Enterprise Management Commands

Commands related to Admin Console and Enterprise Management functions

Commands
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Enterprise Management Commands
Command
Explanation
​enterprise-info or ei
Display enterprise information
​enterprise-user or eu
Manage enterprise users
​enterprise-role or er
Manage enterprise roles and policies
​enterprise-team or et
Manage enterprise teams
​enterprise-node or en
Manage enterprise nodes
​enterprise-push​
Populate user and team vaults with predetermined records
 enterprise-down or ed
Download & decrypt enterprise data
​team-approve​
Approve queued teams and users provisioned by SCIM or Active Directory Bridge
​device-approve​
Approve SSO Cloud devices that are pending from end-users
​create-user​
Create a new user and vault, and add a record to the current vault with that user's credentials
​transfer-user​
Transfer an account to another user
​automator​
Manage SSO Cloud Automator for Device Approvals
​scim​
Manage SCIM endpoints
enterprise-info command
Command: enterprise-infoor ei
Detail: Display information about your enterprise in a tree structure 
Parameters:
Text to search for. Can apply to users, teams, and roles
Switches: 
-n, --nodes display nodes
--node <NODE> show tree structure from a specified node
-u, --users display user list
-t, --teams display team list
-r, --roles display role list
-v, --verbose show ids with output
--format <{table, csv, json}> format to show output
table - show information in a table layout
csv - output information in CSV format
json - output information in JSON format
--output <OUTPUT FILE> a file to write the output to
--columns <COLUMNS> columns to include in the output.  Given as comma separated list.  Available columns depends on type of data being viewed
Users
name
status
transfer_status
node
team_count
teams
role_count
roles
Teams
restricts
node
user_count
users
queued_user_count (Commander v16.5.5+)
queued_users (Commander v16.5.5+)
Roles
is_visible_below
is_new_user
is_admin
node
user_count
users
Nodes (Commander v16.5.5+)
parent_node
user_count
team_count
teams
role_count
roles
Examples:
enterprise-info
ei "John Doe" --users 
ei --teams --format csv --output teams.csv
ei --roles --columns is_admin,user_count
ei --node "Keeper Security"
1.Display the enterprise name and node structure
2.Search the enterprise for users named "John Doe"
3.Output a list of teams in the enterprise to a CSV file
4.Display a list of roles, and only show if they are an admin role and how many users are in the role
5.See the node tree structure starting from the Node named "Keeper Security" Give this the root node to see the entire organization's node tree
enterprise-user command
Command: enterprise-useror eu
Detail: Manage an enterprise user
Parameters:
User's id or email address.
note: you can use the following command to see a list of users in the enterprise:
ei --users
Switches: 
--expire expire the user's master password
--extend extend vault transfer consent for 7 days. Supports the following pseudo users: @all
--lock lock the user's account
--unlock unlock the user's account. Supports the following pseudo users: @all
--disable-2fa  disable 2fa for the user
--add invite the given email address to create a vault in the enterprise (only works with email as parameter)
--invite send an invite to the given email address. Can be sent to previously invited users
--delete delete the user from the enterprise
--name <NAME> set a name to be used as the user's display name
