PAM Extended Commands

The pam extended command group provides advanced management of PAM rotation schedules and discovery rules directly from Commander. These operations complement the web vault UI for automation, scripting, and CI/CD pipelines.

To get help on a particular subcommand, run:

pam extended schedule help
pam extended rule help

Command Reference

Schedule commands

Command

Description

pam extended schedule list

List all PAM rotation schedules visible to the authenticated user

pam extended schedule set

Create or update a rotation schedule for a PAM record

pam extended schedule delete

Remove a rotation schedule from a PAM record

Rule commands

Command

Description

pam extended rule list

List discovery rules associated with a PAM configuration

pam extended rule add

Add a new discovery rule to a PAM configuration

pam extended rule delete

Delete a discovery rule from a PAM configuration

pam extended schedule list

Lists all PAM rotation schedules the authenticated user can see. Optionally filter by PAM configuration UID.

Syntax

pam extended schedule list [--config-uid <uid>] [--format table|json]

Options

Option

Description

--config-uid <uid>

Filter results to a specific PAM configuration UID

--format table|json

Output format. Default: table

Example — list all schedules

My Vault> pam extended schedule list
  a1b2c3d4e5f6...  cron=0 3 * * *
  f6e5d4c3b2a1...  cron=0 */6 * * *

Example — JSON output

My Vault> pam extended schedule list --format json
[
  {
    "record_uid": "a1b2c3d4e5f6...",
    "no_schedule": false,
    "schedule": { "type": "cron", "cron": "0 3 * * *" }
  }
]

pam extended schedule set

Creates or updates a rotation schedule for a PAM record. The schedule is stored as a JSON cron expression inside PAMRotationSchedule.scheduleData and takes effect at the next rotation window.

Syntax

pam extended schedule set <uid_ref> --cron <expression> [--config-uid <uid>] [--notify <email> ...]

Parameters

Parameter

Required

Description

<uid_ref>

Yes

UID of the PAM record to schedule

--cron <expression>

Yes

5-field cron expression (minute hour day month weekday)

--config-uid <uid>

Associate schedule with a specific PAM configuration

--notify <email>

Email address to notify when the schedule fires. Repeatable.

Cron expression format

Keeper uses standard 5-field cron syntax:

┌───────────── minute (0–59)
│ ┌───────────── hour (0–23)
│ │ ┌───────────── day of month (1–31)
│ │ │ ┌───────────── month (1–12)
│ │ │ │ ┌───────────── day of week (0–7, 0 and 7 = Sunday)
│ │ │ │ │
* * * * *

Examples

Rotate every day at 03:00 UTC:

My Vault> pam extended schedule set a1b2c3d4 --cron "0 3 * * *"
Rotation schedule set for a1b2c3d4 (cron: 0 3 * * *)

Rotate every 6 hours and notify two recipients:

My Vault> pam extended schedule set a1b2c3d4 --cron "0 */6 * * *" \
    --notify [email protected] --notify [email protected]

Rotate at 02:30 on Mondays, scoped to a specific config:

My Vault> pam extended schedule set a1b2c3d4 \
    --cron "30 2 * * 1" \
    --config-uid f6e5d4c3

pam extended schedule delete

Removes the rotation schedule from a PAM record by setting noSchedule=True. The record will no longer be rotated on a schedule; it can still be rotated manually.

Syntax

pam extended schedule delete <uid_ref>

Parameters

Parameter

Required

Description

<uid_ref>

Yes

UID of the PAM record whose schedule should be removed

Example

My Vault> pam extended schedule delete a1b2c3d4
Rotation schedule removed for a1b2c3d4

pam extended rule list

Lists the discovery rules associated with a PAM configuration. Rules are stored in the PAM DAG under the DISCOVERY_RULES graph node.

Syntax

pam extended rule list --config-uid <uid> [--format table|json]

Parameters

Parameter

Required

Description

--config-uid <uid>

Yes

UID of the PAM configuration to query

--format table|json

Output format. Default: table

Example

My Vault> pam extended rule list --config-uid f6e5d4c3
  3a4b5c6d...  name=web-tier  type=machine  cidr=10.0.1.0/24
  7e8f9a0b...  name=db-tier   type=database cidr=10.0.2.0/24

pam extended rule add

Adds a new discovery rule to a PAM configuration. The rule is written to the PAM DAG via a PAMModifyRequest ADD operation on PAMElementData.

Syntax

pam extended rule add <name> --cidr <range> --config-uid <uid> \
    [--type machine|user|database] [--protocol ssh|rdp|database] \
    [--credential-uid <uid>]

Parameters

Parameter

Required

Description

<name>

Yes

Human-readable name for the rule

--cidr <range>

Yes

Target IP range in CIDR notation (e.g. 10.0.1.0/24)

--config-uid <uid>

Yes

UID of the PAM configuration to attach the rule to

--type

Target type: machine (default), user, or database

--protocol

Connection protocol: ssh (default), rdp, or database

--credential-uid <uid>

UID of a credential record to associate with the rule

Examples

Add a machine discovery rule for the web tier:

My Vault> pam extended rule add web-tier \
    --cidr 10.0.1.0/24 \
    --config-uid f6e5d4c3 \
    --type machine \
    --protocol ssh
Discovery rule 'web-tier' added to config f6e5d4c3

Add a database discovery rule with a linked credential:

My Vault> pam extended rule add db-prod \
    --cidr 10.0.2.0/24 \
    --config-uid f6e5d4c3 \
    --type database \
    --protocol database \
    --credential-uid 9a8b7c6d

pam extended rule delete

Deletes a discovery rule from a PAM configuration by its element UID (returned by pam extended rule list). The deletion is applied via a PAMModifyRequest DELETE operation.

Syntax

pam extended rule delete <uid> --config-uid <uid>

Parameters

Parameter

Required

Description

<uid>

Yes

Hex UID of the discovery rule element to delete

--config-uid <uid>

Yes

UID of the PAM configuration the rule belongs to

Example

My Vault> pam extended rule delete 3a4b5c6d7e8f9a0b --config-uid f6e5d4c3
Discovery rule 3a4b5c6d7e8f9a0b deleted from config f6e5d4c3

Notes

All pam extended commands require an active enterprise admin session.
Record and configuration UIDs can be found using pam config list or pam project list.
Schedule changes take effect at the next rotation window evaluated by the PAM gateway; there is no forced immediate rotation.
Discovery rules added via pam extended rule add are evaluated by the PAM gateway during the next discovery cycle. Existing discovered records are not affected retroactively.
Use --format json with any list command to pipe output into scripts or other tools.

PreviousKeeperPAM Commands NextPAM Launch JIT

Last updated 5 days ago

Was this helpful?

hashtagPAM Extended Commands

hashtagCommand Reference

hashtagSchedule commands

hashtagRule commands

hashtagpam extended schedule list

hashtagpam extended schedule set

hashtagpam extended schedule delete

hashtagpam extended rule list

hashtagpam extended rule add

hashtagpam extended rule delete

hashtagNotes