Enterprise Management Commands
Commands related to Admin Console and Enterprise Management functions
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Enterprise Management Commands
Command | Explanation |
Display enterprise information | |
Manage enterprise users | |
Manage enterprise roles and policies | |
Manage enterprise teams | |
Manage enterprise nodes | |
Populate user and team vaults with predetermined records | |
Download & decrypt enterprise data | |
Approve queued teams and users provisioned by SCIM or Active Directory Bridge | |
Approve SSO Cloud devices that are pending from end-users | |
Create a new user and vault, and add a record to the current vault with that user's credentials | |
Transfer an account to another user | |
Manage SSO Cloud Automator for Device Approvals | |
Manage SCIM endpoints | |
Manage Audit Alerts |
Command:
enterprise-info
or ei
Detail: Display information about your enterprise in a tree structure
Parameters:
Text to search for. Can apply to users, teams, and roles
Switches:
-n
, --nodes display nodes--node
<NODE> show tree structure from a specified node-u
, --users display user list-t
, --teams display team list-r
, --roles display role list-v
, --verbose show ids with output--format
<{table, csv, json}> format to show output- table - show information in a table layout
- csv - output information in CSV format
- json - output information in JSON format
--output
<OUTPUT FILE> a file to write the output to--columns
<COLUMNS> columns to include in the output. Given as comma separated list. Available columns depends on type of data being viewed- Users
- name
- status
- transfer_status
- node
- team_count
- teams
- role_count
- roles
- alias
- 2FA status
- Teams
- restricts
- node
- user_count
- users
- queued_user_count
- queued_users
- Roles
- is_visible_below
- is_new_user
- is_admin
- node
- user_count
- users
- Nodes
- parent_node
- user_count
- team_count
- teams
- role_count
- roles
- provisioning
Examples:
1
enterprise-info
2
ei "John Doe" --users
3
ei --teams --format csv --output teams.csv
4
ei --roles --columns is_admin,user_count
5
ei --node "Keeper Security"
- 1.Display the enterprise name and node structure
- 2.Search the enterprise for users named "John Doe"
- 3.Output a list of teams in the enterprise to a CSV file
- 4.Display a list of roles, and only show if they are an admin role and how many users are in the role
- 5.See the node tree structure starting from the Node named "Keeper Security" Give this the root node to see the entire organization's node tree
Command:
enterprise-user
or eu
Detail: Manage an enterprise user
Parameters:
User's UID or email address.
Note: you can use the following command to see a list of users in the enterprise:
ei --users
Switches:
--expire
expire the user's master password--extend
extend vault transfer consent for 7 days. Supports the following pseudo users: @all--lock
lock the user's account--unlock
unlock the user's account. Supports the following pseudo users: @all--disable-2fa
disable 2fa for the user--add
invite the given email address to create a vault in the enterprise (only works with email as parameter)--invite
send an invite to the given email address. Can be sent to previously invited users--delete
delete the user from the enterprise. Be careful as this will also delete all of their records, both owned and shared to others.--name
<NAME> set a name to be used as the user's display name--node
<NODE NAME OR UID> add the user to a node with the specified name or UID. To view a list of your nodes, use enterprise-info --nodes
--add-role
<ROLE NAME OR UID> add the user to a role with the specified name or UID. To view a list of roles, use enterprise-info --roles
. Supports the following pseudo users: @all--remove-role
