Just-In-Time Workflow

Overview

KeeperPAM Workflow enforces just-in-time access for privileged resources. It reduces standing privilege and supports zero standing privilege across target infrastructure.

Workflow controls approvals, access windows, and check-in and check-out for protected resources in the Keeper Vault. It is available for any privileged resource protected in the Keeper Vault.

Key Features

• Multi-Level Approvals — Require sign-off from multiple approvers or delegate approval authority as needed.

• Single-User Mode (Check-in / Check-out) — Restricts access to one user at a time. Users check out the resource before use and check it back in when finished. Access is automatically revoked when the time limit expires.

• MFA Requirement — Requires users to complete multi-factor authentication before access is granted.

• Access Time Limits — Grants access for a defined duration and automatically revokes it when the time window expires.

• Real-Time Notifications — Notifies approvers instantly across all Keeper clients, including desktop, web, and mobile.

Getting Started

Before you begin:

• Use an active KeeperPAM trial or subscription

• Enable the Workflow role enforcement policy in the Admin Console

Role Enforcement Policy

To let users configure Workflow on PAM record types, enable Can manage workflow settings under Admin Console → Roles → Enforcement Policies → Privileged Access Manager:

You can also enable the policy with the Keeper Commander CLI:

Configure Workflow

Users with Can manage workflow settings can configure Workflow on PAM records.

To configure Workflow:

1. Open a PAM machine, database, directory, or browser record.

2. In PAM Settings, click Edit.

3. Open the Workflow section in the dialog.