# Rotation Rollback

When a General / IAM rotation runs, the gateway attempts to rotate the account's password on the target resource and then runs any post-rotation scripts. If the scripts fail, the gateway does not automatically restore the account password to its initial value.

Rollback can be enabled by using the custom fields outlined below.

### Important Notes

* In some cases, rotation rollback may be impossible. For example, if the target machine disallows the reuse of passwords, attempting to reset a password to its last value would fail.
* The custom fields below can be set on the following records:
  * pamUser
  * pamMachine | pamDirectory | pamDatabase
  * pamConfiguration
* The gateway checks for rollback fields in the order above (user, then resource, then configuration) and uses the first value it finds; a value set on a later record does not overwrite it. This means that if rollback is enabled on a pamUser but disabled on the pamConfiguration, rotation of that user has the feature enabled, while it stays disabled for the other resources of that pamConfiguration.

<table data-full-width="true"><thead><tr><th width="304">Label</th><th width="83">Type</th><th width="101">Default</th><th>Description</th></tr></thead><tbody>
<tr><td><code>Rollback On Private Key Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the private key rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On Password Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the password rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On Post Rotation Fail</code></td><td>Text</td><td><code>FALSE</code></td><td>If the post rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On SaaS Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the SaaS rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Re-run On Post Rotation Fail</code></td><td>Text</td><td><code>FALSE</code></td><td>If the post rotation fails, should the rollback re-run the post rotation script?</td></tr>
<tr><td><code>Reverse Params On Re-run</code></td><td>Text</td><td><code>TRUE</code></td><td>If re-running the post rotation script, should the new and old passwords be switched?</td></tr>
<tr><td><code>Rollback On Service Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the service password rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On Service Restart Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the service cannot be stopped or started, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On Service Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the service is down, should everything be rolled back? This includes cases where the machine is down, the gateway cannot reach it, or the username or password is invalid.</td></tr>
<tr><td><code>Rollback On Task Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the task password rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On Task Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the task is down, should everything be rolled back? This includes cases where the machine is down, the gateway cannot reach it, or the username or password is invalid.</td></tr>
<tr><td><code>Rollback On IIS Pool Fail</code></td><td>Text</td><td><code>TRUE</code></td><td>If the IIS pool password rotation fails, should everything be rolled back?</td></tr>
<tr><td><code>Rollback On IIS Pool Machine Down</code></td><td>Text</td><td><code>FALSE</code></td><td>If the machine running the IIS pool is down, should everything be rolled back? This includes cases where the machine is down, the gateway cannot reach it, or the username or password is invalid.</td></tr>
</tbody></table>
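
The lookup order and defaults above can be modelled to audit which rollback behaviour a given rotation will actually get. This is an added example, not Keeper's code: the function names, the dict representation of custom fields, and case-insensitive `TRUE`/`FALSE` parsing are assumptions, and the sample records are constructed.

```python
# Added example: effective rollback settings under the documented lookup order.
# Labels and defaults are copied from the table; record contents are constructed.
DEFAULTS = {
    "Rollback On Private Key Fail": True,
    "Rollback On Password Fail": True,
    "Rollback On Post Rotation Fail": False,
    "Rollback On SaaS Fail": True,
    "Re-run On Post Rotation Fail": False,
    "Reverse Params On Re-run": True,
    "Rollback On Service Fail": True,
    "Rollback On Service Restart Fail": True,
    "Rollback On Service Machine Down": False,
    "Rollback On Task Fail": True,
    "Rollback On Task Machine Down": False,
    "Rollback On IIS Pool Fail": True,
    "Rollback On IIS Pool Machine Down": False,
}

def parse_flag(text):
    """Assumption: values are the text TRUE/FALSE, compared case-insensitively."""
    value = text.strip().upper()
    if value not in ("TRUE", "FALSE"):
        # Reject anything else so a typo in a field shows up during the audit.
        raise ValueError(f"not TRUE/FALSE: {text!r}")
    return value == "TRUE"

def effective_settings(user, resource, configuration):
    """Return {label: (value, source)}, checking user, then resource, then configuration."""
    ordered = (("pamUser", user), ("resource", resource),
               ("pamConfiguration", configuration))
    result = {}
    for label, default in DEFAULTS.items():
        result[label] = (default, "default")
        for source, fields in ordered:
            if label in fields:  # first record that sets the field wins
                result[label] = (parse_flag(fields[label]), source)
                break
    return result

# Constructed sample records: custom fields as {label: text value}.
USER = {"Rollback On Post Rotation Fail": "TRUE"}
MACHINE = {"Rollback On Service Machine Down": "true"}
CONFIG = {"Rollback On Post Rotation Fail": "FALSE",
          "Rollback On Password Fail": "FALSE"}

if __name__ == "__main__":
    for label, (value, source) in effective_settings(USER, MACHINE, CONFIG).items():
        print(f"{label:36} {str(value).upper():6} ({source})")
```

Passing an empty dict for the user shows what every other account under the same pamConfiguration receives.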