--node <NODE NAME OR UID> add the user to a node with the specified name or UID
--add-role <ROLE NAME OR UID> add the user to a role with the specified name or UID
--remove-role <ROLE NAME OR UID> remove the user from the role with the specified name or UID
--add-team <TEAM NAME OR UID> add the user to the team with the specified name or UID
--remove-team <TEAM NAME OR UID> remove the user from the team with the specified name or UID
-f, --force do not prompt for confirmation
-v, --verbose show ids with output
Examples:
enterprise-user [email protected]
eu 20379619819523 --node Chicago --add-team "Chicago Engineering"
eu add [email protected]
eu 19819523203796 --lock
1.Show details of user "[email protected]"
2.For the user with the given UID, add them to the Chicago node and the "Chicago Engineering" team
3.Send an invite to "[email protected]" to open a vault in the enterprise
4.Lock the account with the given UID
enterprise-role command
Command: enterprise-roleor er
Detail: Manage an enterprise role or enforcement policy
Parameters:
Name or UID of role(s).  Separate with space to use multiple
note: you can use the following command to see a list of roles in the enterprise:
ei --roles
Switches: 
--add add a new role to the enterprise
--delete delete the role
--add-user <USER NAME OR UID> add a user to the role. Use with --add
--remove-user <USER NAME OR UID> remove a user from the role
--visible-below <{on,off}> make a role visible or invisible to roles beneath it
--new-user <{on,off}> make new users assigned to this role
--node <NODE NAME OR UID> the node to add the role to
--name <NAME> name the role
--add-admin <USER NAME OR UID> make a user an admin of the role
--remove-admin <USER NAME OR UID> remove a user from being admin of the role
--cascade <{on,off}> use with --add-admin to also assign the user as admin to child roles (if 'on')
--enforcement <POLICY:VALUE> set the enforcement policy for the given role
--copy (requires v16.5.10+) make a duplicate role with no users
--clone (requires v16.5.10+) make a duplicate role with the same users as the original
--add-team, -at <TEAM NAME> add a team to the given role
--add-privilege, -ap <PRIVILEGE NAME> add an admin privilege to the role
--remove-privilege, -rp <PRIVILEGE NAME> remove an admin privilege to the role
-v, --verbose show ids with output
Examples:
enterprise-role "Keeper Administrator"
er 20379621916672 "Engineer Team Lead"
er --add Onboarding --new-users
er 20379621916672 --add-admin "[email protected]" --cascade yes
er PM --name "Product Manager"
er 20379619819524 20379619819525 20379621916672 --Node Chicago
er 20379619819524 --copy --Node Chicago
1.Show details about the "Keeper Administrator" role
2.Show details about the role with the given UID and the "Engineer Team Lead" role
3.Add a new role named "Onboarding" and make new users automatically assigned to this role
4.Make user John Dow admin of the role with the given UID and all child roles
5.Rename the "PM" role to "Product Manager"
6.Add the three nodes with given UIDs to the "Chicago" node
7.Create a copy of the role in the "Chicago" node
Changing Role Enforcements
Command
Enforcement Policies
Examples
Use the --enforcement switch to edit enforcement policies on the given role.  Pass a policy key and corresponding value to the switch in order to change the enforcement.
enterprise-role ROLE --enforcement "POLICY:VALUE"
Example restricting the "Engineering" role to access import records.
enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"
Enforcement Policy Key
Type
MASTER_PASSWORD_MINIMUM_LENGTH
LONG
