# KeeperPAM Commands

## Overview

KeeperPAM functionality, including discovery, password rotation, PAM Configuration and Keeper Gateway configuration, can be controlled and operated through Commander using the `pam` command and its sub-commands.

{% hint style="info" %}
PAM Record types command reference and examples are on [this page](/en/keeperpam/commander-cli/command-reference/record-commands/creating-and-updating-records.md#pam-privileged-access-management-record-types)
{% endhint %}

## pam **Command**

**command:** `pam`

**Detail:** Perform KeeperPAM controls.

```
My Vault> pam
pam command [--options]

Command     Description
----------  -----------------------------------------
gateway     Manage Gateways
config      Manage PAM Configurations
rotation    Manage Rotations
action      Execute action on the Gateway
tunnel      Manage Tunnels
split       Split credentials from legacy PAM Machine
legacy      Switch to legacy PAM commands
connection  Manage Connections
rbi         Manage Remote Browser Isolation
project     PAM Project Import/Export
launch      Launch a connection to a PAM resource
workflow    Manage PAM Workflows
```

**Sub-Commands**

* [gateway](#sub-command-gateway)
* [config](#sub-command-config)
* [rotation](#sub-command-rotation)
* [action](#sub-command-action)
* [tunnel](#sub-command-tunnel)
* [split](#sub-command-split)
* [connection](#sub-command-connection)
* [rbi](#sub-command-rbi)
* [project](#sub-command-project)
* [launch](#sub-command-launch)
* [workflow](#sub-command-workflow)

***

### **Sub-Command: gateway**

**Detail:** View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway [click here](/en/keeperpam/privileged-access-manager/getting-started/gateways.md).

```
My Vault> pam gateway help
pam command [--options]

Command            Description
-----------------  ------------------
list               List Gateways
new                Create new Gateway
edit               Edit Gateway
remove             Remove Gateway
set-max-instances  Set maximum gateway instances
```

#### **list**

Lists all gateways accessible by the Commander user. This includes:

* Gateways directly accessible by the user in their vault.
* Gateways registered under any managed node from the user's role.

{% code overflow="wrap" %}

```
My Vault> pam gateway list -h
usage: pam [-h] [--force] [--verbose] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --force, -f           Force retrieval of gateways
  --verbose, -v         Verbose output
  --format {table,json}
                        Output format (table, json)
```

{% endcode %}

#### **new**

```
My Vault> pam gateway new -h
usage: dr-create-gateway [-h] --name GATEWAY_NAME --application KSM_APP [--token-expires-in-min TOKEN_EXPIRE_IN_MIN]
                         [--return_value] [--config-init {json,b64}]

options:
  -h, --help            show this help message and exit
  --name GATEWAY_NAME, -n GATEWAY_NAME
                        Name of the Gateway
  --application KSM_APP, -a KSM_APP
                        KSM Application name or UID. Use command `sm app list` to view available KSM Applications.
  --token-expires-in-min TOKEN_EXPIRE_IN_MIN, -e TOKEN_EXPIRE_IN_MIN
                        Time for the one time token to expire. Maximum 1440 minutes (24 hrs). Default: 60
  --return_value, -r    Return value from the command for automation purposes
  --config-init {json,b64}, -c {json,b64}
                        Initialize client config and return configuration string.
```

#### edit

Allows updating the gateway's name or registered node. Equivalent actions can be performed in the Admin Console, under Secrets Manager → Gateways.

{% code overflow="wrap" %}

```
My Vault> pam gateway edit -h
usage: pam [-h] [--gateway GATEWAY] [--name GATEWAY_NAME] [--node-id NODE_ID]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway UID or Name
  --name GATEWAY_NAME, -n GATEWAY_NAME
                        Name of the Gateway
  --node-id NODE_ID, -i NODE_ID
                        Node ID
```

{% endcode %}

#### remove

Removes a gateway. The user executing this command must have admin rights on the gateway's parent application to perform this action.

{% code overflow="wrap" %}

```
My Vault> pam gateway remove -h
usage: pam [-h] --gateway GATEWAY

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        UID of the Gateway
```

{% endcode %}

#### set-max-instances

Defines maximum gateway pool instances. Used for [High Availability](/en/keeperpam/privileged-access-manager/getting-started/gateways/scaling-and-high-availability.md) integrations.

{% code overflow="wrap" %}

```
My Vault> pam gateway set-max-instances -h
usage: pam [-h] --gateway GATEWAY --max-instances MAX_INSTANCES

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway UID or Name
  --max-instances MAX_INSTANCES, -m MAX_INSTANCES
                        Maximum number of gateway instances (must be >= 1)
```

{% endcode %}

***

### **Sub-Command: config**

**Detail:** View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations [click here](/en/keeperpam/privileged-access-manager/getting-started/pam-configuration.md).

```
My Vault> pam config help
pam command [--options]

Command    Description
---------  -------------------------------------------------------------
new        Create new PAM Configuration
edit       Edit PAM Configuration
list       List available PAM Configurations associated with the Gateway
remove     Remove a PAM Configuration
```

#### new

```
My Vault> pam config new -h
usage: pam config new [-h] [--environment {local,aws,azure}] [--title TITLE] [--gateway GATEWAY_UID]
                      [--shared-folder SHARED_FOLDER_UID] [--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING]
                      [--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR] [--aws-id AWS_ID]
                      [--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
                      [--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET]
                      [--subscription_id SUBSCRIPTION_ID] [--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUP]
                      [--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
                      [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
                      [--typescript-recording {on,off,default}]

options:
  -h, --help            show this help message and exit
  --environment {local,aws,azure}, -env {local,aws,azure}
                        PAM Configuration Type
  --title TITLE, -t TITLE
                        Title of the PAM Configuration
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID or Name
  --shared-folder SHARED_FOLDER_UID, -sf SHARED_FOLDER_UID
                        Share Folder where this PAM Configuration is stored. Should be one of the folders to which the
                        gateway has access to.
  --schedule DEFAULT_SCHEDULE, -sc DEFAULT_SCHEDULE
                        Default Schedule: Use CRON syntax
  --port-mapping PORT_MAPPING, -pm PORT_MAPPING
                        Port Mapping
  --connections {on,off,default}, -c {on,off,default}
                        Set connections permissions
  --tunneling {on,off,default}, -u {on,off,default}
                        Set tunneling permissions
  --rotation {on,off,default}, -r {on,off,default}
                        Set rotation permissions
  --remote-browser-isolation {on,off,default}, -rbi {on,off,default}
                        Set remote browser isolation permissions
  --connections-recording {on,off,default}, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording {on,off,default}, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource

network:
  Local network configuration

  --network-id NETWORK_ID
                        Network ID
  --network-cidr NETWORK_CIDR
                        Network CIDR

aws:
  AWS configuration

  --aws-id AWS_ID       AWS ID
  --access-key-id ACCESS_KEY_ID
                        Access Key Id
  --access-secret-key ACCESS_SECRET_KEY
                        Access Secret Key
  --region-name REGION_NAMES
                        Region Names

azure:
  Azure configuration

  --azure-id AZURE_ID   Azure Id
  --client-id CLIENT_ID
                        Client Id
  --client-secret CLIENT_SECRET
                        Client Secret
  --subscription_id SUBSCRIPTION_ID
                        Subscription Id
  --tenant-id TENANT_ID
                        Tenant Id
  --resource-group RESOURCE_GROUP
                        Resource Group
```

#### edit

```
My Vault> pam config edit -h
usage: pam config edit [-h] [--environment {local,aws,azure,domain,oci}] [--title TITLE] [--gateway GATEWAY_UID] [--shared-folder SHARED_FOLDER_UID]
                       [--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING] [--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR]
                       [--aws-id AWS_ID] [--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
                       [--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET] [--subscription_id SUBSCRIPTION_ID]
                       [--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUPS] [--domain-id DOMAIN_ID] [--domain-hostname DOMAIN_HOSTNAME]
                       [--domain-port DOMAIN_PORT] [--domain-use-ssl {true,false}] [--domain-scan-dc-cidr {true,false}]
                       [--domain-network-cidr DOMAIN_NETWORK_CIDR] [--domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL] [--oci-id OCI_ID]
                       [--oci-admin-id OCI_ADMIN_ID] [--oci-admin-public-key OCI_ADMIN_PUBLIC_KEY] [--oci-admin-private-key OCI_ADMIN_PRIVATE_KEY]
                       [--oci-tenancy OCI_TENANCY] [--oci-region OCI_REGION] [--remove-resource-record REMOVE_RECORDS]
                       [--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
                       [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
                       [--typescript-recording {on,off,default}]
                       uid

positional arguments:
  uid                   The Config UID to edit

options:
  -h, --help            show this help message and exit
  --environment, -env {local,aws,azure,domain,oci}
                        PAM Configuration Type
  --title, -t TITLE     Title of the PAM Configuration
  --gateway, -g GATEWAY_UID
                        Gateway UID or Name
  --shared-folder, -sf SHARED_FOLDER_UID
                        Share Folder where this PAM Configuration is stored. Should be one of the folders to which the gateway has access to.
  --schedule, -sc DEFAULT_SCHEDULE
                        Default Schedule: Use CRON syntax
  --port-mapping, -pm PORT_MAPPING
                        Port Mapping
  --remove-resource-record, -rrr REMOVE_RECORDS
                        Resource Record UID to remove
  --connections, -c {on,off,default}
                        Set connections permissions
  --tunneling, -u {on,off,default}
                        Set tunneling permissions
  --rotation, -r {on,off,default}
                        Set rotation permissions
  --remote-browser-isolation, -rbi {on,off,default}
                        Set remote browser isolation permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource

network:
  Local network configuration

  --network-id NETWORK_ID
                        Network ID
  --network-cidr NETWORK_CIDR
                        Network CIDR

aws:
  AWS configuration

  --aws-id AWS_ID       AWS ID
  --access-key-id ACCESS_KEY_ID
                        Access Key Id
  --access-secret-key ACCESS_SECRET_KEY
                        Access Secret Key
  --region-name REGION_NAMES
                        Region Names

azure:
  Azure configuration

  --azure-id AZURE_ID   Azure Id
  --client-id CLIENT_ID
                        Client Id
  --client-secret CLIENT_SECRET
                        Client Secret
  --subscription_id SUBSCRIPTION_ID
                        Subscription Id
  --tenant-id TENANT_ID
                        Tenant Id
  --resource-group RESOURCE_GROUPS
                        Resource Group

domain:
  Domain configuration

  --domain-id DOMAIN_ID
                        Domain ID
  --domain-hostname DOMAIN_HOSTNAME
                        Domain hostname
  --domain-port DOMAIN_PORT
                        Domain port
  --domain-use-ssl {true,false}
                        Domain use SSL flag
  --domain-scan-dc-cidr {true,false}
                        Domain scan DC CIDR flag
  --domain-network-cidr DOMAIN_NETWORK_CIDR
                        Domain Network CIDR
  --domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL
                        Domain administrative credential

oci:
  OCI configuration

  --oci-id OCI_ID       OCI ID
  --oci-admin-id OCI_ADMIN_ID
                        OCI Admin ID
  --oci-admin-public-key OCI_ADMIN_PUBLIC_KEY
                        OCI admin public key
  --oci-admin-private-key OCI_ADMIN_PRIVATE_KEY
                        OCI admin private key
  --oci-tenancy OCI_TENANCY
                        OCI tenancy
  --oci-region OCI_REGION
                        OCI region
```

#### list

```
My Vault> pam config list -h
usage: pam config list [-h] [--config PAM_CONFIGURATION] [--verbose] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --config, -c PAM_CONFIGURATION
                        Specific PAM Configuration UID
  --verbose, -v         Verbose
  --format {table,json}
                        Output format (table, json)
```

#### remove

```
My Vault> pam config remove -h
usage: pam config remove [-h] uid

positional arguments:
  uid         PAM Configuration UID. To view all rotation settings with their UIDs, use command `pam config list`

options:
  -h, --help  show this help message and exit
```

***

### Sub-Command: connection

This command edits the connection parameters and the user accounts attached to PAM Machine and PAM Database records. The same changes can be made in bulk with the **run-batch** command. To launch the connection itself, use the Keeper Vault or Desktop app.

**Prerequisites:** Ensure that the PAM User credential and the PAM Machine or PAM Database records are staged in a shared folder, that a gateway is configured, and that everything is tied together in a PAM Configuration.

#### edit

```
usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN] [--launch-user LAUNCH_USER] [--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}] [--connections {on,off,default}]
                           [--connections-recording {on,off,default}] [--typescript-recording {on,off,default}] [--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--key-events {on,off,default}] [--silent]
                           record

positional arguments:
  record                The record UID or path of the PAM resource record with network information to use for connections

options:
  -h, --help            show this help message and exit
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available PAM Configurations.
  --admin-user, -a ADMIN
                        The record path or UID of the PAM User record to configure the admin credential on the PAM Resource
  --launch-user, -lu LAUNCH_USER
                        The record path or UID of the PAM User record to configure as the launch credential on the PAM Resource
  --protocol, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
                        Set connection protocol
  --connections, -cn {on,off,default}
                        Set connections permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource
  --connections-override-port, -cop CONNECTIONS_OVERRIDE_PORT
                        Port to use for connections. If not provided, the port from the record will be used.
  --key-events, -k {on,off,default}
                        Toggle Key Events settings
  --silent, -s          Silent mode - don't print PAM User, PAM Config etc.
```

#### Examples

```
1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw -a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389

2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw -a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s

3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw -a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433
```

**Example 1:** Creates an RDP connection on port 3389 and assigns an administrative credential and PAM Configuration. Activates the connection and screen recording.

**Example 2:** Creates an SSH connection on port 22 and assigns an administrative credential and PAM Configuration. Activates the connection and screen recording, running in silent mode so the PAM User and PAM Config details are not printed.

**Example 3:** Creates an MSSQL connection on port 1433 and assigns an administrative credential and PAM Configuration. Activates the connection and typescript recording.

***

### **Sub-Command: rbi**

This command provides the ability to edit remote browser isolation settings for a record.

#### edit

```
usage: pam rbi edit [-h] --record RECORD [--configuration CONFIG] [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}] [--key-events {on,off,default}] [--allow-url-navigation {on,off,default}]
                    [--ignore-server-cert {on,off,default}] [--allowed-urls ALLOWED_URLS] [--allowed-resource-urls ALLOWED_RESOURCE_URLS] [--autofill-credentials AUTOFILL] [--autofill-targets AUTOFILL_TARGETS]
                    [--allow-copy {on,off,default}] [--allow-paste {on,off,default}] [--disable-audio {on,off,default}] [--audio-channels AUDIO_CHANNELS] [--audio-bit-depth {8,16}] [--audio-sample-rate AUDIO_SAMPLE_RATE] [--silent]

options:
  -h, --help            show this help message and exit
  --record, -r RECORD   The record UID or path of the RBI record.
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available PAM Configurations.
  --remote-browser-isolation, -rbi {on,off,default}
                        Set RBI permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --key-events, -k {on,off,default}
                        Toggle Key Events settings
  --allow-url-navigation, -nav {on,off,default}
                        Allow navigation via direct URL manipulation (on/off/default)
  --ignore-server-cert, -isc {on,off,default}
                        Ignore server certificate errors (on/off/default)
  --allowed-urls, -au ALLOWED_URLS
                        Allowed URL patterns (can specify multiple times)
  --allowed-resource-urls, -aru ALLOWED_RESOURCE_URLS
                        Allowed resource URL patterns (can specify multiple times)
  --autofill-credentials, -a AUTOFILL
                        The record UID or path of the RBI Autofill Credentials record.
  --autofill-targets, -at AUTOFILL_TARGETS
                        Autofill target selectors (can specify multiple times)
  --allow-copy, -cpy {on,off,default}
                        Allow copying to clipboard (on/off/default)
  --allow-paste, -p {on,off,default}
                        Allow pasting from clipboard (on/off/default)
  --disable-audio, -da {on,off,default}
                        Disable audio for RBI sessions (on/off/default)
  --audio-channels, -ac AUDIO_CHANNELS
                        Number of audio channels (e.g., 1 for mono, 2 for stereo)
  --audio-bit-depth, -bd {8,16}
                        Audio bit depth (8 or 16)
  --audio-sample-rate, -sr AUDIO_SAMPLE_RATE
                        Audio sample rate in Hz (e.g., 44100, 48000)
  --silent, -s          Silent mode - don't print PAM User, PAM Config etc.
```

***

### **Sub-Command: rotation**

**Detail:** View and create Keeper Rotation configuration for records.

```
My Vault> pam rotation help
pam command [--options]

Command    Description
---------  -----------------------------------
edit       Edits Record Rotation configuration
list       List Record Rotation configuration
info       Get Rotation Info
script     Add, delete, or edit script field
```

#### edit

```
My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG]
                         [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE] [--schedulejson SCHEDULE_JSON_DATA |
                         --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
                         [--admin-user ADMIN] [--enable | --disable]

options:
  -h, --help            show this help message and exit
  --record, -r RECORD_NAME
                        Record UID, name, or pattern to be rotated manually or via schedule
  --folder, -fd FOLDER_NAME
                        Used for bulk rotation setup. The folder UID or name that holds records to be configured
  --force, -f           Do not ask for confirmation
  --config, -c CONFIG   UID or path of the configuration record.
  --iam-aad-config, -iac IAM_AAD_CONFIG_UID
                        UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
  --resource, -rs RESOURCE
                        UID or path of the resource record.
  --schedulejson, -sj SCHEDULE_JSON_DATA
                        JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY",
                        "intervalCount": 1}'
  --schedulecron, -sc SCHEDULE_CRON_DATA
                        Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17
                        * * *"
  --on-demand, -od      Schedule On Demand
  --schedule-config, -sf
                        Schedule from Configuration
  --schedule-only, -so  Only update the rotation schedule without changing other settings                      
  --complexity, -x PWD_COMPLEXITY
                        Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
  --admin-user, -a ADMIN
                        UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when
                        rotating
  --enable, -e          Enable rotation
  --disable, -d         Disable rotation
```

#### Example - Set the rotation schedule using JSON

The `--schedulejson` (`-sj`) parameter sets the rotation schedule from a JSON object.

Rotate the PAM User record every month, on the 1st, at 4:00AM Chicago time.

```
pam rotation edit -r XXXX -sj '{"type": "MONTHLY_BY_DAY", "monthDay": 1, "time": "04:00", "tz": "America/Chicago"}'
```

Rotate the PAM User record every week on a Saturday, at 10:00PM New York time.

{% code overflow="wrap" %}

```
pam rotation edit -r XXXX -sj '{"type": "WEEKLY", "weekday": "SATURDAY", "time": "22:00", "tz": "America/New_York"}'
```

{% endcode %}

The following are the valid schedule types.

#### ON DEMAND <a href="#on-demand" id="on-demand"></a>

The job is triggered manually on demand.

```
pam rotation edit -r XXXX --on-demand
```

#### DAILY <a href="#daily" id="daily"></a>

The job is triggered every day.

* `type` - DAILY
* `time` - A 24-hour formatted time (HH:MM) at which the job should be triggered.
* `tz` - Your local [IANA](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) time zone (e.g., America/Chicago).
* `intervalCount` - Optional. The number of days between triggers, which allows days to be skipped.

#### WEEKLY <a href="#weekly" id="weekly"></a>

The job is triggered every week.

* `type` - WEEKLY
* `weekday` - Week day name. Must be the full name, all in uppercase.
  * SUNDAY
  * MONDAY
  * TUESDAY
  * WEDNESDAY
  * THURSDAY
  * FRIDAY
  * SATURDAY
* `time` - A 24-hour formatted time (HH:MM) at which the job should be triggered.
* `tz` - Your local [IANA](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) time zone (e.g., America/Chicago).
* `intervalCount` - Optional. If set to a value greater than 1, `weekday` is ignored: the job triggers multiple times per week, starting on Sunday, with the days determined by the value of `intervalCount`.

#### MONTHLY\_BY\_DAY <a href="#monthly_by_day" id="monthly_by_day"></a>

The job is triggered every month on a specific month day.

* `type` - MONTHLY\_BY\_DAY
* `monthDay` - Day of the month. Starts at 1 and goes up to the maximum number of days in the month. Remember that the 29th exists in February only in a leap year.
* `time` - A 24-hour formatted time (HH:MM) at which the job should be triggered.
* `tz` - Your local [IANA](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) time zone (e.g., America/Chicago).
* `intervalCount` - Optional. If set to a value greater than 1, the job triggers on the `monthDay` and then re-triggers every `intervalCount` days.

#### MONTHLY\_BY\_WEEKDAY <a href="#monthly_by_weekday" id="monthly_by_weekday"></a>

The job is triggered every month on a specific week day and time.

* `type` - MONTHLY\_BY\_WEEKDAY
* `weekday` - Week day name. Must be the full name, in all uppercase.
  * SUNDAY
  * MONDAY
  * TUESDAY
  * WEDNESDAY
  * THURSDAY
  * FRIDAY
  * SATURDAY
* `occurrence` - Which week of the month to trigger on. For a fifth week, use `LAST`.
  * FIRST
  * SECOND
  * THIRD
  * FOURTH
  * LAST
* `time` - A 24-hour formatted time (HH:MM) at which the job should be triggered.
* `tz` - Your local [IANA](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) time zone (e.g., America/Chicago).
* `intervalCount` - Optional. If set to a value other than 1, the trigger starts on the `weekday` and then repeats every `intervalCount` weeks.

#### YEARLY <a href="#yearly" id="yearly"></a>

The job is triggered yearly on a specific month, day and time.

* `type` - YEARLY
* `month` - Month name. Must be the full month name, in all uppercase.
  * JANUARY
  * FEBRUARY
  * MARCH
  * APRIL
  * MAY
  * JUNE
  * JULY
  * AUGUST
  * SEPTEMBER
  * OCTOBER
  * NOVEMBER
  * DECEMBER
* `monthDay` - Day of the month. Starts at 1 and goes up to the maximum number of days in the month. Remember that the 29th exists in February only in a leap year.
* `time` - A 24-hour formatted time (HH:MM) at which the job should be triggered.
* `tz` - Your local [IANA](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) time zone (e.g., America/Chicago).
* `intervalCount` - Optional. If set to a value other than 1, the job triggers every `intervalCount` years.
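A schedule object that is malformed (lowercase weekday, a time outside 24-hour range, an unknown time zone) is easy to get wrong when scripting `pam rotation edit -sj`. The following validator, added here as an example and not part of Keeper Commander, checks a schedule against the field rules listed above for each type and then builds the Commander command line; it assumes Python 3.9+ for `zoneinfo` and treats a missing system tz database as "unverified" rather than invalid.

```python
"""Validate a rotation schedule before passing it to `pam rotation edit -sj`.

Added example, not Keeper Commander code; the field rules follow the schedule
types documented above. Requires Python 3.9+ for zoneinfo.
"""
import json
import re
import shlex
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError, available_timezones

WEEKDAYS = ("SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY")
OCCURRENCES = ("FIRST", "SECOND", "THIRD", "FOURTH", "LAST")
MONTHS = ("JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER")

# Required keys per schedule type; `intervalCount` is optional for every type.
REQUIRED = {
    "DAILY": ("time", "tz"),
    "WEEKLY": ("weekday", "time", "tz"),
    "MONTHLY_BY_DAY": ("monthDay", "time", "tz"),
    "MONTHLY_BY_WEEKDAY": ("weekday", "occurrence", "time", "tz"),
    "YEARLY": ("month", "monthDay", "time", "tz"),
}
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")  # 24-hour HH:MM


def validate_schedule(schedule):
    """Return (errors, warnings); the schedule is usable only when errors is empty."""
    errors, warnings = [], []
    stype = schedule.get("type")
    if stype not in REQUIRED:
        return [f"unknown type {stype!r}; expected one of {', '.join(REQUIRED)}"], warnings

    for key in REQUIRED[stype]:
        if key not in schedule:
            errors.append(f"{stype} requires {key!r}")
    for key in schedule:
        if key not in REQUIRED[stype] and key not in ("type", "intervalCount"):
            errors.append(f"{key!r} is not a field of {stype}")

    # Names must be the full word in uppercase, exactly as listed on this page.
    for key, allowed in (("weekday", WEEKDAYS), ("occurrence", OCCURRENCES), ("month", MONTHS)):
        if key in schedule and schedule[key] not in allowed:
            errors.append(f"{key} must be one of {', '.join(allowed)} (got {schedule[key]!r})")

    if "monthDay" in schedule:
        day = schedule["monthDay"]
        if not isinstance(day, int) or not 1 <= day <= 31:
            errors.append("monthDay must be an integer from 1 to 31")
        elif day > 28:
            warnings.append(f"monthDay {day} does not exist in every month (29 only in a leap-year February)")

    if "time" in schedule and not (isinstance(schedule["time"], str) and TIME_RE.match(schedule["time"])):
        errors.append("time must be 24-hour HH:MM")

    if "tz" in schedule:
        try:
            ZoneInfo(schedule["tz"])
        except (ZoneInfoNotFoundError, ValueError, TypeError):
            if available_timezones():
                errors.append(f"tz {schedule['tz']!r} is not an IANA time zone name")
            else:  # no tz database on this host, so the name cannot be checked
                warnings.append("tz database not installed; tz name not verified")

    if "intervalCount" in schedule:
        count = schedule["intervalCount"]
        if not isinstance(count, int) or count < 1:
            errors.append("intervalCount must be a positive integer")
        elif stype == "WEEKLY" and count > 1:
            warnings.append("WEEKLY with intervalCount > 1 ignores weekday")
    return errors, warnings


def rotation_edit_command(record_uid, schedule):
    """Build the Commander command line shown on this page, or raise if the schedule is invalid."""
    errors, _ = validate_schedule(schedule)
    if errors:
        raise ValueError("; ".join(errors))
    return f"pam rotation edit -r {record_uid} -sj {shlex.quote(json.dumps(schedule))}"


if __name__ == "__main__":
    # Constructed sample: the monthly schedule from the example above.
    sample = {"type": "MONTHLY_BY_DAY", "monthDay": 1, "time": "04:00", "tz": "America/Chicago"}
    print(rotation_edit_command("XXXX", sample))
    print(validate_schedule({"type": "WEEKLY", "weekday": "saturday", "time": "22:00", "tz": "America/New_York"}))
```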

#### Example - Set the password complexity for the PAM User

The `--complexity` (`-x`) parameter sets the password complexity.

Set the password complexity to create a 20-character password with a minimum of 1 uppercase letter, 4 lowercase letters, 2 digits, and 2 symbols from the symbol set `.=+-`.

```
pam rotation edit -r XXXX -x 20,1,4,2,2,.=+-
```

The value is a comma-separated list with the following parts:

1. Overall password length
2. Minimum number of uppercase letters.
3. Minimum number of lowercase letters.
4. Minimum number of digits.
5. Minimum number of symbols.
6. Special set. After the last comma, type the special characters you would like to allow. You are limited to symbols from the following set; if this part is left blank, the whole set is used.

   ```
   !@#$%^?();',.=+[]<>{}-_/\\*&:"`~|
   ```
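Because the special set is "everything after the fifth comma" and a comma is itself an allowed symbol, a naive split on every comma mis-parses the value. The parser below, an added example rather than Keeper Commander code, handles that, rejects minimum counts that exceed the length or symbols outside the allowed set, and includes a checker for verifying that a rotated password actually meets the policy; it assumes the escaped backslash in the symbol set above stands for a single literal backslash.

```python
"""Parse and check the `--complexity` value passed to `pam rotation edit -x`.

Added example, not Keeper Commander code; it follows the six-part format
described above.
"""
import string

# Default symbol set from this page. The page shows the backslash escaped for
# markdown; it is assumed here to stand for one literal backslash.
DEFAULT_SYMBOLS = "!@#$%^?();',.=+[]<>{}-_/\\*&:\"`~|"


def parse_complexity(spec):
    """Return the policy as a dict, or raise ValueError for a spec that cannot describe a valid password.

    The spec is split on at most five commas so that a comma inside the special
    set (a comma is itself an allowed symbol) is kept as part of that set.
    """
    parts = spec.split(",", 5)
    if len(parts) < 5:
        raise ValueError("expected length,upper,lower,digits,symbols[,SPECIAL CHARS]")
    try:
        length, upper, lower, digits, symbols = (int(p) for p in parts[:5])
    except ValueError:
        raise ValueError("the first five parts must be integers") from None
    if min(length, upper, lower, digits, symbols) < 0:
        raise ValueError("counts cannot be negative")
    if upper + lower + digits + symbols > length:
        raise ValueError("the minimum counts add up to more than the overall length")
    # An empty sixth part (or none at all) selects the full default symbol set.
    special = parts[5] if len(parts) == 6 and parts[5] else DEFAULT_SYMBOLS
    disallowed = sorted(set(special) - set(DEFAULT_SYMBOLS))
    if disallowed:
        raise ValueError("symbols outside the allowed set: " + "".join(disallowed))
    return {"length": length, "upper": upper, "lower": lower,
            "digits": digits, "symbols": symbols, "special": special}


def meets_policy(password, policy):
    """Return True if a password satisfies the parsed policy.

    Every character must belong to one of the four classes, and each class must
    meet its minimum; this is how you would verify what a rotation produced.
    """
    upper = sum(c in string.ascii_uppercase for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    digits = sum(c in string.digits for c in password)
    symbols = sum(c in policy["special"] for c in password)
    return (len(password) == policy["length"]
            and upper + lower + digits + symbols == len(password)
            and upper >= policy["upper"] and lower >= policy["lower"]
            and digits >= policy["digits"] and symbols >= policy["symbols"])


if __name__ == "__main__":
    # The example from this page: 20 characters, 1 upper, 4 lower, 2 digits, 2 symbols from ".=+-".
    policy = parse_complexity("20,1,4,2,2,.=+-")
    print(policy)
    print(meets_policy("Abcd12.=Abcd12.=Abcd", policy))  # constructed sample password
```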

#### **list**

Display a list of all resources configured for rotation.

```
My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v  Verbose output
```

#### **info**

Display information about the rotation settings for a particular resource.

```
My Vault> pam rotation info --help 
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate
```

#### **script**

Manage post-rotation PAM scripts.

```
My Vault> pam rotation script --help
pam command [--options]

Command    Description
---------  ---------------------------------
list       List script fields
add        List Record Rotation Schedulers
edit       Add, delete, or edit script field
delete     Delete script field
```

***

### **Sub-Command: action**

**Detail:** Discovery, rotation and service account management of PAM Resources

```
My Vault> pam action help
pam command [--options]

Command       Description
------------  ---------------------
gateway-info  Info command
discover      Discover command
rotate        Rotate command
job-info      View Job details
job-cancel    View Job details
service       Manage services and scheduled tasks
debug         PAM debug information
```

#### gateway-info

Display information about the specific Keeper Gateway.

```
My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID
  --verbose, -v         Verbose Output
```

#### discover

Manage discovery jobs.

```
My Vault> pam action discover --help
pam command [--options]

Command    Description
---------  ----------------------------------
start      Start a discovery process
status     Status of discovery jobs
remove     Cancel or remove of discovery jobs
process    Process discovered items
rule       Manage discovery rules
```

#### discover start

Start a discovery job.

```
My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
                                 [--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
                                 [--cred-file CREDENTIAL_FILE]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --resource RESOURCE_UID, -r RESOURCE_UID
                        UID of the resource record. Set to discover specific resource.
  --lang LANGUAGE       Language
  --include-machine-dir-users
                        Include directory users found on the machine.
  --inc-azure-aadds     Include Azure Active Directory Domain Service.
  --skip-rules          Skip running the rule engine.
  --skip-machines       Skip discovering machines.
  --skip-databases      Skip discovering databases.
  --skip-directories    Skip discovering directories.
  --skip-cloud-users    Skip discovering cloud users.
  --cred CREDENTIALS    List resource credentials.
  --cred-file CREDENTIAL_FILE
                        A JSON file containing list of credentials.
```

#### discover status

Display the status of a discovery job

```
My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Show only discovery jobs from a specific gateway.
  --job-id JOB_ID, -j JOB_ID
                        Detailed information for a specific discovery job.
  --history             Show history
```

#### discover remove

Stop a running discovery job

```
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job id.
```

#### discover process

Process the findings of a discovery job

```
My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job to process.
  --add-all             Respond with ADD for all prompts.
  --debug-gs-level DEBUG_LEVEL
                        GraphSync debug level. Default is 0
```

#### discover rule

Manage discovery rules

```
My Vault> pam action discover rule --help
pam command [--options]

Command    Description
---------  --------------
add        Add a rule
list       List all rules
remove     Remove a rule
update     Update a rule
```

#### discover rule add

Add a discovery rule

```
My Vault> pam action discover rule add --help
usage: pam-action-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case]
                                    [--shared-folder-uid SHARED_FOLDER_UID] --statement STATEMENT

options:
  -h, --help            show this help message and exit
  --gateway, -g GATEWAY
                        Gateway name of UID.
  --action, -a {add,ignore,prompt}
                        Action to take if rule matches
  --priority, -p PRIORITY
                        Rule execute priority
  --ignore-case         Ignore value case. Rule value must be in lowercase.
  --shared-folder-uid SHARED_FOLDER_UID
                        Folder to place record.
  --statement, -s STATEMENT
                        Rule statement
```

#### rotate

Issue a credential rotation on the specific resource, folder of resources, or pattern in the resource title. Optionally send an email with a one-time share link through a [configured email provider](/en/keeperpam/commander-cli/command-reference/email-configuration-commands.md).

```
My Vault> pam action rotate --help
usage: pam action rotate [-h] [--record-uid RECORD_UID] [--folder FOLDER] [--dry-run]

options:
  -h, --help            show this help message and exit
  --record-uid, -r RECORD_UID
                        Record UID to rotate
  --folder, -f FOLDER   Shared folder UID or title pattern to rotate
  --dry-run, -n         Enable dry-run mode
  --email-config NAME   Email configuration to use for sending (required with --send-email)
  --send-email EMAIL    Email address to send one-time share link after successful rotation
  --email-message MESSAGE  Custom message to include in notification email
```

#### job-info

Display information about the running job

```
My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running
```

#### job-cancel

Cancel a running job

```
My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running
```

#### service list

Display the services and scheduled tasks associated to a specific Keeper Gateway

```
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
```

#### service add

Add an association for a service to a specific Keeper Gateway and PAM Machine. Once associated, Keeper will update the credentials for that service on the specified PAM Machine and restart the service (if running).

```
My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                              USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to add [service, task]
```

#### service remove

Remove an association for a service on a specific PAM Machine.

```
My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                                 USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to remove [service, task]
```

***

### **Sub-Command: tunnel**

**Detail:** View and create Keeper Tunnels from the local machine to target infrastructure.

```
My Vault> pam tunnel help
pam command [--options]

Command    Description
---------  -------------------------
start      Start Tunnel
list       List all Tunnels
stop       Stop Tunnel to the server
tail       View Tunnel Log
edit       Edit Tunnel settings
```

#### start

Start a tunnel from the local device to the target resource

```
My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid

positional arguments:
  uid                   The Record UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --host HOST, -o HOST  The address on which the server will be accepting connections. It could be an IP address or a
                        hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
  --port PORT, -p PORT  The port number on which the server will be listening for incoming connections. If not set, random
                        open port on the machine will be used.
```

#### list

Display a list of all currently running tunnels

```
My Vault> pam tunnel list -h
usage: pam tunnel list [-h]

options:
  -h, --help  show this help message and exit
```

#### stop

Stop a tunnel that is currently running

```
My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid

positional arguments:
  uid         The Tunnel UID or Record UID

options:
  -h, --help  show this help message and exit
```

#### tail

Display the log output of a running Keeper tunnel

```
My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid

positional arguments:
  uid         The Tunnel UID

options:
  -h, --help  show this help message and exit
```

#### edit

Edit the configuration of an existing Tunnel

```
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT] [--disable-tunneling] [--remove-tunneling-override-port] [--keeper-db-proxy {on,off,default}] record

positional arguments:
  record                The record path or UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for tunneling. Use command `pam config list` to view available PAM Configurations.
  --enable-tunneling, -et
                        Enable tunneling on the record
  --tunneling-override-port, -top TUNNELING_OVERRIDE_PORT
                        Port to use for tunneling. If not provided, the port from the record will be used.
  --disable-tunneling, -dt
                        Disable tunneling on the record
  --remove-tunneling-override-port, -rtop
                        Remove tunneling override port
  --keeper-db-proxy, -kdbp {on,off,default}
                        Enable/disable Keeper Database Proxy for pamDatabase records (on/off/default)
```

***

### **Sub-Command: split**

**Detail:** Split a legacy PAM record into the new KeeperPAM format.

```
My Vault> pam split -h
usage: pam split [-h] [--configuration PAM_CONFIG] [--folder PAM_USER_FOLDER] pam_machine_record

positional arguments:
  pam_machine_record    The record UID or title of the legacy PAM Machine record with built-in PAM User credentials.

options:
  -h, --help            show this help message and exit
  --configuration PAM_CONFIG, -c PAM_CONFIG
                        The PAM Configuration Name or UID - If the legacy record was configured for rotation this command
                        will try to autodetect PAM Configuration settings otherwise you'll be prompted to provide the PAM
                        Config.
  --folder PAM_USER_FOLDER, -f PAM_USER_FOLDER
                        The folder where to store the new PAM User record - folder names/paths are case sensitive!(if skipped
                        - PAM User will be created into the same folder as PAM Machine)
```

***

### **Sub-Command: project**

**Detail:** Create a KeeperPAM project (similar to the [Quick Start Sandbox](/en/keeperpam/privileged-access-manager/quick-start-sandbox.md) from the vault user interface).

The `pam project import` command helps customers (such as MSPs) with thousands of managed companies automate the creation of folders, gateways, machines, users, connections, tunnels and (optionally) rotations.

```
My Vault> pam project import -h
usage: pam project import [-h] [--name PROJECT_NAME] [--filename FILE_NAME] [--dry-run] [--sample-data] [--show-template]
                          [--output {token,base64,json}]

options:
  -h, --help            show this help message and exit
  --name PROJECT_NAME, -n PROJECT_NAME
                        Project name.
  --filename FILE_NAME, -f FILE_NAME
                        File to load import data from.
  --dry-run, -d         Test import without modifying vault.
  --sample-data, -s     Generate sample data.
  --show-template, -t   Print JSON template required for manual import.
  --output {token,base64,json}, -o {token,base64,json}
                        Output format (token: one-time token, config: base64/json)
```

`pam project import --name=project1 --filename=/path/to/import.json --dry-run`

* `--name`, `-n` → Project name *(overrides `"project":""` from JSON)*
* `--filename`, `-f` → JSON file to load import data from.
* `--dry-run`, `-d` → Test import without modifying vault.

**Command Variation: "extend"**

The `pam project extend` command helps customers create additional records after the initial import that will use the same existing PAM Gateway and PAM Configuration.

```
My Vault> pam project extend -h
usage: pam project extend [-h] [--config PAM_CONFIG] [--filename FILE_NAME] [--dry-run]

options:
  -h, --help            show this help message and exit
  --config PAM_CONFIG, -c PAM_CONFIG
                        PAM Configuration record UID or title.
  --filename FILE_NAME, -f FILE_NAME
                        File to load import data from.
  --dry-run, -d         Test import without modifying vault.
```

#### Import/Extend JSON Documentation

* A step-by-step guide to importing Windows Servers as PAM Resources from a basic list of server hostnames can be found at this page: [Importing PAM Resources](/en/keeperpam/privileged-access-manager/references/importing-pam-resources.md)
* A more detailed specification for "pam project import" templates can be found at this [GitHub README Page](https://github.com/Keeper-Security/Commander/blob/master/keepercommander/commands/pam_import/README.md)
* If you require assistance, contact the Commander team (<commander@keepersecurity.com>).

***

### **Sub-Command: launch**

**Detail:** Launch a CLI-based KeeperPAM privileged session. This allows developers to use their preferred native terminal for connecting to a target. When "pam launch" is used, the session activity is recorded and monitored as configured by the resource.

{% code overflow="wrap" %}

```
My Vault> pam launch -h
usage: pam [-h] [--no-trickle-ice] [--credential LAUNCH_CREDENTIAL] [--host CUSTOM_HOST] [--host-record HOST_RECORD] [--stdin] [--normalize-crlf]
           [--scale SCALE]
           record

Launch a connection to a PAM resource

positional arguments:
  record                Record path or UID of the PAM resource to launch

options:
  -h, --help            show this help message and exit
  --no-trickle-ice, -nti
                        Disable trickle ICE for WebRTC connections. By default, trickle ICE is enabled for real-time candidate exchange.
  --credential LAUNCH_CREDENTIAL, -cr LAUNCH_CREDENTIAL
                        Record (UID, path, or title) for launch credentials
  --host CUSTOM_HOST, -H CUSTOM_HOST
                        Host and port in format host:port (e.g. -H=192.168.1.1:22 or -H=[::1]:22 for IPv6). Requires allowSupplyHost. Mutually exclusive
                        with --host-record.
  --host-record HOST_RECORD, -hr HOST_RECORD
                        Record (UID, path, or title) with a host or pamHostname field containing hostName and port. Requires allowSupplyHost. Mutually
                        exclusive with --host.
  --stdin               Send typed input via stdin pipe bytes (pipe/blob/end, kcm-cli style) instead of the default Guacamole key-event mode. Paste and
                        Ctrl+C double-tap behave the same in both modes.
  --normalize-crlf, -n  Normalize decoded Guacamole STDOUT: CRLF to LF and downstream LF cleanup. Use when you see double new lines from the remote. By
                        default we keep raw CR/LF on STDOUT (lower overhead). Alternatively, tune sending double newlines to the remote with environment
                        variable PAM_LAUNCH_CRLF_MERGE_DELAY_MS: [50..500] ms which controls local Enter coalescing (split CRLF across reads).
  --scale SCALE, -s SCALE
                        Scale pixel width/height by this percentage (e.g. 50 = half canvas, 200 = double). Range: [40-400]. Helps when fullscreen TUI
                        programs show garbled layout.
```

{% endcode %}

***

### **Sub-Command: workflow**

**Detail:** Manage Just-In-Time (JIT) privileged access workflows for PAM resources. Workflows enforce approval-based access control with optional check-in/check-out, MFA verification and time-based access windows.

{% hint style="info" %}
Workflow configuration commands (create, update, delete, add-approver, remove-approver) require the **"Can manage workflow settings"** enforcement policy enabled for your role. Users without this enforcement will only see requester and approver commands.
{% endhint %}

{% hint style="info" %}
Users with **edit access** to a record **and** the "Can manage workflow settings" enforcement are exempt from workflow requirements on that record and can access the resource directly.
{% endhint %}

```
My Vault> pam workflow help
pam command [--options]

Command          Description
---------------  ---------------------------------
create           Create workflow configuration
read             Read workflow configuration
update           Update workflow configuration
delete           Delete workflow configuration
add-approver     Add approvers
remove-approver  Remove approvers
pending          Get pending approvals
approve          Approve access request
deny             Deny access request
request          Request or escalate access
start            Start workflow (check-out)
end              End workflow (check-in)
state            Get workflow state
my-access        Get my access state
```

**Sub Commands**

* Configuration
  * create
  * read
  * update
  * delete
  * add-approver
  * remove-approver
* Approver Actions
  * pending
  * approve
  * deny
* Requester Actions
  * request
  * start
  * end
* State Inspection
  * state
  * my-access

***

**create**

Create a workflow configuration for a PAM record. The record owner is automatically added as the first approver.

{% code overflow="wrap" %}

```
My Vault> pam workflow create -h
usage: pam workflow create [-h] [-n APPROVALS_NEEDED] [-co] [-sa] [-rr] [-rt]
                           [-rm] [-d DURATION] [--allowed-days ALLOWED_DAYS]
                           [--time-range TIME_RANGE] [--timezone TIMEZONE]
                           [--format {table,json}]
                           record

positional arguments:
  record                Record UID or name to configure workflow for

options:
  -h, --help            show this help message and exit
  -n APPROVALS_NEEDED, --approvals-needed APPROVALS_NEEDED
                        Number of approvals required (default: 1)
  -co, --checkout       Enable single-user check-in/check-out mode
  -sa, --start-on-approval
                        Start access timer when approved (vs when checked out)
  -rr, --require-reason
                        Require user to provide reason for access
  -rt, --require-ticket
                        Require user to provide ticket number
  -rm, --require-mfa    Require MFA verification for access
  -d DURATION, --duration DURATION
                        Access duration (e.g., "2h", "30m", "1d"). Default: 1d
  --allowed-days ALLOWED_DAYS
                        Comma-separated allowed days (e.g., "mon,tue,wed,thu,fri")
  --time-range TIME_RANGE
                        Allowed time range in HH:MM-HH:MM format (e.g., "09:00-17:00")
  --timezone TIMEZONE   Timezone for allowed times (e.g., "America/New_York")
  --format {table,json}
                        Output format
```

{% endcode %}

**Examples**

Create a basic workflow requiring 1 approval with a 1 day access window:

```
My Vault> pam workflow create "Linux Server Prod"
```

Create a workflow with check-in/check-out, MFA, and reason required:

{% code overflow="wrap" %}

```
My Vault> pam workflow create aB1cD2eF3gH4 -n 2 -co -rm -rr -d 2h
```

{% endcode %}

Create a workflow with temporal access restrictions (weekdays only, business hours):

{% code overflow="wrap" %}

```
My Vault> pam workflow create aB1cD2eF3gH4 --allowed-days mon,tue,wed,thu,fri --time-range 09:00-17:00 --timezone America/New_York
```

{% endcode %}

***

**read**

Display the current workflow configuration for a record, including parameters, approvers and temporal access filters.

```
My Vault> pam workflow read -h
usage: pam workflow read [-h] [--format {table,json}] record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow read "Linux Server Prod"

Workflow Configuration
Record: Linux Server Prod 
Record UID: (aB1cD2eF3gH4)

Access Parameters:
  Approvals needed: 2
  Check-in/out required: No
  Access duration: 1 day
  Timer starts: On check-out

Requirements:
  Reason required: No
  Ticket required: No
  MFA required: No

Approvers (2):
  1. User: admin@company.com
  2. Team: security-team  (RpL1PYhMEh)
```

***

**update**

Update an existing workflow configuration. Only specified fields are changed; unspecified fields retain their current values.

{% code overflow="wrap" %}

```
My Vault> pam workflow update -h
usage: pam workflow update [-h] [-n APPROVALS_NEEDED] [-co CHECKOUT]
                           [-sa START_ON_APPROVAL] [-rr REQUIRE_REASON]
                           [-rt REQUIRE_TICKET] [-rm REQUIRE_MFA]
                           [-d DURATION] [--allowed-days ALLOWED_DAYS]
                           [--time-range TIME_RANGE] [--timezone TIMEZONE]
                           [--format {table,json}]
                           record

positional arguments:
  record                Record UID or name with workflow to update

options:
  -h, --help            show this help message and exit
  -n APPROVALS_NEEDED, --approvals-needed APPROVALS_NEEDED
                        Number of approvals required
  -co CHECKOUT, --checkout CHECKOUT
                        Enable/disable check-in/check-out (true/false)
  -sa START_ON_APPROVAL, --start-on-approval START_ON_APPROVAL
                        Start timer on approval vs check-out (true/false)
  -rr REQUIRE_REASON, --require-reason REQUIRE_REASON
                        Require reason (true/false)
  -rt REQUIRE_TICKET, --require-ticket REQUIRE_TICKET
                        Require ticket (true/false)
  -rm REQUIRE_MFA, --require-mfa REQUIRE_MFA
                        Require MFA (true/false)
  -d DURATION, --duration DURATION
                        Access duration (e.g., "2h", "30m", "1d")
  --allowed-days ALLOWED_DAYS
                        Comma-separated allowed days (e.g., "mon,tue,wed,thu,fri")
  --time-range TIME_RANGE
                        Allowed time range in HH:MM-HH:MM format (e.g., "09:00-17:00")
  --timezone TIMEZONE   Timezone for allowed times (e.g., "America/New_York")
  --format {table,json}
                        Output format
```

{% endcode %}

**Example**

Enable MFA and change the access duration to 4 hours:

```
My Vault> pam workflow update aB1cD2eF3gH4 -rm true -d 4h
```

***

**delete**

Delete the workflow configuration from a record. This removes all workflow requirements for the resource.

```
My Vault> pam workflow delete -h
usage: pam workflow delete [-h] [--format {table,json}] record

positional arguments:
  record                Record UID or name to remove workflow from

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

***

**add-approver**

Add users or teams as approvers to a workflow. Supports escalation approvers with an optional delay timer. Any user with at least **view-only access** to the record can be added as an approver.

{% code overflow="wrap" %}

```
My Vault> pam workflow add-approver -h
usage: pam workflow add-approver [-h] [-u USER] [-t TEAM] [-e]
                                 [-ea ESCALATION_AFTER] [--format {table,json}]
                                 record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  User email to add as approver (can specify multiple times)
  -t TEAM, --team TEAM  Team name or UID to add as approver (can specify multiple times)
  -e, --escalation      Mark as escalation approver
  -ea ESCALATION_AFTER, --escalation-after ESCALATION_AFTER
                        Time before escalating to this approver (e.g., "30m", "1h", "2h").
                        Only meaningful with --escalation
  --format {table,json}
                        Output format
```

{% endcode %}

**Examples**

Add a user and a team as approvers:

```
My Vault> pam workflow add-approver aB1cD2eF3gH4 -u approver@company.com -t "Security Team"
```

Add an escalation approver that is notified after 1 hour:

{% code overflow="wrap" %}

```
My Vault> pam workflow add-approver aB1cD2eF3gH4 -u manager@company.com -e -ea 1h
```

{% endcode %}

***

**remove-approver**

Remove users or teams from a workflow's approver list.

```
My Vault> pam workflow remove-approver -h
usage: pam workflow remove-approver [-h] [-u USER] [-t TEAM]
                                    [--format {table,json}]
                                    record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  User email to remove as approver
  -t TEAM, --team TEAM  Team name or UID to remove as approver
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow remove-approver aB1cD2eF3gH4 -u approver@company.com
```

***

**pending**

List all pending workflow approval requests assigned to the current user. Duplicate entries (when the user is an approver via multiple paths) are automatically filtered.

```
My Vault> pam workflow pending -h
usage: pam workflow pending [-h] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow pending

Pending Approval Requests

  Flow UID        Requester          Resource              Reason     Ticket   Escalated
  --------------  -----------------  --------------------  ---------  -------  ---------
  xY9zA8bC7dE6   user@company.com   Linux Server Prod     Deploying  INC-123  No
```

***

**approve**

Approve a pending workflow access request using the flow UID from the `pending` command.

```
My Vault> pam workflow approve -h
usage: pam workflow approve [-h] [--format {table,json}] flow_uid

positional arguments:
  flow_uid              Flow UID of the workflow to approve

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow approve xY9zA8bC7dE6
```

***

**deny**

Deny a pending workflow access request. An optional reason can be provided which is encrypted with the requester's public key.

```
My Vault> pam workflow deny -h
usage: pam workflow deny [-h] [-r REASON] [--format {table,json}] flow_uid

positional arguments:
  flow_uid              Flow UID of the workflow to deny

options:
  -h, --help            show this help message and exit
  -r REASON, --reason REASON
                        Reason for denial
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow deny xY9zA8bC7dE6 -r "Access not justified for this environment"
```

***

**request**

Request access to a workflow-protected PAM resource. Supports escalation of pending requests and cancellation of active requests.

{% code overflow="wrap" %}

```
My Vault> pam workflow request -h
usage: pam workflow request [-h] [-r REASON] [-t TICKET] [-e] [-c]
                            [--format {table,json}]
                            record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -r REASON, --reason REASON
                        Reason for access request
  -t TICKET, --ticket TICKET
                        External ticket/reference number
  -e, --escalate        Escalate a pending request to escalation approvers
  -c, --cancel          Cancel a pending or active workflow request
  --format {table,json}
                        Output format
```

{% endcode %}

{% hint style="warning" %}
The `--cancel` flag cannot be used with `--escalate`, `--reason`, or `--ticket`.
{% endhint %}

**Examples**

Request access with a reason and ticket number:

```
My Vault> pam workflow request "Linux Server Prod" -r "Emergency deployment" -t "INC-456"
```

Escalate a pending request to escalation approvers:

```
My Vault> pam workflow request "Linux Server Prod" -e
```

Cancel a pending or active request:

```
My Vault> pam workflow request "Linux Server Prod" -c
```

***

**start**

Start a workflow session (check-out). This is required before connecting to the resource when check-in/check-out is enabled. Accepts either a record UID/name or a flow UID.

```
My Vault> pam workflow start -h
usage: pam workflow start [-h] [--format {table,json}] uid

positional arguments:
  uid                   Record UID, record name, or Flow UID

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow start "Linux Server Prod"
```

***

**end**

End a workflow session (check-in). Credentials may be rotated after check-in. The `--force` flag allows approvers to terminate another user's active session when single-user checkout is enabled.

{% code overflow="wrap" %}

```
My Vault> pam workflow end -h
usage: pam workflow end [-h] [-f] [--format {table,json}] uid

positional arguments:
  uid                   Record UID, record name, or Flow UID

options:
  -h, --help            show this help message and exit
  -f, --force           Force check-in: approvers can terminate another user's
                        active session when single-user checkout is enabled.
  --format {table,json}
                        Output format
```

{% endcode %}

**Examples**

End your own workflow session:

```
My Vault> pam workflow end "Linux Server Prod"
```

Force check-in another user's session (approver only):

```
My Vault> pam workflow end aB1cD2eF3gH4 --force
```

***

**state**

View the current workflow state for a record or a specific flow. Use `--record` to query by record, or `--flow-uid` to query a specific workflow instance.

```
My Vault> pam workflow state -h
usage: pam workflow state [-h] (-r RECORD | -f FLOW_UID) [--format {table,json}]

options:
  -h, --help            show this help message and exit
  -r RECORD, --record RECORD
                        Record UID or name
  -f FLOW_UID, --flow-uid FLOW_UID
                        Flow UID of active workflow
  --format {table,json}
                        Output format
```

**Examples**

Check workflow state by record:

```
My Vault> pam workflow state -r "Linux Server Prod"

Workflow State
Record: Linux Server Prod (aB1cD2eF3gH4)

  Stage: Started
  Conditions: Approval, Check-in
  Checked out by: user@company.com
  Started: 2026-02-05 10:30:00
  Expires: 2026-02-05 12:30:00
  Approved by:
    - admin@company.com at 2026-02-05 10:28:00
```

Check workflow state by flow UID:

```
My Vault> pam workflow state -f xY9zA8bC7dE6
```

***

**my-access**

List all active workflow sessions for the current user across all resources.

```
My Vault> pam workflow my-access -h
usage: pam workflow my-access [-h] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format
```

**Example**

```
My Vault> pam workflow my-access

My Active Workflows

  Flow UID        Resource              Stage     Started              Expires
  --------------  --------------------  --------  -------------------  -------------------
  xY9zA8bC7dE6   Linux Server Prod     Started   2026-02-05 10:30:00  2026-02-05 12:30:00
  aB2cD3eF4gH5   Database Staging      Approved  2026-02-05 09:00:00  2026-02-05 17:00:00
```

***

**Single-User Check-In / Check-Out Mode**

When a workflow is created with the `--checkout` (`-co`) flag, the resource operates in **single-user check-in/check-out mode**. This enforces exclusive access - only one user can have the resource checked out at a time.

**How it works:**

* After a request is approved, the user must explicitly **check out** the resource with `pam workflow start` before they can connect via `pam tunnel` or `pam launch`.
* While the resource is checked out, no other user can check it out until the current session ends.
* When the user is done, they **check in** with `pam workflow end`, which releases the resource and may trigger credential rotation.
* If a user's session needs to be terminated, an approver can use `pam workflow end <uid> --force` to forcibly check in the resource.

**Without single-user check-out mode:** After approval, the user must still run `pam workflow start` to begin the access session, unless `--start-on-approval` was set (which starts the access timer automatically upon approval). Multiple users can have concurrent approved access to the same resource.

**Visibility:** When a resource is checked out, the `pam workflow state -r <record>` command shows the **Checked out by** field with the current user's email.

{% hint style="info" %}
Force check-in (`--force`) is only available when single-user checkout is active. It allows approvers to revoke a user's session - for example, if the user is unresponsive or the session has been left open.
{% endhint %}
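As an added example (not Commander's own code), the following Python parses the text that `pam workflow state -r <record>` prints, as shown in the example above, and flags a checked-out session that has run past its `Expires` time, the situation in which an approver would review the session and consider a force check-in. The field names and layout come from the sample output on this page; that the `Checked out by` line is simply absent when nobody holds the checkout is an assumption.

```python
import re
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the workflow state output

# Constructed sample, copied from the `pam workflow state -r` example above.
SAMPLE_STATE = """\
Workflow State
Record: Linux Server Prod (aB1cD2eF3gH4)

  Stage: Started
  Conditions: Approval, Check-in
  Checked out by: user@company.com
  Started: 2026-02-05 10:30:00
  Expires: 2026-02-05 12:30:00
  Approved by:
    - admin@company.com at 2026-02-05 10:28:00
"""

def parse_ts(s):
    return datetime.strptime(s, TS)

def parse_state(text):
    """Parse the human-readable state block into a dict."""
    m = re.search(r"^Record: (.+) \(([^)]+)\)$", text, re.M)
    if not m:
        raise ValueError("no 'Record:' line in workflow state output")
    # Two-space indented "Key: value" lines; "Approved by:" has an empty value.
    fields = dict(re.findall(r"^  ([A-Za-z][A-Za-z ]*): ?(.*)$", text, re.M))
    return {
        "record_name": m.group(1),
        "record_uid": m.group(2),
        "stage": fields.get("Stage", ""),
        "conditions": [c.strip() for c in fields.get("Conditions", "").split(",") if c.strip()],
        # Assumption: the line is absent when nobody holds the checkout.
        "checked_out_by": fields.get("Checked out by") or None,
        "started": parse_ts(fields["Started"]) if fields.get("Started") else None,
        "expires": parse_ts(fields["Expires"]) if fields.get("Expires") else None,
        "approvals": [(who, parse_ts(when)) for who, when in
                      re.findall(r"^    - (\S+) at (\S+ \S+)$", text, re.M)],
    }

def is_checked_out(state):
    """Someone holds the resource under single-user check-out mode."""
    return state["stage"] == "Started" and state["checked_out_by"] is not None

def is_overdue(state, now):
    """Checked out and past Expires: the holder never ran `pam workflow end`."""
    return is_checked_out(state) and state["expires"] is not None and now > state["expires"]
```

An overdue result is the cue for an approver to inspect the session and, if warranted, run `pam workflow end <uid> --force`.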

***

**Typical Workflow Lifecycle**

The following describes a typical end-to-end JIT access workflow:

1. **Administrator** creates a workflow on a PAM record:\
   `pam workflow create "Prod Server" -n 1 -co -rm -d 2h`
2. **Administrator** adds approvers:\
   `pam workflow add-approver "Prod Server" -u approver@company.com`
3. **User** requests access:\
   `pam workflow request "Prod Server" -r "Deploy hotfix" -t "INC-789"`
4. **Approver** reviews pending requests:\
   `pam workflow pending`
5. **Approver** approves the request:\
   `pam workflow approve xY9zA8bC7dE6`
6. **User** checks out the resource:\
   `pam workflow start "Prod Server"`
7. **User** is prompted for MFA (if `--require-mfa` was set), then connects via tunnel or launch:\
   `pam tunnel start "Prod Server"` or `pam launch "Prod Server"`
8. **User** checks in after completing work:\
   `pam workflow end "Prod Server"`
