Sharing access to servers, databases, workloads and web applications with Keeper
Keeper Vault uses Shared Folders as the access control mechanism for all KeeperPAM-managed resources. These PAM resources can be organized within shared folders in the same way as standard Keeper records.
A significant advantage of the KeeperPAM architecture is that it enables resource access sharing without revealing the actual credentials to users. This zero-knowledge approach maintains security while providing necessary access.
Shared Folders can contain various types of PAM resources:
PAM Machine - For server and endpoint connections
PAM Database - For database system access
PAM Directory - For directory service management
PAM Remote Browser - For secure web application access
PAM User - For service credential management
The share recipient can then initiate a zero-trust privileged session to the target system, without having access to the underlying credentials.
For optimal security through least privilege principles, we suggest maintaining PAM Users in a dedicated shared folder separate from other resources. This separation helps limit access to sensitive underlying credentials.
The recommended configuration includes:
A shared folder for infrastructure components (Machines, Databases, etc.)
A separate shared folder specifically for PAM User credentials
When you utilize Keeper's Quick Start Sandbox or Gateway wizard, this separation happens automatically, establishing the recommended security structure from the beginning.
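The check below is an added example, not Keeper's own code or API: it audits a folder inventory for the separation recommended above, flagging shared folders that hold PAM User records alongside resources and listing which members' folder access reaches PAM User records. The inventory structure, folder names and member names are constructed for illustration and do not represent a Keeper export format.

```python
# Constructed inventory: structure, folder names and members are hypothetical,
# not a Keeper export format. Record type names are the ones listed on this page.
RESOURCE_TYPES = {"PAM Machine", "PAM Database", "PAM Directory", "PAM Remote Browser"}
CREDENTIAL_TYPE = "PAM User"

SAMPLE_FOLDERS = [
    {"name": "Prod Resources", "members": {"alice", "bob", "ops-team"},
     "records": [("web-01", "PAM Machine"), ("orders-db", "PAM Database")]},
    {"name": "Prod Users", "members": {"alice"},
     "records": [("svc-web", "PAM User"), ("svc-db", "PAM User")]},
    {"name": "Legacy", "members": {"bob", "carol"},
     "records": [("jump-01", "PAM Machine"), ("root-jump", "PAM User")]},
]


def audit_folders(folders):
    """Return (mixed_folders, credential_exposure).

    mixed_folders: folders holding PAM User records next to resource records,
    which goes against the recommended two-folder layout.
    credential_exposure: member -> sorted list of folders through which that
    member's access reaches PAM User records.
    """
    mixed, exposure = [], {}
    for folder in folders:
        types = {record_type for _, record_type in folder["records"]}
        if CREDENTIAL_TYPE not in types:
            continue  # resource-only folder: sharing it exposes no PAM User record
        if types & RESOURCE_TYPES:
            mixed.append(folder["name"])
        for member in folder["members"]:
            exposure.setdefault(member, []).append(folder["name"])
    return mixed, {member: sorted(names) for member, names in sorted(exposure.items())}


if __name__ == "__main__":
    mixed, exposure = audit_folders(SAMPLE_FOLDERS)
    print("Folders mixing PAM User with resources:", mixed)
    for member, names in exposure.items():
        print(f"{member} reaches PAM User records via: {names}")
```

In the sample data, members of "Prod Resources" who are not also on a folder containing PAM User records (here `ops-team`) do not appear in the exposure report, which is the outcome the two-folder layout is meant to produce.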
This organizational approach provides several advantages:
Credentials remain protected even when resource access is shared
Administration is streamlined through the familiar Keeper interface
Access permissions can be precisely configured at the folder level
Complete audit trails track all resource access activity
The system integrates seamlessly with existing Keeper workflows
KeeperPAM Sharing and Access Control