From 53e6ac06a6d41e2b3018c1c526bc3b1385db9044 Mon Sep 17 00:00:00 2001
From: sshrushanth-ks
Date: Mon, 13 Apr 2026 14:30:10 +0530
Subject: [PATCH] Fix: EPM policy can not be created without name and mandatory fields. (#1940)

* Made --policy-name a required argument in PedmPolicyAddCommand to prevent policies from being silently created with an empty name.
* Replicated admin console behavior: adding a policy of type elevation, file_access, or command now requires at least one user, machine, and application collection via --user-filter, --machine-filter, and --app-filter. LeastPrivilege policies remain unrestricted.
---
 keepercommander/commands/pedm/pedm_admin.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/keepercommander/commands/pedm/pedm_admin.py b/keepercommander/commands/pedm/pedm_admin.py
index 760482177..492fd0878 100644
--- a/keepercommander/commands/pedm/pedm_admin.py
+++ b/keepercommander/commands/pedm/pedm_admin.py
@@ -1335,7 +1335,7 @@ def __init__(self):
 parser.add_argument('--policy-type', dest='policy_type', action='store', default='elevation',
 choices=['elevation', 'file_access', 'command', 'least_privilege'],
 help='Policy type')
- parser.add_argument('--policy-name', dest='policy_name', action='store',
+ parser.add_argument('--policy-name', dest='policy_name', action='store', required=True,
 help='Policy name')
 parser.add_argument('--control', dest='control', action='append',
 choices=['allow', 'deny', 'audit', 'notify', 'mfa', 'justify', 'approval'],
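Review bot: `required=True` on `--policy-name` only guarantees that the option is present; argparse still accepts `--policy-name ""` or a whitespace-only value, so a policy with an effectively empty name can still be created unless `execute()` validates the value, which is not visible in this hunk. Consider rejecting blank names where the name is read, for example `if not (kwargs.get('policy_name') or '').strip(): raise base.CommandError('Policy name cannot be empty')`. The body of `__init__` starts and ends outside this hunk, so any existing validation elsewhere in the parser setup cannot be confirmed from here.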
@@ -1432,6 +1432,14 @@ def execute(self, context: KeeperParams, **kwargs) -> None:
 if policy_filter:
 policy_data.update(policy_filter)
 
+ if policy_type in ('PrivilegeElevation', 'FileAccess', 'CommandLine'):
+ missing = [name for name, key in (('user', 'UserCheck'), ('machine', 'MachineCheck'), ('application', 'ApplicationCheck'))
+ if not policy_filter.get(key)]
+ if missing:
+ raise base.CommandError(
+ f'At least one machine, application, and user collection required to save this policy type. '
+ f'Missing: {", ".join(missing)}. Use --user-filter, --machine-filter, --app-filter.')
+
 for filter_name in ('UserCheck', 'MachineCheck', 'ApplicationCheck', 'DateCheck', 'TimeCheck', 'DayCheck'):
 f = policy_data.get(filter_name)
 if f is None:
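Review bot: The new mandatory-filter check calls `policy_filter.get(key)`, but the context line `if policy_filter:` just above it suggests `policy_filter` can be empty or `None` at this point. Indentation is lost on this page, so it is not visible whether the check is nested under that `if`. If it is nested, a command given no filters at all skips the check and the policy is saved without any user, machine or application scope. If it is not nested and `policy_filter` is `None`, the call raises `AttributeError` instead of the intended `CommandError`. Running the check unconditionally at the function's level with `if not (policy_filter or {}).get(key)]` covers both cases. `execute()` starts and ends outside this hunk, so how `policy_filter` and `policy_type` are built cannot be confirmed here.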