MASTER_PASSWORD_MINIMUM_SPECIAL
LONG
MASTER_PASSWORD_MINIMUM_UPPER
LONG
MASTER_PASSWORD_MINIMUM_LOWER
LONG
MASTER_PASSWORD_MINIMUM_DIGITS
LONG
MASTER_PASSWORD_RESTRICT_DAYS_BEFORE_REUSE
LONG
REQUIRE_TWO_FACTOR
BOOLEAN
MASTER_PASSWORD_MAXIMUM_DAYS_BEFORE_CHANGE
LONG
MASTER_PASSWORD_EXPIRED_AS_OF
LONG
MINIMUM_PBKDF2_ITERATIONS
LONG
MAX_SESSION_LOGIN_TIME
LONG
RESTRICT_PERSISTENT_LOGIN
BOOLEAN
RESTRICT_SHARING_ALL
BOOLEAN
RESTRICT_SHARING_ENTERPRISE
BOOLEAN
RESTRICT_EXPORT
BOOLEAN
RESTRICT_FILE_UPLOAD
BOOLEAN
RESTRICT_SHARING_INCOMING_ALL
BOOLEAN
RESTRICT_SHARING_INCOMING_ENTERPRISE
BOOLEAN
RESTIRCT_SHARING_RECORD_AND_FOLDER
BOOLEAN
RESTRICT_SHARING_RECORD_WITH_ATTACHMENTS
BOOLEAN
RESTRICT_IP_ADDRESSES
IP_WHITELIST
REQUIRE_DEVICE_APPROVAL
BOOLEAN
REQUIRE_ACCOUNT_RECOVERY_APPROVAL
BOOLEAN
RESTRICT_VAULT_IP_ADDRESSES
IP_WHITELIST
TIP_ZONE_RESTRICT_ALLOWED_IP_RANGES
IP_WHITELIST
AUTOMATIC_BACKUP_EVERY_X_DAYS
LONG
RESTRICT_OFFLINE_ACCESS
BOOLEAN
SEND_INVITE_AT_REGISTRATION
BOOLEAN
RESTRICT_EMAIL_CHANGE
BOOLEAN
RESTRICT_IOS_FINGERPRINT
BOOLEAN
RESTRICT_MAC_FINGERPRINT
BOOLEAN
RESTRICT_ANDROID_FINGERPRINT
BOOLEAN
RESTRICT_WINDOWS_FINGERPRINT
BOOLEAN
LOGOUT_TIMER_WEB
LONG
LOGOUT_TIMER_MOBILE
LONG
LOGOUT_TIMER_DESKTOP
LONG
RESTRICT_WEB_VAULT_ACCESS
BOOLEAN
RESTRICT_EXTENSIONS_ACCESS
BOOLEAN
RESTRICT_MOBILE_ACCESS
BOOLEAN
RESTRICT_DESKTOP_ACCESS
BOOLEAN
RESTRICT_MOBILE_IOS_ACCESS
BOOLEAN
RESTRICT_MOBILE_ANDROID_ACCESS
BOOLEAN
RESTRICT_MOBILE_WINDOWS_PHONE_ACCESS
BOOLEAN
RESTRICT_DESKTOP_WIN_ACCESS
BOOLEAN
RESTRICT_DESKTOP_MAC_ACCESS
BOOLEAN
RESTRICT_CHAT_DESKTOP_ACCESS
BOOLEAN
RESTRICT_CHAT_MOBILE_ACCESS
BOOLEAN
RESTRICT_COMMANDER_ACCESS
BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_TEXT
BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_GOOGLE
BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_DNA
BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_DUO
BOOLEAN
RESTRICT_TWO_FACTOR_CHANNEL_RSA
BOOLEAN
TWO_FACTOR_DURATION_WEB
TWO_FACTOR_DURATION
TWO_FACTOR_DURATION_MOBILE
TWO_FACTOR_DURATION
TWO_FACTOR_DURATION_DESKTOP
TWO_FACTOR_DURATION
RESTRICT_TWO_FACTOR_CHANNEL_SECURITY_KEYS
BOOLEAN
RESTRICT_DOMAIN_ACCESS
STRING
RESTRICT_DOMAIN_CREATE
STRING
RESTRICT_HOVER_LOCKS
BOOLEAN
RESTRICT_PROMPT_TO_LOGIN
BOOLEAN
RESTRICT_PROMPT_TO_FILL
BOOLEAN
RESTRICT_AUTO_SUBMIT
BOOLEAN
RESTRICT_PROMPT_TO_SAVE
BOOLEAN
RESTRICT_PROMPT_TO_CHANGE
BOOLEAN
RESTRICT_AUTO_FILL
BOOLEAN
RESTRICT_CREATE_FOLDER
BOOLEAN
RESTRICT_CREATE_IDENTITY_PAYMENT_RECORDS
BOOLEAN
MASK_CUSTOM_FIELDS
BOOLEAN
MASK_NOTES
BOOLEAN
MASK_PASSWORDS_WHILE_EDITING
BOOLEAN
GENERATED_PASSWORD_COMPLEXITY
STRING
GENERATED_SECURITY_QUESTION_COMPLEXITY
STRING
RESTRICT_IMPORT
BOOLEAN
DAYS_BEFORE_DELETED_RECORDS_CLEARED_PERM
LONG
DAYS_BEFORE_DELETED_RECORDS_AUTO_CLEARED
LONG
ALLOW_ALTERNATE_PASSWORDS
BOOLEAN
DISABLE_SETUP_TOUR
BOOLEAN
RESTRICT_PERSONAL_LICENSE
BOOLEAN
DISABLE_ONBOARDING
BOOLEAN
DISALLOW_V2_CLIENTS
BOOLEAN
RESTRICT_IP_AUTOAPPROVAL
BOOLEAN
SEND_BREACH_WATCH_EVENTS
BOOLEAN
RESTRICT_BREACH_WATCH
BOOLEAN
RESEND_ENTERPRISE_INVITE_IN_X_DAYS
LONG
RESTRICT_ACCOUNT_RECOVERY
BOOLEAN
KEEPER_FILL_HOVER_LOCKS
TERNARY_DEN
KEEPER_FILL_AUTO_FILL
TERNARY_DEN
KEEPER_FILL_AUTO_SUBMIT
TERNARY_DEN
KEEPER_FILL_MATCH_ON_SUBDOMAIN
TERNARY_DEN
RESTRICT_PROMPT_TO_DISABLE
BOOLEAN
RESTRICT_HTTP_FILL_WARNING
BOOLEAN
RESTRICT_RECORD_TYPES
RECORD_TYPES
ALLOW_SECRETS_MANAGER
BOOLEAN
MAXIMUM_RECORD_SIZE
LONG
RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES
BOOLEAN
Examples for each value type
# command format
enterprise-role ROLE --enforcement "POLICY:VALUE"
​