<ROLE NAME OR UID> remove the user from the role with the specified name or UID--add-team
<TEAM NAME OR UID> add the user to the team with the specified name or UID. To view a list of teams, use enterprise-info --teams
--remove-team
<TEAM NAME OR UID> remove the user from the team with the specified name or UID. To view a list of teams, use enterprise-info --teams
--add-alias
<EMAIL> Add an alias, in the form of an email address, to a user. The alias added will become the "primary" email for the user. Applying the command to an existing alias will set it as primary. Note that this command is only permitted on reserved domains.--delete-alias
<EMAIL> delete an email alias for a user-f
, --force do not prompt for confirmation-v
, --verbose debug output which includes IDs and other dataExamples:
1
enterprise-user [email protected]
2
eu 20379619819523 --node Chicago --add-team "Chicago Engineering"
3
eu add [email protected]
4
eu 19819523203796 --lock
5
eu --add-alias [email protected] [email protected]
6
eu --add-role Employee @all
- 1.Show details of user "[email protected]"
- 2.For the user with the given UID, add them to the Chicago node and the "Chicago Engineering" team
- 3.Send an invite to "[email protected]" to open a vault in the enterprise
- 4.Lock the account with the given UID
- 5.Add an alias for a user who changed their name and set as primary
- 6.Add all enterprise users to the "Employee" role
Command:
enterprise-role
or er
Detail: Manage an enterprise role or enforcement policy
Note: you can use the following command to see a list of roles in the enterprise:
ei --roles
Usage:
er <ROLE>
Parameters:
<ROLE> Name or UID of role(s). Separate with space to use multiple
Switches:
--add
add a new role to the enterprise--delete
delete the role--add-user
<USER NAME OR UID> add a user to the role. Use with --add--remove-user
<USER NAME OR UID> remove a user from the role--visible-below
<{on,off}> make a role visible or invisible to roles beneath it--new-user
<{on,off}> make new users assigned to this role--node
<NODE NAME OR UID> the node to add the role to--name
<NAME> name the role--add-admin
<NODE> add a node to be administered by the role--remove-admin
<NODE> remove a node to be administered by the role--cascade
<{on,off}> use with --add-admin to also assign the user as admin to child roles (if 'on')--enforcement
<POLICY:VALUE> set the enforcement policy for the given role. See the list of available enforcement policies in the 2nd tab of the table below.--copy
make a duplicate role with no users--clone
make a duplicate role with the same users as the original--add-team
, -at <TEAM NAME> add a team to the given role--add-privilege
, -ap <PRIVILEGE NAME> add an admin privilege to the role--remove-privilege
, -rp <PRIVILEGE NAME> remove an admin privilege to the role-v
, --verbose show ids with outputExamples:
1
enterprise-role "Keeper Administrator"
2
er 20379621916672 "Engineer Team Lead"
3
er --add Onboarding --new-users
4
er 20379621916672 --add-admin "[email protected]" --cascade yes
5
er PM --name "Product Manager"
6
er 20379619819524 20379619819525 20379621916672 --Node Chicago
7
er 20379619819524 --copy --Node Chicago
- 1.Show details about the "Keeper Administrator" role
- 2.Show details about the role with the given UID and the "Engineer Team Lead" role
- 3.Add a new role named "Onboarding" and make new users automatically assigned to this role
- 4.Make user John Dow admin of the role with the given UID and all child roles
- 5.Rename the "PM" role to "Product Manager"
- 6.Add the three nodes with given UIDs to the "Chicago" node
- 7.Create a copy of the role in the "Chicago" node
Command
Enforcement Policies
Examples
Use the
--enforcement
switch to edit enforcement policies on the given role. Pass a policy key and corresponding value to the switch in order to change the enforcement.enterprise-role ROLE --enforcement "POLICY:VALUE"
enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"
Enforcement Policy Key | Type |
MASTER_PASSWORD_MINIMUM_LENGTH | LONG |
MASTER_PASSWORD_MINIMUM_SPECIAL | LONG |
MASTER_PASSWORD_MINIMUM_UPPER | LONG |
MASTER_PASSWORD_MINIMUM_LOWER | LONG |
MASTER_PASSWORD_MINIMUM_DIGITS | LONG |
MASTER_PASSWORD_RESTRICT_DAYS_BEFORE_REUSE | LONG |
REQUIRE_TWO_FACTOR | BOOLEAN |
MASTER_PASSWORD_MAXIMUM_DAYS_BEFORE_CHANGE | LONG |
MASTER_PASSWORD_EXPIRED_AS_OF | LONG |
MINIMUM_PBKDF2_ITERATIONS | LONG |
MAX_SESSION_LOGIN_TIME | LONG |
RESTRICT_PERSISTENT_LOGIN | BOOLEAN |
RESTRICT_SHARING_ALL | BOOLEAN |
RESTRICT_SHARING_ENTERPRISE | BOOLEAN |
RESTRICT_EXPORT | BOOLEAN |
RESTRICT_FILE_UPLOAD | BOOLEAN |
RESTRICT_SHARING_INCOMING_ALL | BOOLEAN |
RESTRICT_SHARING_INCOMING_ENTERPRISE | BOOLEAN |
RESTRICT_SHARING_RECORD_WITH_ATTACHMENTS | BOOLEAN |
RESTRICT_IP_ADDRESSES | IP_WHITELIST |
REQUIRE_DEVICE_APPROVAL | BOOLEAN |
REQUIRE_ACCOUNT_RECOVERY_APPROVAL | BOOLEAN |
RESTRICT_VAULT_IP_ADDRESSES | IP_WHITELIST |
TIP_ZONE_RESTRICT_ALLOWED_IP_RANGES | IP_WHITELIST |
AUTOMATIC_BACKUP_EVERY_X_DAYS | LONG |
RESTRICT_OFFLINE_ACCESS | BOOLEAN |
SEND_INVITE_AT_REGISTRATION | BOOLEAN |
RESTRICT_EMAIL_CHANGE | BOOLEAN |
RESTRICT_IOS_FINGERPRINT | BOOLEAN |
RESTRICT_MAC_FINGERPRINT | BOOLEAN |
RESTRICT_ANDROID_FINGERPRINT | BOOLEAN |
RESTRICT_WINDOWS_FINGERPRINT | BOOLEAN |
LOGOUT_TIMER_WEB | LONG |
LOGOUT_TIMER_MOBILE | LONG |
LOGOUT_TIMER_DESKTOP | LONG |
RESTRICT_WEB_VAULT_ACCESS | BOOLEAN |
RESTRICT_EXTENSIONS_ACCESS | BOOLEAN |
RESTRICT_MOBILE_ACCESS | BOOLEAN |
RESTRICT_DESKTOP_ACCESS | BOOLEAN |
RESTRICT_MOBILE_IOS_ACCESS | BOOLEAN |
RESTRICT_MOBILE_ANDROID_ACCESS | BOOLEAN |
RESTRICT_MOBILE_WINDOWS_PHONE_ACCESS | BOOLEAN |
RESTRICT_DESKTOP_WIN_ACCESS | BOOLEAN |
RESTRICT_DESKTOP_MAC_ACCESS | BOOLEAN |
RESTRICT_CHAT_DESKTOP_ACCESS | BOOLEAN |
RESTRICT_CHAT_MOBILE_ACCESS | BOOLEAN |
RESTRICT_COMMANDER_ACCESS | BOOLEAN |
RESTRICT_TWO_FACTOR_CHANNEL_TEXT | BOOLEAN |
RESTRICT_TWO_FACTOR_CHANNEL_GOOGLE | BOOLEAN |
RESTRICT_TWO_FACTOR_CHANNEL_DNA | BOOLEAN |
RESTRICT_TWO_FACTOR_CHANNEL_DUO | BOOLEAN |
RESTRICT_TWO_FACTOR_CHANNEL_RSA | BOOLEAN |
TWO_FACTOR_DURATION_WEB | TWO_FACTOR_DURATION |
TWO_FACTOR_DURATION_MOBILE | TWO_FACTOR_DURATION |
TWO_FACTOR_DURATION_DESKTOP | TWO_FACTOR_DURATION |
RESTRICT_TWO_FACTOR_CHANNEL_SECURITY_KEYS | BOOLEAN |
RESTRICT_DOMAIN_ACCESS | STRING |
RESTRICT_DOMAIN_CREATE | STRING |
RESTRICT_HOVER_LOCKS | BOOLEAN |
RESTRICT_PROMPT_TO_LOGIN | BOOLEAN |
RESTRICT_PROMPT_TO_FILL | BOOLEAN |
RESTRICT_AUTO_SUBMIT | BOOLEAN |
RESTRICT_PROMPT_TO_SAVE | BOOLEAN |
RESTRICT_PROMPT_TO_CHANGE | BOOLEAN |
RESTRICT_AUTO_FILL | BOOLEAN |
RESTRICT_CREATE_FOLDER | BOOLEAN |
RESTRICT_CREATE_IDENTITY_PAYMENT_RECORDS | BOOLEAN |
MASK_CUSTOM_FIELDS | BOOLEAN |
MASK_NOTES | BOOLEAN |
MASK_PASSWORDS_WHILE_EDITING | BOOLEAN |
GENERATED_PASSWORD_COMPLEXITY | STRING |
GENERATED_SECURITY_QUESTION_COMPLEXITY | STRING |
RESTRICT_IMPORT | BOOLEAN |
DAYS_BEFORE_DELETED_RECORDS_CLEARED_PERM | LONG |
DAYS_BEFORE_DELETED_RECORDS_AUTO_CLEARED | LONG |
ALLOW_ALTERNATE_PASSWORDS | BOOLEAN |
RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES | BOOLEAN |
DISABLE_SETUP_TOUR | BOOLEAN |
RESTRICT_PERSONAL_LICENSE | BOOLEAN |
DISABLE_ONBOARDING | BOOLEAN |
DISALLOW_V2_CLIENTS | BOOLEAN |
RESTRICT_IP_AUTOAPPROVAL | BOOLEAN |
SEND_BREACH_WATCH_EVENTS | BOOLEAN |
RESTRICT_BREACH_WATCH | BOOLEAN |
RESEND_ENTERPRISE_INVITE_IN_X_DAYS | LONG |
RESTRICT_ACCOUNT_RECOVERY | BOOLEAN |
KEEPER_FILL_HOVER_LOCKS | TERNARY_DEN |
KEEPER_FILL_AUTO_FILL | TERNARY_DEN |
KEEPER_FILL_AUTO_SUBMIT | TERNARY_DEN |
KEEPER_FILL_MATCH_ON_SUBDOMAIN | TERNARY_DEN |
KEEPER_FILL_AUTO_SUGGEST | TERNARY_DEN |
