Enforcement Policies

Role-based enforcement policy settings for KeeperPAM

Overview

Role-based Access Controls (RBAC) provide your organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. Prior to proceeding with this guide, familiarize yourself with roles and enforcement policies.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

  • Login to the Keeper Admin Console for your region.

  • Under Admin > Roles, create a new role for PAM or modify an existing role.

  • Go to Enforcement Policies and open the "Privileged Access Manager" section.

  • Enable all the PAM enforcement policies to use the new features.

Privileged Access Manager Policies

Secrets Manager

Policy
Definition
Commander CLI

Can create applications and manage secrets

Allow users to create and manage KSM application

ALLOW_SECRETS_MANAGER

Keeper Gateway

Policy
Definition
Commander CLI

Can create, deploy, and manage Keeper Gateways

Allow users to create, setup, and manage Keeper Gateways

ALLOW_PAM_GATEWAY

Keeper Rotation

Policy
Definition
Commander CLI

Can configure rotation settings

Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types

ALLOW_CONFIGURE_ROTATION_SETTINGS

Can rotate credentials

Allow users to rotate credentials on PAM User Record Types

ALLOW_ROTATE_CREDENTIALS

Keeper Connection Manager (KCM)

Policy
Definition
Commander CLI

Can configure connection and session recording

Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS

Can launch connections

Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION

Can view session recordings

Allow users to view Session Recordings

ALLOW_VIEW_KCM_RECORDINGS

Keeper Tunnels

Policy
Definition
Commander CLI

Can configure tunnel settings

Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types

ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS

Can start tunnels

Allow users to start tunnels on PAM Machine, PAM Directory, PAM Database Record Types

ALLOW_LAUNCH_PAM_TUNNELS

Remote Browser Isolation (RBI)

Policy
Definition
Commander CLI

Can configure remote browsing and session recording

Allow users to configure Remote Browser and Session Recordings settings on PAM Remote Browsing and Configuration Record Types

ALLOW_CONFIGURE_RBI

Can launch remote browsing

Allow users to launch remote browsing on PAM Remote Browsing Record Types

ALLOW_LAUNCH_RBI

Can view RBI session recordings

Allow users to view RBI Session Recordings

ALLOW_VIEW_RBI_RECORDINGS

Discovery

Discovery is currently only available on Keeper Commander. The UI is coming soon.

Policy
Definition
Commander CLI

Can run discovery

Allow users to run discovery 

ALLOW_PAM_DISCOVERY

Legacy Policies

These policies are not required moving forward, but they exist for support of legacy features.

Policy
Definition
Commander CLI

Legacy allow rotation

Allow users to perform password rotation 

ALLOW_PAM_ROTATION

Commander CLI

The Keeper Commander CLI enterprise-role command can be used to set these policies through automation. The list of policies related to PAM functionality is listed below.

enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"

PreviousKeeperPAM LicensingNextVault Structure

Last updated

Was this helpful?