# boolean (allow secrets manager)
enterprise-role Engineering --enforcement "ALLOW_SECRETS_MANAGER:True"
​
# string (restrict access to a domain)
er "Support Admin" --enforcement "RESTRICT_DOMAIN_ACCESS:https://www.baddomain.com"
​
# long (set minimum password length)
er users --enforcement "MASTER_PASSWORD_MINIMUM_LENGTH:10"
​
# ternary DEN (set auto fill to off)
er DB_Admin --enforcement "KEEPER_FILL_AUTO_FILL:d"
# ternary values: d:disable e:enable
​
# record types (restrict the ssh key record type)
er Finance --enforcement "RESTRICT_RECORD_TYPES:ssh_key"
# restrict all record types (other than legacy general type)
er Finance --enforcement "RESTRICT_RECORD_TYPES:all"
​
​
enterprise-team command
Command: enterprise-teamor et
Detail: Manage enterprise teams
Parameters:
Team name or id 
note: you can use the following command to see a list of teams in the enterprise:
ei --teams
Switches: 
--add add a new team to the enterprise
--delete delete the team
--add-user <USER NAME OR UID> add a user to the team
--remove-user <USER NAME OR UID> remove a user from the team
--node <NODE NAME OR UID> the node to add the team to
--name <NAME> name the team
--approve approve a queued team
--restrict-edit <{on,off}> decide if users in this team can edit records
--restrict-share <{on,off}> decide if users in this team can share records
--restrict-view <{on,off}> decide if users in this team can view record passwords
--hide-shared-folder, -hsf <{on,off}> decide if users in this team can see shared folders
--add-role, -ar <ROLE NAME> add a role to the given team
-v, --verbose show ids with output
Examples:
enterprise-team "Chicago Engineering"
et "Chicago Engineering" Legal 
et --add "Chicago Product" --node Chicago --restrict-edit on
et 20379619819524 --name "El Dorado Hills Engineering"
1.Show details of "Chicago Engineering" team
2.Show details for "Chicago Engineering" and "Legal" teams
3.Add a new team named "Chicago Product" in the "Chicago" node, and restrict users in the team from editing records
4.Change the name of the team with the given UID to "El Dorado Hills Engineering"
enterprise-node command
Command: enterprise-nodeor en
Detail: Manage enterprise nodes
Parameters:
Node name or id 
note: you can use the following command to see a list of nodes in the enterprise:
ei --nodes
Switches: 
--add add a new node to the enterprise
--delete delete the node
--parent <NODE NAME OR UID> make given node the parent of this node
--name <NAME> set node's display name
--wipe-out delete all nodes, roles, users, and teams under the node. Does not delete the node itself
--toggle-isolated make node visible or invisible to people in other nodes
--invite-email <FILE_NAME> Sets invite email template from file. Saves current template if file does not exist.   dash (-) use stdout

Examples:
enterprise-node Chicago
en Chicago "El Dorado Hills" 20379619819524 --parent NA
en --add Cork --parent EMEA
en APAC --wipe-out
en Chicago --toggle-isolated
en Chicago --invite-email=- 
1.Show details for the "Chicago" node
2.For the three nodes: "Chicago", "El Dorado Hills" and node with the given UID, change the parent node to node "NA"
3.Add a new node named "Cork" under the "EMEA" node
4.Delete all nodes, roles, users, and teams from under the "APAC" node
5.Make the "Chicago" node invisible (if currently visible) or visible (if currently invisible) to people in other nodes
enterprise-push command
Command: enterprise-push
Detail: Populate a vault with default records
Parameters:
File name of file with template records.  File must be json format.
