Adding PAM Resources to an Existing Model

Add Content to an Existing PAM Setup instead of creating a New Model

After creating your PAM content - either manually or with the pam project import command - you can add additional content with the pam project extend command.

The pam project extend command is available from Keeper Commander 17.2.8.

JSON Template

The process requires a similar pam_import.json template as the one generated in Importing PAM Resources, with a few notable changes:

Only the pam_data object is included in the template. Since this is an extend action, we do not need any project information (although including it would not fail the process).
The PAM Directory record will not be re-created, but still needs to be included so we can reference the AD Domain Admin from administrative credentials.
The new pamMachine and pamUser titles need to be unique in the file and the existing PAM model to avoid any conflicts.

{
  "pam_data": {
    "resources": [
      {
        "type": "pamDirectory",
        "title": "My Domain Controller",
        "directory_type": "active_directory",
        "host": "lureydemo.local",
        "port": "636",
        "use_ssl": true,
        "domain_name": "lureydemo.local",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "My Domain Admin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "My Domain Admin",
            "login": "[email protected]",
            "password": "YourExistingDomainPassword",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "extended_machine_1",
        "host": "desktop-machine1",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "My Domain Controller.My Domain Admin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "user_extended_machine_1",
            "login": "extended_user",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      }
    ]
  }
}

This template will import one new pamMachine and pamUser record to the existing model. This guide assumes that you are familiar with the template structure outlined in Importing PAM Resources. In the interest of clarity, comments have been removed and the same values have been populated as in our example run.

Folder Management

By adding a folder_path attribute to your JSON objects (resources and users), you can define shared folder and personal folder location for your new imported records:

...
{
    "type": "pamDirectory",
    "title": "My Domain Controller",
    "folder_path": "Extend Shared Folder/AD",
...
{
    "type": "pamUser",
    "title": "My Domain Admin",
    "folder_path": "Extend Shared Folder/AD",
...
{
    "type": "pamMachine",
    "title": "extended_machine_1",
    "folder_path": "Extend Shared Folder/Resources",
...
{
    "type": "pamUser",
    "title": "user_extended_machine_1",
    "folder_path": "Extend Shared Folder/Users",

Folder Management with pam project extend

Additional notes:

If your PAM model has more than the default two shared folders - specifying folder_path for your records is required.
The shared folder must exist.
If a nested personal folders doesn't exist, it will be created automatically.

Running the Import

With the JSON template file above ready, the last requirement is to retrieve the PAM Configuration UID from the vault / Commander, which will be the link to the existing PAM model to extend from.

Get the PAM Configuration UID from the vault:

Get the PAM Configuration UID from Commander:

# List all configurations
pam config list

In Commander, you can then run the new import with pam project extend:

pam project extend --config PWJhchL7sRKeMZFWCVvPrg --filename "path/to/pam_import.json"

Dry Run

Before running the import, you can add the --dry-run flag to see what records and folders would be created:

pam project extend -c PWJhchL7sRKeMZFWCVvPrg -f "path/to/pam_import.json" --dry-run
[DRY RUN] No changes will be made. This is a simulation only.
[DRY RUN] Will use PAM Configuration: PWJhchL7sRKeMZFWCVvPrg  "Import Demo Project" Configuration
[DRY RUN] Will use PAM Gateway:       dbYL-PiETJ2vpyhIo7dexQ  "Import Demo Project" Gateway
[DRY RUN] Will use KSM Application:   vt8rk_CVNOPpCHb4llPuzQ  "Import Demo Project" Application
[DRY RUN] Total shared folders found for the KSM App: 2
[DRY RUN] Found shared folder: aJqCPub1pEqgsG5-STORsQ "Import Demo Project - Users" (Editable)
[DRY RUN] Found shared folder: lTQFgRx8u5nu3OOa9-6FlA "Import Demo Project - Resources" (Editable)
[DRY RUN] Processed 0 folder paths:
[DRY RUN]   - Good paths: 0
[DRY RUN]   - Bad paths: 0
[DRY RUN] 0 existing folders, 0 new folders to be created
  [DRY RUN] [existing]  folder=autodetect	record=pamDirectory: "My Domain Controller"	uid=1uml7drZ4QrpCBDvvJ7idQ
  [DRY RUN] [new]  folder=autodetect	record=pamMachine: extended_machine_2
  [DRY RUN] [existing]  folder=autodetect	record=pamUser: "My Domain Admin" (nested on "My Domain Controller")	uid=rTk2mdsnhbAaDZEp948_AQ
  [DRY RUN] [new]  folder=autodetect	record=pamUser: user_extended_machine_2 (nested on extended_machine_2)
[DRY RUN] 2 existing records (skipped), 2 new records to be created
[DRY RUN COMPLETE] No changes were made. All actions were validated but not executed.

PreviousUsing a CSV Template NextManaging Rotation via CLI

Last updated 17 days ago

Was this helpful?

hashtagJSON Template

hashtagFolder Management

hashtagRunning the Import

hashtagDry Run

JSON Template

Folder Management

Running the Import

Dry Run