Enforcement Policies
Role-based enforcement policy settings for KeeperPAM

Overview
Role-based Access Controls (RBAC) provide your organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. Prior to proceeding with this guide, familiarize yourself with roles and enforcement policies.
Enable PAM Policies
From the Admin Console, enable the corresponding PAM Enforcement Policies.
Log in to the Keeper Admin Console for your region.
Under Admin > Roles, create a new role for PAM or modify an existing role.
Go to Enforcement Policies and open the "Privileged Access Manager" section.
Enable all the PAM enforcement policies to use the new features.
Privileged Access Manager Policies

Secrets Manager
- Can create applications and manage secrets
  Allow users to create and manage KSM applications
  Enforcement key: ALLOW_SECRETS_MANAGER

Keeper Gateway
- Can create, deploy, and manage Keeper Gateways
  Allow users to create, set up, and manage Keeper Gateways
  Enforcement key: ALLOW_PAM_GATEWAY

Keeper Rotation
- Can configure rotation settings
  Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types
  Enforcement key: ALLOW_CONFIGURE_ROTATION_SETTINGS
- Can rotate credentials
  Allow users to rotate credentials on PAM User Record Types
  Enforcement key: ALLOW_ROTATE_CREDENTIALS

Keeper Connection Manager (KCM)
- Can configure connection settings
  Allow users to configure Connection and Session Recording settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types
  Enforcement key: ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS
- Can launch connections
  Allow users to launch connections on PAM Machine, PAM Directory and PAM Database Record Types
  Enforcement key: ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION
- Can view session recordings
  Allow users to view Session Recordings
  Enforcement key: ALLOW_VIEW_KCM_RECORDINGS

Keeper Tunnels
- Can configure tunnel settings
  Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types
  Enforcement key: ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS
- Can start tunnels
  Allow users to start tunnels on PAM Machine, PAM Directory and PAM Database Record Types
  Enforcement key: ALLOW_LAUNCH_PAM_TUNNELS

Remote Browser Isolation (RBI)
- Can configure remote browsing
  Allow users to configure Remote Browser and Session Recording settings on PAM Remote Browsing and PAM Configuration Record Types
  Enforcement key: ALLOW_CONFIGURE_RBI
- Can launch remote browsing
  Allow users to launch remote browsing on PAM Remote Browsing Record Types
  Enforcement key: ALLOW_LAUNCH_RBI
- Can view RBI session recordings
  Allow users to view RBI Session Recordings
  Enforcement key: ALLOW_VIEW_RBI_RECORDINGS

Discovery
- Can run discovery
  Allow users to run discovery
  Enforcement key: ALLOW_PAM_DISCOVERY

Legacy Policies
These policies are not required moving forward, but they exist to support legacy features.
- Legacy allow rotation
  Allow users to perform password rotation
  Enforcement key: ALLOW_PAM_ROTATION

Commander CLI
The Keeper Commander CLI enterprise-role command can be used to set these policies through automation. The enforcement flags for each PAM-related policy are listed below; each command sets one policy on the role identified by ROLE_ID.
enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"
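The commands above grant every policy to one role. In practice the launch, configure and view policies are usually split across different roles so that an operator who can open a connection cannot also change rotation or recording settings. The following POSIX shell script is an added example, not code from the Keeper documentation or from Commander itself: it maps an assumed profile name ("launcher", "configurator" or "auditor", all three invented here for illustration) to the matching ALLOW_* enforcement keys from the table above and prints one enterprise-role command per key, in the same form as the commands listed. It only generates the commands; logging in to Commander and running them is done separately.

```shell
#!/bin/sh
# Added example (not Keeper's own code): generate Keeper Commander
# enterprise-role commands that apply a least-privilege subset of the PAM
# enforcement policies to a role. The profile names are assumptions made
# for this example; the ALLOW_* keys are the documented enforcement keys.

# Map a profile name to the enforcement keys it should receive.
# "launcher" may only use connections, tunnels and RBI sessions that an
# administrator has already configured; "configurator" may change settings,
# rotate credentials, run discovery and manage gateways; "auditor" may
# only review recordings.
pam_policies_for_profile() {
  case "$1" in
    launcher)
      printf '%s\n' \
        ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION \
        ALLOW_LAUNCH_PAM_TUNNELS \
        ALLOW_LAUNCH_RBI
      ;;
    configurator)
      printf '%s\n' \
        ALLOW_PAM_GATEWAY \
        ALLOW_PAM_DISCOVERY \
        ALLOW_CONFIGURE_ROTATION_SETTINGS \
        ALLOW_ROTATE_CREDENTIALS \
        ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS \
        ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS \
        ALLOW_CONFIGURE_RBI
      ;;
    auditor)
      printf '%s\n' \
        ALLOW_VIEW_KCM_RECORDINGS \
        ALLOW_VIEW_RBI_RECORDINGS
      ;;
    *)
      echo "unknown profile: $1" >&2
      return 1
      ;;
  esac
}

# Emit one enterprise-role command per enforcement key, in the exact form
# documented above, so the output can be pasted into the Commander shell.
# Fails (non-zero exit, nothing printed) on an empty role id or an
# unknown profile rather than producing a partial policy set.
build_enterprise_role_cmds() {
  role_id="$1"
  profile="$2"
  if [ -z "$role_id" ]; then
    echo "role id is required" >&2
    return 1
  fi
  keys=$(pam_policies_for_profile "$profile") || return 1
  for key in $keys; do
    printf 'enterprise-role %s --enforcement "%s:True"\n' "$role_id" "$key"
  done
}

# Usage: sh pam-role-policies.sh ROLE_ID PROFILE
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  build_enterprise_role_cmds "$1" "$2"
fi
```

Running the script with a role id and the "auditor" profile prints only the two recording-view commands; any policy not listed for a profile is simply never granted, which is the point of keeping the profiles explicit rather than enabling everything and trimming later.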