Switches: 
--syntax-help show example file format and template parameters 
--team <TEAM NAME OR UID> team to assign records to
--email <USER EMAIL OR UID> user to assign records to
Examples:
enterprise-push office-codes.json --team "Chicago Office"
enterprise-push default.json --email [email protected]
enterprise=push --syntax-help
1.Send records templated in the "office-codes.json" file to every user in the "Chicago Office" team
2.Send records templated in the "default.json" file to user "[email protected]"
3.See the syntax help
File Format
The "push.json" file is structured an an array of password objects. For example:
[
    {
        "title": "Google",
        "login": "${user_email}",
        "password": "${generate_password}",
        "login_url": "https://google.com",
        "notes": "",
        "custom_fields": {
            "Name 1": "Value 1",
            "Name 2": "Value 2"
        }
    },
    {
        "title": "Admin Tool",
        "login": "${user_email}",
        "password": "",
        "login_url": "https://192.168.1.1",
        "notes": "",
        "custom_fields": {
        }
    }
]
Supported template parameters:
${user_email}          User email address
${generate_password}   Generate random password
${user_name}           User full name
enterprise-down command
Command: enterprise-down or ed
Detail: Download & decrypt enterprise data locally.
When there is an active instance of Commander running and a change is made on the admin console or another instance of commander, the enterprise-down command can be used to download & decrypt the latest enterprise data locally.
Example:
Suppose a new user is added on the Admin Console while an active commander session is running, executing the following command on the running commander session will download and decrypt the latest changes locally:
enterprise-down
team-approve command
Command: team-approve
Detail: Enable or disable automatic team approval or user approval to teams
When using a provisioning method such as Keeper Bridge or SCIM, new teams and users that have not yet activated their vault are queued for approval.  Use this command to enable or disable automatic approval of provisioned teams or users.
Switches: 
--team approve teams
--email approve team users 
--restrict-edit <{on, off}> restrict or allow editing records in approved teams
--restrict-share <{on, off}> restrict or allow sharing records in approved teams
--restrict-view <{on, off}>restrict or allow viewing record passwords in approved teams
Examples:
team-approve --team
team-approve --email
team-approve --team --restrict-edit on
1.Automatically approve queued provisioned teams
2.Automatically approve queued provisioned users
3.Automatically approve queued provisioned teams and don't allow users in those teams to edit records
device-approve command
Command: device-approve
Detail: Approve cloud SSO devices
Parameters:
User's email or device ID to approve or blank to see a list of pending devices
Switches: 
-r, --reload load current list of pending approvals
-a, --approve approve the device for the given user email or device id
-d, --deny deny the device for the given user email or device id
--trusted-ip approve devices from a trusted id address
--format <{table, csv, json}> format to show output in
--output <FILE NAME> file to send output to (must use json or csv format)
Examples:
device-approve
device-approve [email protected] --approve
device-approve --reload
device-approve --output device_approvals.csv --format csv
1.Show list of pending device approvals
2.Approve user "[email protected]"
3.Refresh list of pending device approvals
4.Write list of pending device approvals to a file in csv format
create-user command:
Command: create-user 
Detail
Create a new account and vault for the given email address and create a record for the new user in the current vault
To invite new users to an enterprise see the enterprise-user command​
Parameters:
User's email address
Switches:
    --name <Name> user's name
    --node <NODE> name or ID of node to add user to
    --record <RECORD UID> UID of record that holds password for the new account
    --folder <FOLDER NAME OR UID> folder to store created user credentials in
Examples:
create-user [email protected]
create-user [email protected] --name "John Doe" --node Chicago
1.Create a new user account and vault for [email protected]

2.Send an invitation to John Doe to join Keeper, name the new user "John Doe" and add him to the "Chicago" node
Onboarding with create-user Command
When the create-user command is used to create a new user in the Keeper account, a record is created in the current logged in account with the new user's username and temporary password.  Once the new record is created, it can be shared with the new user with a one-time share URL.  
My Vault> create-user [email protected]
User "[email protected]" credentials are stored to record "Keeper Account: [email protected]"
​
My Vault> share create "Keeper Account: [email protected]" --expire 7d
https://keepersecurity.com/vault/share#-Rkzr6w[...]wMw3fQ3kM
​
The new user will follow this url to receive their temporary credentials and perform the first login.
transfer-user command:
Command: transfer-user
Detail: Transfer an account to another user
Parameter:
Email or user ID of account to transfer.  Can use several separated by spaces. 
