# Adding PAM Resources to an Existing Model After creating your PAM content - either manually or with the `pam project import` command - you can add additional content with the `pam project extend` command. {% hint style="info" %} The `pam project extend` command is available from Keeper Commander 17.2.8. {% endhint %} ## JSON Template The process requires a similar `pam_import.json` template as the one generated in [Importing PAM Resources](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources), with a few notable changes: * Only the `pam_data` object is included in the template. Since this is an `extend` action, we do not need any project information (although including it would not fail the process). * The PAM Directory record will not be re-created, but still needs to be included so we can reference the AD Domain Admin from administrative credentials. * The new pamMachine and pamUser titles need to be unique in the file and the existing PAM model to avoid any conflicts. ```json { "pam_data": { "resources": [ { "type": "pamDirectory", "title": "My Domain Controller", "directory_type": "active_directory", "host": "lureydemo.local", "port": "636", "use_ssl": true, "domain_name": "lureydemo.local", "pam_settings": { "options": { "rotation": "on", "connections": "on", "tunneling": "on", "graphical_session_recording": "on" }, "connection": { "protocol": "rdp", "port": "3389", "security": "any", "ignore_server_cert": true, "administrative_credentials": "My Domain Admin" } }, "users": [ { "type": "pamUser", "title": "My Domain Admin", "login": "administrator@lureydemo.local", "password": "YourExistingDomainPassword", "rotation_settings": { "rotation": "general", "enabled": "on", "schedule": { "type": "on-demand" } } } ] }, { "type": "pamMachine", "title": "extended_machine_1", "host": "desktop-machine1", "port": "5986", "ssl_verification": true, "operating_system": "Windows", "pam_settings": { "options": { "rotation": "on", "connections": "on", "tunneling": "on", "graphical_session_recording": "on" }, "connection": { "protocol": "rdp", "port": "3389", "security": "any", "ignore_server_cert": true, "administrative_credentials": "My Domain Controller.My Domain Admin" } }, "users": [ { "type": "pamUser", "title": "user_extended_machine_1", "login": "extended_user", "password": "LocalAdminPassword123", "rotation_settings": { "rotation": "general", "enabled": "on", "schedule": { "type": "on-demand" } } } ] } ] } } ``` This template will import one new pamMachine and pamUser record to the existing model. This guide assumes that you are familiar with the template structure outlined in [Importing PAM Resources](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources). In the interest of clarity, comments have been removed and the same values have been populated as in our example run. ## Folder Management By adding a `folder_path` attribute to your JSON objects (resources and users), you can define shared folder and personal folder location for your new imported records: ```json ... { "type": "pamDirectory", "title": "My Domain Controller", "folder_path": "Extend Shared Folder/AD", ... { "type": "pamUser", "title": "My Domain Admin", "folder_path": "Extend Shared Folder/AD", ... { "type": "pamMachine", "title": "extended_machine_1", "folder_path": "Extend Shared Folder/Resources", ... { "type": "pamUser", "title": "user_extended_machine_1", "folder_path": "Extend Shared Folder/Users", ```
Folder Management with pam project extend
Additional notes: * If your PAM model has more than the default two shared folders - specifying `folder_path` for your records is required. * The shared folder must exist. * If a nested personal folders doesn't exist, it will be created automatically. ## Running the Import With the JSON template file above ready, the last requirement is to retrieve the PAM Configuration UID from the vault / Commander, which will be the link to the existing PAM model to extend from. * Get the PAM Configuration UID from the vault:
Vault PAM Configuration UID
* Get the PAM Configuration UID from Commander: ```bash # List all configurations pam config list ``` In Commander, you can then run the new import with `pam project extend`: ```bash pam project extend --config PWJhchL7sRKeMZFWCVvPrg --filename "path/to/pam_import.json" ``` ### Dry Run Before running the import, you can add the `--dry-run` flag to see what records and folders would be created: ```bash pam project extend -c PWJhchL7sRKeMZFWCVvPrg -f "path/to/pam_import.json" --dry-run [DRY RUN] No changes will be made. This is a simulation only. [DRY RUN] Will use PAM Configuration: PWJhchL7sRKeMZFWCVvPrg "Import Demo Project" Configuration [DRY RUN] Will use PAM Gateway: dbYL-PiETJ2vpyhIo7dexQ "Import Demo Project" Gateway [DRY RUN] Will use KSM Application: vt8rk_CVNOPpCHb4llPuzQ "Import Demo Project" Application [DRY RUN] Total shared folders found for the KSM App: 2 [DRY RUN] Found shared folder: aJqCPub1pEqgsG5-STORsQ "Import Demo Project - Users" (Editable) [DRY RUN] Found shared folder: lTQFgRx8u5nu3OOa9-6FlA "Import Demo Project - Resources" (Editable) [DRY RUN] Processed 0 folder paths: [DRY RUN] - Good paths: 0 [DRY RUN] - Bad paths: 0 [DRY RUN] 0 existing folders, 0 new folders to be created [DRY RUN] [existing] folder=autodetect record=pamDirectory: "My Domain Controller" uid=1uml7drZ4QrpCBDvvJ7idQ [DRY RUN] [new] folder=autodetect record=pamMachine: extended_machine_2 [DRY RUN] [existing] folder=autodetect record=pamUser: "My Domain Admin" (nested on "My Domain Controller") uid=rTk2mdsnhbAaDZEp948_AQ [DRY RUN] [new] folder=autodetect record=pamUser: user_extended_machine_2 (nested on extended_machine_2) [DRY RUN] 2 existing records (skipped), 2 new records to be created [DRY RUN COMPLETE] No changes were made. All actions were validated but not executed. ```