# Enforcement Policies

## Overview

Role-based Access Controls (RBAC) let your organization define enforcements based on a user's job responsibilities and delegate administrative functions to specific roles. Before proceeding with this guide, familiarize yourself with roles and enforcement policies.

### Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

* Log in to the Keeper Admin Console for your region.
* Under **Admin** > **Roles**, create a new role for PAM or modify an existing role.
* Go to **Enforcement Policies** and open the "**Privileged Access Manager**" section.
* Enable all the [PAM enforcement policies](/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies.md) to use the new features.

## Privileged Access Manager Policies

### Secrets Manager

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can create applications and manage secrets</td><td>Allow users to create and manage KSM application</td><td><pre data-overflow="wrap"><code>ALLOW_SECRETS_MANAGER
</code></pre></td></tr></tbody></table>

### Keeper Gateway

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can create, deploy, and manage Keeper Gateways</td><td>Allow users to create, setup, and manage Keeper Gateways</td><td><pre><code>ALLOW_PAM_GATEWAY
</code></pre></td></tr></tbody></table>

### Keeper Rotation

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure rotation settings</td><td>Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_ROTATION_SETTINGS
</code></pre></td></tr><tr><td>Can rotate credentials</td><td>Allow users to rotate credentials on PAM User Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_ROTATE_CREDENTIALS
</code></pre></td></tr></tbody></table>

### Keeper Connection Manager (KCM)

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure connection settings</td><td>Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS
</code></pre></td></tr><tr><td>Can launch connections</td><td>Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION
</code></pre></td></tr><tr><td>Can view session recordings</td><td>Allow users to view Session Recordings</td><td><pre data-overflow="wrap"><code>ALLOW_VIEW_KCM_RECORDINGS
</code></pre></td></tr></tbody></table>

### Keeper Tunnels

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure tunnel settings</td><td>Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS
</code></pre></td></tr><tr><td>Can start tunnels</td><td>Allow users to start tunnels on PAM Machine, PAM Directory, PAM Database Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_PAM_TUNNELS
</code></pre></td></tr></tbody></table>

### Remote Browser Isolation (RBI)

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure remote browsing</td><td>Allow users to configure Remote Browser and Session Recordings settings on PAM Remote Browsing and Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_RBI
</code></pre></td></tr><tr><td>Can launch remote browsing</td><td>Allow users to launch remote browsing on PAM Remote Browsing Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_RBI
</code></pre></td></tr><tr><td>Can view RBI session recordings</td><td>Allow users to view RBI Session Recordings</td><td><pre data-overflow="wrap"><code>ALLOW_VIEW_RBI_RECORDINGS
</code></pre></td></tr></tbody></table>

### Workflow

<table><thead><tr><th width="213">Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can manage workflow settings</td><td>Allow users to configure Workflow settings on PAM Machine, PAM Directory, PAM Database, and PAM Browser Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_WORKFLOW_SETTINGS
</code></pre></td></tr></tbody></table>

### Discovery

<table><thead><tr><th width="213">Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can run discovery</td><td>Allow users to run discovery</td><td><pre data-overflow="wrap"><code>ALLOW_PAM_DISCOVERY
</code></pre></td></tr></tbody></table>

### Legacy Policies

These policies are no longer required, but they remain available to support legacy features.

<table><thead><tr><th width="213">Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Legacy allow rotation</td><td>Allow users to perform password rotation</td><td><pre data-overflow="wrap"><code>ALLOW_PAM_ROTATION
</code></pre></td></tr></tbody></table>

### Commander CLI

The [Keeper Commander](/en/keeperpam/commander-cli/overview.md) CLI `enterprise-role` command can be used to set these policies through automation. The PAM-related policies are listed below.

```
enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"
```
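As an added example (not Keeper's code) of applying least privilege to the policies above: a small Python model that splits the PAM policies into configure, use, view and admin groups, assigns them to assumed role tiers, flags grants that exceed a tier's scope or rely on the legacy policy, and renders the matching `enterprise-role` commands. The tier names and scope rules are this example's own assumptions; the policy identifiers and command syntax are those documented on this page.

```python
"""Least-privilege tiering of Keeper PAM enforcement policies.
Added example, not Keeper's code. Tier names and scope rules are this
example's own conventions (assumptions); policy identifiers and the
enterprise-role command syntax come from the documentation page."""
from typing import Dict, List, Set

# Policy identifiers grouped by what they let a user do.
CONFIGURE = {  # change settings on PAM records
    "ALLOW_CONFIGURE_ROTATION_SETTINGS",
    "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS",
    "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS",
    "ALLOW_CONFIGURE_RBI",
    "ALLOW_CONFIGURE_WORKFLOW_SETTINGS",
}
USE = {  # act on PAM records with whatever settings are configured
    "ALLOW_ROTATE_CREDENTIALS",
    "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION",
    "ALLOW_LAUNCH_PAM_TUNNELS",
    "ALLOW_LAUNCH_RBI",
}
VIEW = {"ALLOW_VIEW_KCM_RECORDINGS", "ALLOW_VIEW_RBI_RECORDINGS"}
ADMIN = {"ALLOW_SECRETS_MANAGER", "ALLOW_PAM_GATEWAY", "ALLOW_PAM_DISCOVERY"}
LEGACY = {"ALLOW_PAM_ROTATION"}  # only needed for legacy rotation

# Assumed tier model: each tier receives only the groups its duties need.
TIERS: Dict[str, Set[str]] = {
    "pam-admin": ADMIN | CONFIGURE | USE | VIEW,
    "pam-operator": USE,
    "pam-auditor": VIEW,
}


def check_tier(name: str, policies: Set[str]) -> List[str]:
    """Return findings for grants that exceed the tier's intended scope."""
    findings = []
    if name == "pam-auditor" and policies & (ADMIN | CONFIGURE | USE):
        findings.append(f"{name}: audit-only tier holds mutating policies")
    if name == "pam-operator" and policies & (ADMIN | CONFIGURE):
        findings.append(f"{name}: operator tier can alter the settings it uses")
    for policy in sorted(policies & LEGACY):
        findings.append(f"{name}: {policy} is a legacy policy, not required")
    return findings


def commander_lines(role_id: str, policies: Set[str]) -> List[str]:
    """Render one enterprise-role command per policy, in stable order."""
    return [f'enterprise-role {role_id} --enforcement "{p}:True"'
            for p in sorted(policies)]
```

Feed the rendered lines to Commander for each role ID after the findings list comes back empty.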