RESTRICT_PROMPT_TO_DISABLE | BOOLEAN |
RESTRICT_HTTP_FILL_WARNING | BOOLEAN |
RESTRICT_RECORD_TYPES | RECORD_TYPES |
ALLOW_SECRETS_MANAGER | BOOLEAN |
MAXIMUM_RECORD_SIZE | LONG |
RESTRICT_IMPORT_SHARED_FOLDERS | BOOLEAN |
REQUIRE_SECURITY_KEY_PIN | BOOLEAN |
RESTRICT_IMPORT_SHARED_FOLDERS | BOOLEAN |
| |
Examples for each value type
# command format
enterprise-role ROLE --enforcement "POLICY:VALUE"
# boolean (allow secrets manager)
enterprise-role Engineering --enforcement "ALLOW_SECRETS_MANAGER:True"
# string (restrict access to a domain)
er "Support Admin" --enforcement "RESTRICT_DOMAIN_ACCESS:https://www.baddomain.com"
# long (set minimum password length)
er users --enforcement "MASTER_PASSWORD_MINIMUM_LENGTH:10"
# ternary DEN (set auto fill to off)
er DB_Admin --enforcement "KEEPER_FILL_AUTO_FILL:d"
# ternary values: d:disable e:enable n:null
# Note - n:null removes the enforcement
# RESTRICT_RECORD_TYPES accepts a list of record types separated by comma
# to get a list of all available record types
My Vault> rti
Record Type ID Record Type Name
---------------- -----------------------
1 login
11 bankAccount
14 address
...
34 sshKeys
# to restrict sshKeys and address record types
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:sshKeys, address"
# restrict all record types (other than legacy general type)
My Vault> er Finance --enforcement "RESTRICT_RECORD_TYPES:all"
Command:
enterprise-team
or et
Detail: Manage enterprise teams
Parameters:
Team name or id
Note: you can use the following command to see a list of teams in the enterprise:
ei --teams
Switches:
--add
add a new team to the enterprise--delete
delete the team--add-user
<USER NAME OR UID> add a user to the team--remove-user
<USER NAME OR UID> remove a user from the team--node
<NODE NAME OR UID> the node to add the team to--name
<NAME> name the team--approve
approve a queued team. Queued teams are typically created by SCIM requests which still need encryption keys to be created. Therefore they remain in a queued state until the admin logs into the Admin Console or this command is executed.--restrict-edit
<{on,off}> decide if users in this team can edit records--restrict-share
<{on,off}> decide if users in this team can share records--restrict-view
<{on,off}> decide if users in this team can view record passwords--hide-shared-folder
, -hsf <{on,off}> flag to determine if users in this team can see shared folders --add-role, -ar <ROLE NAME> add a role to the given team
-v, --verbose show ids with output
Examples:
enterprise-team "Chicago Engineering"
et "Chicago Engineering" Legal
et --add "Chicago Product" --node Chicago --restrict-edit on
et 20379619819524 --name "El Dorado Hills Engineering"
- 1.Show details of "Chicago Engineering" team
- 2.Show details for "Chicago Engineering" and "Legal" teams
- 3.Add a new team named "Chicago Product" in the "Chicago" node, and restrict users in the team from editing records
- 4.Change the name of the team with the given UID to "El Dorado Hills Engineering"
Command:
enterprise-node
or en
Detail: Manage enterprise nodes
Parameters:
Node name or UID
Note: you can use the following command to see a list of nodes in the enterprise:
ei --nodes
Switches:
--add
add a new node to the enterprise--delete
delete the node. Note this won't be allowed until all objects from the node are deleted.--parent
<NODE NAME OR UID> make given node the parent of this node--name
<NAME> set node's display name--wipe-out
delete all nodes, roles, users, and teams under the node. Does not delete the node itself. Be careful with this command.--toggle-isolated
make node visible or invisible to people in other nodes--invite-email
<FILE_NAME> Sets invite email template from file. Saves current template if file does not exist. dash (-) use stdout. See Custom Emails section below.
