Post-Rotation Scripts
Perform privileged automation tasks with Post-Rotation scripts and password rotation

Overview
Post-rotation scripts (PAM Scripts) are user-defined software programs that can perform privilege automation tasks. Scripts can be attached to any PAM resource record in the vault. Depending on the PAM record the script is attached to, the script will execute either on the Keeper Gateway or on the remote host where password rotation occurred.
The following table shows all the available PAM Records and where the attached script will execute:
PAM Record: Where the attached script executes
PAM Configuration: Gateway
PAM Machine: The Machine specified in the record
PAM Database: Gateway
PAM Directory: Gateway
PAM User: Gateway
Rotation Options
When setting up rotation on a record, you can select from one of the following methods:
General
IAM User
Run PAM scripts only

When the "General" or "IAM User" methods are selected, Keeper will attempt to rotate the credentials using built-in capabilities based on the information stored in the record.
When the "Run PAM scripts only" option is selected, Keeper will skip the default rotation task and immediately run the attached PAM scripts instead.
Order of Execution
Scripts will be executed in the following order:
1. Scripts attached to PAM User records
2. Scripts attached to PAM Machine, PAM Database, or PAM Directory Record types
3. Scripts attached to PAM Configuration Record types
If multiple scripts are attached to a record, scripts will be executed in the order they appear on the PAM Record.
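The rules above (execution location, rotation method, and order of execution) combined into one execution plan, as an added example that is not Keeper's code. The Record class, script names, and host name are hypothetical, and keeping input order for records in the same phase is an assumption. Reviewing a plan like this shows which attached scripts run on the Gateway and which run on a target machine.

```python
from dataclasses import dataclass, field

# Execution phase per record type, from "Order of Execution" on this page.
PHASE = {"PAM User": 0, "PAM Machine": 1, "PAM Database": 1,
         "PAM Directory": 1, "PAM Configuration": 2}
METHODS = ("General", "IAM User", "Run PAM scripts only")

@dataclass
class Record:  # hypothetical model of a vault record, not Keeper's schema
    record_type: str
    host: str = ""  # target machine; only used for PAM Machine
    scripts: list = field(default_factory=list)  # order shown on the record

def location(rec):
    """Where a script attached to this record executes (table on this page)."""
    if rec.record_type not in PHASE:
        raise ValueError(f"unknown record type: {rec.record_type}")
    if rec.record_type != "PAM Machine":
        return "Gateway"
    if not rec.host:
        raise ValueError("PAM Machine record has no machine specified")
    return rec.host

def plan_rotation(method, records):
    """Return ordered (kind, name, location) steps for one rotation."""
    if method not in METHODS:
        raise ValueError(f"unknown rotation method: {method}")
    steps = []
    if method != "Run PAM scripts only":  # scripts-only skips built-in rotation
        steps.append(("rotate", method, None))
    located = [(rec, location(rec)) for rec in records]  # validate first
    # sorted() is stable: records in the same phase keep input order (assumption)
    for rec, where in sorted(located, key=lambda p: PHASE[p[0].record_type]):
        steps += [("script", name, where) for name in rec.scripts]
    return steps

def remote_scripts(steps):
    """Scripts that leave the Gateway and run on a target machine."""
    return [(n, w) for k, n, w in steps if k == "script" and w != "Gateway"]

# Constructed sample: script names and host are made up for illustration.
SAMPLE = [
    Record("PAM Configuration", scripts=["notify-team.sh"]),
    Record("PAM Machine", host="app01.example.internal",
           scripts=["restart-service.sh", "verify-login.sh"]),
    Record("PAM User", scripts=["update-app-config.py"]),
]

if __name__ == "__main__":
    for step in plan_rotation("Run PAM scripts only", SAMPLE):
        print(step)
```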
Common Use Cases
Here are some of the use cases made possible with Keeper Post-Rotation Scripts:
Custom rotation scripts for any type of target
Revoking access to a resource
Sending notifications to team members
Propagating the password change to other systems
Any other custom privilege automation task