Switches:
--target-user <USER EMAIL>  email address of user account to transfer the account to
--force, -f do not prompt for confirmation
​
To perform a bulk transfer of user accounts, use the command:
transfer-user @filename
This will look for the file named filename that contains a FROM and TO mapping.  For example:

[email protected] -> [email protected]
[email protected] -> [email protected]
​
automator command:
Command: automator
Detail: Configures SSO Cloud device automators.
An Automator is a program running at a customer site that can perform some Keeper administrative actions such as performing device approvals or team approvals.
When automatorcommand is executed without parameters it displays the list of available automators as well as a command help
automator command [target] [--options]
​
 Command            Description
=================================================================
 list               Displays the list of the available automators
 create             Creates automator
 init               Initializes automator
 view               Prints automator details
 edit               Changes automator configuration
 delete             Deletes automator
 reset              Resets automator configuration to the default
 enable             Enables automator
 disable            Disables automator
 log                Retrieves automator logs
 clear              Clears automator logs
 
 list, create:
 'target' parameter is ignored 
 
 init, view, edit, delete, reset, start, stop, log, clear:
 these commands require 'target' parameter: Automator Name or ID
​
 Option             Commands
==================================================================
 --node             create 
 --name             create, edit
 --url              edit : Webhook URL 
 --skill            edit : "device" and/or "team"
 --set              edit : KEY=VALUE
​
Examples:
Create automator with name "Cloud SSO Device Approval". 
My Vault> automator create --name="Cloud SSO Device Approval"     
​
        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL:                     
             Enabled: No                  
         Initialized: No                  
              Skills: Device Approval
Edit automator to set Webhook URL. Webhook URL is provided by the Automator application
My Vault> automator edit 888888888888 --url="https://automator.company.com:8089"     
​
        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL: https://automator.company.com:8089                    
             Enabled: No                  
         Initialized: No                  
              Skills: Device Approval       
Initialize automator instance. The backend verifies that the Automator is configured and ready to process requests.
My Vault> automator init 888888888888
​
        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL: https://automator.company.com:8089                    
             Enabled: No                  
         Initialized: Yes                  
              Skills: Device Approval     
Enable or Start posting requests to the Automator
My Vault> automator enable 888888888888
​
        Automator ID: 888888888888        
                Name: Cloud SSO Device Approval
                 URL: https://automator.company.com:8089                    
             Enabled: Yes                  