Examples:
1
enterprise-node Chicago
2
en Chicago "El Dorado Hills" 20379619819524 --parent NA
3
en --add Cork --parent EMEA
4
en APAC --wipe-out
5
en Chicago --toggle-isolated
- 1.Show details for the "Chicago" node
- 2.For the three nodes: "Chicago", "El Dorado Hills" and node with the given UID, change the parent node to node "NA"
- 3.Add a new node named "Cork" under the "EMEA" node
- 4.Delete all nodes, roles, users, and teams from under the "APAC" node
- 5.Make the "Chicago" node invisible (if currently visible) or visible (if currently invisible) to people in other nodes
The
--invite-email
switch allows you to set the custom email template per node. Similar to how email templates can be customized on the web admin console, custom email templates on the CLI supports customization of the following four attributes:
- Subject
- Message Heading
- Message Body
- Download Button Text
Custom email templates can be defined in a
.txt
file in the following format: [Subject]
// Insert E-mail Subject line text
[Heading]
// Insert E-mail Message heading text here
[Message]
// Insert E-mail Message body text here
[Button Text]
// Insert the download button text here
Custom Emails can also be formatted using markdown syntax, for more information please refer to this page.
Suppose there are company branches in Chicago and Tokyo with its respective nodes
Chicago
and Tokyo
. Ideally, you want the invitation emails to be in its native language:- Invitation emails sent to the Chicago Branch should be in its native language English
- Invitation emails sent to the Tokyo Branch should be in its native language Japanese
The
--invite-email
switch makes this possible by enabling you to set the desired email template per node.First, I define the custom email templates for both of my branches:
Chicago
and Tokyo
emailChicago.txt
865B
Text
Email Template File for Chicago
emailTokyo.txt
1KB
Text
Email Template File for Tokyo
Next, I set the appropriate email template for each node:
en Chicago --invite-email="C:\user\emailTemplates\emailChicago.txt"
en Tokyo --invite-email="C:\user\emailTemplates\emailTokyo.txt"
On windows, file paths can be specified either in quotations or double backslash. Either of the following file paths are valid:
"C:\users\file.txt"
or c:\\users\\file.txt
When sending invitation emails, users will receive the following emails based on their branch location:

Invitation Email for Chicago Branch

Invitation Email for Tokyo Branch
Command:
enterprise-push
Detail: Populate a vault with a set of default records
Parameters:
File name of file with template records. File must be JSON format.
Switches:
--syntax-help
show example file format and template parameters --team
<TEAM NAME OR UID> team to assign records to--email
<USER EMAIL OR UID> user to assign records toExamples:
1
enterprise-push office-codes.json --team "Chicago Office"
2
enterprise-push default.json --email [email protected]
3
enterprise=push --syntax-help
- 1.Send records templated in the "office-codes.json" file to every user in the "Chicago Office" team
- 2.Send records templated in the "default.json" file to user "[email protected]"
- 3.See the syntax help
File Format
The "enterprise-push" command uses Keeper JSON record import format.
Example JSON file:
[
{
"title": "Google",
"login": "${user_email}",
"password": "${generate_password}",
"login_url": "https://google.com",
"notes": "",
"custom_fields": {
"Name 1": "Value 1",
"Name 2": "Value 2"
}
},
{
"title": "Admin Tool",
"login": "${user_email}",
"password": "",
"login_url": "https://192.168.1.1",
"notes": "",
"custom_fields": {
}
}
]
Supported template parameters:
${user_email} User email address
${generate_password} Generate random password
${user_name} User full name
An easy way to find the proper JSON structure is to export some data from your Keeper vault in JSON format. Then, modify the file as required for creating an import file.
To export JSON data for creating a template:
- Create an empty folder for storing templates. e.g. "Templates"
- Create records in that folder
export
the folder as JSON using the below command
export --format=json --folder=Templates templates.json
- Optional: edit the JSON file to delete the following properties: "uid", "schema", "folders" not used by
enterprise-push
command
The template JSON file should be either array of records or an object that contains a property "records" containing an array of records.
Command:
enterprise-down
or ed
Detail: Download & decrypt enterprise data locally.
When there is an active instance of Commander running and a change is made on the admin console or another instance of commander, the enterprise-down command can be used to download & decrypt the latest enterprise data locally.
