# Workflow

## Overview

{% hint style="info" %}
Workflow can only be configured on PAM Machine, PAM Database, PAM Directory and PAM Browser records.
{% endhint %}

Workflow helps administrators manage how privileged access is requested, approved, and used, providing flexible JIT approval workflows with the security and oversight needed to control access safely and consistently.

**Key Features:**

* **Multi-Level Approvals** — Approval workflows can require sign-off from multiple approvers or delegated approval authority.
* **Single-User Mode (Check-in / Check-out)** — Only one user can access the resource at a time. Users must check out the resource before use and check it back in when finished. If not returned manually, access is automatically revoked when the time limit is reached.
* **MFA Requirement** — Users must complete multi-factor authentication before access is granted.
* **Access Time Limits** — Access is granted for a defined duration and automatically revoked when the time window expires.
* **Real-Time Notifications** — Approvers receive notifications across all Keeper clients, including desktop, web, and mobile.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

* [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/)
* [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales)
* [Contact Support](https://www.keepersecurity.com/support.html)

In this guide, you will learn how to set up Workflow on PAM Record types in your Keeper Vault.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Prior to configuring Workflow, make sure to have the following:

### Workflow Enforcement Policy

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

The following Enforcement Policies affect users' permissions to configure Workflow settings on PAM Record types and need to be enabled:

<table><thead><tr><th width="196">Enforcement Policy</th><th width="274">Commander Enforcement Policy</th><th>Definition</th></tr></thead><tbody><tr><td>Can manage workflow settings</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_WORKFLOW_SETTINGS
</code></pre></td><td>Allow users to configure Workflow settings on PAM Machine, PAM Directory, PAM Database, and PAM Browser</td></tr></tbody></table>