         Initialized: Yes                  
              Skills: Device Approval     
For more information about the Keeper Automator for SSO device approvals, see the Automator Service documentation.
scim command
Command: scim
Detail: Configures SCIM endpoints
When scimcommand is executed without parameters it displays the list of available SCIM endpoints as well as a command help
scim command [target] [--options]
 Command            Description
=================================================================
 list               Displays the list of SCIM endpoints
 create             Creates SCIM endpoint
 view               Prints SCIM endpoint details
 edit               Changes SCIM endpoint configuration
 delete             Deletes SCIM endpoint
 
 list, create
 'target' parameter is ignored 
 
 view, edit, delete
 these commands require 'target' parameter: SCIM endpoint ID
 
 Option             Commands
=================================================================
 --reload           all : Reloads SCIM configuration
 --node             create : Node ID or Name 
 --prefix           create, edit : Role prefix
 --unique-groups    create, edit : Unique groups 
 --force            delete : Do not ask for delete confirmation
​
Examples:
Create SCIM endpoint for node SCIM Node
My Vault> scim create --node="SCIM Node"                                                                                                                                                 
​
SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: yIiq6Y4FnWtOPtqatUzZH7BI4FaUNhIbwEtDT5esL-g
​
Edit SCIM endpoint configuration. Editing SCIM endpoint generates a new provisioning token
My Vault> scim edit 888888888888 --prefix="Group_"                                                                                                                                   
​
SCIM ID: 888888888888
SCIM URL: https://keepersecurity.com/api/rest/scim/v2/7777777777777
Provisioning Token: 6oykLqC2-d20Sy3N2d-HKZtGzOt63U60rJz8CLagszY
​
Delete SCIM endpoint
My Vault> scim delete 820338837203                                                                                                                                                   
​

Command	Explanation
`enterprise-info` or `ei`	Display enterprise information
`enterprise-user` or `eu`	Manage enterprise users
`enterprise-role` or `er`	Manage enterprise roles and policies
`enterprise-team` or `et`	Manage enterprise teams
`enterprise-node` or `en`	Manage enterprise nodes
`enterprise-push`	Populate user and team vaults with predetermined records
`enterprise-down` or `ed`	Download & decrypt enterprise data
`team-approve`	Approve queued teams and users provisioned by SCIM or Active Directory Bridge
`device-approve`	Approve SSO Cloud devices that are pending from end-users
`create-user`	Create a new user and vault, and add a record to the current vault with that user's credentials
`transfer-user`	Transfer an account to another user
`automator`	Manage SSO Cloud Automator for Device Approvals
`scim`	Manage SCIM endpoints

Enforcement Policy Key	Type
MASTER_PASSWORD_MINIMUM_LENGTH	`LONG`
MASTER_PASSWORD_MINIMUM_SPECIAL	`LONG`
MASTER_PASSWORD_MINIMUM_UPPER	`LONG`
MASTER_PASSWORD_MINIMUM_LOWER	`LONG`
MASTER_PASSWORD_MINIMUM_DIGITS	`LONG`
MASTER_PASSWORD_RESTRICT_DAYS_BEFORE_REUSE	`LONG`
