Ephemeral Accounts and Privilege Elevation

Configure temporary accounts and elevated permissions for zero standing privilege access.

Overview

PAM Machine, PAM Database, and PAM Directory record types can be configured to authenticate sessions using ephemeral accounts. Additionally, ephemeral accounts or existing accounts can be elevated to a specified group or role for the duration of the session. All ephemeral accounts and elevated permissions are automatically removed when the session expires, leaving nothing persistent on the target system to be compromised. This prevents lateral movement using stolen credentials, reduces administrative overhead, and creates clean audit trails.

Ephemeral Accounts

Keeper can create ephemeral accounts on any assigned target resource, such as:

  • Active Directory / LDAP Domain User

  • Windows User

  • Linux User

  • MySQL User

  • PostgreSQL User

  • Microsoft SQL Server User

An ephemeral account is a system-generated, time-limited account created specifically for a session. The Keeper Gateway creates the account on the target system when access is approved and automatically deletes it when the session ends. No persistent account remains on the target system.

Privilege Elevation

Privilege elevation temporarily assigns an ephemeral or existing account to a specified group or role on the target system for the duration of the session. Elevated permissions are automatically revoked when the session ends.

Supported Connection Protocols

  • RDP

  • Database connections (MySQL, PostgreSQL, SQL Server, Oracle, etc.)

  • SSH

  • VNC

In this guide, you will learn how to set up Ephemeral Accounts and Privilege Elevation on PAM record types in your Keeper Vault.

PAM Settings - Configuring Ephemeral Accounts & Privilege Elevation

On a PAM Machine, PAM Database or PAM Directory record type, navigate to the JIT tab on the PAM Settings screen by:

  1. Editing the PAM Record Type

  2. Clicking on "Edit" in the PAM Settings section

  3. Navigating to the "JIT" section in the prompted window

On the JIT tab, the following fields can be configured (field name, followed by its definition):

Administrative Port

The port used for administrative operations such as creating ephemeral accounts. This value is inherited from the Rotation tab and cannot be modified from the JIT tab.

Create Ephemeral Account for connection

When enabled, a system-generated, time-limited account is created for the session. Ephemeral accounts are created using the naming convention keeper_<UID>. The ephemeral account type depends on the record type:

  • PAM Machine: Domain User or Local User (Windows, Linux, or Mac).

  • PAM Database and PAM Directory: the account type is detected automatically.

Elevate account during connection

When enabled, the account used to authenticate the connection (including ephemeral accounts) is temporarily elevated to a specified group or role. Select Group for machines and directory users, or Role for databases. For example, for a local Windows user this might be "Administrators", and for AWS it is the full role ARN (e.g. arn:aws:iam::12345:role/Admin).

Note: The following fields on the record types must be configured in order to fully configure JIT (record type, followed by its JIT required field):

  • PAM Machine: Operating System (accepted values: Windows, Linux, Mac)

  • PAM Database: Database Type

  • PAM Directory: Directory Type

Configuring Elevation for Domain Users

Elevating Ephemeral Domain User to AD Group

When elevating an ephemeral Domain User to an Active Directory group, you must link the PAM Directory record and specify the group name in Distinguished Name (DN) format.

Example: If the group name is RemoteUsers, the DN would be:

If your group name contains spaces, you must enclose the DN in quotes.

Example: If the group name is Remote Users, the DN would be:

Elevating Ephemeral Domain User to Local Group

To elevate to a local group on the machine instead, specify the local group name directly (e.g., RemoteUsers). No DN format is required for local groups.

Elevating Existing Domain User to AD Group

Existing domain users are defined as PAM User records and can be used as the launch credential for targets defined on PAM Machine record types.

To elevate an existing domain user to an Active Directory group:

  1. On the PAM User record, configure the rotation settings and link it to a PAM Directory record.

  2. On the PAM Machine record that uses this PAM User as the launch credential, navigate to the JIT tab and enable Elevate Account During Connection.

  3. Specify the target group in Distinguished Name (DN) format.

The existing user will be temporarily elevated to the specified group in the directory service linked on the PAM User record. Elevation is removed when the session expires.

Ephemeral Account Propagation Delay

When using Domain ephemeral accounts, the Keeper Gateway creates a temporary Active Directory account and waits for it to propagate across Domain Controllers before initiating a session. The default propagation delay is 3 seconds.

In environments with multiple Domain Controllers or high replication latency, the default delay may not be sufficient, resulting in invalid credential errors during connection.

To adjust the propagation delay, set the following environment variable on the Gateway:

KEEPER_GATEWAY_JIT_ACCOUNT_CREATION_LOGIN_DELAY_SECS

This value is specified in seconds. For example, setting it to 10 will cause the Gateway to wait 10 seconds after account creation before attempting to authenticate.

When to use this: If you see invalid credential errors for ephemeral accounts and the Gateway logs show a message like "waiting 3 seconds for ephemeral account [account-name] to propagate before login", increasing this value should resolve the issue.

Configuring Elevation for Database Users

Ephemeral and existing database users can be elevated to a specified role on the database server. On the PAM Database record, navigate to the JIT tab, enable Elevate Account During Connection, select Role, and enter the target role name.

For example, to grant read-only access during a session, specify the readonly role. The user will be assigned the readonly role for the duration of the session, and the role is automatically removed when the session expires.

Troubleshooting: MySQL Ephemeral Users Have No Privileges

In some cases, newly created MySQL users have no privileges. Because KeeperPAM creates ephemeral users dynamically, there is no opportunity to manually grant permissions to each one.

To resolve this, use mandatory roles in MySQL 8+. Mandatory roles are automatically assigned to every user created on the server, ensuring that ephemeral users receive the required permissions without manual intervention.

Setup Steps

Run the following commands as a MySQL admin (e.g. root):

Step 4 is critical. Without it, mandatory roles are assigned but not activated — meaning ephemeral users will still appear to have no permissions when they connect.

Persist Across Restarts

To ensure these settings survive a MySQL restart, add the following to your MySQL configuration file (my.cnf or my.ini):

Adjusting Permissions

To grant read/write access instead of read-only, adjust the privileges on the role:

Or create a separate role:

Verifying the Configuration

You can confirm everything is set correctly by running:
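The following is an added example, not the page's own command listing, that walks the whole procedure above (setup, persistence, adjusting permissions, verification) as one MySQL 8+ script. The readonly role name comes from the page; the readwrite role name is an assumption.

```sql
-- Added example: mandatory-role setup for MySQL 8+ so that dynamically
-- created ephemeral users (keeper_<UID>) get privileges automatically.
-- Run as an administrative account (e.g. root).

-- Step 1: create the role every ephemeral user should receive.
CREATE ROLE IF NOT EXISTS 'readonly';

-- Step 2: grant the role the least privilege a session needs (read-only).
GRANT SELECT ON *.* TO 'readonly';

-- Step 3: make the role mandatory. Mandatory roles are granted implicitly
-- to EVERY account on the server, not only ephemeral ones, so keep the
-- privilege set as narrow as possible.
SET PERSIST mandatory_roles = 'readonly';

-- Step 4 (critical): activate all granted roles at login. Without this the
-- mandatory role is granted but inactive, and ephemeral users still appear
-- to have no privileges when they connect.
SET PERSIST activate_all_roles_on_login = ON;

-- Persistence: SET PERSIST writes both settings to mysqld-auto.cnf so they
-- survive a restart. The equivalent my.cnf / my.ini entries are:
--   [mysqld]
--   mandatory_roles='readonly'
--   activate_all_roles_on_login=ON

-- Adjusting permissions: either widen the existing role in place ...
--   GRANT INSERT, UPDATE, DELETE ON *.* TO 'readonly';
-- ... or keep readonly strict and define a separate read/write role
-- (readwrite is an assumed name), then make that one mandatory instead.
CREATE ROLE IF NOT EXISTS 'readwrite';
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'readwrite';
-- SET PERSIST mandatory_roles = 'readwrite';   -- uncomment to switch

-- Verification: both settings should show the values persisted above.
SELECT @@GLOBAL.mandatory_roles, @@GLOBAL.activate_all_roles_on_login;

-- Verification: the privileges carried by the mandatory role.
SHOW GRANTS FOR 'readonly';

-- From a session authenticated as an ephemeral user, SELECT CURRENT_ROLE();
-- should list the mandatory role, confirming it was activated at login.
```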

Ephemeral Accounts and Privilege Elevation with Workflow and Keeper Connections

Ephemeral accounts and privilege elevation are best used in combination with Workflow and Connections. Workflow adds approval controls, time limits, and accountability to ensure that ephemeral accounts and elevated permissions are only granted with proper authorization. Connections enable users to launch sessions directly to target resources from the vault.

To learn more, visit the following pages:
