - output information in CSV format
json - output information in JSON format
--output <OUTPUT FILE> a file to write the output to
--columns <COLUMNS> columns to include in the output, given as a comma-separated list. Available columns depend on the type of data being viewed:
Users: name, status, transfer_status, node, team_count, teams, role_count, roles, alias, 2FA status
Teams: restricts, node, user_count, users, queued_user_count, queued_users
Roles: is_visible_below, is_new_user, is_admin, node, user_count, users
Nodes: parent_node, user_count, team_count, teams, role_count, roles, provisioning
Examples:
enterprise-info
ei "John Doe" --users
ei --teams --format csv --output teams.csv
ei --roles --columns is_admin,user_count
ei --node "Keeper Security"
Display the enterprise name and node structure
Search the enterprise for users named "John Doe"
Output a list of teams in the enterprise to a CSV file
Display a list of roles, and only show if they are an admin role and how many users are in the role
See the node tree structure starting from the node named "Keeper Security". Give this the root node to see the entire organization's node tree.
enterprise-user command
Command: enterprise-user or eu
Detail: Manage an enterprise user
Parameters:
User's UID or email address.
Note: you can use the following command to see a list of users in the enterprise:
ei --users
Switches:
--expire expire the user's master password
--extend extend vault transfer consent for 7 days. Supports the following pseudo users: @all
--lock lock the user's account
--unlock unlock the user's account. Supports the following pseudo users: @all
--disable-2fa disable 2fa for the user
--add invite the given email address to create a vault in the enterprise (only works with email as parameter)
--invite send an invite to the given email address. Can be sent to previously invited users
--delete delete the user from the enterprise. Be careful: this also deletes all of their records. However, any shared records will remain accessible to other users in their vault.
--name <NAME> set a name to be used as the user's display name
--node <NODE NAME OR UID> move the user to a node with the specified name or UID. To view a list of your nodes, use enterprise-info --nodes
--add-role <ROLE NAME OR UID> add the user to a role with the specified name or UID. To view a list of roles, use enterprise-info --roles. Supports the following pseudo users: @all
--remove-role <ROLE NAME OR UID> remove the user from the role with the specified name or UID
--add-team <TEAM NAME OR UID> add the user to the team with the specified name or UID. To view a list of teams, use enterprise-info --teams
--remove-team <TEAM NAME OR UID> remove the user from the team with the specified name or UID. To view a list of teams, use enterprise-info --teams
--add-alias <EMAIL> Add an alias, in the form of an email address, to a user. The alias added will become the "primary" email for the user. Applying the command to an existing alias will set it as primary. Note that this command is only permitted on reserved domains.
--delete-alias <EMAIL> delete an email alias for a user
-f, --force do not prompt for confirmation
-v, --verbose debug output which includes IDs and other data
Examples:
enterprise-user [email protected]
eu 20379619819523 --node Chicago --add-team "Chicago Engineering"
eu --add [email protected]
eu 19819523203796 --lock
eu --add-alias [email protected] [email protected]
eu --add-role Employee @all
Show details of user "[email protected]"
For the user with the given UID, add them to the Chicago node and the "Chicago Engineering" team
Send an invite to "[email protected]" to open a vault in the enterprise
Lock the account with the given UID
Add an alias for a user who changed their name and set as primary
Add all enterprise users to the "Employee" role
enterprise-role command
Command: enterprise-role or er
Detail: Manage an enterprise role or enforcement policy
Usage: er <ROLE>
Parameters:
<ROLE> Name or UID of role(s). Separate with space to use multiple
Switches:
--add add a new role to the enterprise
--delete delete the role
--add-user <USER NAME OR UID> add a user to the role. Use with --add
--remove-user <USER NAME OR UID> remove a user from the role
--visible-below <{on,off}> make a role visible or invisible to roles beneath it
--new-user <{on,off}> automatically assign new users to this role
--node <NODE NAME OR UID> the node to add the role to
--name <NAME> name the role
--add-admin <NODE> set node to be administered by the specified role(s)
--remove-admin <NODE> unset node administered by the specified role(s)
--cascade <{on,off}> use with --add-admin to extend admin-privileges for the specified role(s) to child nodes as well (if 'on')
--enforcement <POLICY>:<VALUE>, --enforcement <POLICY>:$FILE=<PATH TO FILE WITH VALUE> set the enforcement policy for the given role (using either the literal policy value -- e.g., "True", "e", 10 -- or a reference to a file containing that value). See the list of available enforcement policies in the 2nd tab of the table below.
--copy make a duplicate role with no users
--clone make a duplicate role with the same users as the original
--add-team, -at <TEAM NAME> add a team to the given role
--add-privilege, -ap <PRIVILEGE NAME> add an admin privilege to the role
--remove-privilege, -rp <PRIVILEGE NAME> remove an admin privilege from the role
-v, --verbose show ids with output, including all available enforcement policies
-f, --force do not prompt for confirmation (non-interactive mode)
Examples:
enterprise-role -v "Keeper Administrator"
er 20379621916672 "Engineer Team Lead"
er --add Onboarding --new-user on
er 20379621916672 --add-admin "[email protected]" --cascade on
er PM --name "Product Manager"
er 20379619819524 20379619819525 20379621916672 --node Chicago
er 20379619819524 --copy --node Chicago
Show details about the "Keeper Administrator" role including all enforcements
Show details about the role with the given UID and the "Engineer Team Lead" role
Add a new role named "Onboarding" and make new users automatically assigned to this role
Make user John Dow admin of the role with the given UID and all child roles
Rename the "PM" role to "Product Manager"
Add the three nodes with given UIDs to the "Chicago" node
Create a copy of the role in the "Chicago" node
Changing Role Enforcements and Privileges
Use the --enforcement switch to edit enforcement policies on the given role. Pass a policy key and corresponding value to the switch in order to change the enforcement.
enterprise-role ROLE --enforcement "<POLICY>:<VALUE>"
Alternatively, set a role enforcement policy to the value specified in an external file.
enterprise-role ROLE --enforcement "<POLICY>:$FILE=<PATH_TO_FILE_WITH_POLICY_VALUE>"
Example restricting the "Engineering" role from importing records:
enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"
The available enforcement policies are listed below.
Enforcement Policy Key    Type
MASTER_PASSWORD_MINIMUM_LENGTH    LONG
MASTER_PASSWORD_MINIMUM_SPECIAL    LONG
MASTER_PASSWORD_MINIMUM_UPPER    LONG
MASTER_PASSWORD_MINIMUM_LOWER    LONG
MASTER_PASSWORD_MINIMUM_DIGITS    LONG
MASTER_PASSWORD_RESTRICT_DAYS_BEFORE_REUSE    LONG
REQUIRE_TWO_FACTOR    BOOLEAN
MASTER_PASSWORD_MAXIMUM_DAYS_BEFORE_CHANGE    LONG
MASTER_PASSWORD_EXPIRED_AS_OF    LONG
MINIMUM_PBKDF2_ITERATIONS    LONG
MAX_SESSION_LOGIN_TIME    LONG
RESTRICT_PERSISTENT_LOGIN    BOOLEAN
STAY_LOGGED_IN_DEFAULT    BOOLEAN
RESTRICT_SHARING_ALL    BOOLEAN
RESTRICT_SHARING_ENTERPRISE    BOOLEAN
RESTRICT_SHARING_ALL_OUTGOING    BOOLEAN
RESTRICT_SHARING_ENTERPRISE_OUTGOING    BOOLEAN
RESTRICT_EXPORT    BOOLEAN
RESTRICT_FILE_UPLOAD    BOOLEAN
REQUIRE_ACCOUNT_SHARE    ACCOUNT_SHARE
RESTRICT_SHARING_ALL_INCOMING    BOOLEAN
RESTRICT_SHARING_ENTERPRISE_INCOMING    BOOLEAN
RESTRICT_SHARING_RECORD_WITH_ATTACHMENTS    BOOLEAN
RESTRICT_IP_ADDRESSES    IP_WHITELIST
REQUIRE_DEVICE_APPROVAL    BOOLEAN
REQUIRE_ACCOUNT_RECOVERY_APPROVAL    BOOLEAN
RESTRICT_VAULT_IP_ADDRESSES    IP_WHITELIST
TIP_ZONE_RESTRICT_ALLOWED_IP_RANGES    IP_WHITELIST
AUTOMATIC_BACKUP_EVERY_X_DAYS    LONG
RESTRICT_OFFLINE_ACCESS    BOOLEAN
SEND_INVITE_AT_REGISTRATION    BOOLEAN
RESTRICT_EMAIL_CHANGE    BOOLEAN
RESTRICT_IOS_FINGERPRINT    BOOLEAN
RESTRICT_MAC_FINGERPRINT    BOOLEAN
RESTRICT_ANDROID_FINGERPRINT    BOOLEAN
RESTRICT_WINDOWS_FINGERPRINT    BOOLEAN
LOGOUT_TIMER_WEB    LONG
LOGOUT_TIMER_MOBILE    LONG
LOGOUT_TIMER_DESKTOP    LONG
RESTRICT_WEB_VAULT_ACCESS    BOOLEAN
RESTRICT_EXTENSIONS_ACCESS    BOOLEAN
RESTRICT_MOBILE_ACCESS    BOOLEAN
RESTRICT_DESKTOP_ACCESS    BOOLEAN
RESTRICT_MOBILE_IOS_ACCESS    BOOLEAN
RESTRICT_MOBILE_ANDROID_ACCESS    BOOLEAN
RESTRICT_MOBILE_WINDOWS_PHONE_ACCESS    BOOLEAN
RESTRICT_DESKTOP_WIN_ACCESS    BOOLEAN
RESTRICT_DESKTOP_MAC_ACCESS    BOOLEAN
RESTRICT_CHAT_DESKTOP_ACCESS    BOOLEAN
RESTRICT_CHAT_MOBILE_ACCESS    BOOLEAN
RESTRICT_COMMANDER_ACCESS    BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_TEXT    BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_GOOGLE    BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_DNA    BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_DUO    BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_RSA    BOOLEAN
TWO_FACTOR_DURATION_WEB    TWO_FACTOR_DURATION
TWO_FACTOR_DURATION_MOBILE    TWO_FACTOR_DURATION
TWO_FACTOR_DURATION_DESKTOP    TWO_FACTOR_DURATION
RESTRICT_TWO_FACTOR_CHANNEL_SECURITY_KEYS    BOOLEAN
TWO_FACTOR_BY_IP    JSONARRAY
RESTRICT_DOMAIN_ACCESS    STRING
RESTRICT_DOMAIN_CREATE    STRING
RESTRICT_HOVER_LOCKS    BOOLEAN
RESTRICT_PROMPT_TO_LOGIN    BOOLEAN
RESTRICT_PROMPT_TO_FILL    BOOLEAN
RESTRICT_AUTO_SUBMIT    BOOLEAN
RESTRICT_PROMPT_TO_SAVE    BOOLEAN
RESTRICT_PROMPT_TO_CHANGE    BOOLEAN
RESTRICT_AUTO_FILL    BOOLEAN
RESTRICT_CREATE_FOLDER    BOOLEAN
RESTRICT_CREATE_FOLDER_TO_ONLY_SHARED_FOLDERS    BOOLEAN
RESTRICT_CREATE_IDENTITY_PAYMENT_RECORDS    BOOLEAN
MASK_CUSTOM_FIELDS    BOOLEAN
MASK_NOTES    BOOLEAN
MASK_PASSWORDS_WHILE_EDITING    BOOLEAN
GENERATED_PASSWORD_COMPLEXITY    STRING
GENERATED_SECURITY_QUESTION_COMPLEXITY    STRING
RESTRICT_IMPORT    BOOLEAN
DAYS_BEFORE_DELETED_RECORDS_CLEARED_PERM    LONG
DAYS_BEFORE_DELETED_RECORDS_AUTO_CLEARED    LONG
ALLOW_ALTERNATE_PASSWORDS    BOOLEAN
RESTRICT_CREATE_RECORD    BOOLEAN
RESTRICT_CREATE_RECORD_TO_SHARED_FOLDERS    BOOLEAN
RESTRICT_CREATE_SHARED_FOLDER    BOOLEAN
RESTRICT_LINK_SHARING    BOOLEAN
RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES    BOOLEAN
RESTRICT_SHARING_RECORD_TO_SHARED_FOLDERS    BOOLEAN
DISABLE_SETUP_TOUR    BOOLEAN
RESTRICT_PERSONAL_LICENSE    BOOLEAN
DISABLE_ONBOARDING    BOOLEAN
DISALLOW_V2_CLIENTS    BOOLEAN
RESTRICT_IP_AUTOAPPROVAL    BOOLEAN
SEND_BREACH_WATCH_EVENTS    BOOLEAN
RESTRICT_BREACH_WATCH    BOOLEAN
RESEND_ENTERPRISE_INVITE_IN_X_DAYS    LONG
MASTER_PASSWORD_REENTRY    JSON
RESTRICT_ACCOUNT_RECOVERY    BOOLEAN
KEEPER_FILL_HOVER_LOCKS    TERNARY_DEN
KEEPER_FILL_AUTO_FILL    TERNARY_DEN
KEEPER_FILL_AUTO_SUBMIT    TERNARY_DEN
KEEPER_FILL_MATCH_ON_SUBDOMAIN    TERNARY_DEN
KEEPER_FILL_AUTO_SUGGEST    TERNARY_DEN
RESTRICT_PROMPT_TO_DISABLE    BOOLEAN
RESTRICT_HTTP_FILL_WARNING    BOOLEAN
RESTRICT_RECORD_TYPES    RECORD_TYPES
ALLOW_SECRETS_MANAGER    BOOLEAN
REQUIRE_SELF_DESTRUCT    BOOLEAN
MAXIMUM_RECORD_SIZE    LONG
ALLOW_PAM_ROTATION    BOOLEAN
ALLOW_PAM_DISCOVERY    BOOLEAN
RESTRICT_IMPORT_SHARED_FOLDERS    BOOLEAN
REQUIRE_SECURITY_KEY_PIN    BOOLEAN
DISABLE_CREATE_DUPLICATE    BOOLEAN
ALLOW_PAM_GATEWAY    BOOLEAN
ALLOW_CONFIGURE_ROTATION_SETTINGS    BOOLEAN
ALLOW_ROTATE_CREDENTIALS    BOOLEAN
ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS    BOOLEAN
ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION    BOOLEAN
ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS    BOOLEAN
ALLOW_LAUNCH_PAM_TUNNELS    BOOLEAN
ALLOW_LAUNCH_RBI    BOOLEAN
ALLOW_CONFIGURE_RBI    BOOLEAN
ALLOW_VIEW_KCM_RECORDINGS    BOOLEAN
ALLOW_VIEW_RBI_RECORDINGS    BOOLEAN
RESTRICT_MANAGE_TLA    BOOLEAN
RESTRICT_SELF_DESTRUCT_RECORDS    BOOLEAN
RESTRICT_ACCOUNT_SWITCHING    BOOLEAN
RESTRICT_PASSKEY_LOGIN    BOOLEAN
ALLOW_CAN_EDIT_EXTERNAL_SHARES    BOOLEAN
RESTRICT_SNAPSHOT_TOOL    BOOLEAN
RESTRICT_FORCEFIELD    BOOLEAN
RESTRICT_CLIPBOARD_EXPIRE_IN_X_SECS    LONG
RESTRICT_SF_RECORD_REMOVAL    BOOLEAN
RESTRICT_SF_FOLDER_DELETION    BOOLEAN
You can assign an Administrative Node to a user with this command:
er 'Node Admin' -aa 'Node Name' --cascade on
You can then assign Administrative privileges with the -ap flag, and remove them with the -rp flag:
er 'Admin' --node 'Node Name' -ap manage_nodes -ap manage_roles
Find below all supported privilege codes:
Manage Nodes                    manage_nodes
Manage Users                    manage_user
Manage Roles                    manage_roles
Manage Teams                    manage_teams
Run Security Reports            run_reports
Manage Bridge/SSO               manage_bridge
Perform Device Approvals        approve_device
Manage Record Types in Vault    manage_record_types
Run Compliance Reports          run_compliance_reports
Transfer Account                transfer_account
Sharing Administrator           sharing_administrator
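A pre-flight check for --enforcement "POLICY:VALUE" arguments against the value types in the enforcement policy table, as an added example that is not part of Keeper Commander. The policy subset, the accepted spellings for each type (taken from this page's own examples) and the operator_ip lockout check are assumptions of this example.

```python
# Added example, not Keeper Commander code. Type names come from the policy
# table on this page; the accepted value spellings are assumptions drawn from
# the page's examples (True, 10, d/e/n, comma-separated IPs and ranges).
import ipaddress

# Hand-picked subset of the policy table: key -> value type.
POLICY_TYPES = {
    "RESTRICT_IMPORT": "BOOLEAN",
    "ALLOW_SECRETS_MANAGER": "BOOLEAN",
    "MASTER_PASSWORD_MINIMUM_LENGTH": "LONG",
    "KEEPER_FILL_AUTO_FILL": "TERNARY_DEN",
    "RESTRICT_DOMAIN_ACCESS": "STRING",
    "RESTRICT_IP_ADDRESSES": "IP_WHITELIST",
}


def parse_ip_whitelist(value):
    """Parse '1.0.0.1-1.0.0.10,172.15.0.1' into (first, last) address pairs."""
    ranges = []
    for item in value.split(","):
        first, dash, last = item.strip().partition("-")
        lo = ipaddress.IPv4Address(first.strip())  # ValueError if malformed or empty
        hi = ipaddress.IPv4Address(last.strip()) if dash else lo
        if hi < lo:
            raise ValueError(f"range {item.strip()!r} ends before it starts")
        ranges.append((lo, hi))
    return ranges


def ip_allowed(ranges, ip):
    """True if ip falls inside any parsed (first, last) pair."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)


def check_enforcement(arg, operator_ip=None):
    """Return a list of problems with one POLICY:VALUE argument (empty = OK)."""
    # Split on the first colon only: values such as URLs contain colons too.
    policy, colon, value = arg.partition(":")
    if not colon:
        return ["expected POLICY:VALUE"]
    kind = POLICY_TYPES.get(policy)
    if kind is None:
        return [f"{policy}: not in the local policy table"]
    if value.startswith("$FILE="):
        # Alternative form from the page: the value is stored in a file.
        with open(value[len("$FILE="):], encoding="utf-8") as handle:
            value = handle.read().strip()
    problems = []
    if kind == "BOOLEAN" and value.lower() not in ("true", "false"):
        problems.append(f"{policy}: expected True or False, got {value!r}")
    elif kind == "LONG" and not (value.isascii() and value.isdecimal()):
        problems.append(f"{policy}: expected a non-negative integer, got {value!r}")
    elif kind == "TERNARY_DEN" and value not in ("d", "e", "n"):
        problems.append(f"{policy}: expected d, e or n (n removes the enforcement)")
    elif kind == "STRING" and not value.strip():
        problems.append(f"{policy}: empty value")
    elif kind == "IP_WHITELIST":
        try:
            ranges = parse_ip_whitelist(value)
        except ValueError as exc:
            return [f"{policy}: {exc}"]
        # Lockout check: logins are only allowed from the listed addresses.
        if operator_ip is not None and not ip_allowed(ranges, operator_ip):
            problems.append(
                f"{policy}: {operator_ip} is outside the list; "
                "role members at that address could no longer log in"
            )
    return problems


if __name__ == "__main__":
    samples = [
        "RESTRICT_IMPORT:True",
        "KEEPER_FILL_AUTO_FILL:off",
        "RESTRICT_IP_ADDRESSES:1.0.0.1-1.0.0.10,172.15.0.1,192.0.0.2",
    ]
    for sample in samples:
        print(sample, "->", check_enforcement(sample, operator_ip="10.0.0.1") or "OK")
```
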
Examples for each value type
# command format
enterprise-role ROLE --enforcement "POLICY:VALUE"
# boolean (allow secrets manager)
enterprise-role Engineering --enforcement "ALLOW_SECRETS_MANAGER:True"
# string (restrict access to a domain)
er "Support Admin" --enforcement "RESTRICT_DOMAIN_ACCESS:https://www.baddomain.com"
# long (set minimum password length)
er users --enforcement "MASTER_PASSWORD_MINIMUM_LENGTH:10"
# ternary DEN (set auto fill to off)
er DB_Admin --enforcement "KEEPER_FILL_AUTO_FILL:d"
# ternary values: d:disable e:enable n:null
# Note - n:null removes the enforcement
# RESTRICT_RECORD_TYPES accepts a list of record types separated by comma
# to get a list of all available record types
My Vault> rti
Record Type ID Record Type Name
---------------- -----------------------
1 login
11 bankAccount
14 address
...
34 sshKeys
# to restrict sshKeys and address record types
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:sshKeys, address"
# restrict all record types (other than legacy general type)
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:all"
# ip-whitelist (allow logins only from specified IPs)
My Vault> er --enforcement "RESTRICT_IP_ADDRESSES:1.0.0.1-1.0.0.10,172.15.0.1,192.0.0.2" IP-Restricted_Role
enterprise-team command
Command: enterprise-team or et
Detail: Manage enterprise teams
Parameters:
Team name or id
Note: you can use the following command to see a list of teams in the enterprise:
ei --teams
Switches:
--add add a new team to the enterprise
--delete delete the team
--add-user <USER NAME OR UID> add a user to the team
--remove-user <USER NAME OR UID> remove a user from the team
--node <NODE NAME OR UID> the node to add the team to
--name <NAME> name the team
--approve approve a queued team. Queued teams are typically created by SCIM requests which still need encryption keys to be created. Therefore they remain in a queued state until the admin logs into the Admin Console or this command is executed.
--restrict-edit <{on,off}> decide if users in this team can edit records
--restrict-share <{on,off}> decide if users in this team can share records
--restrict-view <{on,off}> decide if users in this team can view record passwords
--hide-shared-folder, -hsf <{on,off}> flag to determine if users in this team can see shared folders
--add-role, -ar <ROLE NAME> add a role to the given team
-v, --verbose show ids with output
Examples:
enterprise-team "Chicago Engineering"
et "Chicago Engineering" Legal
et --add "Chicago Product" --node Chicago --restrict-edit on
et 20379619819524 --name "El Dorado Hills Engineering"
Show details of "Chicago Engineering" team
Show details for "Chicago Engineering" and "Legal" teams
Add a new team named "Chicago Product" in the "Chicago" node, and restrict users in the team from editing records
Change the name of the team with the given UID to "El Dorado Hills Engineering"
enterprise-node command
Command: enterprise-node or en
Detail: Manage enterprise nodes
Parameters:
Node name or UID
Note: you can use the following command to see a list of nodes in the enterprise:
ei --nodes
Switches:
--add add a new node to the enterprise
--delete delete the node. Note this won't be allowed until all objects from the node are deleted.
--parent <NODE NAME OR UID> make given node the parent of this node
--name <NAME> set node's display name
--wipe-out delete all nodes, roles, users, and teams under the node. Does not delete the node itself. Be careful with this command.
--toggle-isolated make node visible or invisible to people in other nodes
--invite-email <FILE_NAME> set the invite email template from a file. Saves the current template if the file does not exist. A dash (-) uses stdout. See the Custom Emails section below.
--logo-file <FILE_NAME> Sets company / node logo using local image file (max size: 500 kB, min dimensions: 10x10, max dimensions: 320x320)
Examples:
enterprise-node Chicago
en Chicago "El Dorado Hills" 20379619819524 --parent NA
en --add Cork --parent EMEA
en APAC --wipe-out
en Chicago --toggle-isolated
en --logo-file ~/chicago_logo.jpg Chicago
Show details for the "Chicago" node
For the three nodes: "Chicago", "El Dorado Hills" and node with the given UID, change the parent node to node "NA"
Add a new node named "Cork" under the "EMEA" node
Delete all nodes, roles, users, and teams from under the "APAC" node
Make the "Chicago" node invisible (if currently visible) or visible (if currently invisible) to people in other nodes
Customize the appearance of invite emails and vault UI by using the "chicago_logo.jpg" file in the current user's $HOME directory as the logo image for the "Chicago" node.
Custom Emails
The --invite-email switch allows you to set the custom email template per node.
Similar to how email templates can be customized on the web Admin Console, custom email templates on the CLI support customization of the following four attributes:
Subject
Message Heading
Message Body
Download Button Text
Custom email templates can be defined in a .txt file in the following format:
[Subject]
// Insert E-mail Subject line text
[Heading]
// Insert E-mail Message heading text here
[Message]
// Insert E-mail Message body text here
[Button Text]
// Insert the download button text here
Custom Email Use Case
Suppose there are company branches in Chicago and Tokyo, with respective nodes Chicago and Tokyo. Ideally, invitation emails should be in each branch's native language:
Invitation emails sent to the Chicago Branch should be in its native language English
Invitation emails sent to the Tokyo Branch should be in its native language Japanese
The --invite-email switch makes this possible by enabling you to set the desired email template per node.
First, I define the custom email templates for both of my branches: Chicago and Tokyo
Next, I set the appropriate email template for each node:
en Chicago --invite-email="C:\user\emailTemplates\emailChicago.txt"
en Tokyo --invite-email="C:\user\emailTemplates\emailTokyo.txt"
When sending invitation emails, users will receive the following emails based on their branch location:


enterprise-push command
Command: enterprise-push
Detail: Populate a vault with a set of default records
Parameters:
File name of file with template records. File must be JSON format.
Switches:
--syntax-help show example file format and template parameters
--team <TEAM NAME OR UID> team to assign records to
--email <USER EMAIL OR UID> user to assign records to
Examples:
enterprise-push office-codes.json --team "Chicago Office"
enterprise-push default.json --email [email protected]
enterprise-push --syntax-help
Send records templated in the "office-codes.json" file to every user in the "Chicago Office" team
Send records templated in the "default.json" file to user "[email protected]"
See the syntax help
File Format
The "enterprise-push" command uses Keeper JSON record import format.
Example JSON file:
[
    {
        "title": "Google",
        "login": "${user_email}",
        "password": "${generate_password}",
        "login_url": "https://google.com",
        "notes": "",
        "custom_fields": {
            "Name 1": "Value 1",
            "Name 2": "Value 2"
        }
    },
    {
        "title": "Admin Tool",
        "login": "${user_email}",
        "password": "",
        "login_url": "https://192.168.1.1",
        "notes": "",
        "custom_fields": {
        }
    }
]
Supported template parameters:
${user_email} User email address
${generate_password} Generate random password
${user_name} User full name
To export JSON data for creating a template:
Create an empty folder for storing templates. e.g. "Templates"
Create records in that folder
Export the folder as JSON using the command below:
export --format=json --folder=Templates templates.json
Optional: edit the JSON file to delete the following properties, which are not used by the enterprise-push command: "uid", "schema", "folders"
The template JSON file should be either an array of records or an object that contains a property "records" holding an array of records.
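The export-and-clean steps above, as an added example that is not part of Keeper Commander: it accepts both template shapes, drops the unused export properties, and flags unknown template parameters and literal passwords that would be copied into every recipient's vault. SAMPLE_EXPORT is constructed data, and the preview password generator is a stand-in for review only, not Commander's generator.

```python
# Added example, not Keeper Commander code. It prepares and reviews an
# enterprise-push template offline. SAMPLE_EXPORT is constructed data, and
# the password generator is a stand-in used for preview only (assumption).
import json
import re
import secrets
import string

UNUSED_KEYS = ("uid", "schema", "folders")  # export properties enterprise-push does not use
KNOWN_PARAMS = ("user_email", "generate_password", "user_name")
PARAM_RE = re.compile(r"\$\{([^}]*)\}")

SAMPLE_EXPORT = json.dumps({"records": [
    {"uid": "constructed-uid-1", "title": "Google", "login": "${user_email}",
     "password": "${generate_password}", "login_url": "https://google.com",
     "notes": "", "custom_fields": {"Owner": "${user_name}"},
     "folders": [{"folder": "Templates"}]},
    {"uid": "constructed-uid-2", "title": "Admin Tool", "login": "${user_email}",
     "password": "constructed-static-secret", "login_url": "https://192.168.1.1",
     "notes": "ask ${user_mail}", "custom_fields": {},
     "folders": [{"folder": "Templates"}]},
]})


def load_records(text):
    """Accept an array of records or an object with a "records" array."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("records")
    if not isinstance(data, list) or not all(isinstance(r, dict) for r in data):
        raise ValueError('template must be a list of records or {"records": [...]}')
    return data


def to_template(records):
    """Drop export-only properties; return (clean_records, review_findings)."""
    clean, findings = [], []
    for rec in records:
        rec = {key: val for key, val in rec.items() if key not in UNUSED_KEYS}
        title = rec.get("title", "<untitled>")
        # A misspelled parameter would reach users as literal text.
        for name in PARAM_RE.findall(json.dumps(rec)):
            if name not in KNOWN_PARAMS:
                findings.append(f"{title}: unknown template parameter ${{{name}}}")
        # A literal password is pushed unchanged to every recipient.
        password = rec.get("password", "")
        if password and "${" not in password:
            findings.append(f"{title}: literal password would be shared by all recipients")
        clean.append(rec)
    return clean, findings


def _random_password(length=20):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def preview(records, user_email, user_name):
    """Expand template parameters for one user, locally and for review only."""
    def substitute(match):
        name = match.group(1)
        if name == "user_email":
            return user_email
        if name == "user_name":
            return user_name
        if name == "generate_password":
            return _random_password()
        return match.group(0)  # unknown parameter: leave it visible

    def expand(node):
        if isinstance(node, str):
            return PARAM_RE.sub(substitute, node)
        if isinstance(node, dict):
            return {key: expand(val) for key, val in node.items()}
        if isinstance(node, list):
            return [expand(val) for val in node]
        return node

    return [expand(rec) for rec in records]


if __name__ == "__main__":
    template, notes = to_template(load_records(SAMPLE_EXPORT))
    print(json.dumps(template, indent=2))
    for note in notes:
        print("REVIEW:", note)
```
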
enterprise-down command
Command: enterprise-down or ed
Detail: Download & decrypt enterprise data locally.
When there is an active instance of Commander running and a change is made on the Admin Console or in another instance of Commander, the enterprise-down command can be used to download & decrypt the latest enterprise data locally.
Example:
Suppose a new user is added on the Admin Console while an active Commander session is running. Executing the following command in the running Commander session will download and decrypt the latest changes locally:
enterprise-down
team-approve command
Command: team-approve
Detail: Enable or disable automatic team approval or user approval to teams
When using a provisioning method such as Keeper Bridge or SCIM, new teams and users that have not yet activated their vault are queued for approval. Use this command to enable or disable automatic approval of provisioned teams or users.
Switches:
--team approve teams
--email approve team users
--restrict-edit <{on, off}> restrict or allow editing records in approved teams
--restrict-share <{on, off}> restrict or allow sharing records in approved teams
--restrict-view <{on, off}> restrict or allow viewing record passwords in approved teams
Examples:
enterprise-down
team-approve --team
team-approve --email
team-approve --team --restrict-edit on
Sync down any pending Enterprise Team approvals
Automatically approve queued provisioned teams
Automatically approve queued provisioned users
Automatically approve queued provisioned teams and don't allow users in those teams to edit records
device-approve command
Command: device-approve
Detail: Approve cloud SSO devices
Parameters:
User's email or device ID to approve or blank to see a list of pending devices
Switches:
-r, --reload load current list of pending approvals
-a, --approve approve the device for the given user email or device id
-d, --deny deny the device for the given user email or device id
--trusted-ip approve devices from a trusted ip address
--format <{table, csv, json}> format to show output in
--output <FILE NAME> file to send output to (must use json or csv format)
Examples:
device-approve
device-approve [email protected] --approve
device-approve --reload
device-approve --output device_approvals.csv --format csv
Show list of pending device approvals
Approve user "[email protected]"
Refresh list of pending device approvals
Write list of pending device approvals to a file in csv format
create-user command:
Command: create-user
Detail: Create a new account and vault for the given email address and create a record for the new user's credentials in the current Keeper vault.
Parameters:
User's email address
Switches:
--name <Name> user's name
--node <NODE> name or ID of node to add user to
--record <RECORD UID> UID of record that holds password for the new account
--folder <FOLDER NAME OR UID> folder to store created user credentials in
Examples:
create-user [email protected]
create-user [email protected] --name "John Doe" --node Chicago
Create a new user account and vault for [email protected]
Send an invitation to John Doe to join Keeper, name the new user "John Doe" and add him to the "Chicago" node
Onboarding with create-user Command
When the create-user command is used to create a new user in the Keeper account, a record is created in the currently logged-in account with the new user's username and temporary password. Once the new record is created, it can be shared with the new user with a one-time share URL.
My Vault> create-user [email protected]
User "[email protected]" credentials are stored to record "Keeper Account: [email protected]"
My Vault> share create "Keeper Account: [email protected]" --expire 7d
https://keepersecurity.com/vault/share#-Rkzr6w[...]wMw3fQ3kM
The new user will follow this url to receive their temporary credentials and perform the first login.

transfer-user command:
Command: transfer-user
Detail: Lock account, then transfer a vault from one user to another.
Parameter:
Email or user ID of the vault to be transferred. More than one can be provided, separated by spaces.
Switches:
--target-user <USER EMAIL> email address of user account to transfer the vault(s) to
--force, -f do not prompt for confirmation
Account Transfer must be enabled for the account or role the account is in.
The contents of the transferred vault are placed in a folder in the recipient's vault.
Example:
transfer-user [email protected] --target-user [email protected]
Transfer the vault of [email protected] to [email protected].
To perform a bulk transfer of user accounts, use the command:
transfer-user @filename
This will look for the file named filename that contains a FROM and TO mapping. For example:
automator command:
Command: automator
Detail: Configures SSO Cloud device automators.
An Automator is a program running at a customer site that can perform some Keeper administrative actions such as performing device approvals or team approvals. More information about the Keeper Automator service is found at this link.
When the automator command is executed without parameters it displays the list of available automators as well as a command help.
automator command [target] [--options]
Command Description
=================================================================
list Displays the list of the available automators
create Creates automator
init Initializes automator
view Prints automator details
edit Changes automator configuration
delete Deletes automator
reset Resets automator configuration to the default
enable Enables automator
disable Disables automator
log Retrieves automator logs
clear Clears automator logs
certificate Display certificate information.
list, create:
'target' parameter is ignored
init, view, edit, delete, reset, start, stop, log, clear:
these commands require 'target' parameter: Automator Name or ID
Option Commands
==================================================================
--node create
--name create, edit
--url edit : Webhook URL
--skill edit : "device" and/or "team"
--set edit : KEY=VALUE
Examples:
Create automator with name "Cloud SSO Device Approval".
My Vault> automator create --name="Cloud SSO Device Approval"
Automator ID: 888888888888
Name: Cloud SSO Device Approval
URL:
Enabled: No
Initialized: No
Skills: Device Approval
Edit automator to set the Webhook URL. The Webhook URL is provided by the Automator application.
My Vault> automator edit --url="https://automator.company.com:8089" 888888888888
Automator ID: 888888888888
Name: Cloud SSO Device Approval
URL: https://automator.company.com:8089
Enabled: No
Initialized: No
Skills: Device Approval
Skills (Team Approvals, Team-User Approvals, Device Approvals) can be set with the "skill" argument. For example:
My Vault> automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"
Initialize the automator instance using "setup", "init" and "enable" commands. The backend verifies that the Automator is configured and ready to process requests.
My Vault> automator setup 888888888888
My Vault> automator init 888888888888
My Vault> automator enable 888888888888
For more information about the Keeper Automator for SSO device approvals, see the Automator Service documentation.
scim command
Command: scim
Detail: Configures SCIM endpoints
When the scim command is executed without parameters, it displays the list of available SCIM endpoints as well as command help.
scim command [target] [--options]
Command Description
=================================================================
list Displays the list of SCIM endpoints
create Creates SCIM endpoint
view Prints SCIM endpoint details
edit Changes SCIM endpoint configuration
delete Deletes SCIM endpoint
push Pushes data to SCIM endpoint
list, create
'target' parameter is ignored
view, edit, delete
these commands require 'target' parameter: SCIM endpoint ID
Option Commands
=================================================================
--reload all : Reloads SCIM configuration
--node create : Node ID or Name
--prefix create, edit : Role prefix
--unique-groups create, edit : Unique groups
--force delete : Do not ask for delete confirmation
Examples:
Create SCIM endpoint for node SCIM Node
My Vault> scim create --node="SCIM Node"
SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: yIiq6Y4FnWtOPtqatUzZH7BI4FaUNhIbwEtDT5esL-g
Edit SCIM endpoint configuration. Editing SCIM endpoint generates a new provisioning token
My Vault> scim edit 888888888888 --prefix="Group_"
SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: 6oykLqC2-d20Sy3N2d-HKZtGzOt63U60rJz8CLagszY
Delete SCIM endpoint
My Vault> scim delete 820338837203
ALERT!
You are about to delete SCIM endpoint 888888888888
Do you want to proceed with deletion? [y/n]: y
SCIM endpoint "888888888888" at node "7777777777777" deleted
Push group and user data to SCIM endpoint
My Vault> scim push 820338837203 --source=google --record=AW6XZoJr8VM3rlFoxW_6rg
Switches
--source Source of SCIM data. Available values: google, ad
--record Record UID with SCIM configuration
Configuring SCIM source for push
audit-alert command
Command: audit-alert
Detail: Manages Audit Alerts
When audit-alert is executed without parameters, it displays the list of available alerts as well as command help.
audit-alert command [--options]
Command Description
------------ ---------------------------------------------
list Display alert list
view View alert configuration
history View alert history
delete Delete audit alert(s) - single, range, or all
add Add audit alert
edit Edit audit alert
reset-counts Reset alert counts
enable Enable audit alert
disable Disable audit alert
recipient Modify alert recipients
To get help on a command, run:
My Vault> audit-alert <command> -h
list options
--format {table,csv,json}
format of output
--output OUTPUT path to resulting output file (ignored for "table" format)
--reload reload alert information
My Vault> audit-alert list --reload
My Vault> aa l
view options
positional arguments:
ALERT Alert ID or Name
options:
--all View all alerts
--format {table,csv,json,pdf}
format of output
--output OUTPUT path to resulting output file (ignored for "table" format)
My Vault> audit-alert view "Failed Login"
My Vault> aa v 1
Alert ID 1
Alert name Failed Login
Status Enabled
Frequency Every Occurrence
Recipients:
Send To Originator (*) False
Recipient ID 1
Name Administrator
Status Enabled
Email To [email protected]
View all alert configurations
My Vault> audit-alert view --all
Export all alert configurations
My Vault> audit-alert view --all --format <format> --output <path>
Example
My Vault> audit-alert view --all --format csv --output /Users/Commander/output.csv
Report path: /Users/Commander/output.csv
Export a specific alert configuration
My Vault> audit-alert view <ALERT> --format <format> --output <path>
Replace <format> with the desired export format (table, json, csv or pdf) and <path> with the full file path and name where the output should be saved.
history options
ALERT Alert ID or Name.
My Vault> aa h 1
Alert Sent At Occurrences
--------------- -------------
2023-02-10 18:55:00 1
delete options
positional arguments:
ALERT Alert ID or Name.
options:
-h, --help show this help message and exit
--all Delete all alerts
--from ALERT ID Starting alert ID for range deletion
--to ALERT ID Ending alert ID for range deletion
--force Force deletion without confirmation prompt
Delete a specific Audit Alert using Alert Name
My Vault> audit-alert delete "Failed Login"
Delete a specific Audit Alert using Alert ID
My Vault> audit-alert delete [ALERT ID]
Example
My Vault> audit-alert delete 1
The following 1 alert(s) will be deleted:
------------------------------------------------------------
ID: 1 | Name: alert_test_1
------------------------------------------------------------
Are you sure you want to delete 1 alert(s)? (y/n): y
ID Name Events Frequency Occurrences Alerts Sent Last Sent Active
---- ---------------------- ---------------------- ------------------------------- ------------- ------------- ------------------------- --------
2 Failed Login login_failure Every Occurrence 0 True
3 alert_test_2 Every Occurrence 8 3 True
4 alert_test_3 Every Occurrence 8 3 True
5 alert_test_4 Every Occurrence 6 2 True
Delete Audit Alerts in a Range
My Vault> audit-alert delete --from [ALERT ID] --to [ALERT ID]
Delete All Audit Alerts
My Vault> audit-alert delete --all
Delete Audit Alert without confirmation prompt
My Vault> audit-alert delete [ALERT ID] --force
My Vault> audit-alert delete --all --force
My Vault> audit-alert delete --from [ALERT ID] --to [ALERT ID] --force
add options
--name NAME Alert Name.
--frequency FREQUENCY
Alert Frequency. "[N:]event|minute|hour|day"
--audit-event EVENT Audit Event. Can be repeated.
--user USER Username. Can be repeated.
--record-uid RECORD_UID
Record UID. Can be repeated.
--shared-folder-uid SHARED_FOLDER_UID
Shared Folder UID. Can be repeated.
My Vault> audit-alert add --name="Failed Login" --frequency=event --audit-event=login_failure
edit options
ALERT Alert ID or Name.
--name NAME Alert Name.
--frequency FREQUENCY
Alert Frequency. "[N:]event|minute|hour|day"
--audit-event EVENT Audit Event. Can be repeated.
--user USER Username. Can be repeated.
--record-uid RECORD_UID
Record UID. Can be repeated.
--shared-folder-uid SHARED_FOLDER_UID
Shared Folder UID. Can be repeated.
My Vault> audit-alert edit --frequency=2:hour
reset-counts options
ALERT Alert ID or Name.
My Vault> audit-alert reset-counts 1
recipient options
ALERT Alert ID or Name.
recipient actions:
{enable,disable,delete,add,edit}
enable enables recipient
disable disables recipient
delete deletes recipient
add adds recipient
edit edit recipient
recipient enable, disable, or delete options
RECIPIENT Recipient ID or Name. Use "*" for "User who generated event"
My Vault> audit-alert recipient 1 enable *
# enables "User who generated event"
My Vault> audit-alert recipient 1 disable Administrator
# disables recipient by name
My Vault> audit-alert recipient 1 delete 1
recipient add or edit options
RECIPIENT Recipient ID or Name. # edit only
--name NAME recipient name
--email EMAIL email address
--phone PHONE phone number. +1 (555) 555-1234
--webhook URL Webhook URL. See https://docs.keeper.io/enterprise-guide/webhooks
--http-body BODY Webhook HTTP Body. @filename to load body from a file
--cert-errors {ignore,enforce}
Webhook SSL Certificate errors
--generate-token Generate new access token
My Vault> audit-alert recipient "Failed Login" add --name="Administrator" [email protected]
# add email recipient and assign name "Administrator"
My Vault> aa r 1 edit 1 --name="Admin"
# change recipient #1 name on alert #1
My Vault> aa r 1 edit 1 --email= --phone="+1(555)555-1234"
# change recipient #1 on alert #1 from email to Text Message
enable options
ALERT Alert ID or Name
options:
-h, --help show this help message and exit
--all Apply action to all alerts
disable options
ALERT Alert ID or Name
options:
-h, --help show this help message and exit
--all Apply action to all alerts
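Because audit-alert delete --all --force and audit-alert disable --all remove or silence alerting without a prompt, it is worth checking an exported alert list against a baseline on a schedule. The script below is an added example, not part of Keeper Commander: it reads a file written by audit-alert list --format csv --output <path> and reports required events with no active alert, expected alerts that are gone, and disabled alerts. It assumes the CSV column titles match the table header shown in the delete example above and that multiple events are separated by commas or whitespace; the sample data and the name placeholder_event_a are constructed.

```python
import csv
import io

# Assumption: CSV column titles match the table header shown on this page.
COL_NAME, COL_EVENTS, COL_ACTIVE = "Name", "Events", "Active"

# Constructed sample export; placeholder_event_a is not a real event name.
SAMPLE_CSV = """\
ID,Name,Events,Frequency,Occurrences,Alerts Sent,Last Sent,Active
2,Failed Login,login_failure,Every Occurrence,0,,,True
3,alert_test_2,,Every Occurrence,8,3,,True
4,alert_test_3,placeholder_event_a,Every Occurrence,8,3,,False
"""

def load_alerts(csv_text):
    """Parse an exported alert list into normalised dicts."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: multiple events are separated by commas or whitespace.
        events = (row.get(COL_EVENTS) or "").replace(",", " ").split()
        alerts.append({
            "name": (row.get(COL_NAME) or "").strip(),
            "events": set(events),
            "active": (row.get(COL_ACTIVE) or "").strip().lower() == "true",
        })
    return alerts

def check_baseline(alerts, required_events, expected_names=()):
    """Return (kind, subject) findings for gaps against the baseline."""
    covered = set()
    for alert in alerts:
        if alert["active"]:  # a disabled alert covers nothing
            covered |= alert["events"]
    findings = [("uncovered_event", ev)
                for ev in sorted(set(required_events) - covered)]
    present = {alert["name"] for alert in alerts}
    findings += [("alert_removed", name)
                 for name in sorted(set(expected_names) - present)]
    for alert in alerts:
        if not alert["active"]:
            findings.append(("alert_disabled", alert["name"]))
        if not alert["events"]:  # empty Events column: flag for manual review
            findings.append(("no_event_filter", alert["name"]))
    return findings

if __name__ == "__main__":
    baseline = ["login_failure", "placeholder_event_a"]
    expected = ["Failed Login", "alert_test_1"]
    for kind, subject in check_baseline(load_alerts(SAMPLE_CSV), baseline, expected):
        print(f"{kind}: {subject}")
```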