REQUIRE_TWO_FACTOR	`BOOLEAN`
MASTER_PASSWORD_MAXIMUM_DAYS_BEFORE_CHANGE	`LONG`
MASTER_PASSWORD_EXPIRED_AS_OF	`LONG`
MINIMUM_PBKDF2_ITERATIONS	`LONG`
MAX_SESSION_LOGIN_TIME	`LONG`
RESTRICT_PERSISTENT_LOGIN	`BOOLEAN`
RESTRICT_SHARING_ALL	`BOOLEAN`
RESTRICT_SHARING_ENTERPRISE	`BOOLEAN`
RESTRICT_EXPORT	`BOOLEAN`
RESTRICT_FILE_UPLOAD	`BOOLEAN`
RESTRICT_SHARING_INCOMING_ALL	`BOOLEAN`
RESTRICT_SHARING_INCOMING_ENTERPRISE	`BOOLEAN`
RESTIRCT_SHARING_RECORD_AND_FOLDER	`BOOLEAN`
RESTRICT_SHARING_RECORD_WITH_ATTACHMENTS	`BOOLEAN`
RESTRICT_IP_ADDRESSES	`IP_WHITELIST`
REQUIRE_DEVICE_APPROVAL	`BOOLEAN`
REQUIRE_ACCOUNT_RECOVERY_APPROVAL	`BOOLEAN`
RESTRICT_VAULT_IP_ADDRESSES	`IP_WHITELIST`
TIP_ZONE_RESTRICT_ALLOWED_IP_RANGES	`IP_WHITELIST`
AUTOMATIC_BACKUP_EVERY_X_DAYS	`LONG`
RESTRICT_OFFLINE_ACCESS	`BOOLEAN`
SEND_INVITE_AT_REGISTRATION	`BOOLEAN`
RESTRICT_EMAIL_CHANGE	`BOOLEAN`
RESTRICT_IOS_FINGERPRINT	`BOOLEAN`
RESTRICT_MAC_FINGERPRINT	`BOOLEAN`
RESTRICT_ANDROID_FINGERPRINT	`BOOLEAN`
RESTRICT_WINDOWS_FINGERPRINT	`BOOLEAN`
LOGOUT_TIMER_WEB	`LONG`
LOGOUT_TIMER_MOBILE	`LONG`
LOGOUT_TIMER_DESKTOP	`LONG`
RESTRICT_WEB_VAULT_ACCESS	`BOOLEAN`
RESTRICT_EXTENSIONS_ACCESS	`BOOLEAN`
RESTRICT_MOBILE_ACCESS	`BOOLEAN`
RESTRICT_DESKTOP_ACCESS	`BOOLEAN`
RESTRICT_MOBILE_IOS_ACCESS	`BOOLEAN`
RESTRICT_MOBILE_ANDROID_ACCESS	`BOOLEAN`
RESTRICT_MOBILE_WINDOWS_PHONE_ACCESS	`BOOLEAN`
RESTRICT_DESKTOP_WIN_ACCESS	`BOOLEAN`
RESTRICT_DESKTOP_MAC_ACCESS	`BOOLEAN`
RESTRICT_CHAT_DESKTOP_ACCESS	`BOOLEAN`
RESTRICT_CHAT_MOBILE_ACCESS	`BOOLEAN`
RESTRICT_COMMANDER_ACCESS	`BOOLEAN`
RESTRICT_TWO_FACTOR_CHANNEL_TEXT	`BOOLEAN`
RESTRICT_TWO_FACTOR_CHANNEL_GOOGLE	`BOOLEAN`
RESTRICT_TWO_FACTOR_CHANNEL_DNA	`BOOLEAN`
RESTRICT_TWO_FACTOR_CHANNEL_DUO	`BOOLEAN`
RESTRICT_TWO_FACTOR_CHANNEL_RSA	`BOOLEAN`
TWO_FACTOR_DURATION_WEB	`TWO_FACTOR_DURATION`
TWO_FACTOR_DURATION_MOBILE	`TWO_FACTOR_DURATION`
TWO_FACTOR_DURATION_DESKTOP	`TWO_FACTOR_DURATION`
RESTRICT_TWO_FACTOR_CHANNEL_SECURITY_KEYS	`BOOLEAN`
RESTRICT_DOMAIN_ACCESS	`STRING`
RESTRICT_DOMAIN_CREATE	`STRING`
RESTRICT_HOVER_LOCKS	`BOOLEAN`
RESTRICT_PROMPT_TO_LOGIN	`BOOLEAN`
RESTRICT_PROMPT_TO_FILL	`BOOLEAN`
RESTRICT_AUTO_SUBMIT	`BOOLEAN`
RESTRICT_PROMPT_TO_SAVE	`BOOLEAN`
RESTRICT_PROMPT_TO_CHANGE	`BOOLEAN`
RESTRICT_AUTO_FILL	`BOOLEAN`
RESTRICT_CREATE_FOLDER	`BOOLEAN`
RESTRICT_CREATE_IDENTITY_PAYMENT_RECORDS	`BOOLEAN`
MASK_CUSTOM_FIELDS	`BOOLEAN`
MASK_NOTES	`BOOLEAN`
MASK_PASSWORDS_WHILE_EDITING	`BOOLEAN`
GENERATED_PASSWORD_COMPLEXITY	`STRING`
GENERATED_SECURITY_QUESTION_COMPLEXITY	`STRING`
RESTRICT_IMPORT	`BOOLEAN`
DAYS_BEFORE_DELETED_RECORDS_CLEARED_PERM	`LONG`
DAYS_BEFORE_DELETED_RECORDS_AUTO_CLEARED	`LONG`
ALLOW_ALTERNATE_PASSWORDS	`BOOLEAN`
DISABLE_SETUP_TOUR	`BOOLEAN`
RESTRICT_PERSONAL_LICENSE	`BOOLEAN`
DISABLE_ONBOARDING	`BOOLEAN`
DISALLOW_V2_CLIENTS	`BOOLEAN`
RESTRICT_IP_AUTOAPPROVAL	`BOOLEAN`
SEND_BREACH_WATCH_EVENTS	`BOOLEAN`
RESTRICT_BREACH_WATCH	`BOOLEAN`
RESEND_ENTERPRISE_INVITE_IN_X_DAYS	`LONG`
RESTRICT_ACCOUNT_RECOVERY	`BOOLEAN`
KEEPER_FILL_HOVER_LOCKS	`TERNARY_DEN`
KEEPER_FILL_AUTO_FILL	`TERNARY_DEN`
KEEPER_FILL_AUTO_SUBMIT	`TERNARY_DEN`
KEEPER_FILL_MATCH_ON_SUBDOMAIN	`TERNARY_DEN`
RESTRICT_PROMPT_TO_DISABLE	`BOOLEAN`
RESTRICT_HTTP_FILL_WARNING	`BOOLEAN`
RESTRICT_RECORD_TYPES	`RECORD_TYPES`
ALLOW_SECRETS_MANAGER	`BOOLEAN`
MAXIMUM_RECORD_SIZE	`LONG`
RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES	`BOOLEAN`