Example:
Suppose a new user is added on the Admin Console while an active commander session is running, executing the following command on the running commander session will download and decrypt the latest changes locally:
enterprise-down
Command:
team-approve
Detail: Enable or disable automatic team approval or user approval to teams
When using a provisioning method such as Keeper Bridge or SCIM, new teams and users that have not yet activated their vault are queued for approval. Use this command to enable or disable automatic approval of provisioned teams or users.
Switches:
--team
approve teams--email
approve team users --restrict-edit
<{on, off}> restrict or allow editing records in approved teams--restrict-share
<{on, off}> restrict or allow sharing records in approved teams--restrict-view
<{on, off}>restrict or allow viewing record passwords in approved teamsExamples:
1
enterprise-down
2
team-approve --team
3
team-approve --email
4
team-approve --team --restrict-edit on
- 1.Sync down any pending Enterprise Team approvals
- 2.Automatically approve queued provisioned teams
- 3.Automatically approve queued provisioned users
- 4.Automatically approve queued provisioned teams and don't allow users in those teams to edit records
Command:
device-approve
Detail: Approve cloud SSO devices
Parameters:
User's email or device ID to approve or blank to see a list of pending devices
Switches:
-r
, --reload load current list of pending approvals-a
, --approve approve the device for the given user email or device id-d
, --deny deny the device for the given user email or device id--trusted-ip
approve devices from a trusted id address--format
<{table, csv, json}> format to show output in--output
<FILE NAME> file to send output to (must use json or csv format)Examples:
1
device-approve
2
device-approve [email protected] --approve
3
device-approve --reload
4
device-approve --output device_approvals.csv --format csv
- 1.Show list of pending device approvals
- 2.Approve user "[email protected]"
- 3.Refresh list of pending device approvals
- 4.Write list of pending device approvals to a file in csv format
Command:
create-user
Detail
Create a new account and vault for the given email address and create a record for the new user's credentials in the current Keeper vault.
Parameters:
User's email address
Switches:
--name <Name>
user's name--node <NODE>
name or ID of node to add user to--record <RECORD UID>
UID of record that holds password for the new account--folder <FOLDER NAME OR UID>
folder to store created user credentials inExamples:
create-user [email protected]
create-user J[email protected] --name "John Doe" --node Chicago
- 1.Create a new user account and vault for [email protected]
- 2.Send an invitation to John Doe to join Keeper, name the new user "John Doe" and add him to the "Chicago" node
When the create-user command is used to create a new user in the Keeper account, a record is created in the current logged in account with the new user's username and temporary password. Once the new record is created, it can be shared with the new user with a one-time share URL.
My Vault> create-user [email protected]
User "[email protected]" credentials are stored to record "Keeper Account: [email protected]"
My Vault> share create "Keeper Account: [email protected]" --expire 7d
https://keepersecurity.com/vault/share#-Rkzr6w[...]wMw3fQ3kM
The new user will follow this url to receive their temporary credentials and perform the first login.

Command:
transfer-user
Detail: Lock account, then transfer a vault from one user to another.
Parameter:
Email or user ID of the vault to be transferred. More than one can be provided, separated by spaces.
Switches:
--target-user <USER EMAIL>
email address of user account to transfer the vault(s) to--force, -f
do not prompt for confirmationAccount Transfer must be enabled for the account or role the account is in.
The contents of the transferred vault are placed in a folder in the recipient's vault.
Example:
transfer-user keeperuse[email protected] --target-user [email protected]
- 1.Transfer the vault of [email protected] to [email protected].
To perform a bulk transfer of user accounts, use the command:
transfer-user @filename
This will look for the file named filename that contains a FROM and TO mapping. For example:Command:
automator
Detail: Configures SSO Cloud device automators.
An Automator is a program running at a customer site that can perform some Keeper administrative actions such as performing device approvals or team approvals. More information about the Keeper Automator service is found at this link.
When the
automator
command is executed without parameters it displays the list of available automators as well as a command help.automator command [target] [--options]
Command Description
=================================================================
list Displays the list of the available automators
create Creates automator
init Initializes automator
view Prints automator details
edit Changes automator configuration
delete Deletes automator
reset Resets automator configuration to the default
enable Enables automator
disable Disables automator
log Retrieves automator logs
clear Clears automator logs
list, create:
'target' parameter is ignored
init, view, edit, delete, reset, start, stop, log, clear:
these commands require 'target' parameter: Automator Name or ID
Option Commands
==================================================================
--node create
--name