1 - Administrator Command Line Interface (CLI) Reference
Administrator CLI documentation.
admin
This section shows how to access help and provides examples for admin.
Usage: admin [OPTIONS] COMMAND [ARGS]...
Users, Roles, Permissions, Groups, SAML and Azure AD management commands.
Options:
--help Show this message and exit.
Commands:
create Create a resource.
delete Delete a resource.
get Display one resource.
list List resources.
set Update fields of a resource.
test Test various configurations and connections.
create
This section lists the create commands.
The following command shows how to access help and provides examples for create.
Usage: admin create [OPTIONS] COMMAND [ARGS]...
Create a resource.
Options:
--help Show this message and exit.
Commands:
entra-id Create Entra ID configuration.
entra-id-import-groups Import Entra ID groups with optional member...
entra-id-import-users Import Entra ID users with role assignments.
groups Create a new group.
roles Create a new role.
saml-mappers Create an attribute mapper for a SAML provider.
saml-providers Create a new SAML SSO provider.
users Create a new user.
create entra-id
The following command shows how to access help and provides examples for create entra-id.
admin create entra-id --help
Usage: admin create entra-id [OPTIONS]
Create Entra ID configuration.
Required Entra ID Setup:
1. Register an application in Entra ID
2. Grant Microsoft Graph API permissions:
- User.Read.All (Application)
- Group.Read.All (Application) - if importing groups
3. Create a client secret for the application
4. Note the Tenant ID, Application (Client) ID, and Client Secret
Examples:
admin create entra-id --tenant-id "12345678-1234-1234-1234-123456789012" --client-id "87654321-4321-4321-4321-210987654321" --client-secret "your-secret-here"
Options:
-t, --tenant-id TEXT Entra ID Tenant ID [required]
-c, --client-id TEXT Entra ID Application (Client) ID [required]
-s, --client-secret TEXT Entra ID Application Client Secret [required]
--enabled / --disabled Enable/disable configuration
--help Show this message and exit.
create entra-id-import-users
The following command shows how to access help and provides examples for create entra-id-import-users.
admin create entra-id-import-users --help
Usage: admin create entra-id-import-users [OPTIONS]
Import Entra ID users with role assignments.
Import users from Entra ID into the application with role assignments.
Users must be provided via JSON data.
JSON Format:
{
  "users": [
    {
      "userPrincipalName": "john.doe@company.com",
      "email": "john.doe@company.com",
      "firstName": "John",
      "lastName": "Doe",
      "roles": ["admin", "user"],
      "identityProviders": ["AWS-IDP", "AZURE-IDP"]
    }
  ],
  "dryRun": false
}
Examples:
# Direct JSON input with identity providers
admin create entra-id-import-users --json-data '{"users":[{"userPrincipalName":"john@company.com","email":"john@company.com","firstName":"John","lastName":"Doe","roles":["user"],"identityProviders":["AWS-IDP","AZURE-IDP"]}]}'
# Dry run with JSON
admin create entra-id-import-users --json-data '{"users":[...]}' --dry-run
Options:
--dry-run Validate import without creating users
-j, --json-data TEXT JSON string with users data to import directly
[required]
--help Show this message and exit.
create entra-id-import-groups
The following command shows how to access help and provides examples for create entra-id-import-groups.
admin create entra-id-import-groups --help
Usage: admin create entra-id-import-groups [OPTIONS]
Import Entra ID groups with optional member import.
Import groups from Entra ID into the system with role assignments for members.
Groups must be provided via JSON data.
JSON Format:
{
  "groups": [
    {
      "id": "12345678-1234-1234-1234-123456789012",
      "displayName": "Administrators",
      "description": "Administrative users group",
      "importMembers": true,
      "memberRoles": ["admin", "user"],
      "identityProviders": ["AWS-IDP", "AZURE-IDP"]
    }
  ],
  "dryRun": false
}
Examples:
# Direct JSON input with identity providers
admin create entra-id-import-groups --json-data '{"groups":[{"id":"12345678-1234-1234-1234-123456789012","displayName":"IT Admins","description":"IT department administrators","importMembers":true,"memberRoles":["admin"],"identityProviders":["AWS-IDP","AZURE-IDP"]}]}'
# Dry run with JSON
admin create entra-id-import-groups --json-data '{"groups":[...]}' --dry-run
Options:
--dry-run Validate import without creating groups
-j, --json-data TEXT JSON string with groups data to import directly
[required]
--help Show this message and exit.
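The two import commands above grant roles in bulk, so this added example (not part of the product's own tooling) reviews a payload locally, holds back privileged grants until they are approved, and runs the documented --dry-run before the real import. The PRIVILEGED_ROLES set, the function names, the sample data and the reliance on a non-zero exit status for a failed run are assumptions.

```python
import json
import shlex
import subprocess

# Assumption: role names that need sign-off before a bulk grant. "admin" is the
# role used in the page's samples; replace it with the deployment's own list.
PRIVILEGED_ROLES = {"admin"}

# Constructed sample, shaped like the JSON Format shown for entra-id-import-users.
SAMPLE_USERS = {
    "users": [
        {"userPrincipalName": "john.doe@company.com", "email": "john.doe@company.com",
         "firstName": "John", "lastName": "Doe", "roles": ["admin", "user"],
         "identityProviders": ["AWS-IDP", "AZURE-IDP"]},
        {"userPrincipalName": "jane.roe@company.com", "email": "jane.roe@company.com",
         "firstName": "Jane", "lastName": "Roe", "roles": ["user"],
         "identityProviders": ["AZURE-IDP"]},
    ]
}

# kind -> (identifier field, field that carries the role grant)
FIELDS = {"users": ("userPrincipalName", "roles"), "groups": ("id", "memberRoles")}


def review_payload(kind, payload):
    """Return (errors, privileged) for a "users" or "groups" import payload.

    errors     -- structural problems that should block the import
    privileged -- one line per entry that hands out a privileged role
    """
    id_key, role_key = FIELDS[kind]
    errors, privileged, seen = [], [], set()
    entries = payload.get(kind)
    if not isinstance(entries, list) or not entries:
        return [f'"{kind}" must be a non-empty list'], privileged
    for i, entry in enumerate(entries):
        ident = entry.get(id_key) if isinstance(entry, dict) else None
        if not isinstance(ident, str) or not ident.strip():
            errors.append(f"{kind}[{i}]: missing {id_key}")
            continue
        if ident.lower() in seen:
            errors.append(f"{kind}[{i}]: duplicate {id_key} {ident}")
        seen.add(ident.lower())
        roles = entry.get(role_key, [])
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            errors.append(f"{kind}[{i}]: {role_key} must be a list of strings")
            continue
        risky = sorted(PRIVILEGED_ROLES.intersection(roles))
        if risky:
            who = "user" if kind == "users" else "members of group"
            privileged.append(f"{who} {ident}: {', '.join(risky)}")
    return errors, privileged


def import_argv(kind, payload, dry_run):
    """Build the argv for `admin create entra-id-import-<kind>`."""
    argv = ["admin", "create", f"entra-id-import-{kind}",
            "--json-data", json.dumps(payload, separators=(",", ":"))]
    if dry_run:
        argv.append("--dry-run")
    return argv


def guarded_import(kind, payload, approve_privileged=False, run=subprocess.run):
    """Review locally, dry-run, then import. Returns the argv lists that ran."""
    errors, privileged = review_payload(kind, payload)
    if errors:
        raise ValueError("; ".join(errors))
    if privileged and not approve_privileged:
        raise PermissionError("privileged grants need sign-off: " + "; ".join(privileged))
    executed = []
    for dry_run in (True, False):
        argv = import_argv(kind, payload, dry_run)
        # Assumption: the CLI exits non-zero when the dry run or the import fails.
        if run(argv).returncode != 0:
            # Only the command name goes into the message, never the JSON body.
            raise RuntimeError("failed: " + shlex.join(argv[:3]))
        executed.append(argv)
    return executed


if __name__ == "__main__":
    print(review_payload("users", SAMPLE_USERS))
    print(shlex.join(import_argv("users", SAMPLE_USERS, dry_run=True)))
```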
create groups
The following command shows how to access help and provides examples for create groups.
admin create groups --help
Usage: admin create groups [OPTIONS]
Create a new group.
Examples:
admin create groups --name developers --description "Development team"
admin create groups --name admins --members "john,jane" --roles "admin,user_manager"
admin create groups --name operators --description "System operators" --members "user1,user2" --roles "operator"
Options:
-n, --name TEXT Group name [required]
-d, --description TEXT Group description
-m, --members TEXT Comma-separated list of usernames to add as members
-r, --roles TEXT Comma-separated list of role names to assign to
group
--help Show this message and exit.
create roles
The following command shows how to access help and provides examples for create roles.
admin create roles --help
Usage: admin create roles [OPTIONS]
Create a new role.
Examples:
admin create roles --name manager --description "Manager role"
admin create roles --name admin --permissions "security_officer"
admin create roles --name operator --description "System operator" --permissions "security_officer"
Options:
-n, --name TEXT Role name [required]
-d, --description TEXT Role description
-p, --permissions TEXT Comma-separated list of permission names
--help Show this message and exit.
create saml-mappers
The following command shows how to access help and provides examples for create saml-mappers.
admin create saml-mappers --help
Usage: admin create saml-mappers [OPTIONS] PROVIDER_ALIAS
Create an attribute mapper for a SAML provider.
Examples:
admin create saml-mappers azure-ad --name email-mapper --mapper-type saml-user-attribute-idp-mapper --attribute-name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" --user-attribute email
admin create saml-mappers azure-ad --name role-mapper --mapper-type saml-role-idp-mapper --attribute-value admin --role admin
Options:
-n, --name TEXT Name of the attribute mapper [required]
--mapper-type [saml-user-attribute-idp-mapper|saml-role-idp-mapper|saml-advanced-group-idp-mapper|saml-username-idp-mapper]
Type of mapper [required]
--sync-mode TEXT Sync mode for the mapper
--attribute-name TEXT SAML attribute name to map from
--user-attribute TEXT User attribute to map to
--attribute-value TEXT SAML attribute value for role mapping
--role TEXT Role to assign
--group TEXT Group to assign users to
--template TEXT Username template
--attributes TEXT Key-value pairs for attribute mapping (JSON
format)
--help Show this message and exit.
create saml-providers
The following command shows how to access help and provides examples for create saml-providers.
admin create saml-providers --help
Usage: admin create saml-providers [OPTIONS]
Create a new SAML SSO provider.
Examples:
admin create saml-providers --alias azure-ad --display-name "Azure AD" --config-type metadataUrl --service-provider-entity-id "https://your-saml.com/realms/your-realm" --metadata-url "https://..."
admin create saml-providers --alias okta --display-name "Okta" --config-type metadataFile --service-provider-entity-id "https://your-saml.com/realms/your-realm" --metadata-file /path/to/metadata.xml
Options:
-a, --alias TEXT Unique alias for the SAML provider
[required]
-d, --display-name TEXT Display name shown in login pages
[required]
--config-type [metadataUrl|metadataFile]
Configuration type [required]
--service-provider-entity-id TEXT
Service Provider Entity ID [required]
--metadata-url TEXT URL to fetch SAML metadata (for metadataUrl
type)
--metadata-file FILENAME Path to SAML metadata XML file (for
metadataFile type)
--signing-certificate TEXT X.509 certificate for signing (PEM format
without headers)
--name-id-format TEXT NameID Policy Format
--force-authn / --no-force-authn
Force re-authentication
--validate-signature / --no-validate-signature
Validate SAML response signatures
--want-assertions-signed / --no-want-assertions-signed
Require signed assertions
--want-assertions-encrypted / --no-want-assertions-encrypted
Require encrypted assertions
--signature-algorithm TEXT Signature algorithm for SAML requests
--post-binding-response / --no-post-binding-response
Use POST binding for SAML responses
--post-binding-authn-request / --no-post-binding-authn-request
Use POST binding for SAML authentication
requests
--post-binding-logout / --no-post-binding-logout
Use POST binding for SAML logout requests
--want-authn-requests-signed / --no-want-authn-requests-signed
Sign SAML authentication requests
--attribute-mapping TEXT Attribute mapping as JSON string or
key=value pairs
--enabled / --disabled Enable/disable the provider
--store-token / --no-store-token
Store tokens returned by the identity
provider
--help Show this message and exit.
Note: The --metadata-file option is not supported. You cannot upload or copy the metadata file. Instead, use the --metadata-url option to configure SAML.
create users
The following command shows how to access help and provides examples for create users.
admin create users --help
Usage: admin create users [OPTIONS]
Create a new user.
Examples:
admin create users --username john.doe --email john@example.com --password "StrongPass123!"
admin create users --username jane --email jane@example.com --password "SecurePass123!" --first-name Jane --last-name Smith --roles "admin,user"
admin create users --username alpha --email alpha@example.com --password "AlphaPass123!" --identity-provider "AWS-IDP:alpha@example.com:alpha@example.com"
admin create users --username beta --password "BetaPass123!" --identity-provider "AWS-IDP:beta@example.com:beta@example.com" --identity-provider "AZURE-IDP:beta@azure.com:beta"
Options:
-u, --username TEXT Username [required]
-e, --email TEXT Email address
--first-name TEXT First name
--last-name TEXT Last name
-p, --password TEXT Password
--roles TEXT Comma-separated list of role names
--groups TEXT Comma-separated list of group names
--identity-provider TEXT Identity provider in format:
PROVIDER_NAME:userId:userName (can be specified
multiple times)
--help Show this message and exit.
delete
This section lists the delete commands.
The following command shows how to access help and provides examples for delete.
Usage: admin delete [OPTIONS] COMMAND [ARGS]...
Delete a resource.
Options:
--help Show this message and exit.
Commands:
entra-id Delete Entra ID configuration.
groups Delete a group.
roles Delete a role.
saml-mappers Delete an attribute mapper for a SAML provider.
saml-providers Delete a SAML SSO provider.
users Delete a user by ID.
delete entra-id
The following command shows how to access help and provides examples for delete entra-id.
admin delete entra-id --help
Usage: admin delete entra-id [OPTIONS]
Delete Entra ID configuration.
Warning: This action cannot be undone and will permanently remove
all stored Entra ID settings.
Examples:
admin delete entra-id
Options:
--help Show this message and exit.
delete groups
The following command shows how to access help and provides examples for delete groups.
admin delete groups --help
Usage: admin delete groups [OPTIONS] GROUP_ID
Delete a group.
Examples:
admin delete groups group-uuid-here
admin delete groups group-uuid-here --delete-members
Options:
-d, --delete-members Delete all members of the group along with the group
--help Show this message and exit.
delete roles
The following command shows how to access help and provides examples for delete roles.
admin delete roles --help
Usage: admin delete roles [OPTIONS] ROLE_NAME
Delete a role.
Examples:
admin delete roles admin
Options:
--help Show this message and exit.
delete saml-mappers
The following command shows how to access help and provides examples for delete saml-mappers.
admin delete saml-mappers --help
Usage: admin delete saml-mappers [OPTIONS] PROVIDER_ALIAS MAPPER_ID
Delete an attribute mapper for a SAML provider.
Examples:
admin delete saml-mappers azure-ad mapper-uuid
Options:
--help Show this message and exit.
delete saml-providers
The following command shows how to access help and provides examples for delete saml-providers.
admin delete saml-providers --help
Usage: admin delete saml-providers [OPTIONS] ALIAS
Delete a SAML SSO provider.
Examples:
admin delete saml-providers azure-ad
Options:
--help Show this message and exit.
delete users
The following command shows how to access help and provides examples for delete users.
admin delete users --help
Usage: admin delete users [OPTIONS] USER_ID
Delete a user by ID.
Examples:
admin delete users USER_ID
Options:
--help Show this message and exit.
get
This section lists the get commands.
The following command shows how to access help and provides examples for get.
Usage: admin get [OPTIONS] COMMAND [ARGS]...
Display one resource.
Options:
--help Show this message and exit.
Commands:
email Get current SMTP configuration.
email-health Get detailed health status of the email service.
email-log Get current log level.
email-version Get email version information.
entra-id Get current Entra ID configuration.
groups Get detailed information about a specific group.
log-level Get current log level from the backend.
password_policy Get current password policy configuration.
roles Get detailed information about a specific role.
saml-mappers Get detailed information about a SAML provider...
saml-providers Get detailed information about a specific SAML provider.
users Get detailed information about a specific user.
version Get application version information.
get email
The following command shows how to access help and provides examples for get email.
Usage: admin get email [OPTIONS]
Get current SMTP configuration.
Examples:
admin get email
Options:
--help Show this message and exit.
get email-health
The following command shows how to access help and provides examples for get email-health.
admin get email-health --help
Usage: admin get email-health [OPTIONS]
Get detailed health status of the email service.
Examples:
admin get email-health
Options:
--help Show this message and exit.
get email-log
The following command shows how to access help and provides examples for get email-log.
admin get email-log --help
Usage: admin get email-log [OPTIONS]
Get current log level.
Examples:
admin get email-log
Options:
--help Show this message and exit.
get email-version
The following command shows how to access help and provides examples for get email-version.
admin get email-version --help
Usage: admin get email-version [OPTIONS]
Get email version information.
Examples:
admin get email-version
Options:
--help Show this message and exit.
get entra-id
The following command shows how to access help and provides examples for get entra-id.
admin get entra-id --help
Usage: admin get entra-id [OPTIONS]
Get current Entra ID configuration.
Examples:
admin get entra-id
Options:
--help Show this message and exit.
get groups
The following command shows how to access help and provides examples for get groups.
Usage: admin get groups [OPTIONS] GROUP_ID
Get detailed information about a specific group.
Examples:
admin get groups group-uuid-here
admin get groups developers
Options:
--help Show this message and exit.
get password_policy
The following command shows how to access help and provides examples for get password_policy.
admin get password_policy --help
Usage: admin get password_policy [OPTIONS]
Get current password policy configuration.
Options:
--help Show this message and exit.
get roles
The following command shows how to access help and provides examples for get roles.
Usage: admin get roles [OPTIONS] ROLE_NAME
Get detailed information about a specific role.
Examples:
admin get roles admin
Options:
--help Show this message and exit.
get saml-mappers
The following command shows how to access help and provides examples for get saml-mappers.
admin get saml-mappers --help
Usage: admin get saml-mappers [OPTIONS] ALIAS
Get detailed information about a SAML provider including its mappers.
Examples:
admin get saml-mappers azure-ad
Options:
--help Show this message and exit.
get saml-providers
The following command shows how to access help and provides examples for get saml-providers.
admin get saml-providers --help
Usage: admin get saml-providers [OPTIONS] ALIAS
Get detailed information about a specific SAML provider.
Examples:
admin get saml-providers tttt
admin get saml-providers azure-ad-saml
Options:
--help Show this message and exit.
get users
The following command shows how to access help and provides examples for get users.
Usage: admin get users [OPTIONS] USER_ID
Get detailed information about a specific user.
Examples:
admin get users USER_ID
admin get users 12345-uuid
Options:
--help Show this message and exit.
get version
The following command shows how to access help and provides examples for get version.
Usage: admin get version [OPTIONS]
Get application version information.
Examples:
admin get version
Options:
--help Show this message and exit.
get log-level
The following command shows how to access help and provides examples for get log-level.
admin get log-level --help
Usage: admin get log-level [OPTIONS]
Get current log level from the backend.
Examples:
admin get log-level
Options:
--help Show this message and exit.
list
This section lists the list commands.
The following command shows how to access help and provides examples for list.
Usage: admin list [OPTIONS] COMMAND [ARGS]...
List resources.
Options:
--help Show this message and exit.
Commands:
entra-id-group-members Search Entra ID group members.
entra-id-groups Search Entra ID groups.
entra-id-users Search Entra ID users.
groups List all groups with their members and roles.
permissions List all available permissions.
roles List all roles.
saml-mappers List all attribute mappers for a SAML provider.
saml-providers List all SAML SSO providers.
users List all users.
list entra-id-group-members
The following command shows how to access help and provides examples for list entra-id-group-members.
admin list entra-id-group-members --help
Usage: admin list entra-id-group-members [OPTIONS]
Search Entra ID group members.
Search for members of a specific Entra ID group.
Search Parameters:
- Group ID: Required group unique identifier (GUID) - case-sensitive
- Search Query: Optional filter for members (searches name and email fields)
Examples:
admin list entra-id-group-members --group-id "12345678-1234-1234-1234-123456789012"
admin list entra-id-group-members --group-id "87654321-4321-4321-4321-210987654321" --search "john"
admin list entra-id-group-members -g "group-guid-here" -s "admin"
Options:
-g, --group-id TEXT Group unique identifier (GUID) [required]
-s, --search TEXT Search query to filter group members
--help Show this message and exit.
list entra-id-groups
The following command shows how to access help and provides examples for list entra-id-groups.
admin list entra-id-groups --help
Usage: admin list entra-id-groups [OPTIONS]
Search Entra ID groups.
Search across displayName field.
If no search query provided, returns all groups.
Pagination:
- Use --max to control number of results per page (max: 999)
- Use --first to skip results (offset)
- Response shows if more results are available
Examples:
# Get first 100 groups (default)
admin list entra-id-groups
# Search with default pagination
admin list entra-id-groups --search "admin"
# Get first 500 groups
admin list entra-id-groups --max 500
# Get maximum groups per page (999)
admin list entra-id-groups --max 999
# Get next page of results
admin list entra-id-groups --max 999 --first 999
# Search with custom pagination
admin list entra-id-groups --search "IT" --max 500 --first 0
To fetch all groups:
# Loop through pages until no more results
admin list entra-id-groups --max 999 --first 0
admin list entra-id-groups --max 999 --first 999
admin list entra-id-groups --max 999 --first 1998
# ... continue until "More results available" is not shown
Options:
-s, --search TEXT Search query to find groups
-m, --max INTEGER Maximum number of groups to return (default: 100, max:
999)
-f, --first INTEGER Offset for pagination (default: 0)
--help Show this message and exit.
list entra-id-users
The following command shows how to access help and provides examples for list entra-id-users.
admin list entra-id-users --help
Usage: admin list entra-id-users [OPTIONS]
Search Entra ID users.
Search across userPrincipalName, givenName, surname, and mail fields.
If no search query provided, returns all enabled users.
Pagination:
- Use --max to control number of results per page (max: 999)
- Use --first to skip results (offset)
- Response shows if more results are available
Examples:
# Get first 100 users (default)
admin list entra-id-users
# Search with default pagination
admin list entra-id-users --search "john"
# Get first 500 users
admin list entra-id-users --max 500
# Get maximum users per page (999)
admin list entra-id-users --max 999
# Get next page of results
admin list entra-id-users --max 999 --first 999
# Search with custom pagination
admin list entra-id-users --search "smith" --max 500 --first 0
To fetch all users:
# Loop through pages until no more results
admin list entra-id-users --max 999 --first 0
admin list entra-id-users --max 999 --first 999
admin list entra-id-users --max 999 --first 1998
# ... continue until "More results available" is not shown
Options:
-s, --search TEXT Search query to find users
-m, --max INTEGER Maximum number of users to return (default: 100, max:
999)
-f, --first INTEGER Offset for pagination (default: 0)
--help Show this message and exit.
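The "To fetch all" loop described for entra-id-groups and entra-id-users, written out as an added example (not the product's own code) that stops when "More results available" is no longer printed. The function names, the MAX_PAGES cap and the repeated-page check are assumptions added so that a changed marker or an ignored --first cannot loop forever.

```python
import subprocess

MARKER = "More results available"  # text the help says is shown while pages remain
PAGE_SIZE = 999                    # documented maximum for --max
MAX_PAGES = 500                    # added safety cap, not a CLI limit


def run_admin(argv):
    """Run the admin CLI and return its stdout; raises on a non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def iter_pages(resource, search=None, page_size=PAGE_SIZE, run=run_admin):
    """Yield (offset, stdout) for every page of `admin list <resource>`."""
    if resource not in ("entra-id-users", "entra-id-groups"):
        raise ValueError(f"unsupported resource: {resource}")
    if not 1 <= page_size <= PAGE_SIZE:
        raise ValueError("--max must be between 1 and 999")
    first, previous = 0, None
    for _ in range(MAX_PAGES):
        argv = ["admin", "list", resource,
                "--max", str(page_size), "--first", str(first)]
        if search:
            argv += ["--search", search]
        out = run(argv)
        if out == previous:
            # Same page twice means the offset is not being applied.
            raise RuntimeError("page repeated; --first appears to be ignored")
        yield first, out
        if MARKER not in out:
            return
        first, previous = first + page_size, out
    raise RuntimeError(f"still paging after {MAX_PAGES} pages; check the marker text")


def fetch_all(resource, search=None, page_size=PAGE_SIZE, run=run_admin):
    """Return all output lines across pages, without the marker lines."""
    lines = []
    for _, out in iter_pages(resource, search, page_size, run):
        lines += [ln for ln in out.splitlines() if ln.strip() and MARKER not in ln]
    return lines
```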
list groups
The following command shows how to access help and provides examples for list groups.
Usage: admin list groups [OPTIONS]
List all groups with their members and roles.
Examples:
admin list groups
admin list groups --max 10
admin list groups --max 5 --first 10
Options:
-m, --max INTEGER Maximum number of groups to return
-f, --first INTEGER Offset for pagination
--help Show this message and exit.
list permissions
The following command shows how to access help and provides examples for list permissions.
admin list permissions --help
Usage: admin list permissions [OPTIONS]
List all available permissions.
Examples:
admin list permissions
admin list permissions --filter "read*"
Options:
-f, --filter TEXT Filter permissions by name pattern
--help Show this message and exit.
list roles
The following command shows how to access help and provides examples for list roles.
Usage: admin list roles [OPTIONS]
List all roles.
Examples:
admin list roles
Options:
--help Show this message and exit.
list saml-mappers
The following command shows how to access help and provides examples for list saml-mappers.
admin list saml-mappers --help
Usage: admin list saml-mappers [OPTIONS] PROVIDER_ALIAS
List all attribute mappers for a SAML provider.
Examples:
admin list saml-mappers azure-ad
Options:
--help Show this message and exit.
list saml-providers
The following command shows how to access help and provides examples for list saml-providers.
admin list saml-providers --help
Usage: admin list saml-providers [OPTIONS]
List all SAML SSO providers.
Examples:
admin list saml-providers
Options:
--help Show this message and exit.
list users
The following command shows how to access help and provides examples for list users.
Usage: admin list users [OPTIONS]
List all users.
Examples:
admin list users
admin list users --max 10
admin list users --max 5 --first 10
Options:
-m, --max INTEGER Maximum number of users to return
-f, --first INTEGER Offset for pagination
--help Show this message and exit.
set
This section lists the set commands.
The following command shows how to access help and provides examples for set.
Usage: admin set [OPTIONS] COMMAND [ARGS]...
Update fields of a resource.
Options:
--help Show this message and exit.
Commands:
email Update SMTP configuration.
email-log Set application log level.
entra-id Update existing Entra ID configuration.
groups Update an existing group.
lock_user Lock a user account.
log-level Update the log level (critical, error, warning, info,...
password_policy Update password policy configuration.
roles Update an existing role.
saml-providers Update an existing SAML SSO provider.
token Update access token lifespan and SSO idle timeout.
unlock_user Unlock a user account and set a new password.
update_password Update user password.
users Update an existing user.
set email
The following command shows how to access help and provides examples for set email.
Usage: admin set email [OPTIONS]
Update SMTP configuration.
Examples:
admin set email -h "smtp.example.com" -p 587 --use-tls -u "app-user" -w "app-password"
Options:
-h, --smtp-host TEXT SMTP server hostname [required]
-p, --smtp-port INTEGER SMTP server port [required]
--use-tls / --no-tls Enable/disable TLS
-u, --username TEXT SMTP username
-w, --password TEXT SMTP password
--help Show this message and exit.
set email-log
The following command shows how to access help and provides examples for set email-log.
admin set email-log --help
Usage: admin set email-log [OPTIONS]
Set email application log level.
Examples:
admin set email-log -l debug
admin set email-log -l info
Options:
-l, --level [debug|info|warning|error|critical]
Log level to set [required]
--help Show this message and exit.
set entra-id
The following command shows how to access help and provides examples for set entra-id.
admin set entra-id --help
Usage: admin set entra-id [OPTIONS]
Update existing Entra ID configuration.
Only provided fields are updated. Configuration is tested if credentials are changed.
Examples:
admin set entra-id --enabled
admin set entra-id --client-secret "new-secret-here"
admin set entra-id --tenant-id "new-tenant-id" --client-id "new-client-id"
Options:
-t, --tenant-id TEXT Update Entra ID Tenant ID
-c, --client-id TEXT Update Entra ID Application (Client) ID
-s, --client-secret TEXT Update Entra ID Application Client Secret
--enabled / --disabled Enable/disable configuration
--help Show this message and exit.
set groups
The following command shows how to access help and provides examples for set groups.
Usage: admin set groups [OPTIONS] GROUP_ID
Update an existing group.
Examples:
admin set groups group-uuid --members "john,jane,bob"
admin set groups group-uuid --roles "admin,user_manager"
admin set groups group-uuid --members "user1,user2" --roles "operator,viewer"
admin set groups group-uuid --identity-providers "AWS-IDP,AZURE-IDP"
admin set groups group-uuid --members "john.doe,senior.dev" --roles "senior_admin,lead_developer" --identity-providers "AWS-IDP,AZURE-IDP"
Options:
-m, --members TEXT Comma-separated list of usernames (replaces
existing members)
-r, --roles TEXT Comma-separated list of role names (replaces
existing roles)
-i, --identity-providers TEXT Comma-separated list of identity provider
names (replaces existing providers)
--help Show this message and exit.
set lock_user
The following command shows how to access help and provides examples for set lock_user.
admin set lock_user --help
Usage: admin set lock_user [OPTIONS] USER_ID
Lock a user account.
Examples:
admin set lock_user USER_ID
Options:
--help Show this message and exit.
set log-level
The following command shows how to access help and provides examples for set log-level.
admin set log-level --help
Usage: admin set log-level [OPTIONS] {critical|error|warning|info|debug}
Update the log level (critical, error, warning, info, debug).
Examples:
admin set log-level info
admin set log-level debug
Options:
--help Show this message and exit.
set password_policy
The following command shows how to access help and provides examples for set password_policy.
admin set password_policy --help
Usage: admin set password_policy [OPTIONS]
Update password policy configuration.
Options:
--policy TEXT Password policy configuration as JSON string.
Common Keys:
- length: Minimum password length
- digits: Number of digits required
- lowerCase: Number of lowercase characters required
- upperCase: Number of uppercase characters required
- specialChars: Number of special characters required
- notUsername: Password cannot be same as username (0 or 1)
- passwordHistory: Number of previous passwords to remember
- maxLength: Maximum password length
Examples:
admin set password_policy --policy '{"length": 8, "digits": 1, "upperCase": 1, "specialChars": 1}'
admin set password_policy --policy '{"length": 12, "digits": 2, "lowerCase": 1, "upperCase": 1, "specialChars": 2, "notUsername": 1}'
admin set password_policy --policy '{"length": 10, "passwordHistory": 5, "maxLength": 128}'
[required]
--help Show this message and exit.
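A pre-flight check for the --policy JSON, as an added example that is not part of the product: it flags keys outside the documented list (including case slips such as "uppercase") and combinations that no password can satisfy. The function names and the decision to treat keys outside the "Common Keys" list as findings are assumptions.

```python
import json

# Keys listed under "Common Keys" in the help text above.
DOCUMENTED_KEYS = ("length", "digits", "lowerCase", "upperCase", "specialChars",
                   "notUsername", "passwordHistory", "maxLength")
# Character-class minimums; the classes are disjoint, so their counts add up.
CLASS_KEYS = ("digits", "lowerCase", "upperCase", "specialChars")


def check_policy(policy):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    canonical = {k.lower(): k for k in DOCUMENTED_KEYS}
    for key, value in policy.items():
        if key not in DOCUMENTED_KEYS:
            hint = canonical.get(key.lower())
            problems.append(f"{key}: not a documented key"
                            + (f", did you mean {hint}?" if hint else ""))
        elif isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"{key}: expected a non-negative integer, got {value!r}")
    if problems:
        return problems
    if policy.get("notUsername", 0) not in (0, 1):
        problems.append("notUsername: must be 0 or 1")
    # A valid password needs at least `length` characters and at least the
    # sum of the per-class minimums, whichever is larger.
    needed = sum(policy.get(k, 0) for k in CLASS_KEYS)
    floor = max(policy.get("length", 0), needed)
    max_len = policy.get("maxLength")
    if max_len is not None and floor > max_len:
        problems.append(f"maxLength {max_len} is below the effective minimum "
                        f"{floor}: no password can satisfy the policy")
    return problems


def policy_argv(policy):
    """Build argv for `admin set password_policy`, refusing a flawed policy."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return ["admin", "set", "password_policy", "--policy", json.dumps(policy)]


if __name__ == "__main__":
    # Constructed inputs: the first is one of the page's examples.
    for candidate in ({"length": 10, "passwordHistory": 5, "maxLength": 128},
                      {"length": 12, "uppercase": 1},
                      {"digits": 4, "lowerCase": 4, "upperCase": 4,
                       "specialChars": 4, "maxLength": 12}):
        print(candidate, "->", check_policy(candidate) or "ok")
```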
set roles
The following command shows how to access help and provides examples for set roles.
Usage: admin set roles [OPTIONS] ROLE_NAME
Update an existing role.
Examples:
admin set roles admin --description "Updated admin role"
admin set roles manager --permissions "security_officer"
admin set roles operator --description "System operator" --permissions "security_officer"
Options:
-d, --description TEXT New role description
-p, --permissions TEXT Comma-separated list of permission names (replaces existing)
--help Show this message and exit.
set saml-providers
The following command shows how to access help and provides examples for set saml-providers.
admin set saml-providers --help
Usage: admin set saml-providers [OPTIONS] ALIAS
Update an existing SAML SSO provider.
Only the parameters you explicitly provide will be updated.
Examples:
admin set saml-providers azure-ad --display-name "New Azure AD"
admin set saml-providers Test --enabled
admin set saml-providers Test --disabled
admin set saml-providers Test --force-authn
admin set saml-providers Test --no-validate-signature
admin set saml-providers Test --metadata-url "https://new-metadata-url.com"
admin set saml-providers Test --signature-algorithm "RSA_SHA512"
Options:
-d, --display-name TEXT Update display name for the provider
--config-type [metadataUrl|metadataFile]
Update configuration type
--service-provider-entity-id TEXT
Update Service Provider Entity ID
--metadata-url TEXT Update metadata URL
--metadata-file FILENAME Update metadata file content
--signing-certificate TEXT Update signing certificate
--name-id-policy-format TEXT Update NameID Policy Format
--force-authn Enable force authentication
--no-force-authn Disable force authentication
--validate-signature Enable signature validation
--no-validate-signature Disable signature validation
--want-assertions-signed Require signed assertions
--no-want-assertions-signed Don't require signed assertions
--want-assertions-encrypted Require encrypted assertions
--no-want-assertions-encrypted Don't require encrypted assertions
--signature-algorithm TEXT Update signature algorithm
--post-binding-response Enable POST binding for responses
--no-post-binding-response Disable POST binding for responses
--post-binding-authn-request Enable POST binding for auth requests
--no-post-binding-authn-request
Disable POST binding for auth requests
--post-binding-logout Enable POST binding for logout
--no-post-binding-logout Disable POST binding for logout
--want-authn-requests-signed Enable authentication request signing
--no-want-authn-requests-signed
Disable authentication request signing
--attribute-mapping TEXT Update attribute mapping (JSON format)
--enabled Enable the provider
--disabled Disable the provider
--store-token Enable token storage
--no-store-token Disable token storage
--help Show this message and exit.
Note: The --metadata-file option is not supported. You cannot upload or copy the metadata file. Instead, use the --metadata-url option to configure SAML.
set unlock_user
The following command shows how to access help and provides examples for set unlock_user.
admin set unlock_user --help
Usage: admin set unlock_user [OPTIONS] USER_ID
Unlock a user account and set a new password.
Examples:
admin set unlock_user USER_ID --password "NewPassword123!"
admin set unlock_user USER_ID -p "StrongPass123!"
Options:
-p, --password TEXT New password to set after unlocking [required]
--help Show this message and exit.
set update_password
The following command shows how to access help and provides examples for set update_password.
admin set update_password --help
Usage: admin set update_password [OPTIONS] USER_ID
Update user password.
Examples:
admin set update_password USER_ID --new-password "NewPassword123!" --old-password "OldPass123!"
admin set update_password USER_ID -n "NewPass123!" -o "OldPass123!"
Options:
-n, --new-password TEXT New password [required]
-o, --old-password TEXT Current password for validation [required]
--help Show this message and exit.
set users
The following command shows how to access help and provides examples for set users.
Usage: admin set users [OPTIONS] USER_ID
Update an existing user.
Examples:
admin set users USER_ID --email newemail@example.com
admin set users USER_ID --roles "admin,manager"
admin set users USER_ID --identity-provider "AWS-IDP:alpha@example.com:alpha@example.com"
admin set users USER_ID --identity-provider "AWS-IDP:alpha@example.com:alpha@example.com" --identity-provider "AZURE-IDP:beta@azure.com:beta"
Options:
-e, --email TEXT New email address
--first-name TEXT New first name
--last-name TEXT New last name
--roles TEXT Comma-separated list of role names (replaces
existing)
--groups TEXT Comma-separated list of group names (replaces
existing)
--identity-provider TEXT Identity provider in format:
PROVIDER_NAME:userId:userName (can be specified
multiple times, replaces existing)
--help Show this message and exit.
set token
The following command shows how to access help and provides examples for set token.
Usage: admin set token [OPTIONS]
Update access token lifespan and SSO idle timeout.
Examples:
admin set token --lifespan 600
admin set token --lifespan 1200
Options:
--lifespan INTEGER RANGE Access token lifespan in seconds (minimum: 60,
maximum: 3600) [60<=x<=3600; required]
--help Show this message and exit.
test
This section lists the test commands.
The following command shows how to access help and provides examples for test.
Usage: admin test [OPTIONS] COMMAND [ARGS]...
Test various configurations and connections.
Options:
--help Show this message and exit.
Commands:
email Send an email.
entra-id Test Entra ID connection.
test email
The following command shows how to access help and provides examples for test email.
Usage: admin test email [OPTIONS]
Send an email.
Examples:
admin test email -f "sender@example.com" -t "recipient@example.com" -s "Test" -b "This is a test"
admin test email -f "sender@example.com" -t "recipient@example.com" -c "cc@example.com" --bcc-emails "bcc@example.com" -s "Test" -b "Message"
Options:
-f, --from-email TEXT Sender email address [required]
-t, --to-emails TEXT Recipient email address. For multiple recipients,
provide a comma-separated list [required]
-s, --subject TEXT Email subject [required]
-b, --body TEXT Email body content [required]
-c, --cc-emails TEXT CC email address. For multiple recipients, provide a
comma-separated list
--bcc-emails TEXT BCC email address. For multiple recipients, provide a
comma-separated list
--help Show this message and exit.
test entra-id
The following command shows how to access help and provides examples for test entra-id.
admin test entra-id --help
Usage: admin test entra-id [OPTIONS]
Test Entra ID connection.
Test Options:
1. Test stored configuration: --use-stored
2. Test provided credentials: --tenant-id, --client-id, --client-secret
Examples:
admin test entra-id --use-stored
admin test entra-id --tenant-id "tenant-id" --client-id "client-id" --client-secret "secret"
Options:
--use-stored Test stored configuration
-t, --tenant-id TEXT Entra ID Tenant ID (for direct test)
-c, --client-id TEXT Entra ID Application (Client) ID (for direct test)
-s, --client-secret TEXT Entra ID Application Client Secret (for direct
test)
--help Show this message and exit.
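The admin examples above pass passwords and client secrets as option values and include flags that switch off SAML checks. As an added example (not part of the product or its documentation), this Python check scans a provisioning script for such calls using only the options listed in this reference; the sample script, the function names and the rule names are constructed for the illustration.

```python
import shlex

# Credential-bearing options, keyed by subcommand because short flags are
# reused (for example, -s is the subject in "admin test email").
SECRET_OPTS = {
    ("set", "unlock_user"): {"-p", "--password"},
    ("set", "update_password"): {"-n", "--new-password", "-o", "--old-password"},
    ("create", "entra-id"): {"-s", "--client-secret"},
    ("test", "entra-id"): {"-s", "--client-secret"},
}

# "admin set saml-providers" flags that turn a signature requirement off.
SAML_WEAKENING = {
    "--no-validate-signature",
    "--no-want-assertions-signed",
    "--no-want-authn-requests-signed",
}

# Constructed sample input, not taken from a real environment.
SAMPLE_SCRIPT = r'''
# constructed provisioning script
admin set saml-providers Test --metadata-url "https://idp.example.com/metadata" --validate-signature
admin set saml-providers Test --no-validate-signature
admin set unlock_user USER_ID --password "NewPassword123!"
admin set unlock_user USER_ID -p "$NEW_PW"
admin test entra-id --tenant-id "tenant-id" --client-id "client-id" \
    --client-secret "secret"
admin test email -f "sender@example.com" -t "recipient@example.com" -s "Test" -b "This is a test"
'''


def audit_line(line):
    """Return (rule, detail) findings for one logical shell command line."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:
        # Unbalanced quotes: report the line instead of guessing its meaning.
        return [("unparsed", line.strip())]
    if len(argv) < 3 or argv[0] != "admin":
        return []
    sub = (argv[1], argv[2])
    args = argv[3:]
    findings = []
    for i, tok in enumerate(args):
        opt, eq, inline_value = tok.partition("=")
        if sub == ("set", "saml-providers") and tok in SAML_WEAKENING:
            findings.append(("saml-weakened", tok))
        if opt in SECRET_OPTS.get(sub, ()):
            if eq:
                value = inline_value
            else:
                value = args[i + 1] if i + 1 < len(args) else ""
            # A value starting with "$" is a shell expansion: the secret is not
            # stored in the script, although it still reaches the process
            # argument list at run time.
            if value and not value.startswith("$"):
                findings.append(("inline-secret", opt))
    return findings


def audit_script(text):
    """Return (first line number, rule, detail) for every finding in a script."""
    findings = []
    logical, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.rstrip().endswith("\\"):
            # Backslash continuation: keep collecting the same command.
            logical += raw.rstrip()[:-1] + " "
            continue
        logical += raw
        findings += [(start, rule, detail) for rule, detail in audit_line(logical)]
        logical, start = "", None
    if logical:
        # The script ended on a continuation line; audit what was collected.
        findings += [(start, rule, detail) for rule, detail in audit_line(logical)]
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {rule}: {detail}")
```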
3 - Policy Management Command Line Interface (CLI) Reference
Policy Management CLI documentation.
Important: The Policy Management CLI will work only after you have installed the workbench.
Main Pim Command
The following command shows how to access help for the pim commands.
Usage: pim [OPTIONS] COMMAND [ARGS]...
Policy Information Management commands.
Options:
--help Show this message and exit.
Commands:
create Create a resource.
delete Delete a resource.
get Display one or many resources.
invoke Invoke resource by operation defined by the API.
set Update fields of a resource.
Invoke Commands
The following section lists the invoke commands.
Main Invoke Command
The following command shows how to access help for the invoke command.
Usage: pim invoke [OPTIONS] COMMAND [ARGS]...
Invoke resource by operation defined by the API.
Options:
--help Show this message and exit.
Commands:
datastores Commands for deploying datastore resources.
init Bootstrap PIM - Initialize the Policy Information system.
roles Commands for synchronizing role resources.
sources Commands for testing source resources.
Invoke Datastores
The following command shows how to access help for the invoke datastores command. It also provides examples on how to deploy datastore resources.
pim invoke datastores --help
Usage: pim invoke datastores [OPTIONS] COMMAND [ARGS]...
Commands for deploying datastore resources.
Options:
--help Show this message and exit.
Commands:
deploy Deploy policies and/or trusted applications to a specific datastore.
Invoke Datastores Types
The following commands show how to access help for the invoke datastores <type> command.
Invoke Datastores Deploy
The following command shows how to access help for the invoke datastores deploy command. It also provides examples on how to deploy policies or trusted applications or both to a specific datastore.
pim invoke datastores deploy --help
Usage: pim invoke datastores deploy [OPTIONS] DATASTORE_UID
Deploy policies and/or trusted applications to a specific datastore.
EXAMPLES:
# Deploy single policy to datastore
pim invoke datastores deploy 15 --policies 1
# Deploy multiple policies to datastore
pim invoke datastores deploy 15 --policies 1 --policies 2 --policies 3
# Deploy trusted applications to datastore
pim invoke datastores deploy 15 --applications 1 --applications 2
# Deploy both policies and applications together
pim invoke datastores deploy "<datastore-uid>" --policies 1 --policies 2 --applications 1 --applications 2
# Clear all deployments (deploy empty configuration)
pim invoke datastores deploy 42
WORKFLOW:
# Step 1: Verify datastore exists and is accessible
pim get datastores datastore <datastore-uid>
# Step 2: List available policies and applications
pim get policies policy
pim get applications application
# Step 3: Deploy to datastore
pim invoke datastores deploy <datastore-uid> --policies <policy-uid> --applications <app-uid>
Options:
--policies TEXT UIDs of policies to deploy (can be specified multiple
times).
--applications TEXT UIDs of trusted applications to deploy (can be
specified multiple times).
--help Show this message and exit.
Invoke Init
The following command shows how to access help for the invoke init command. It also provides examples on how to initialize the Policy Information Management system.
Usage: pim invoke init [OPTIONS]
Bootstrap PIM - Initialize the Policy Information Management system.
EXAMPLES:
# Initialize PIM system for first-time setup
pim invoke init
Options:
--help Show this message and exit.
Invoke Roles
The following command shows how to access help for the invoke roles command. It also provides examples on how to synchronize role resources.
Usage: pim invoke roles [OPTIONS] COMMAND [ARGS]...
Commands for synchronizing role resources.
Options:
--help Show this message and exit.
Commands:
sync Synchronize all group members for a role with external identity sources.
Roles Types
The following commands show how to access help for the invoke roles <type> command.
Invoke Roles Sync
The following command shows how to access help for the invoke roles sync command. It also provides examples on how to synchronize all group members for a role.
pim invoke roles sync --help
Usage: pim invoke roles sync [OPTIONS] ROLE_UID
Synchronize all group members for a role with external identity sources.
EXAMPLES:
# Synchronize role members with LDAP/AD source
pim invoke roles sync 15
Options:
--help Show this message and exit.
Invoke Sources
The following command shows how to access help for the invoke sources command. It also provides examples on how to test source resources.
pim invoke sources --help
Usage: pim invoke sources [OPTIONS] COMMAND [ARGS]...
Commands for testing source resources.
Options:
--help Show this message and exit.
Commands:
test Tests the connection and functionality of a source.
Invoke Sources Types
The following commands show how to access help for the invoke sources <type> command.
Invoke Sources Test
The following command shows how to access help for the invoke sources test command. It also provides examples on how to test the connection to a member source.
pim invoke sources test --help
Usage: pim invoke sources test [OPTIONS] UID
Tests the connection and functionality of a source.
EXAMPLES:
# Basic connectivity test
pim invoke sources test 15
Options:
--help Show this message and exit.
Create Commands
The following section lists the create commands.
Main Create Command
The following command shows how to access help for the create command.
Usage: pim create [OPTIONS] COMMAND [ARGS]...
Create a resource.
Options:
--help Show this message and exit.
Commands:
alphabets Creates a new alphabet.
applications Creates a new application.
dataelements Creates a new data element of a specific type.
datastores Commands for creating datastore resources.
deploy Deploys policies and/or trusted applications to a datastore.
masks Creates a new mask with specified masking pattern and configuration.
policies Creates a new policy or rule.
roles Creates a new role or adds members to a role.
sources Creates a new source.
Create Alphabets
The following command shows how to access help for the create alphabets command. It also provides examples on how to create an alphabet.
pim create alphabets --help
Usage: pim create alphabets [OPTIONS]
Creates a new alphabet.
EXAMPLES:
# Create alphabet combining existing alphabets (use numeric UIDs from 'pim get alphabets')
pim create alphabets --label "LatinExtended" --alphabets "1,2"
# Create alphabet with Unicode ranges (Basic Latin + punctuation)
pim create alphabets --label "ASCIIPrintable" --ranges '[{"from": "0020", "to": "007E"}]'
# Create alphabet with specific code points (more than 10 examples)
pim create alphabets --label "SpecialChars" --code-points "00A9,00AE,2122,2603,2615,20AC,00A3,00A5,00B5,00B6,2020,2021,2030,2665,2660"
# Create complex alphabet with multiple options (use numeric UIDs)
pim create alphabets --label "CompleteSet" --alphabets "1,3,5" --ranges '[{"from": "0100", "to": "017F"}, {"from": "1E00", "to": "1EFF"}]' --code-points "20AC,00A3,00A5"
# Create mathematical symbols alphabet
pim create alphabets --label "MathSymbols" --ranges '[{"from": "2200", "to": "22FF"}, {"from": "2190", "to": "21FF"}]'
Options:
--label TEXT The label for the custom alphabet. [required]
--alphabets TEXT Comma-separated list of alphabet UIDs.
--ranges TEXT JSON string of code point ranges. For example, '[{"from":
"0020", "to": "007E"}]'.
--code-points TEXT Comma-separated list of code points.
--help Show this message and exit.
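The --ranges JSON and the --code-points list define the character set an alphabet contains, so it helps to expand and check them before creating the alphabet. This added Python example (not part of the product) merges both inputs, rejects malformed, reversed or surrogate values, and reports overlaps and control characters; reading the values as hexadecimal Unicode code points is inferred from the examples above, and --alphabets UIDs are left out because they can only be resolved by the server.

```python
import json
import re

HEX_CODE_POINT = re.compile(r"[0-9A-Fa-f]{1,6}")


def parse_cp(text):
    """Parse one hexadecimal code point such as '007E' into an integer."""
    text = text.strip()
    if not HEX_CODE_POINT.fullmatch(text):
        raise ValueError(f"not a hexadecimal code point: {text!r}")
    value = int(text, 16)
    if value > 0x10FFFF:
        raise ValueError(f"beyond the Unicode range: {text!r}")
    if 0xD800 <= value <= 0xDFFF:
        raise ValueError(f"surrogate code point: {text!r}")
    return value


def expand_alphabet(ranges_json="[]", code_points=""):
    """Return (sorted code points, notes) for --ranges and --code-points values."""
    sources = []
    for item in json.loads(ranges_json):
        low, high = parse_cp(item["from"]), parse_cp(item["to"])
        if low > high:
            raise ValueError(f"range runs backwards: {item['from']}-{item['to']}")
        if low < 0xD800 and high > 0xDFFF:
            raise ValueError(f"range spans the surrogate block: {item['from']}-{item['to']}")
        sources.append(range(low, high + 1))
    # Single code points are handled as one-element sources after the ranges.
    sources += [[parse_cp(part)] for part in code_points.split(",") if part.strip()]

    members, notes = set(), []
    for source in sources:
        duplicates = members.intersection(source)
        if duplicates:
            notes.append(
                f"overlap: {len(duplicates)} code point(s) already included, "
                f"first U+{min(duplicates):04X}"
            )
        members.update(source)

    # C0/C1 controls and DEL rarely belong in an alphabet for printable data.
    controls = [cp for cp in members if cp < 0x20 or 0x7F <= cp <= 0x9F]
    if controls:
        notes.append(f"control characters: {len(controls)} included")
    return sorted(members), notes


if __name__ == "__main__":
    # Inputs copied from the "CompleteSet" example above.
    cps, notes = expand_alphabet(
        '[{"from": "0100", "to": "017F"}, {"from": "1E00", "to": "1EFF"}]',
        "20AC,00A3,00A5",
    )
    print(len(cps), "code points;", notes or "no notes")
```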
Create Applications
The following command shows how to access help for the create applications command. It also provides examples on how to create a trusted application.
pim create applications --help
Usage: pim create applications [OPTIONS]
Creates a new application.
EXAMPLES:
# Create a basic application with required fields
pim create applications --name "WebApp" --application-name "mywebapp" --application-user "webuser"
# Create application with description
pim create applications --name "DatabaseApp" --description "Main database application" --application-name "dbapp" --application-user "dbuser"
Options:
--name TEXT Name of the application. [required]
--description TEXT Description of the application.
--application-name TEXT The application name or the application loading the
API jar file. [required]
--application-user TEXT The application user or the OS user. [required]
--help Show this message and exit.
Create Dataelements
The following command shows how to access help for the create dataelements command. It also provides examples on how to create a data element.
pim create dataelements --help
Usage: pim create dataelements [OPTIONS] COMMAND [ARGS]...
Creates a new data element of a specific type.
AVAILABLE PROTECTION TYPES:
# Encryption Methods:
- aes128-cbc-enc # AES-128 CBC encryption
- aes128-cusp-enc # AES-128 CUSP encryption
- aes256-cbc-enc # AES-256 CBC encryption
- aes256-cusp-enc # AES-256 CUSP encryption
- triple-des-cbc-enc # 3DES CBC encryption
- triple-des-cusp-enc # 3DES CUSP encryption
- sha1-hmac-enc # SHA1 HMAC encryption (deprecated)
- sha256-hmac-enc # SHA256 HMAC encryption
- no-enc # No encryption (clear text)
# Tokenization Methods:
- token numeric # Numeric tokens
- token alphabetic # Alphabetic tokens
- token alpha-numeric # Alphanumeric tokens
- token printable # Printable character tokens
- token unicode # Unicode tokens
- token credit-card # Credit card specific tokens
- token email # Email specific tokens
# Format Preserving Encryption (FPE):
- fpe numeric # Numeric FPE
- fpe alphabetic # Alphabetic FPE
- fpe alpha-numeric # Alphanumeric FPE
# Special Protection Types:
- masking # Data masking using NoEnc
- monitor # Data monitoring using NoEnc
Options:
--help Show this message and exit.
Commands:
aes128-cbc-enc Creates a new AES-128-CBC-ENC data element.
aes128-cusp-enc Creates a new AES-128-CUSP-ENC data element.
aes256-cbc-enc Creates a new AES-256-CBC-ENC data element.
aes256-cusp-enc Creates a new AES-256-CUSP-ENC data element.
fpe Creates a new FPE (Format Preserving Encryption)...
masking Creates a new masking data element using NoEnc...
monitor Creates a new monitoring data element using NoEnc...
no-enc Creates a new No-Enc data element.
sha1-hmac-enc Creates a new SHA1-HMAC-ENC data element...
sha256-hmac-enc Creates a new SHA256-HMAC-ENC data element.
token Creates a new token data element of a specific type.
triple-des-cbc-enc Creates a new 3DES-CBC-ENC data element.
triple-des-cusp-enc Creates a new 3DES-CUSP-ENC data element.
Create Dataelements Types
The following commands show how to access help for the create dataelements <type> command. They also provide examples on how to create a data element of a specific type.
Create Dataelements aes128 cbc enc
The following command shows how to access help for the create dataelements aes128-cbc-enc command. It also provides examples on how to create an AES-128-CBC-ENC data element.
pim create dataelements aes128-cbc-enc --help
Usage: pim create dataelements aes128-cbc-enc [OPTIONS]
Creates a new AES-128-CBC-ENC data element.
EXAMPLES:
# Create basic AES-128 encryption data element
pim create dataelements aes128-cbc-enc --name "BasicEncryption" --description "Basic data encryption"
# Create with all security features enabled
pim create dataelements aes128-cbc-enc --name "FullSecurityEnc" --description "Full security encryption" --iv-type "SYSTEM_APPEND" --checksum-type "CRC32" --cipher-format "INSERT_KEYID_V1"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1] Cipher format.
--help Show this message and exit.
Create Dataelements aes128 cusp enc
The following command shows how to access help for the create dataelements aes128-cusp-enc command. It also provides examples on how to create an AES-128-CUSP-ENC data element.
pim create dataelements aes128-cusp-enc --help
Usage: pim create dataelements aes128-cusp-enc [OPTIONS]
Creates a new AES-128-CUSP-ENC data element.
EXAMPLES:
# Create with key rotation support
pim create dataelements aes128-cusp-enc --name "RotatingCUSP" --description "CUSP with key rotation" --cipher-format "INSERT_KEYID_V1"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1] Cipher format.
--help Show this message and exit.
Create Dataelements aes256 cbc enc
The following command shows how to access help for the create dataelements aes256-cbc-enc command. It also provides examples on how to create an AES-256-CBC-ENC data element.
pim create dataelements aes256-cbc-enc --help
Usage: pim create dataelements aes256-cbc-enc [OPTIONS]
Creates a new AES-256-CBC-ENC data element.
EXAMPLES:
# Create with system-generated IV and CRC32 checksum
pim create dataelements aes256-cbc-enc --name "CreditCardEnc" --description "Credit card encryption" --iv-type "SYSTEM_APPEND" --checksum-type "CRC32"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1] Cipher format.
--help Show this message and exit.
Create Dataelements aes256 cusp enc
The following command shows how to access help for the create dataelements aes256-cusp-enc command. It also provides examples on how to create an AES-256-CUSP-ENC data element.
pim create dataelements aes256-cusp-enc --help
Usage: pim create dataelements aes256-cusp-enc [OPTIONS]
Creates a new AES-256-CUSP-ENC data element.
EXAMPLES:
# Create basic AES-256 CUSP encryption
pim create dataelements aes256-cusp-enc --name "HighSecurityEnc" --description "High security data encryption"
# Create with key ID insertion for key management
pim create dataelements aes256-cusp-enc --name "EnterpriseEnc" --description "Enterprise encryption with key tracking" --cipher-format "INSERT_KEYID_V1"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1] Cipher format.
--help Show this message and exit.
Create Dataelements triple des cbc enc
The following command shows how to access help for the create dataelements triple-des-cbc-enc command. It also provides examples on how to create a 3DES-CBC-ENC data element.
pim create dataelements triple-des-cbc-enc --help
Usage: pim create dataelements triple-des-cbc-enc [OPTIONS]
Creates a new 3DES-CBC-ENC data element.
EXAMPLES:
# Create basic 3DES-CBC encryption
pim create dataelements triple-des-cbc-enc --name "Legacy3DESEnc" --description "Legacy 3DES encryption for compatibility"
# Create with key ID insertion for key management
pim create dataelements triple-des-cbc-enc --name "Managed3DES" --description "3DES with key tracking" --cipher-format "INSERT_KEYID_V1"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1]
Cipher format.
--help Show this message and exit.
Create Dataelements triple des cusp enc
The following command shows how to access help for the create dataelements triple-des-cusp-enc command. It also provides examples on how to create a 3DES-CUSP-ENC data element.
pim create dataelements triple-des-cusp-enc --help
Usage: pim create dataelements triple-des-cusp-enc [OPTIONS]
Creates a new 3DES-CUSP-ENC data element.
EXAMPLES:
# Create with system-generated IV and integrity checking
pim create dataelements triple-des-cusp-enc --name "Secure3DESCusp" --description "3DES CUSP with enhanced security" --iv-type "SYSTEM_APPEND" --checksum-type "CRC32"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--iv-type [NONE|SYSTEM_APPEND] Initialization Vector type.
--checksum-type [NONE|CRC32] Checksum type.
--cipher-format [NONE|INSERT_KEYID_V1]
Cipher format.
--help Show this message and exit.
Create Dataelements fpe
The following command shows how to access help for the create dataelements fpe command. It also provides examples on how to create a Format Preserving Encryption (FPE) data element.
pim create dataelements fpe --help
Usage: pim create dataelements fpe [OPTIONS] COMMAND [ARGS]...
Creates a new FPE (Format Preserving Encryption) data element of a specific
type.
AVAILABLE FPE TYPES:
- numeric # Numeric data (0-9)
- alphabetic # Alphabetic data (a-z, A-Z)
- alpha-numeric # Alphanumeric data (0-9, a-z, A-Z)
- unicode-basic-latin-alphabetic # Unicode Basic Latin alphabetic
- unicode-basic-latin-alpha-numeric # Unicode Basic Latin alphanumeric
Options:
--help Show this message and exit.
Commands:
alpha-numeric Creates a new Alpha Numeric FPE data element.
alphabetic Creates a new Alphabetic FPE data element.
numeric Creates a new Numeric FPE data element.
unicode-basic-latin-alpha-numeric Creates a new Unicode Basic Latin Alpha Numeric (Format Preserving Encryption) FPE data element.
unicode-basic-latin-alphabetic Creates a new Unicode Basic Latin Alphabetic FPE data element.
Create Dataelements fpe alpha numeric
The following command shows how to access help for the create dataelements fpe alpha numeric command. It also provides examples on how to create an alpha numeric (FPE) data element.
pim create dataelements fpe alpha-numeric --help
Usage: pim create dataelements fpe alpha-numeric [OPTIONS]
Creates a new Alpha Numeric FPE data element.
EXAMPLES:
# Create basic alphanumeric FPE for user IDs
pim create dataelements fpe alpha-numeric --name "UserIDFPE" --description "User ID alphanumeric format-preserving encryption"
# Create for product codes with flexible length handling
pim create dataelements fpe alpha-numeric --name "ProductCodeFPE" --description "Product code alphanumeric FPE" --from-left 2 --min-length 5 --allow-short "NOINPUTVALUE"
# Create for mixed case identifiers
pim create dataelements fpe alpha-numeric --name "MixedCaseIDFPE" --description "Mixed case identifier encryption" --from-left 1 --from-right 2 --min-length 7
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--plain-text-encoding TEXT Kept for backwards compatibility, will be
ignored if sent in. Removed in later
releases.
--from-left INTEGER Number of characters to retain in clear from
the left.
--from-right INTEGER Number of characters to retain in clear from
the right.
--min-length INTEGER The minimum supported input length is 2
bytes and is configurable up to 10 bytes.
--tweak-mode [EXT_API|EXT_INPUT]
The tweak input is derived from either the
API (EXT_API) or the input message
(EXT_INPUT).
--allow-short [NOWITHERROR|NOINPUTVALUE]
Specifies whether the short data must be
supported or not.
--help Show this message and exit.
Create Dataelements fpe alphabetic
The following command shows how to access help for the create dataelements fpe alphabetic command. It also provides examples on how to create an alphabetic (FPE) data element.
pim create dataelements fpe alphabetic --help
Usage: pim create dataelements fpe alphabetic [OPTIONS]
Creates a new Alphabetic FPE data element.
EXAMPLES:
# Create with partial clear text (preserve first 2 and last 2 chars)
pim create dataelements fpe alphabetic --name "PartialAlphaFPE" --description "Partial alphabetic FPE with clear boundaries" --from-left 2 --from-right 2
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--plain-text-encoding TEXT Kept for backwards compatibility, will be
ignored if sent in. Removed in later
releases.
--from-left INTEGER Number of characters to retain in clear from
the left.
--from-right INTEGER Number of characters to retain in clear from
the right.
--min-length INTEGER The minimum supported input length is 2
bytes and is configurable up to 10 bytes.
--allow-short [NOWITHERROR|NOINPUTVALUE]
Specifies whether the short data must be
supported or not.
--tweak-mode [EXT_API|EXT_INPUT]
The tweak input is derived from either the
API (EXT_API) or the input message
(EXT_INPUT).
--help Show this message and exit.
Create Dataelements fpe numeric
The following command shows how to access help for the create dataelements fpe numeric command. It also provides examples on how to create a numeric (FPE) data element.
pim create dataelements fpe numeric --help
Usage: pim create dataelements fpe numeric [OPTIONS]
Creates a new Numeric FPE data element.
EXAMPLES:
# Create basic numeric FPE for account numbers
pim create dataelements fpe numeric --name "AccountFPE" --description "Account number format-preserving encryption" --min-length 6
# Create FPE with partial masking (show first 4 digits)
pim create dataelements fpe numeric --name "PartialFPE" --description "Partial numeric FPE" --min-length 8 --from-left 4
# Create credit card FPE with BIN preservation
pim create dataelements fpe numeric --name "CreditCardFPE" --description "Credit card FPE with BIN visible" --min-length 8 --from-left 6 --from-right 4 --special-numeric-handling "CCN"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--plain-text-encoding TEXT Kept for backwards compatibility, will be
ignored if sent in. Removed in later
releases.
--from-left INTEGER Number of characters to retain in clear from
the left.
--from-right INTEGER Number of characters to retain in clear from
the right.
--min-length INTEGER The minimum supported input length is 2
bytes and is configurable up to 10 bytes.
The default minimum supported input length
for Credit Card Number (CCN) is 8 bytes and
is configurable up to 10 bytes.
--tweak-mode [EXT_API|EXT_INPUT]
The tweak input is derived from either the
API (EXT_API) or the input message
(EXT_INPUT).
--allow-short [NOWITHERROR|NOINPUTVALUE]
Specifies whether the short data must be
supported or not.
--special-numeric-handling [NONE|CCN]
The Format Preserving Encryption (FPE) for
Credit Card Number (CCN) is handled by
configuring numeric data type as the
plaintext alphabet.
--help Show this message and exit.
Create Dataelements fpe unicode basic latin alpha numeric
The following command shows how to access help for the create dataelements fpe unicode-basic-latin-alpha-numeric command. It also provides examples on how to create a unicode basic latin alpha numeric (FPE) data element.
pim create dataelements fpe unicode-basic-latin-alpha-numeric --help
Usage: pim create dataelements fpe unicode-basic-latin-alpha-numeric
[OPTIONS]
Creates a new Unicode Basic Latin Alpha Numeric (Format Preserving
Encryption) FPE data element.
EXAMPLES:
# Create basic Unicode Latin alphanumeric FPE
pim create dataelements fpe unicode-basic-latin-alpha-numeric --name "UnicodeLatinFPE" --description "Unicode Latin alphanumeric format-preserving encryption"
# Create with partial clear text for international IDs
pim create dataelements fpe unicode-basic-latin-alpha-numeric --name "IntlIDFPE" --description "International ID with clear prefix,suffix" --from-left 2 --from-right 2 --min-length 6
# Create for international user IDs with flexible length
pim create dataelements fpe unicode-basic-latin-alpha-numeric --name "GlobalUserIDFPE" --description "Global user ID format-preserving encryption" --min-length 4 --allow-short "NOINPUTVALUE"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--plain-text-encoding TEXT Kept for backwards compatibility, will be
ignored if sent in. Removed in later
releases.
--from-left INTEGER Number of characters to retain in clear from
the left.
--from-right INTEGER Number of characters to retain in clear from
the right.
--min-length INTEGER The minimum supported input length is 2
bytes and is configurable up to 10 bytes.
--tweak-mode [EXT_API|EXT_INPUT]
The tweak input is derived from either the
API (EXT_API) or the input message
(EXT_INPUT).
--allow-short [NOWITHERROR|NOINPUTVALUE]
Specifies whether the short data must be
supported or not.
--help Show this message and exit.
Create Dataelements fpe unicode basic latin alphabetic
The following command shows how to access help for the create dataelements fpe unicode-basic-latin-alphabetic command. It also provides examples on how to create a unicode basic latin alphabetic (FPE) data element.
pim create dataelements fpe unicode-basic-latin-alphabetic --help
Usage: pim create dataelements fpe unicode-basic-latin-alphabetic
[OPTIONS]
Creates a new Unicode Basic Latin Alphabetic FPE data element.
EXAMPLES:
# Create basic Unicode Basic Latin alphabetic FPE
pim create dataelements fpe unicode-basic-latin-alphabetic --name "UnicodeAlphaFPE" --description "Unicode Basic Latin alphabetic FPE"
# Create for European customer names
pim create dataelements fpe unicode-basic-latin-alphabetic --name "EuropeanNameFPE" --description "European customer name FPE" --from-left 1 --min-length 3 --allow-short "NOWITHERROR"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--plain-text-encoding TEXT Kept for backwards compatibility, will be
ignored if sent in. Removed in later
releases.
--from-left INTEGER Number of characters to retain in clear from
the left.
--from-right INTEGER Number of characters to retain in clear from
the right.
--min-length INTEGER The minimum supported input length is 2
bytes and is configurable up to 10 bytes.
--tweak-mode [EXT_API|EXT_INPUT]
The tweak input is derived from either the
API (EXT_API) or the input message
(EXT_INPUT).
--allow-short [NOWITHERROR|NOINPUTVALUE]
Specifies whether the short data must be
supported or not.
--help Show this message and exit.
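The --from-left and --from-right options decide how many characters of a value are actually encrypted, and that count together with the alphabet size bounds how many plaintexts a protected value can stand for. This added Python example (not the product's code) parses `pim create dataelements fpe` command lines and reports that figure for a chosen input length. Assumptions: alphabet sizes follow the character sets in the FPE type list above (the two unicode types are left out because their size is not stated), omitted --from-left and --from-right count as 0, --min-length is read as the total input length with 2 as the fallback, and the 1,000,000 review floor is this example's own threshold.

```python
import shlex

# Alphabet sizes from "AVAILABLE FPE TYPES": 0-9, a-z plus A-Z, and both.
RADIX = {"numeric": 10, "alphabetic": 52, "alpha-numeric": 62}
REVIEW_FLOOR = 1_000_000  # assumed review threshold, not a product limit
INT_OPTS = {
    "--from-left": "from_left",
    "--from-right": "from_right",
    "--min-length": "min_length",
}

# Commands copied from the examples in this reference.
CREDIT_CARD_CMD = (
    'pim create dataelements fpe numeric --name "CreditCardFPE" '
    '--description "Credit card FPE with BIN visible" --min-length 8 '
    '--from-left 6 --from-right 4 --special-numeric-handling "CCN"'
)
PRODUCT_CODE_CMD = (
    'pim create dataelements fpe alpha-numeric --name "ProductCodeFPE" '
    '--description "Product code alphanumeric FPE" --from-left 2 '
    '--min-length 5 --allow-short "NOINPUTVALUE"'
)


def parse_fpe_command(command):
    """Extract the FPE type and the clear-text/length options from a command."""
    argv = shlex.split(command)
    if len(argv) < 5 or argv[:4] != ["pim", "create", "dataelements", "fpe"]:
        raise ValueError("not a 'pim create dataelements fpe' command")
    kind = argv[4]
    if kind not in RADIX:
        raise ValueError(f"alphabet size for {kind!r} is not stated in the reference")
    cfg = {"type": kind, "name": None, "from_left": 0, "from_right": 0, "min_length": None}
    options = iter(argv[5:])
    for opt in options:
        value = next(options, None)  # every FPE option listed above takes a value
        if value is None:
            raise ValueError(f"option {opt} has no value")
        if opt == "--name":
            cfg["name"] = value
        elif opt in INT_OPTS:
            number = int(value)
            if number < 0:
                raise ValueError(f"{opt} must not be negative")
            cfg[INT_OPTS[opt]] = number
    return cfg


def split_value(cfg, value):
    """Return (clear prefix, encrypted middle, clear suffix) for one input."""
    left = min(cfg["from_left"], len(value))
    right = min(cfg["from_right"], len(value) - left)
    end = len(value) - right
    return value[:left], value[left:end], value[end:]


def coverage(cfg, input_length):
    """Characters left for encryption and the number of plaintexts they span."""
    protected = max(input_length - cfg["from_left"] - cfg["from_right"], 0)
    domain = RADIX[cfg["type"]] ** protected if protected else 0
    return {"protected": protected, "domain": domain, "below_floor": domain < REVIEW_FLOOR}


def review(command, typical_length):
    """Coverage at a typical input length and at the shortest accepted one."""
    cfg = parse_fpe_command(command)
    shortest = cfg["min_length"] if cfg["min_length"] is not None else 2
    return {
        "name": cfg["name"],
        "typical": coverage(cfg, typical_length),
        "shortest": coverage(cfg, shortest),
    }


if __name__ == "__main__":
    cfg = parse_fpe_command(CREDIT_CARD_CMD)
    # Constructed 16-digit test value, not a real card number.
    print(split_value(cfg, "4111111111111111"))
    print(review(CREDIT_CARD_CMD, 16))
    print(review(PRODUCT_CODE_CMD, 10))
```

If the product applies --min-length to the encrypted portion rather than to the whole input, call `coverage` with the full input length you expect instead of relying on the `shortest` figure.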
Create Dataelements masking
The following command shows how to access help for the create dataelements masking command. It also provides examples on how to create a masking data element using no encryption with masking enabled.
pim create dataelements masking --help
Usage: pim create dataelements masking [OPTIONS]
Creates a new masking data element using NoEnc with masking enabled.
EXAMPLES:
# Create basic data masking with a specific mask
pim create dataelements masking --name "SSNMasking" --description "Social Security Number masking" --mask-uid "1"
# Create email masking for development environment
pim create dataelements masking --name "EmailMasking" --description "Email masking for dev environment" --mask-uid "2"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--mask-uid TEXT The UID of the mask to apply for masking data.
[required]
--help Show this message and exit.
Create Dataelements monitor
The following command shows how to access help for the create dataelements monitor command. It also provides examples on how to create a monitoring data element using NoEnc with monitoring enabled.
pim create dataelements monitor --help
Usage: pim create dataelements monitor [OPTIONS]
Creates a new monitoring data element using no encryption with monitoring enabled.
EXAMPLES:
# Create basic monitoring for sensitive database fields
pim create dataelements monitor --name "CustomerDataMonitor" --description "Monitor customer data access"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--help Show this message and exit.
Create Dataelements no enc
The following command shows how to access help for the create dataelements no-enc command. It also provides examples on how to create a no encryption data element.
pim create dataelements no-enc --help
Usage: pim create dataelements no-enc [OPTIONS]
Creates a new No-Enc data element.
EXAMPLES:
# Create basic no-encryption element for testing
pim create dataelements no-enc --name "TestNoEnc" --description "Test data element with no encryption"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--help Show this message and exit.
Create Dataelements sha1 hmac enc
The following command shows how to access help for the create dataelements sha1-hmac-enc command. It also provides examples on how to create a SHA1-HMAC-ENC data element.
Note: The SHA1-HMAC-ENC data element is deprecated.
pim create dataelements sha1-hmac-enc --help
Usage: pim create dataelements sha1-hmac-enc [OPTIONS]
Creates a new SHA1-HMAC-ENC data element (deprecated).
EXAMPLES:
# Create basic SHA1-HMAC encryption (legacy support)
pim create dataelements sha1-hmac-enc --name "LegacyHashEnc" --description "SHA1 HMAC for legacy system compatibility"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--help Show this message and exit.
Create Dataelements sha256 hmac enc
The following command shows how to access help for the create dataelements sha256-hmac-enc command. It also provides examples on how to create a SHA256-HMAC-ENC data element.
pim create dataelements sha256-hmac-enc --help
Usage: pim create dataelements sha256-hmac-enc [OPTIONS]
Creates a new SHA256-HMAC-ENC data element.
EXAMPLES:
# Create basic SHA256-HMAC encryption
pim create dataelements sha256-hmac-enc --name "SecureHashEnc" --description "Strong SHA256 HMAC encryption"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--help Show this message and exit.
Create Dataelements token
The following command shows how to access help for the create dataelements token command. It also provides examples on how to create a token data element.
pim create dataelements token --help
Usage: pim create dataelements token [OPTIONS] COMMAND [ARGS]...
Creates a new token data element of a specific type.
AVAILABLE TOKEN TYPES:
- numeric # Numeric data tokenization (0-9)
- alphabetic # Alphabetic data tokenization (a-z, A-Z)
- alpha-numeric # Alphanumeric tokenization (0-9, a-z, A-Z)
- printable # Printable ASCII characters
- unicode # Unicode character tokenization
- unicode-base64 # Base64 encoded Unicode tokens
- unicode-gen2 # Generation 2 Unicode tokens with custom alphabets
- binary # Binary data tokenization
- lower-ascii # Lowercase ASCII tokenization
- upper-alphabetic # Uppercase alphabetic tokens
- upper-alpha-numeric # Uppercase alphanumeric tokens
# Specialized Token Types:
- credit-card # Credit card number tokenization
- email # Email address tokenization
- integer # Integer value tokenization
- decimal # Decimal number tokenization
- date-yyyymmdd # Date in YYYY-MM-DD format
- date-ddmmyyyy # Date in DD-MM-YYYY format
- date-mmddyyyy # Date in MM-DD-YYYY format
- date-time # Date and time tokenization
COMMON OPTIONS:
--tokenizer # Lookup table type (SLT_1_3, SLT_2_3, SLT_1_6, SLT_2_6)
--from-left # Characters to keep in clear from left
--from-right # Characters to keep in clear from right
--length-preserving # Maintain original data length
--allow-short # Handle short input data (YES, NO, ERROR)
Options:
--help Show this message and exit.
Commands:
alpha-numeric Creates a new Alpha Numeric Token data element.
alphabetic Creates a new Alphabetic Token data element.
binary Creates a new Binary Token data element.
credit-card Creates a new Credit Card Token data element.
date-ddmmyyyy Creates a new Date DDMMYYYY Token data element.
date-mmddyyyy Creates a new Date MMDDYYYY Token data element.
date-time Creates a new Date Time Token data element.
date-yyyymmdd Creates a new Date YYYYMMDD Token data element.
decimal Creates a new Decimal Token data element.
email Creates a new Email Token data element.
integer Creates a new Integer Token data element.
lower-ascii Creates a new Lower ASCII Token data element.
numeric Creates a new Numeric Token data element.
printable Creates a new Printable Token data element.
unicode Creates a new Unicode Token data element.
unicode-base64 Creates a new Unicode Base64 Token data element.
unicode-gen2 Creates a new Unicode Gen2 Token data element.
upper-alpha-numeric Creates a new Upper Alpha Numeric Token data element.
upper-alphabetic Creates a new Upper Alphabetic Token data element.
Create Dataelements token alpha numeric
The following command shows how to access help for the create dataelements token alpha-numeric command. It also provides examples on how to create an alpha-numeric token data element.
pim create dataelements token alpha-numeric --help
Usage: pim create dataelements token alpha-numeric [OPTIONS]
Creates a new Alpha Numeric Token data element.
EXAMPLES:
# Create for reference codes
pim create dataelements token alpha-numeric --name "RefCodeToken" --description "Reference code alphanumeric tokenization" --tokenizer "SLT_1_3" --from-left 2 --allow-short NOWITHERROR
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token alphabetic
The following command shows how to access help for the create dataelements token alphabetic command. It also provides examples on how to create an alphabetic token data element.
pim create dataelements token alphabetic --help
Usage: pim create dataelements token alphabetic [OPTIONS]
Creates a new Alphabetic Token data element.
EXAMPLES:
# Create length-preserving alphabetic token
pim create dataelements token alphabetic --name "ExactLengthAlpha" --description "Length-preserving alphabetic token" --tokenizer "SLT_2_3" --length-preserving
# Create for name tokenization with short value support
pim create dataelements token alphabetic --name "NameToken" --description "Name tokenization with short support" --tokenizer "SLT_2_3" --allow-short YES --length-preserving
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token binary
The following command shows how to access help for the create dataelements token binary command. It also provides examples on how to create a binary token data element.
pim create dataelements token binary --help
Usage: pim create dataelements token binary [OPTIONS]
Creates a new Binary Token data element.
EXAMPLES:
# Create basic binary tokenization
pim create dataelements token binary --name "BinaryToken" --description "Binary data tokenization" --tokenizer "SLT_1_3"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--help Show this message and exit.
Create Dataelements token credit card
The following command shows how to access help for the create dataelements token credit-card command. It also provides examples on how to create a credit card token data element.
pim create dataelements token credit-card --help
Usage: pim create dataelements token credit-card [OPTIONS]
Creates a new Credit Card Token data element.
EXAMPLES:
# Create basic credit card tokenization
pim create dataelements token credit-card --name "CCTokenBasic" --description "Basic credit card tokenization" --tokenizer "SLT_1_6"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--invalid-card-type Token values will not begin with digits that
real credit card numbers begin with.
--invalid-luhn-digit Validate Luhn checksum (requires valid
credit cards as input).
--alphabetic-indicator Include one alphabetic character in the
token.
--alphabetic-indicator-position INTEGER
Position for the alphabetic indicator
(required when alphabetic-indicator is
enabled).
--help Show this message and exit.
Create Dataelements token date ddmmyyyy
The following command shows how to access help for the create dataelements token date-ddmmyyyy command. It also provides examples on how to create a DDMMYYYY date token data element.
pim create dataelements token date-ddmmyyyy --help
Usage: pim create dataelements token date-ddmmyyyy [OPTIONS]
Creates a new Date DDMMYYYY Token data element.
EXAMPLES:
# Create basic DDMMYYYY date tokenization
pim create dataelements token date-ddmmyyyy --name "DateDDMMYYYY" --description "European date format DD-MM-YYYY tokenization" --tokenizer "SLT_1_3"
# Create for compliance reporting dates
pim create dataelements token date-ddmmyyyy --name "ComplianceDate" --description "Compliance reporting DD-MM-YYYY dates" --tokenizer "SLT_2_3"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--help Show this message and exit.
Create Dataelements token date mmddyyyy
The following command shows how to access help for the create dataelements token date-mmddyyyy command. It also provides examples on how to create a MMDDYYYY date token data element.
pim create dataelements token date-mmddyyyy --help
Usage: pim create dataelements token date-mmddyyyy [OPTIONS]
Creates a new Date MMDDYYYY Token data element.
EXAMPLES:
# Create for financial reporting dates
pim create dataelements token date-mmddyyyy --name "FinancialReportDate" --description "Financial reporting MM-DD-YYYY format" --tokenizer "SLT_2_3"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--help Show this message and exit.
Create Dataelements token date time
The following command shows how to access help for the create dataelements token date-time command. It also provides examples on how to create a date-time token data element.
pim create dataelements token date-time --help
Usage: pim create dataelements token date-time [OPTIONS]
Creates a new Date Time Token data element.
EXAMPLES:
# Create basic date-time tokenization
pim create dataelements token date-time --name "DateTimeToken" --description "Basic date-time tokenization" --tokenizer "SLT_8_DATETIME"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_8_DATETIME] The lookup tables to be generated.
[required]
--tokenize-time Whether to tokenize time (HH:MM:SS).
--distinguishable-date Whether date tokens should be
distinguishable from real dates.
--date-in-clear [NONE|YEAR|MONTH]
Which date parts to keep in clear.
--help Show this message and exit.
Create Dataelements token date yyyymmdd
The following command shows how to access help for the create dataelements token date-yyyymmdd command. It also provides examples on how to create a YYYYMMDD date token data element.
pim create dataelements token date-yyyymmdd --help
Usage: pim create dataelements token date-yyyymmdd [OPTIONS]
Creates a new Date YYYYMMDD Token data element.
EXAMPLES:
# Create basic YYYYMMDD date tokenization
pim create dataelements token date-yyyymmdd --name "DateYYYYMMDD" --description "Date tokenization in YYYY-MM-DD format" --tokenizer "SLT_1_3"
# Create for event date tracking
pim create dataelements token date-yyyymmdd --name "EventDateToken" --description "Event date in YYYY-MM-DD format" --tokenizer "SLT_2_3"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--help Show this message and exit.
Create Dataelements token decimal
The following command shows how to access help for the create dataelements token decimal command. It also provides examples on how to create a decimal token data element.
pim create dataelements token decimal --help
Usage: pim create dataelements token decimal [OPTIONS]
Creates a new Decimal Token data element.
EXAMPLES:
# Create basic decimal tokenization for amounts
pim create dataelements token decimal --name "DecimalToken" --description "Financial decimal amount tokenization" --tokenizer "SLT_6_DECIMAL" --max-length 15
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data element.
--tokenizer [SLT_6_DECIMAL] The lookup tables to be generated. [required]
--min-length INTEGER Minimum length of the token element that can be
protected.
--max-length INTEGER Maximum length of the token element that can be
protected (max 38). [required]
--help Show this message and exit.
Create Dataelements token email
The following command shows how to access help for the create dataelements token email command. It also provides examples on how to create an email token data element.
pim create dataelements token email --help
Usage: pim create dataelements token email [OPTIONS]
Creates a new Email Token data element.
EXAMPLES:
# Create basic email tokenization
pim create dataelements token email --name "EmailTokenBasic" --description "Basic email tokenization" --tokenizer "SLT_1_3" --allow-short NOWITHERROR
# Create email tokenization with error on short input
pim create dataelements token email --name "EmailTokenError" --description "Email tokenization with short input errors" --tokenizer "SLT_1_3" --length-preserving --allow-short NOWITHERROR
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token integer
The following command shows how to access help for the create dataelements token integer command. It also provides examples on how to create an integer token data element.
pim create dataelements token integer --help
Usage: pim create dataelements token integer [OPTIONS]
Creates a new Integer Token data element.
EXAMPLES:
# Create basic integer tokenization (default 4-byte)
pim create dataelements token integer --name "IntegerToken" --description "Basic integer tokenization" --tokenizer "SLT_1_3"
# Create short integer tokenization for small numbers
pim create dataelements token integer --name "ShortIntegerToken" --description "Short integer (2-byte) tokenization" --tokenizer "SLT_1_3" --integer-size "SHORT"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3] The lookup tables to be generated.
[required]
--integer-size [SHORT|INT|LONG]
Integer size: 2 bytes (SHORT), 4 bytes
(INT), or 8 bytes (LONG).
--help Show this message and exit.
Create Dataelements token lower ascii
The following command shows how to access help for the create dataelements token lower-ascii command. It also provides examples on how to create a lower-ascii token data element.
pim create dataelements token lower-ascii --help
Usage: pim create dataelements token lower-ascii [OPTIONS]
Creates a new Lower ASCII Token data element.
EXAMPLES:
# Create strict ASCII tokenization (error on short input)
pim create dataelements token lower-ascii --name "StrictAsciiToken" --description "Strict ASCII tokenization" --tokenizer "SLT_1_3" --allow-short "NOWITHERROR"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token numeric
The following command shows how to access help for the create dataelements token numeric command. It also provides examples on how to create a numeric token data element.
pim create dataelements token numeric --help
Usage: pim create dataelements token numeric [OPTIONS]
Creates a new Numeric Token data element.
EXAMPLES:
# Create basic numeric token for SSN
pim create dataelements token numeric --name "SSNToken" --description "Social Security Number tokenization" --tokenizer "SLT_1_6" --length-preserving
# Create high-security token for financial data
pim create dataelements token numeric --name "FinancialToken" --description "Financial account tokenization" --tokenizer "SLT_2_6" --length-preserving --allow-short "NOWITHERROR"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token printable
The following command shows how to access help for the create dataelements token printable command. It also provides examples on how to create a printable token data element.
pim create dataelements token printable --help
Usage: pim create dataelements token printable [OPTIONS]
Creates a new Printable Token data element.
EXAMPLES:
# Create length-preserving printable token
pim create dataelements token printable --name "ExactLengthPrintable" --description "Length-preserving printable tokenization" --tokenizer "SLT_1_3" --length-preserving
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token unicode
The following command shows how to access help for the create dataelements token unicode command. It also provides examples on how to create a Unicode token data element.
pim create dataelements token unicode --help
Usage: pim create dataelements token unicode [OPTIONS]
Creates a new Unicode Token data element.
EXAMPLES:
# Create with short value support for names
pim create dataelements token unicode --name "IntlNameToken" --description "International name tokenization" --tokenizer "SLT_2_3" --allow-short "YES"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--allow-short [NOWITHERROR|YES|NOINPUTVALUE]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token unicode base64
The following command shows how to access help for the create dataelements token unicode-base64 command. It also provides examples on how to create a Unicode Base64 token data element.
pim create dataelements token unicode-base64 --help
Usage: pim create dataelements token unicode-base64 [OPTIONS]
Creates a new Unicode Base64 Token data element.
EXAMPLES:
# Create basic Unicode Base64 tokenization
pim create dataelements token unicode-base64 --name "UnicodeBase64Token" --description "Base64 encoded Unicode tokenization" --tokenizer "SLT_1_3"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3|SLT_1_6|SLT_2_6]
The lookup tables to be generated.
[required]
--help Show this message and exit.
Create Dataelements token unicode gen2
The following command shows how to access help for the create dataelements token unicode-gen2 command. It also provides examples on how to create a Unicode Gen2 token data element.
pim create dataelements token unicode-gen2 --help
Usage: pim create dataelements token unicode-gen2 [OPTIONS]
Creates a new Unicode Gen2 Token data element.
EXAMPLES:
# Create basic Unicode Gen2 token with custom alphabet
pim create dataelements token unicode-gen2 --name "UnicodeGen2Token" --description "Unicode Gen2 with custom alphabet" --tokenizer "SLT_1_3" --alphabet-uid "1"
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_X_1] The lookup tables to be generated.
[required]
--alphabet-uid TEXT The UID of the alphabet to use for
tokenization. [required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--default-encoding TEXT Default encoding (kept for backwards
compatibility).
--help Show this message and exit.
Create Dataelements token upper alpha numeric
The following command shows how to access help for the create dataelements token upper-alpha-numeric command. It also provides examples on how to create an upper alpha-numeric token data element.
pim create dataelements token upper-alpha-numeric --help
Usage: pim create dataelements token upper-alpha-numeric
[OPTIONS]
Creates a new Upper Alpha Numeric Token data element.
EXAMPLES:
# Create for product codes
pim create dataelements token upper-alpha-numeric --name "ProductCodeToken" --description "Product code uppercase tokenization" --tokenizer "SLT_1_3" --from-left 2 --length-preserving
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Dataelements token upper alphabetic
The following command shows how to access help for the create dataelements token upper-alphabetic command. It also provides examples on how to create an upper alphabetic token data element.
pim create dataelements token upper-alphabetic --help
Usage: pim create dataelements token upper-alphabetic [OPTIONS]
Creates a new Upper Alphabetic Token data element.
EXAMPLES:
# Create for organization names with short support
pim create dataelements token upper-alphabetic --name "OrgNameToken" --description "Organization name tokenization" --tokenizer "SLT_2_3" --allow-short "NOINPUTVALUE" --length-preserving
Options:
--name TEXT The name for the data element. [required]
--description TEXT An optional description for the data
element.
--tokenizer [SLT_1_3|SLT_2_3] The lookup tables to be generated.
[required]
--from-left INTEGER Number of characters to keep in clear from
the left.
--from-right INTEGER Number of characters to keep in clear from
the right.
--length-preserving Specifies whether the output must be of the
same length as the input.
--allow-short [YES|NOINPUTVALUE|NOWITHERROR]
Allow short tokens.
--help Show this message and exit.
Create Datastores
The following command shows how to access help for the create datastores command. It also provides examples on how to create a datastore resource.
pim create datastores --help
Usage: pim create datastores [OPTIONS] COMMAND [ARGS]...
Commands for creating datastore resources.
Options:
--help Show this message and exit.
Commands:
datastore Creates a new datastore with the specified name and configuration.
key Creates and exports a datastore key for secure data operations.
range Adds an IP address range to a datastore for network access control.
Create Datastores Types
The following commands show how to access help for the create datastores <type> command. They also provide examples on how to manage datastore resources.
Create Datastores Datastore
The following command shows how to access help for the create datastores datastore command. It also provides examples on how to create a datastore.
pim create datastores datastore --help
Usage: pim create datastores datastore [OPTIONS]
Creates a new datastore with the specified name and configuration.
Datastores represent physical or logical storage systems that host protected
data. They define where data protection policies are applied and provide the
foundation for implementing encryption, tokenization, and access controls.
EXAMPLES:
# Create a simple datastore for development
pim create datastores datastore --name "dev-database" --description "Development PostgreSQL database"
# Create production datastore with detailed description
pim create datastores datastore --name "prod-customer-db" --description "Production customer data warehouse with PII protection"
# Create datastore and set as default
pim create datastores datastore --name "primary-db" --description "Primary application database" --default
WORKFLOW:
# Step 1: Plan your datastore configuration
# - Choose descriptive name for identification
# - Decide if this should be the default datastore
# Step 2: Create the datastore
pim create datastores datastore --name <name> --description <description> [--default]
# Step 3: Configure IP ranges and access controls
pim create datastores range <datastore-uid> --from <start> --to <end>
# Step 4: Set up encryption keys if needed
pim create datastores key <datastore-uid> --name <key-name>
Options:
--name TEXT Name of the datastore. [required]
--description TEXT Description for the datastore.
--default Set this datastore as the default.
--help Show this message and exit.
Create Datastores Key
The following command shows how to access help for the create datastores key command. It also provides examples on how to export a datastore key.
pim create datastores key --help
Usage: pim create datastores key [OPTIONS] DATASTORE_UID
Creates and exports a datastore key for secure data operations.
EXAMPLES:
# Create RSA export key for datastore
pim create datastores key 15 --algorithm "RSA-OAEP-512" --description "export key" --pem "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ...\n-----END PUBLIC KEY-----"
WORKFLOW:
# Step 1: Generate a key pair (outside of PIM)
openssl genrsa -out private_key.pem 2048
openssl rsa -in private_key.pem -pubout -out public_key.pem
# Step 2: Prepare the PEM content (escape newlines for command line)
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' public_key.pem
# Step 3: Create the export key in PIM
pim create datastores key <datastore-uid> --algorithm <algorithm> --description <description> --pem <pem-content>
# Step 4: Verify the key was created
pim get datastores keys <datastore-uid>
Options:
--algorithm [RSA-OAEP-256|RSA-OAEP-512]
Algorithm for the key. [required]
--description TEXT Description of the key.
--pem TEXT PEM formatted public key. [required]
--help Show this message and exit.
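Step 2 of the workflow above, as an added example that is not part of the product documentation: it flattens a PEM file into the single-line `\n`-escaped form the `--pem` example uses, and refuses input that contains a private key or is not exactly one public key block. The helper name `pem_to_arg`, its exit codes, and the sample key body are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# pem_to_arg is a hypothetical helper name.

# pem_to_arg FILE
# Prints FILE on one line with a literal "\n" after each PEM line.
# Exit codes: 2 unreadable file, 3 private key present,
#             4 not exactly one public key block.
pem_to_arg() {
    pem_file=$1
    if [ ! -r "$pem_file" ]; then
        echo "pem_to_arg: cannot read $pem_file" >&2
        return 2
    fi

    # Only the public half belongs in --pem. Stop if a private key block
    # (PKCS#1, PKCS#8 or encrypted) appears anywhere in the file.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem_file"; then
        echo "pem_to_arg: $pem_file contains a private key, refusing" >&2
        return 3
    fi

    # grep -c prints 0 and exits non-zero when nothing matches.
    pem_begin=$(grep -c -- '^-----BEGIN PUBLIC KEY-----' "$pem_file" || true)
    pem_end=$(grep -c -- '^-----END PUBLIC KEY-----' "$pem_file" || true)
    if [ "$pem_begin" -ne 1 ] || [ "$pem_end" -ne 1 ]; then
        echo "pem_to_arg: expected exactly one PUBLIC KEY block" >&2
        return 4
    fi

    # Drop a trailing CR (CRLF files), skip blank lines, and terminate each
    # remaining line with a literal backslash-n instead of a newline.
    awk '{ sub(/\r$/, "") } /[^ \t]/ { printf "%s\\n", $0 }' "$pem_file"
}

# Demo on a constructed file (the body is not a real key) with CRLF endings.
sample=$(mktemp)
printf '%s\r\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PUBLIC KEY-----' > "$sample"
if pem_arg=$(pem_to_arg "$sample"); then
    printf 'pim create datastores key <datastore-uid> --algorithm <algorithm> --pem "%s"\n' "$pem_arg"
fi
rm -f "$sample"
```

Keep `private_key.pem` from Step 1 out of shell history and out of any file passed to this helper; only `public_key.pem` is needed by the command.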
Create Datastores Range
The following command shows how to access help for the create datastores range command. It also provides examples on how to add a range of IP addresses to a datastore.
pim create datastores range --help
Usage: pim create datastores range [OPTIONS] DATASTORE_UID
Adds an IP address range to a datastore for network access control.
IP ranges define which network addresses are allowed to access the
datastore. This provides network-level security by restricting datastore
access to specific IP addresses or CIDR blocks.
EXAMPLES:
# Add single IP address access
pim create datastores range 15 --from "192.168.1.100" --to "192.168.1.100"
# Add corporate network access range
pim create datastores range <datastore-uid> --from "10.0.0.1" --to "10.0.255.255"
WORKFLOW:
# Step 1: Get datastore UID
pim get datastores datastore
# Step 2: Plan your IP range requirements
# - Identify source networks that need access
# - Define start and end IP addresses
# Step 3: Create the IP range
pim create datastores range <datastore-uid> --from <start-ip> --to <end-ip>
# Step 4: Verify the range was created
pim get datastores ranges <datastore-uid>
Options:
--from TEXT Start IP address of the range. [required]
--to TEXT End IP address of the range. [required]
--help Show this message and exit.
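The help text mentions CIDR blocks, while the options take a start and an end address. The following added example (not product code) converts a CIDR block into the `--from`/`--to` pair and counts how many addresses a range admits, so an overly broad or reversed range is caught before Step 3. The function names are hypothetical, and the arithmetic assumes a shell with 64-bit integers.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# ip_to_int, int_to_ip, cidr_to_range and range_size are hypothetical names.

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer.
# Rejects anything that is not a strict dotted quad (no leading zeros,
# which the shell would otherwise read as octal).
ip_to_int() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> prints N as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_to_range A.B.C.D/N -> prints "FIRST LAST" for use as --from / --to.
cidr_to_range() {
    case $1 in */*) ;; *) return 1 ;; esac
    c_addr=${1%/*}
    c_bits=${1#*/}
    case $c_bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$c_bits" -le 32 ] || return 1
    c_int=$(ip_to_int "$c_addr") || return 1
    c_host=$(( (1 << (32 - c_bits)) - 1 ))        # host-part bit mask
    c_first=$(( c_int & ~c_host & 4294967295 ))   # network address
    c_last=$(( c_first | c_host ))                # last address in block
    echo "$(int_to_ip "$c_first") $(int_to_ip "$c_last")"
}

# range_size FROM TO -> prints how many addresses the range admits.
# Returns 1 on a malformed address and 2 when FROM is greater than TO.
range_size() {
    r_from=$(ip_to_int "$1") || return 1
    r_to=$(ip_to_int "$2") || return 1
    [ "$r_from" -le "$r_to" ] || return 2
    echo $(( r_to - r_from + 1 ))
}

# Demo: a constructed CIDR block, then the corporate range from this page.
set -- $(cidr_to_range "192.168.1.77/24")
echo "pim create datastores range <datastore-uid> --from \"$1\" --to \"$2\""
echo "10.0.0.1 to 10.0.255.255 admits $(range_size 10.0.0.1 10.0.255.255) addresses"
```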
Create Deploy
The following command shows how to access help for the create deploy command. It also provides examples on how to deploy policies or trusted applications or both to a datastore.
Usage: pim create deploy [OPTIONS]
Deploys policies and/or trusted applications to a data store.
Creates a deployment that pushes data protection policies and trusted
application configurations to the specified datastore.
EXAMPLES:
# Deploy single policy to a datastore
pim create deploy --data-store-uid 15 --policy-uids 1
# Deploy multiple policies to a datastore
pim create deploy --data-store-uid 15 --policy-uids 1 --policy-uids 2 --policy-uids 3
# Deploy trusted applications to grant access
pim create deploy --data-store-uid 15 --trusted-application-uids 1 --trusted-application-uids 2
# Deploy both policies and applications together
pim create deploy --data-store-uid 15 --policy-uids 1 --policy-uids 2 --trusted-application-uids 1 --trusted-application-uids 2
WORKFLOW:
# Step 1: Verify datastore exists and is accessible
pim get datastores datastore <data-store-uid>
# Step 2: List available policies and applications
pim get policies policy
pim get applications application
# Step 3: Deploy to a datastore
pim create deploy --data-store-uid <datastore-uid> --policy-uids <policy-uid> --trusted-application-uids <app-uid>
# Step 4: Verify deployment was successful
pim get deploy
Options:
--data-store-uid TEXT UID of the data store to deploy. [required]
--policy-uids TEXT UIDs of the policies to deploy.
--trusted-application-uids TEXT UIDs of the trusted applications to deploy.
--help Show this message and exit.
Create Masks
The following command shows how to access help for the create masks command. It also provides examples on how to create a mask.
Usage: pim create masks [OPTIONS]
Creates a new mask with specified masking pattern and configuration.
EXAMPLES:
# Create mask for credit card numbers (show last 4 digits)
pim create masks --name "credit-card-mask" --description "Mask credit card showing last 4 digits" --from-left 0 --from-right 4 --character "*"
MASKING PATTERNS:
Credit Card Masking (****-****-****-1234):
--from-left 0 --from-right 4 --character "*"
Email Masking (j***@example.com):
--from-left 1 --from-right 0 --character "*"
Full Masking (***********):
--from-left 0 --from-right 0 --character "*" --masked
Options:
--name TEXT The name for the mask. [required]
--description TEXT An optional description for the mask.
--from-left INTEGER Number of characters to be masked or kept in clear
from the left. [required]
--from-right INTEGER Number of characters to be masked or kept in clear
from the right. [required]
--masked Specifies whether the left and right characters should
be masked or kept in clear.
--character TEXT Specifies the mask character (*,#,-,0,1,2,3,4,5,6,7,8,
or 9). [required]
--help Show this message and exit.
Create Policies
The following command shows how to access help for the create policies command. It also provides examples on how to create a policy.
pim create policies --help
Usage: pim create policies [OPTIONS] COMMAND [ARGS]...
Creates a new policy or rule.
Options:
--help Show this message and exit.
Commands:
policy Creates a new data protection policy with specified access permissions.
rules Creates multiple rules and adds them to a policy in bulk.
Create Policies Types
The following commands show how to access help for the create policies <type> command. It also provides examples on how to manage policy resources.
Create Policies Policy
The following command shows how to access help for the create policies policy command. It also provides examples on how to create a policy.
Important: Always add a description when you create a policy. If the description is missing, the pim get policies command fails.
pim create policies policy --help
Usage: pim create policies policy [OPTIONS]
Creates a new data protection policy with specified access permissions.
EXAMPLES:
# Create basic policy with all protection operations enabled
pim create policies policy --name "full-protection-policy" --description "Complete data protection with all operations" --protect --re-protect --un-protect
# Create read-only policy (no protection operations)
pim create policies policy --name "read-only-policy" --description "Read-only access without protection operations"
Options:
--name TEXT Name of the policy. [required]
--description TEXT Description of the policy. [required]
--protect Allow protect operation.
--re-protect Allow re-protect operation.
--un-protect Allow un-protect operation.
--help Show this message and exit.
Create Policies Rules
The following command shows how to access help for the create policies rules command. It also provides examples on how to create multiple rules and add them to a policy.
pim create policies rules --help
Usage: pim create policies rules [OPTIONS] POLICY_UID
Creates multiple rules and adds them to a policy in bulk.
Rules define the mapping between roles and data elements with specific
protection methods and access permissions. Each rule specifies how a role
can access a data element, what masking to apply, and which protection
operations are allowed.
RULE FORMAT: role_uid,data_element_uid[,mask][,no_access_operation][,protect][,re_protect][,un_protect]
EXAMPLES:
# Create rules for different roles accessing PII data elements
pim create policies rules 15 --rule "1,3,1,NULL_VALUE,true,true,true" --rule "3,3,1,PROTECTED_VALUE,false,false,false" --rule "4,2,,NULL_VALUE,true,false,false"
WORKFLOW:
# Step 1: Verify policy exists and review its configuration
pim get policies <policy-uid>
# Step 2: Identify required roles and data elements
pim get applications application # for roles
pim get data_elements data_element # for data elements
pim get masks # for available masks
# Step 3: Create rules in bulk
pim create policies rules <policy-uid> --rule "..." --rule "..." --rule "..."
# Step 4: Verify rules were created successfully
pim get policies <policy-uid> --rules
PARAMETER DESCRIPTIONS:
role_uid (Required): UID of the role/application that will access data
- References trusted applications or user roles
- Must exist in the system before creating rules
- Determines who can perform operations on data elements
data_element_uid (Required): UID of the data element
- References specific data fields or columns
- Must exist before creating rules
- Defines what data is being protected
mask (Optional): UID of mask to apply for data obfuscation
- Empty/omitted: No masking applied
- Must reference existing mask configuration
- Controls how data appears when accessed
no_access_operation (Optional, Default: NULL_VALUE):
- NULL_VALUE: Return null when access denied
- PROTECTED_VALUE: Return masked/protected format
- EXCEPTION: Throw exception when access denied
protect (Optional, Default: false): Allow data protection operations
- true: Role can encrypt/tokenize/mask data
- false: Role cannot perform protection operations
re_protect (Optional, Default: false): Allow data re-protection
- true: Role can change protection methods/keys
- false: Role cannot re-protect data
un_protect (Optional, Default: false): Allow data un-protection
- true: Role can decrypt/detokenize/unmask data
- false: Role cannot remove protection
Examples: --rule "role1,de1,mask1,NULL_VALUE,true,false,false" --rule
"role2,de2,,EXCEPTION,false,true,true" --rule "role3,de3"
Options:
--rule TEXT Rule specification in format: "role_uid,data_element_uid[,mask]
[,no_access_operation][,protect][,re_protect][,un_protect]".
Can be specified multiple times. [required]
--help Show this message and exit.
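The following Python is an added example, not part of the pim CLI: it parses rule strings in the RULE FORMAT above, applies the documented defaults, and lists the role and data element pairs that would receive un_protect, so a bulk --rule set can be reviewed before it is created. Treating an empty field as "use the default" and accepting only lowercase true/false are assumptions about the CLI's behaviour.

```python
"""Pre-flight review of `pim create policies rules --rule` strings (added example)."""
from dataclasses import dataclass
from typing import Optional

NO_ACCESS_OPERATIONS = ("NULL_VALUE", "PROTECTED_VALUE", "EXCEPTION")
FLAG_NAMES = ("protect", "re_protect", "un_protect")


@dataclass(frozen=True)
class Rule:
    role_uid: str
    data_element_uid: str
    mask: Optional[str] = None            # None: no masking applied
    no_access_operation: str = "NULL_VALUE"
    protect: bool = False
    re_protect: bool = False
    un_protect: bool = False


def parse_rule(spec):
    """Parse one rule string, applying the defaults listed in the help text.

    Assumption: an empty field between commas means "use the default", as the
    help text states for mask; the CLI may treat other empty fields differently.
    """
    fields = [f.strip() for f in spec.split(",")]
    if not 2 <= len(fields) <= 7:
        raise ValueError(f"expected 2 to 7 comma-separated fields, got {len(fields)}")
    fields += [""] * (7 - len(fields))
    role_uid, data_element_uid, mask, no_access = fields[:4]
    if not role_uid or not data_element_uid:
        raise ValueError("role_uid and data_element_uid are required")
    no_access = no_access or "NULL_VALUE"
    if no_access not in NO_ACCESS_OPERATIONS:
        raise ValueError(f"unknown no_access_operation {no_access!r}")
    flags = []
    for name, raw in zip(FLAG_NAMES, fields[4:]):
        if raw not in ("", "true", "false"):
            raise ValueError(f"{name} must be true or false, got {raw!r}")
        flags.append(raw == "true")
    return Rule(role_uid, data_element_uid, mask or None, no_access, *flags)


def review_rules(specs):
    """Parse every rule and collect what to check before the bulk create."""
    report = {"rules": [], "errors": [], "un_protect": [], "duplicates": []}
    seen = set()
    for index, spec in enumerate(specs):
        try:
            rule = parse_rule(spec)
        except ValueError as exc:
            report["errors"].append((index, str(exc)))
            continue
        report["rules"].append(rule)
        pair = (rule.role_uid, rule.data_element_uid)
        if pair in seen:
            # Same role and data element twice: the later rule may conflict.
            report["duplicates"].append(pair)
        seen.add(pair)
        if rule.un_protect:
            # This role would be able to decrypt/detokenize/unmask the element.
            report["un_protect"].append(pair)
    return report


# First four strings come from the page's examples; the last three are constructed.
SAMPLE = [
    "1,3,1,NULL_VALUE,true,true,true",
    "3,3,1,PROTECTED_VALUE,false,false,false",
    "4,2,,NULL_VALUE,true,false,false",
    "role3,de3",
    "1,3,,EXCEPTION",                  # constructed: repeats role 1 / element 3
    "5,3,,DENY",                       # constructed: unknown no_access_operation
    "6,2,,NULL_VALUE,true,false,yes",  # constructed: invalid boolean
]

if __name__ == "__main__":
    result = review_rules(SAMPLE)
    print("valid rules:", len(result["rules"]))
    print("grants un_protect:", result["un_protect"])
    print("duplicate role/element pairs:", result["duplicates"])
    for index, message in result["errors"]:
        print(f"rule #{index} rejected: {message}")
```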
Create Roles
The following command shows how to access help for the create roles command. It also provides examples on how to create a role.
Usage: pim create roles [OPTIONS] COMMAND [ARGS]...
Creates a new role or adds members to a role.
Options:
--help Show this message and exit.
Commands:
members Adds members to a role in bulk.
role Creates a new role with specified configuration and access mode.
Create Roles Types
The following commands show how to access help for the create roles <type> command. It also provides examples on how to manage roles.
Create Roles Members
The following command shows how to access help for the create roles members command. It also provides examples on how to add members to a role.
pim create roles members --help
Usage: pim create roles members [OPTIONS] ROLE_UID
Adds members to a role in bulk.
Members can be individual users or groups from various identity sources.
This command allows adding multiple members at once with proper validation
and error handling for each member specification.
MEMBER FORMAT: name,source,sync_id,type OR name,source,type (sync_id
optional)
EXAMPLES:
# Add individual users from LDAP
pim create roles members 15 --member "john.doe,1,12345,USER" --member "jane.smith,1,67890,USER"
Examples: --member "john.doe,ldap,12345,USER" --member
"admin_group,ldap,67890,GROUP" --member "jane.smith,ad,USER" (sync_id
omitted)
Options:
--member TEXT Member specification in format: "name,source,sync_id,type" or
"name,source,type". Can be specified multiple times. Where
name is the member name (required, min_length=1), source is
the source of the member (required), sync_id is the
synchronization ID (optional), and type is the member type
(required: USER or GROUP).
--help Show this message and exit.
Create Roles Role
The following command shows how to access help for the create roles role command. It also provides examples on how to create a role.
pim create roles role --help
Usage: pim create roles role [OPTIONS]
Creates a new role with specified configuration and access mode.
EXAMPLES:
# Create semiautomatic role for project team
pim create roles role --name "project-alpha-team" --description "Project Alpha mixed access" --mode "SEMIAUTOMATIC"
Options:
--name TEXT Name of the role. [required]
--description TEXT Description of the role.
--mode [MANUAL|SEMIAUTOMATIC|AUTOMATIC] Role mode. [required]
--allow-all Allow access to all users for this role.
--help Show this message and exit.
Create Sources
The following command shows how to access help for the create sources command. It also provides examples on how to create a member source.
pim create sources --help
Usage: pim create sources [OPTIONS] COMMAND [ARGS]...
Creates a new source.
Options:
--help Show this message and exit.
Commands:
ad Creates a new Active Directory source for Windows domain integration.
azure Creates a new AZURE AD source for Microsoft cloud identity integration.
database Creates a new DATABASE source for relational database user repositories.
file Creates a new FILE source for static user and group management.
ldap Creates a new LDAP source for directory-based authentication and user management.
posix Creates a new POSIX source for Unix/Linux system account integration.
Create Sources Types
The following commands show how to access help for the create sources <type> command. It also provides examples on how to create a member source of a specific type.
Create Source Ad
The following command shows how to access help for the create sources ad command. It also provides examples on how to create an Active Directory member source.
pim create sources ad --help
Usage: pim create sources ad [OPTIONS]
Creates a new Active Directory source for Windows domain integration.
EXAMPLES:
Note: The following commands use line continuation (\) for readability.
In practice, run each command as a single line or use your shell's
line continuation syntax
# Create basic AD source with domain controller
pim create sources ad --name "corporate-ad" --description "Corporate Active Directory" \
--host "dc1.company.com" --port 389 \
--user-name "service@company.com" --pass-word "password123" \
--base-dn "dc=company,dc=com"
Options:
--name TEXT Name of the source. [required]
--description TEXT Description of the source.
--user-name TEXT Authentication user.
--pass-word TEXT Authentication password.
--host TEXT The Fully Qualified Domain Name (FQDN) or IP address of
the directory server.
--port INTEGER The network port on the directory server where the
service is listening.
--tls The TLS protocol is enabled to create a secure
communication to the directory server.
--base-dn TEXT The Base DN for the server to search for users.
--recursive Enables recursive search for active directory or Azure
AD.
--ldaps Use LDAPS instead of startTLS.
--help Show this message and exit.
Create Source Azure
The following command shows how to access help for the create sources azure command. It also provides examples on how to create an Azure member source.
pim create sources azure --help
Usage: pim create sources azure [OPTIONS]
Creates a new AZURE AD source for Microsoft cloud identity integration.
EXAMPLES:
Note: The following commands use line continuation (\) for readability.
In practice, run each command as a single line or use your shell's
line continuation syntax.
# Create basic Azure AD source for corporate tenant
pim create sources azure --name "corporate-azure" --description "Corporate Azure AD" \
--client-id "12345678-1234-1234-1234-123456789012" \
--tenant-id "87654321-4321-4321-4321-210987654321" \
--environment "PUBLIC"
# Create Azure AD source with service principal authentication
pim create sources azure --name "sp-azure" --description "Service Principal Azure AD" \
--user-name "service-principal@company.onmicrosoft.com" \
--pass-word "sp-secret-key" \
--client-id "app-registration-id" \
--tenant-id "company-tenant-id" \
--environment "PUBLIC" --recursive
# Create Azure Government cloud source
pim create sources azure --name "gov-azure" --description "Azure Government Cloud" \
--client-id "gov-app-id" \
--tenant-id "gov-tenant-id" \
--environment "USGOVERNMENT" \
--user-attribute "userPrincipalName" \
--group-attribute "displayName"
# Create Azure China cloud source
pim create sources azure --name "china-azure" --description "Azure China Cloud" \
--client-id "china-app-id" \
--tenant-id "china-tenant-id" \
--environment "CHINA" \
--recursive
# Create Azure AD with custom attributes
pim create sources azure --name "custom-azure" --description "Custom Azure AD Configuration" \
--client-id "custom-app-id" \
--tenant-id "custom-tenant-id" \
--environment "PUBLIC" \
--user-attribute "mail" \
--group-attribute "displayName" \
--group-members-attribute "members" \
--recursive
# Create multi-tenant Azure AD source
pim create sources azure --name "partner-azure" --description "Partner Tenant Azure AD" \
--client-id "partner-app-id" \
--tenant-id "partner-tenant-id" \
--environment "PUBLIC" \
--user-name "guest@partner.onmicrosoft.com" \
--pass-word "guest-credentials"
Options:
--name TEXT Name of the source. [required]
--description TEXT Description of the source.
--user-name TEXT Authentication user.
--pass-word TEXT Authentication password.
--recursive Enables recursive search for active
directory or Azure AD.
--user-attribute TEXT The Relative Distinguished Name (RDN)
attribute of the user distinguished name.
--group-attribute TEXT The Relative Distinguished Name (RDN)
attribute of the group distinguished name.
--group-members-attribute TEXT The attribute that enumerates members of the
group.
--client-id TEXT The client id for AZURE AD.
--tenant-id TEXT The tenant id for the AZURE AD.
--environment [CHINA|CANARY|PUBLIC|USGOVERNMENT|USGOVERNMENTL5]
The AZURE AD environment that should be used.
--help Show this message and exit.
Create Source Database
The following command shows how to access help for the create sources database command. It also provides examples on how to create a database member source.
pim create sources database --help
Usage: pim create sources database [OPTIONS]
Creates a new DATABASE source for relational database user repositories.
EXAMPLES:
Note: The following commands use line continuation (\) for readability.
In practice, run each command as a single line or use your shell's
line continuation syntax
# Create Oracle database source with DSN
pim create sources database --name "oracle-hr" --description "Oracle HR Database" \
--user-name "pim_service" --pass-word "oracle123" \
--host "oracle.company.com" --port 1521 \
--dsn "XE" --vendor "ORACLE"
Options:
--name TEXT Name of the source. [required]
--description TEXT Description of the source.
--user-name TEXT Authentication user.
--pass-word TEXT Authentication password.
--host TEXT The Fully Qualified Domain Name (FQDN) or IP
address of the database server.
--port INTEGER The network port on the directory server
where the service is listening.
--dsn TEXT The Data Source Name (DSN) for ODBC
connection.
--vendor [TERADATA|ORACLE|DATABASE|SQLSERVER|DB2|POSTGRESQLX]
The vendor of the ODBC driver.
--help Show this message and exit.
Create Source File
The following command shows how to access help for the create sources file command. It also provides examples on how to create a file member source.
pim create sources file --help
Usage: pim create sources file [OPTIONS]
Creates a new FILE source for static user and group management.
EXAMPLES:
# Create basic file source with user list
pim create sources file --name "dev-users" --description "environment users" --user-file exampleusers.txt --group-file examplegroups.txt
Options:
--name TEXT Name of the source. [required]
--description TEXT Description of the source.
--user-file TEXT A sample file that contains a list of individual
members.
--group-file TEXT A sample file that contains groups of members.
--help Show this message and exit.
Create Source Ldap
The following command shows how to access help for the create sources ldap command. It also provides examples on how to create an LDAP member source.
pim create sources ldap --help
Usage: pim create sources ldap [OPTIONS]
Creates a new LDAP source for directory-based authentication and user
management.
EXAMPLES:
Note: The following commands use line continuation (\) for readability.
In practice, run each command as a single line or use your shell's
line continuation syntax
# Create basic LDAP source with minimal configuration
pim create sources ldap --name "company-ldap" --description "Company LDAP directory" \
--host "ldap.company.com" --port 389 \
--user-name "cn=admin,dc=company,dc=com" --pass-word "password123" \
--user-base-dn "ou=users,dc=company,dc=com" \
--group-base-dn "ou=groups,dc=company,dc=com"
# Create OpenLDAP source with detailed configuration
pim create sources ldap --name "openldap-prod" --description "Production OpenLDAP" \
--host "openldap.company.com" --port 389 \
--user-name "cn=readonly,dc=company,dc=com" --pass-word "readonly123" \
--user-base-dn "ou=employees,dc=company,dc=com" \
--user-attribute "uid" --user-object-class "posixAccount" \
--user-login-attribute "uid" \
--group-base-dn "ou=departments,dc=company,dc=com" \
--group-attribute "cn" --group-object-class "posixGroup" \
--group-members-attribute "memberUid" --timeout 60
Options:
--name TEXT Name of the source. [required]
--description TEXT Description of the source.
--user-name TEXT Authentication user.
--pass-word TEXT Authentication password.
--host TEXT The Fully Qualified Domain Name (FQDN) or IP
address of the directory server.
--port INTEGER The network port on the directory server
where the service is listening.
--tls The TLS protocol is enabled to create a
secure communication to the directory
server.
--user-base-dn TEXT The base distinguished name where users can
be found in the directory.
--user-attribute TEXT The Relative Distinguished Name (RDN)
attribute of the user distinguished name.
--user-object-class TEXT The object class of entries where user
objects are stored.
--user-login-attribute TEXT The attribute intended for authentication or
login.
--group-base-dn TEXT The base distinguished name where groups can
be found in the directory.
--group-attribute TEXT The Relative Distinguished Name (RDN)
attribute of the group distinguished name.
--group-object-class TEXT The object class of entries where group
objects are stored.
--group-members-attribute TEXT The attribute that enumerates members of the
group.
--group-member-is-dn The members may be listed using their fully
qualified name.
--timeout INTEGER The timeout value when waiting for a
response from the directory server.
--help Show this message and exit.
Delete Commands
The following section lists the delete commands.
Main Delete Command
The following command shows how to access help for the delete command.
Usage: pim delete [OPTIONS] COMMAND [ARGS]...
Delete a resource.
Options:
--help Show this message and exit.
Commands:
alphabets Deletes a specific alphabet by UID.
applications Deletes a specific application by UID.
dataelements Deletes a specific data element by UID.
datastores Commands for deleting datastore resources.
masks Deletes a specific mask by its UID.
policies Deletes a policy, a rule from a policy, or a data element from a policy.
roles Commands for deleting role resources.
sources Permanently deletes a source from the system.
Delete Alphabets
The following command shows how to access help for the delete alphabets command. It also provides examples on how to delete an alphabet.
pim delete alphabets --help
Usage: pim delete alphabets [OPTIONS] UID
Deletes a specific alphabet by UID.
WORKFLOW:
# Step 1: First, list all alphabets to find the UID you want to delete
pim get alphabets
# Step 2: Copy the UID from the list and use it to delete the alphabet
pim delete alphabets <uid-from-list>
EXAMPLES:
# Complete workflow example:
# 1. List all alphabets to see available UIDs
pim get alphabets
# 2. Delete a specific alphabet using UID from the list above
pim delete alphabets 14
Options:
--help Show this message and exit.
Delete Applications
The following command shows how to access help for the delete applications command. It also provides examples on how to delete a trusted application.
pim delete applications --help
Usage: pim delete applications [OPTIONS] UID
Deletes a specific application by UID.
WORKFLOW:
# Step 1: First, list all applications to find the UID you want to delete
pim get applications
# Step 2: Copy the UID from the list and use it to delete the application
pim delete applications <uid-from-list>
EXAMPLES:
# 1. List all applications to see available UIDs
pim get applications
# 2. Delete a specific application using numeric UID from the list above
pim delete applications 42
Options:
--help Show this message and exit.
Delete Dataelements
The following command shows how to access help for the delete dataelements command. It also provides examples on how to delete a data element.
pim delete dataelements --help
Usage: pim delete dataelements [OPTIONS] UID
Deletes a specific data element by UID.
WORKFLOW:
# Step 1: First, list all data elements to find the UID you want to delete
pim get dataelements
# Step 2: Copy the UID from the list and use it to delete the data element
pim delete dataelements <uid-from-list>
EXAMPLES:
# Complete workflow example:
# 1. List all data elements to see available UIDs
pim get dataelements
# 2. Delete a specific data element using numeric UID from the list above
pim delete dataelements 42
Options:
--help Show this message and exit.
Delete Datastores
The following command shows how to access help for the delete datastores command. It also provides examples on how to delete a datastore.
pim delete datastores --help
Usage: pim delete datastores [OPTIONS] COMMAND [ARGS]...
Commands for deleting datastore resources.
Options:
--help Show this message and exit.
Commands:
datastore Deletes a datastore by UID.
key Deletes an export key from a datastore.
range Deletes an IP address range from a datastore.
Delete Datastores Types
The following commands show how to access help for the delete datastores <type> command. It also provides examples on how to delete a datastore of a specific type.
Delete Datastores Datastore
The following command shows how to access help for the delete datastores datastore command. It also provides examples on how to delete a datastore by the UID.
pim delete datastores datastore --help
Usage: pim delete datastores datastore [OPTIONS] UID
Deletes a datastore by UID.
EXAMPLES:
# Delete datastore by numeric UID
pim delete datastores datastore 15
Options:
--help Show this message and exit.
Delete Datastores Key
The following command shows how to access help for the delete datastores key command. It also provides examples on how to delete a key from a datastore.
pim delete datastores key --help
Usage: pim delete datastores key [OPTIONS] DATASTORE_UID KEY_UID
Deletes an export key from a datastore.
EXAMPLES:
# Remove specific export key from datastore
pim delete datastores key 1 2
WORKFLOW:
# Step 1: List current keys to identify the key UID
pim get datastores keys <datastore-uid>
# Step 2: Verify which processes use this key
# - Check backup and migration schedules
# - Verify no active export operations
# Step 3: Delete the key
pim delete datastores key <datastore-uid> <key-uid>
# Step 4: Verify deletion
pim get datastores keys <datastore-uid>
Options:
--help Show this message and exit.
Delete Datastores Range
The following command shows how to access help for the delete datastores range command. It also provides examples on how to delete a range of IP addresses from a datastore.
pim delete datastores range --help
Usage: pim delete datastores range [OPTIONS] DATASTORE_UID RANGE_UID
Deletes an IP address range from a datastore.
EXAMPLES:
# Remove specific IP range from datastore
pim delete datastores range 15 1
WORKFLOW:
# Step 1: List current ranges to identify the range UID
pim get datastores ranges <datastore-uid>
# Step 2: Verify which systems use this range
# - Check with network administrators
# - Verify no active connections from this range
# Step 3: Delete the range
pim delete datastores range <datastore-uid> <range-uid>
# Step 4: Verify deletion
pim get datastores ranges <datastore-uid>
Options:
--help Show this message and exit.
Delete Masks
The following command shows how to access help for the delete masks command. It also provides examples on how to delete a mask.
Usage: pim delete masks [OPTIONS] UID
Deletes a specific mask by its UID.
EXAMPLES:
# Delete mask by UID
pim delete masks 15
Options:
--help Show this message and exit.
Delete Policies
The following command shows how to access help for the delete policies command. It also provides examples on how to delete a policy, a rule from a policy, or a data element from a policy.
pim delete policies --help
Usage: pim delete policies [OPTIONS] UID
Deletes a policy, a rule from a policy, or a data element from a policy.
EXAMPLES:
# Delete entire policy (removes all rules and deployments)
pim delete policies 15
# Remove specific rule from policy
pim delete policies 15 --rule-uid 23
# Remove all rules for specific data element from policy
pim delete policies 42 --data-element-uid 67
Options:
--rule-uid TEXT UID of the rule to remove.
--data-element-uid TEXT UID of the data element to remove from a policy.
--help Show this message and exit.
Delete Roles
The following command shows how to access help for the delete roles command. It also provides examples on how to delete a role.
Usage: pim delete roles [OPTIONS] COMMAND [ARGS]...
Commands for deleting role resources.
Options:
--help Show this message and exit.
Commands:
members Removes a specific member from a role.
role Permanently deletes a role from the system.
Delete Roles Types
The following commands show how to access help for the delete roles <type> command.
Delete Roles Members
The following command shows how to access help for the delete roles members command. It also provides examples on how to remove a member from a role.
pim delete roles members --help
Usage: pim delete roles members [OPTIONS] ROLE_UID MEMBER_UID
Removes a specific member from a role.
EXAMPLES:
# Remove specific user from role
pim delete roles members 15 42
pim delete roles members <role_uuid> <member_uuid>
Options:
--help Show this message and exit.
Delete Roles Role
The following command shows how to access help for the delete roles role command. It also provides examples on how to remove a role by the UID.
pim delete roles role --help
Usage: pim delete roles role [OPTIONS] UID
Permanently deletes a role from the system.
EXAMPLES:
# Remove specific role
pim delete roles role 15
Options:
--help Show this message and exit.
Delete Sources
The following command shows how to access help for the delete sources command. It also provides examples on how to delete a member source by the UID.
pim delete sources --help
Usage: pim delete sources [OPTIONS] UID
Permanently deletes a source from the system.
EXAMPLES:
# Interactive source deletion with confirmation
pim delete sources 15
Options:
--help Show this message and exit.
Get Commands
The following section lists the get commands.
Main Get Command
The following command shows how to access help for the get command.
Usage: pim get [OPTIONS] COMMAND [ARGS]...
Display one or many resources.
Options:
--help Show this message and exit.
Commands:
alphabets Gets a specific alphabet by UID, or lists all alphabets if no UID is provided.
applications Gets a specific application by UID, or lists all applications if no UID is provided.
dataelements Gets a specific data element by UID, or lists all data elements if no UID is provided.
datastores Commands for getting datastore resources.
deploy List deployment history across all datastores.
health Displays the server health information and status.
log Gets the current log level configuration.
masks Gets a specific mask by UID, or lists all masks if no UID is provided.
policies Gets a specific policy by UID, lists all policies, or lists rules of a policy.
ready Displays the server readiness information and operational status.
roles Commands for getting role resources.
sources Gets source information by UID, lists all sources, or lists source members.
version Displays the server version information.
Get Alphabets
The following command shows how to access help for the get alphabets command. It also provides examples on how to retrieve all the alphabets or a specific alphabet.
Usage: pim get alphabets [OPTIONS] [UID]
Gets a specific alphabet by UID, or lists all alphabets if no UID is
provided.
EXAMPLES:
# List all available alphabets
pim get alphabets
# Get details for a specific alphabet by UID
pim get alphabets 29
Options:
--help Show this message and exit.
Get Applications
The following command shows how to access help for the get applications command. It also provides examples on how to retrieve all trusted applications or a specific trusted application.
pim get applications --help
Usage: pim get applications [OPTIONS] [UID]
Gets a specific application by UID, or lists all applications if no UID is
provided.
EXAMPLES:
# List all available applications
pim get applications
# Get details for a specific application by UID
pim get applications 1
Options:
--help Show this message and exit.
Get Dataelements
The following command shows how to access help for the get dataelements command. It also provides examples on how to retrieve all the data elements or a specific data element.
pim get dataelements --help
Usage: pim get dataelements [OPTIONS] [UID]
Gets a specific data element by UID, or lists all data elements if no UID is
provided.
EXAMPLES:
# List all available data elements
pim get dataelements
# Get details for a specific data element by UID
pim get dataelements 15
Options:
--help Show this message and exit.
Get Datastores
The following command shows how to access help for the get datastores command. It also provides examples on how to retrieve the datastore resources.
pim get datastores --help
Usage: pim get datastores [OPTIONS] COMMAND [ARGS]...
Commands for getting datastore resources.
Options:
--help Show this message and exit.
Commands:
datastore Gets a specific datastore by UID, or lists all datastores if no UID is provided.
keys Gets a specific key by UID, or lists all keys for a datastore.
ranges Gets a specific range by UID, or lists all ranges for a datastore.
Get Datastores Types
The following commands show how to access help for the get datastores <type> command. It also provides examples on how to retrieve specific datastores.
Get Datastores Datastore
The following command shows how to access help for the get datastores datastore command. It also provides examples on how to retrieve all datastores or a specific datastore.
pim get datastores datastore --help
Usage: pim get datastores datastore [OPTIONS] [UID]
Gets a specific datastore by UID, or lists all datastores if no UID is
provided.
Datastores represent the physical or logical storage systems where protected
data is stored. They contain policies, applications, and IP ranges that
define access control.
EXAMPLES:
# List all available datastores
pim get datastores datastore
# Get details for a specific datastore by UID
pim get datastores datastore 15
Options:
--help Show this message and exit.
Get Datastores Keys
The following command shows how to access help for the get datastores keys command. It also provides examples on how to retrieve all keys for a datastore or a specific key.
pim get datastores keys --help
Usage: pim get datastores keys [OPTIONS] DATASTORE_UID
Gets a specific key by UID, or lists all keys for a datastore.
Datastore keys manage encryption and access credentials for secure data
operations. Keys can be export keys for data migration or operational keys
for ongoing protection services. Key management is critical for data
security.
EXAMPLES:
# List all keys for a specific datastore
pim get datastores keys <datastore-uid>
# Get details for a specific key within a datastore
pim get datastores keys 15 --key-uid <key-uid>
WORKFLOW:
# Step 1: List all datastores to find the datastore UID
pim get datastores datastore
# Step 2: List keys for the specific datastore
pim get datastores keys <datastore-uid>
# Step 3: Get specific key details if needed
pim get datastores keys <datastore-uid> --key-uid <key-uid>
Options:
--key-uid TEXT UID of the specific key to get.
--help Show this message and exit.
Get Datastores Ranges
The following command shows how to access help for the get datastores ranges command. It also provides examples on how to retrieve all the IP address ranges for a datastore or a specific range.
pim get datastores ranges --help
Usage: pim get datastores ranges [OPTIONS] DATASTORE_UID
Gets a specific range by UID, or lists all ranges for a datastore.
IP ranges define which network addresses are allowed to access the
datastore. Ranges provide network-level security by restricting datastore
access to specific IP addresses or CIDR blocks.
EXAMPLES:
# List all IP ranges for a specific datastore
pim get datastores ranges 15
# Get details for a specific range within a datastore
pim get datastores ranges 15 --range-uid 1
WORKFLOW:
# Step 1: List all datastores to find the datastore UID
pim get datastores datastore
# Step 2: List ranges for the specific datastore
pim get datastores ranges <datastore-uid>
# Step 3: Get specific range details if needed
pim get datastores ranges <datastore-uid> --range-uid <range-uid>
Options:
--range-uid TEXT UID of the range to get.
--help Show this message and exit.
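Because ranges act as a network allowlist for the datastore, it helps to review the listed values for entries that are wider than intended. The following is an added example, not part of the pim CLI or its documentation: it takes range values as plain strings (the CLI output format is not shown here, so nothing is parsed from it), and the thresholds, sample values, and function name are assumptions made for illustration.

```python
import ipaddress

# Assumed review thresholds for this example (not product defaults).
MIN_PREFIX = {4: 24, 6: 64}

# Constructed sample: range values as an operator might transcribe them
# after running `pim get datastores ranges <datastore-uid>`.
SAMPLE = ["10.20.30.0/24", "10.20.30.17", "10.20.0.5/16",
          "0.0.0.0/0", "2001:db8::/32", "203.0.113.300"]


def audit_ranges(entries):
    """Return sorted (entry, finding) pairs for ranges that need review."""
    findings, parsed = set(), []
    for raw in entries:
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                # Host bits set: 10.20.0.5/16 really means 10.20.0.0/16.
                net = ipaddress.ip_network(text, strict=False)
            except ValueError:
                findings.add((text, "invalid"))
                continue
            findings.add((text, "host-bits"))
        parsed.append((text, net))

    for i, (text, net) in enumerate(parsed):
        if net.prefixlen == 0:
            findings.add((text, "any-address"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.add((text, "broad"))
        for j, (_, other) in enumerate(parsed):
            if i == j or other.version != net.version:
                continue
            # Covered by a wider entry, or an exact duplicate listed earlier.
            if net.subnet_of(other) and (net != other or j < i):
                findings.add((text, "shadowed"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for entry, finding in audit_ranges(SAMPLE):
        print(f"{finding:12} {entry}")
```

A "shadowed" finding means a wider entry already admits that address, so tightening the narrow entry alone changes nothing.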
Get Deploy
The following command shows how to access help for the get deploy command. It also provides examples on how to list the deployment history.
Usage: pim get deploy [OPTIONS]
List deployment history across all datastores.
EXAMPLES:
# List all deployment history
pim get deploy
Options:
--help Show this message and exit.
Get Health
The following command shows how to access help for the get health command. It also provides examples on how to display the server health information.
Usage: pim get health [OPTIONS]
Displays the server health information and status.
EXAMPLES:
# Check current server health status
pim get health
Options:
--help Show this message and exit.
Get Log
The following command shows how to access help for the get log command. It also provides examples on how to retrieve the current log level.
Usage: pim get log [OPTIONS]
Gets the current log level configuration.
EXAMPLES:
# Check current log level setting
pim get log
Options:
--help Show this message and exit.
Get Masks
The following command shows how to access help for the get masks command. It also provides examples on how to retrieve all masks or a specific mask.
Usage: pim get masks [OPTIONS] [UID]
Gets a specific mask by UID, or lists all masks if no UID is provided.
EXAMPLES:
# List all available masks
pim get masks
# Get details for a specific mask by UID
pim get masks 15
Options:
--help Show this message and exit.
Get Policies
The following command shows how to access help for the get policies command. It also provides examples on how to retrieve all policies, a specific policy, or all rules of a policy.
Usage: pim get policies [OPTIONS] [UID]
Gets a specific policy by UID, lists all policies, or lists rules of a
policy.
EXAMPLES:
# List all available policies
pim get policies
# Get details for a specific policy by UID
pim get policies 15
# List all rules within a specific policy
pim get policies 15 --rules
Options:
--rules List rules of the policy.
--help Show this message and exit.
Get Ready
The following command shows how to access help for the get ready command. It also provides examples on how to display the server readiness information.
Usage: pim get ready [OPTIONS]
Displays the server readiness information and operational status.
EXAMPLES:
# Check if server is ready for requests
pim get ready
Options:
--help Show this message and exit.
Get Roles
The following command shows how to access help for the get roles command. It also provides examples on how to retrieve the resources for a role.
Usage: pim get roles [OPTIONS] COMMAND [ARGS]...
Commands for getting role resources.
Options:
--help Show this message and exit.
Commands:
members Lists all members of a specific role.
role Gets a specific role by UID, or lists all roles if no UID is provided.
users Lists users of a specific member in a role.
Get Roles Types
The following commands show how to access help for the get roles <type> command.
Get Roles Members
The following command shows how to access help for the get roles members command. It also provides examples on how to list all members of a role.
pim get roles members --help
Usage: pim get roles members [OPTIONS] ROLE_UID
Lists all members of a specific role.
EXAMPLES:
# List all members of a specific role
pim get roles members 15
Options:
--help Show this message and exit.
Get Roles Role
The following command shows how to access help for the get roles role command. It also provides examples on how to retrieve all roles or a specific role.
pim get roles role --help
Usage: pim get roles role [OPTIONS] [UID]
Gets a specific role by UID, or lists all roles if no UID is provided.
EXAMPLES:
# List all available roles
pim get roles role
# Get details for a specific role by UID
pim get roles role 15
Options:
--help Show this message and exit.
Get Roles Users
The following command shows how to access help for the get roles users command. It also provides examples on how to retrieve users of a specific member in a role.
pim get roles users --help
Usage: pim get roles users [OPTIONS] ROLE_UID MEMBER_UID
Lists users of a specific member in a role.
EXAMPLES:
# List users in a specific group member of a role
pim get roles users 15 23
pim get roles users "<role-uuid>" "<member-uuid>"
Options:
--help Show this message and exit.
Get Sources
The following command shows how to access help for the get sources command. It also provides examples on how to retrieve all sources, a specific source, or members of a source.
Usage: pim get sources [OPTIONS] [UID]
Gets source information by UID, lists all sources, or lists source members.
EXAMPLES:
# List all configured sources
pim get sources
# Get detailed information about a specific source
pim get sources 15
# List all members of a specific source
pim get sources 23 --members
Options:
--members List members of the source.
--help Show this message and exit.
Get Version
The following command shows how to access help for the get version command. It also provides examples on how to display the version information of the server.
Usage: pim get version [OPTIONS]
Displays the server version information.
EXAMPLES:
# Display server version information
pim get version
Options:
--help Show this message and exit.
Set Commands
The following section lists the set commands.
Main Set Command
The following command shows how to access help for the set command.
Usage: pim set [OPTIONS] COMMAND [ARGS]...
Update fields of a resource.
Options:
--help Show this message and exit.
Commands:
log Sets the log level for the PIM server.
Set Log
The following command shows how to access help for the set log command. It also provides examples on how to set the log level.
Usage: pim set log [OPTIONS] {ERROR|WARN|INFO|DEBUG|TRACE}
Sets the log level for the PIM server.
Higher levels include all lower levels (TRACE includes DEBUG, INFO, WARN,
ERROR).
EXAMPLES:
# Enable debug logging for troubleshooting
pim set log DEBUG
Options:
--help Show this message and exit.