PAM User

Record Type Details for PAM User Record Type

Overview

A PAM User is a type of KeeperPAM resource that represents an account credential. The PAM User is typically linked from other resources.

PAM Record Type
Supported Assets

PAM User

Account credential, IAM user, password or SSH Key

What is a PAM User

KeeperPAM User records define a specific account inside another PAM resource. PAM Machines, PAM Databases, PAM Directories and PAM Remote Browser records link to a PAM User.

Features Available

The PAM User resource supports the following features:

  • On-demand and scheduled password rotation

  • PAM Scripts for privilege automation

  • Sharing with time-limited access

Creating a PAM User

Prior to creating a PAM User, make sure you have already created a PAM Configuration and a PAM Resource such as a Machine, Database, Directory or Browser.

To create a PAM User:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "User" for the Target

  • Click "Next" and complete all of the required information.

Creating a PAM User

PAM User Record Type Fields

The following table lists all the configurable fields on the PAM Remote Browser Record Type:

Field
Description
Notes

Login

Username; exact context and format depends on the associated resource. See Note (1) below.

Required Examples: username username@domain DOMAIN\username

Password

Password of the user

Can be rotated

Private PEM Key

PEM Key associated with user

Can be rotated

Distinguished Name

Distinguished name; used if associated with a PAM Directory

Required only when the User is managed by a directory Example: CN=Jeff Smith,OU=Sales,DC=demo,DC=COM

If left blank, defaults are attempted depending on the provider type

Managed User

Flag for accounts that are managed by the AWS or Azure IAM systems

Set by Keeper Discovery to indicate that the password cannot be rotated. For example, AWS token-based auth.

Connect Database

Used in certain scenarios if a database name is needed

Edge cases, e.g. using LDAP to connect to a MySQL database

Note(1)

When connecting to Windows machines that are domain-joined:

  • For domain-joined systems, always use the UPN format (user@domain.local) as it is more modern, DNS-reliant, and avoids NetBIOS issues.

  • Reserve DOMAIN\user for older systems or mixed environments where UPN isn't supported.

Configure rotation settings

On the "Rotation Settings" section of the PAM User vault record, you can configure how credential rotation is managed.

Password Rotation Settings

Field
Description
Required

Rotation Type

Specifies which type of rotation is being performed (and which protocol is utilized).

Required "General", "IAM User" or "Run PAM Scripts Only". See below for details.

PAM Resource

For General rotation type, specifies the PAM Resource record which can provide the necessary privilege. For IAM User rotation type, specifies the PAM Configuration utilizing cloud APIs.

Required only for "General" and "IAM User" rotation types

Rotation Schedule

Rotation can be performed on-demand or on a specific schedule.

For advanced scheduling, see the cron spec.

Password Complexity

Applies to password-based rotations, not PEM keys.

Select "Show More" to control special characters and symbols.

Rotation Type

Keeper supports 3 different types of rotation:

  • General: Uses native protocols for performing the rotation, such as LDAP, Databases, SSH keys, etc.

  • IAM User: Uses the cloud-specific APIs for performing rotation, such as AWS IAM users and Azure managed resources. In this case, only the PAM Configuration is required since it contains the necessary

  • Run PAM scripts only: Skips the standard rotation and only executes the attached PAM Scripts.

The rotation schedule can be set on a specific interval, or using a cron spec.

PAM Resource

To complete the Rotation setup, you need to select a resource, which depends on the rotation type.

For a "General" rotation, the Keeper Gateway uses a native protocol for performing the necessary rotation, and the rotation will be executed on the associated PAM Resource supplied. If necessary, the rotation will use the associated administrative credential on the PAM Resource.

In the example below, a Windows service account password is going to be rotated on the associated Windows Server.

For an "IAM User" rotation type, the Keeper Gateway will use the referenced PAM Configuration to determine which APIs and methods are used to perform the rotation. In the example below, an IAM user in AWS will use the "AWS (US-WEST-1)" configuration.

When using the IAM User rotation method, it is assumed that the Keeper Gateway either inherits its privilege from the instance role policy, or through explicit access keys that are provided on the PAM Configuration record.

In Summary:

  • The PAM User record holds the credential that is being rotated.

  • The Rotation Settings of the PAM User record references a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource where the rotation is performed.

  • The Keeper Gateway uses the Admin Credential associated to the PAM Machine, PAM Database or PAM Directory resource to perform the rotation with native protocols.

  • For AWS and Azure managed resources, Keeper uses Instance Role permission of the Gateway, or specific PAM Configuration secrets to perform the rotation with APIs.

Examples

Below are some examples of PAM User records.

  • Windows Domain Admin

  • Windows Domain User with post-rotation scripts

  • AWS IAM User

  • Database user

  • Azure AD User

PreviousPAM Remote BrowserNextSharing and Access Control

Last updated

Was this helpful?