SaaS Rotation via Commander

Performing SaaS Rotation using the Commander CLI

Overview

This guide covers how to configure, manage, and execute SaaS rotation through Keeper Commander.

Configuring SaaS Rotation

Step 1: Create a SaaS Configuration Record

SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.

Using Keeper Commander CLI

The fastest way to create a SaaS configuration is using the Commander CLI pam action saas config command:

# Login to your vault
keeper shell

# List available SaaS types for your gateway
pam action saas config --gateway "My Gateway" --list

# Create a new SaaS configuration (example for Okta)
pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create

The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.

You can also just create a Login record with custom fields as defined below.

Step 2: Associate SaaS Rotation with PAM Users

Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.

Create the PAM User record either in the vault, or using the Commander CLI
Add rotation settings to the PAM User (Rotation Profile: Run PAM scripts only, use Profile: General only if plugin needs a Resource)
Using Commander, run the below commands to create the association:

# Add SaaS rotation to a user
pam action saas set --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

# Optionally attach to a specific resource
pam action saas set --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID

Step 3: Verify Configuration

Check that your SaaS rotation is properly configured on the PAM User record:

# View all SaaS rotations for the PAM User
pam action saas user -u USER_RECORD_UID

This will display all configured SaaS rotations for the specified PAM User, including their current settings.

Running SaaS Rotations

To perform the rotation from the Commander CLI, use the pam action rotate command:

pam action rotate -r USER_RECORD_UID

Managing SaaS Rotations

Remove SaaS Rotation

To remove a SaaS rotation from a PAM User record:

pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

Activate/Deactivate Rotations

You can control whether a SaaS rotation is active by setting the Active custom field:

Set to any value (e.g., "true", "yes", "1") to activate
Remove the field or set to empty/false to deactivate

PreviousSaaS Configuration Field Reference NextCustom and Community Plugins

Last updated 5 days ago

Was this helpful?

hashtagOverview

hashtagConfiguring SaaS Rotation

hashtagStep 1: Create a SaaS Configuration Record

hashtagStep 2: Associate SaaS Rotation with PAM Users

hashtagStep 3: Verify Configuration

hashtagRunning SaaS Rotations

hashtagManaging SaaS Rotations

hashtagRemove SaaS Rotation

hashtagActivate/Deactivate Rotations