Workflow Enforcement Policy can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_WORKFLOW_SETTINGS":true
```

### PAM Machine, PAM Database, PAM Directory, PAM Browser

Configuring workflow allows you to manage how privileged access is requested, approved, and used on target endpoints. The target endpoint needs to be defined on one of the following PAM Record types:

<table><thead><tr><th width="215">PAM Record Type</th><th>Target Endpoint type</th></tr></thead><tbody><tr><td><a href="../getting-started/pam-resources/pam-machine">PAM Machine</a></td><td>Windows/MacOS/Linux Machines, EC2 Instances, Azure VMs</td></tr><tr><td><a href="../getting-started/pam-resources/pam-database">PAM Database</a></td><td>MySQL, PostgreSQL, SQL Server, MongoDB, MariaDB, Oracle</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-directory">PAM Directory</a></td><td>Active Directory, OpenLDAP</td></tr><tr><td><a href="https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-remote-browser">PAM Remote Browser</a></td><td>Web-based applications</td></tr></tbody></table>

Depending on your target endpoint, visit the corresponding PAM Record Type page for more information on setup.

## PAM Settings - Configuring Workflow

The workflow settings can be configured by any user with the "Can manage workflow settings" enforcement policy. To configure workflow:

### Navigate to Workflow Settings

On a PAM Machine, PAM Database, PAM Directory, or PAM Browser record, navigate to the Workflow tab on the PAM Settings screen by:

1. Editing the PAM Record Type
2. Clicking on "Edit" in the PAM Settings section
3. Navigating to the "Workflow" section in the prompted window

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FYfocdRo3EVKlaUeGcaY5%2FScreenshot%202026-03-26%20at%203.17.08%E2%80%AFPM.png?alt=media&#x26;token=24dbc08c-a32a-41bf-b93a-f016c31748ea" alt=""><figcaption><p>Setting for Workflow</p></figcaption></figure>

### Configuring Workflow

On the Workflow tab, the following fields can be configured:

<table><thead><tr><th width="233.44140625">Field</th><th>Definition</th></tr></thead><tbody><tr><td>Limit Access Time</td><td>When enabled, restricts when and for how long a resource can be accessed. Administrators can define an access schedule (e.g., Monday–Friday, 8:00 AM–5:00 PM) and a maximum access duration (e.g., 2 hours). Access outside the allowed schedule or beyond the time limit is automatically denied or revoked.<br><br>Note: This is required when enabling Require Approval, Single-User Mode, and MFA</td></tr><tr><td>Require Approval </td><td>When enabled, users must request and receive approval before accessing the resource. The record owner is added as an approver by default. Additional users can be added to the list of approvers. <br><br>Optionally, requiring a justification reason or a ticket/issue number with each request can be enabled. </td></tr><tr><td>Single-User Mode </td><td>When enabled, only one user can check out and use the resource at a time. Access must be checked back in before another user can access it.</td></tr><tr><td>Multi-Factor Authentication (MFA) </td><td>When enabled, users must complete multi-factor authentication before launching a connection or starting a tunnel. The MFA method configured on the user's Keeper account is used.</td></tr></tbody></table>

These options can be used individually or in combination to match your organization's access policies. Common combinations include:

* **Limit Access Time + Require Approval** — The resource can only be accessed during a defined schedule and requires approval before each use.
* **Require Approval + Single-User Mode** — Only one user can access the resource at a time, and approval is required before checking it out.
* **Require Approval + MFA** — Users must receive approval and complete multi-factor authentication before accessing the resource.
* **All Options Enabled** — The resource can only be accessed during a defined schedule, requires approval before use, restricts access to one user at a time, and enforces MFA before launching a connection.

#### Limit Access Time

Limit Access Time allows you to define when a user can access the resource. You can configure a time window for specific days and set how long access is allowed once granted.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F9qA2mNJh833RiRxDN5dL%2Fimage.png?alt=media&#x26;token=af1f5498-0397-4ca3-bde2-9f6619afffd5" alt="" width="526"><figcaption><p>Limit Access Time Settings</p></figcaption></figure>

#### Require Approval

Require Approval allows you to select one or more approvers from a dropdown list. By default, the record owner is added as an approver. Additionally, any user or team that has access to the record can be selected as an approver. You can configure whether access requires approval from one approver or multiple approvers.

You can also require the requester to provide a reason for access and/or an issue number as part of the request.

Additionally, you can choose when the access window begins:

* Upon approval - The access timer starts as soon as the request is approved.
* Upon first connection to the resource - The access timer starts when the user launches their first connection after the request is approved.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FuDPnEqhibJ13zFZx6HUS%2FScreenshot%202026-03-26%20at%203.39.30%E2%80%AFPM%201.png?alt=media&#x26;token=0df0304d-ae73-434b-b479-b89deb44e116" alt="" width="375"><figcaption><p>Manage Approver</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FKW6oOKu5wUcQCQSKdvKq%2FScreenshot%202026-03-26%20at%203.42.41%E2%80%AFPM%201.png?alt=media&#x26;token=3e5175c0-70c8-4cda-8afe-e365f5482817" alt="" width="375"><figcaption><p>Workflow Config with time-limited access and approvers set. </p></figcaption></figure>

#### Single-User Mode

When Single-User Mode is enabled, only one user at a time can be approved to access the resource. Once the resource is checked out, no other user can check it out until that user checks it back in or their access expires.

Approvers also have the option to force check in a resource, immediately revoking the current user's access.

#### Multi-Factor Authentication (MFA)

When **Multi-Factor Authentication (MFA)** is enabled, the user must reauthenticate before launching a connection or starting a tunnel.

## Accessing a Record with Workflow Enabled

When a record with Workflow enabled is shared with another user, the end user experience will vary depending on which workflow settings are configured.

### Single-User Mode

If **Single-User Mode** is enabled, the record will display a **Check Out Record** button. Selecting this option checks out the record to you, enables the **Launch** button, and shows how much time remains before your access expires.

You can also manually check the record back in when you are finished. While the record is checked out, no other user can access it.

<div><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FoEosCEhxdTbPRvkK4ieQ%2FScreenshot%202026-03-26%20at%204.45.51%E2%80%AFPM%201.png?alt=media&#x26;token=66447cb2-66cc-435b-bf9b-88c1a99beda3" alt="" width="375"><figcaption><p>Single-User Checkout Request</p></figcaption></figure> <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FzEixhM3F2slEHZvosBZu%2FScreenshot%202026-03-26%20at%204.43.40%E2%80%AFPM%201.png?alt=media&#x26;token=a400816e-f528-419a-8785-79412896f9c5" alt="" width="375"><figcaption><p>Single-User Check-in </p></figcaption></figure></div>

### Approval Process and Justifications

If the record requires approval, it will display a **Request Access** button.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FEtcQJ1wvutjkDyI54P8g%2FScreenshot%202026-03-26%20at%204.49.28%E2%80%AFPM%201.png?alt=media&#x26;token=5578d8a4-f245-418e-b9c6-d531f71a07bb" alt="" width="375"><figcaption><p>Approval required for check-out</p></figcaption></figure>

After selecting **Request Access**, you may be required to provide a **reason** and/or an **issue number** as part of the request, depending on how Workflow is configured. Once the request is submitted, you can track its status, send a reminder to approvers, or cancel the request.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FK3CXvRqUgLjPsFU30ivw%2FScreenshot%202026-03-26%20at%204.52.14%E2%80%AFPM.png?alt=media&#x26;token=57953929-0023-4d3d-8de8-933a35be06b9" alt=""><figcaption><p>Required reason and ticket number for approval</p></figcaption></figure>

### Notifications

Approvers will receive a notification prompting them to approve or deny the request. If the request is approved, the record status is updated in the requester’s Vault, and the requester is then allowed to launch the connection.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FIiXaqhULmbbNhg5yZRv2%2FScreenshot%202026-03-26%20at%204.55.23%E2%80%AFPM%201.png?alt=media&#x26;token=e9021dd0-5875-4fc1-9219-4d32d6b7e0e3" alt="" width="375"><figcaption><p>Approver Notification</p></figcaption></figure>

If multiple approvers are configured, access is granted based on the approval requirements defined for that record. This may require approval from only one approver or from multiple approvers before access is granted.

## Workflow and Ephemeral Accounts and Privilege Elevation

To achieve full Just-In-Time access and Zero Standing Privilege, combine Workflow with ephemeral accounts and privilege elevation. Together, these features ensure that access is time-bound, approved, and uses temporary credentials and elevated permissions that are automatically removed when the session ends — leaving no persistent access behind.

To get started, visit: [ephemeral-accounts-and-privilege-elevation](https://docs.keeper.io/en/keeperpam/privileged-access-manager/just-in-time-access-jit/ephemeral-accounts-and-privilege-elevation "mention")
