# Post-Rotation Scripts

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F1IIpWqyy3YBRyPlZ8uSs%2FPost-Rotation%20Scripts.jpg?alt=media&#x26;token=aeafb80f-c4ef-4d72-8394-bea06da0c329" alt=""><figcaption></figcaption></figure>

## Overview

Post-rotation scripts (PAM Scripts) are user-defined software programs that can perform privilege automation tasks. Scripts can be attached to any PAM resource records in the vault. Depending on the PAM record the script is attached to, the script will execute either on the Keeper Gateway, or the remote host where password rotation occurred.

The following table shows all the available PAM Records and where the attached script will execute:

<table><thead><tr><th width="271">Record Type</th><th>Attached Post Execution Script will execute on</th></tr></thead><tbody><tr><td>PAM Configuration</td><td>Gateway</td></tr><tr><td>PAM Machine</td><td>The Machine specified in the record</td></tr><tr><td>PAM Database</td><td>Gateway</td></tr><tr><td>PAM Directory</td><td>Gateway</td></tr><tr><td>PAM User</td><td>Gateway</td></tr></tbody></table>

### Rotation Options on PAM User Records

When setting up rotation on a record on a PAM User record, you can select from one of the following methods:

* General
* IAM User
* Run PAM scripts only

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTPj7yEYRzOmWBGlJkkKG%2FScreenshot%202025-02-09%20at%202.15.24%E2%80%AFPM.png?alt=media&#x26;token=2626efe8-c87a-46b1-b78c-b45e3ead532f" alt=""><figcaption></figcaption></figure>

When the "General" or "IAM User" methods are selected, Keeper will attempt to rotate the credentials using built-in capabilities based on the information stored in the record.

When the "Run PAM scripts only" option is selected, Keeper will skip the default rotation task and immediately run the attached PAM scripts on the gateway.&#x20;

### Order of Execution

Scripts will be executed in the following order:

1. Scripts attached on PAM User records
2. Scripts attached on PAM Machine, PAM Database, or PAM Directory Record types
3. Scripts attached on PAM Configuration Record types&#x20;

If multiple scripts are attached to a record, scripts will be executed in the order they appear on the PAM Record.

### Common Use Cases

Here are some of the use cases made possible with Keeper Post-Rotation Scripts:

* Custom rotation scripts for any type of target
* Revoking access to a resource
* Sending notifications to team members
* Propagating the password change to other systems
* Any other custom privilege automation task

### Documentation included

* [Inputs and outputs](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/post-rotation-scripts/parameters)
* [Attaching scripts](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/post-rotation-scripts/attaching-post-rotation-scripts-to-records)
* [Code Examples](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/post-rotation-scripts/accessing-parameters)