# Managing Rotation via CLI

> **Important:** The legacy `rotate` (plugin‑based) and `pam rotation set` commands are deprecated. Use `pam rotation edit` to **configure rotation schedules** and `pam action rotate` to **trigger an on‑demand rotation** through a Keeper Gateway.

***

### Prerequisites

1. **Target records are in place** – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.
2. **A Keeper Gateway is installed and online** – see *Step 1* below.
3. **At least one PAM Configuration exists** and points to the gateway – see *Step 2*.
4. **You are signed in to Keeper Commander** with an administrator or rotation‑manager role.

***

### Step 1 – Create (or locate) a Gateway

Commander’s `pam gateway` sub‑commands manage the Gateway service.

| Task                                                   | Command                                                                         |
| ------------------------------------------------------ | ------------------------------------------------------------------------------- |
| List existing gateways                                 | `pam gateway list`                                                              |
| Create a new gateway and generate a one‑time token     | `pam gateway new --name "<Gateway_Name>" --application "<KSM_Application_UID>"` |
| Generate the `GATEWAY_CONFIG` blob for Docker installs | `pam gateway new -n "<Gateway_Name>" -a "<App_UID>" --config-init b64`          |

> **Tip:** Retrieve the UID for an existing gateway at any time with `pam gateway list --verbose`.

***

### Step 2 – Build a PAM Configuration that uses the Gateway

`pam config new` (or `pam config edit`) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.

```
pam config new --title "Prod Rotation" \
               --gateway "<Gateway_UID>" \
               --shared-folder "<Shared_Folder_UID>" \
               --rotation on \
               --schedule "0 2 * * *"
```

* `--gateway` binds the configuration to the Keeper Gateway you created in Step 1.
* `--rotation on` enables the rotation feature for any records attached to this configuration.
* `--schedule` sets a default CRON schedule that records can inherit (you can still override per record with `pam rotation edit`).

Use `pam config list` to obtain the configuration’s UID for later commands.

***

### Understanding Rotation Commands (Quick Recap)

| Command             | What it actually does                                                                                                      |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `rotate`            | **Deprecated**: legacy plugin‑based rotation run directly from Commander.                                                  |
| `pam action rotate` | Runs an *immediate* rotation job through the Keeper Gateway.                                                               |
| `pam rotation edit` | Configures rotation settings (schedule, resource, complexity) on one or many records. *(Does **not** rotate immediately.)* |

***

### Command: `pam rotation edit`

`pam rotation edit` adjusts the KeeperPAM rotation metadata stored on a record.

#### Key Options

| Option                      | Purpose                                                                                                                        |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `--record` / `-r`           | Target an individual record by UID, name, or pattern.                                                                          |
| `--folder` / `-fd`          | Target every record in a folder (bulk update).                                                                                 |
| `--force` / `-f`            | Skip confirmation prompts.                                                                                                     |
| `--config` / `-c`           | UID or path of the PAM Configuration to link.                                                                                  |
| `--iam-aad-config` / `-iac` | Alternative to `--resource` for IAM / Azure AD users.                                                                          |
| `--resource` / `-rs`        | UID or path of the resource record used to perform the change.                                                                 |
| `--schedulejson` / `-sj`    | Supply a JSON scheduler object.                                                                                                |
| `--schedulecron` / `-sc`    | Supply a CRON‑formatted schedule string.                                                                                       |
| `--on-demand` / `-od`       | Mark rotation as on‑demand (no schedule).                                                                                      |
| `--schedule-config` / `-sf` | Inherit schedule from the linked PAM Configuration.                                                                            |
| `--complexity` / `-x`       | Password complexity spec (`length,upper,lower,digits,symbols[,symbol_set]`).                                                   |
| `--admin-user` / `-a`       | UID/path of a PAM User to act as admin for rotation.                                                                           |
| `--enable` / `-e`           | Enable rotation on the targeted record(s).                                                                                     |
| `--disable` / `-d`          | Disable rotation on the targeted record(s).                                                                                    |
| `--schedule-only` / `-so`   | **Update *only* the schedule** on the targeted record(s). Leaves config, resource, complexity untouched.                       |

Full help: `pam rotation edit --help`

***

#### Worked Examples

> Replace angle‑bracket placeholders with real UIDs or paths.

**1 – Daily rotation on a single machine (CRON)**

```
pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  --schedulecron "0 2 * * *" \
                  --enable
```

**2 – Weekly rotation using JSON**

```
pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  -sj '{"type":"WEEKLY","weekday":"SATURDAY","time":"22:00","tz":"America/New_York"}' \
                  --enable
```

**3 – Bulk‑enable rotation for every record in a folder (monthly)**

```
pam rotation edit --folder "/Shared/Prod" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Gateway_Proxy_User_UID>" \
                  --schedulecron "0 3 1 * *" \
                  --enable --force
```

**4 – Change schedule only**

```
pam rotation edit --folder "/Shared/Prod" \
                  --schedulecron "0 1 * * *" \
                  --schedule-only --force
```

> **Tip:** Combine `-so` with `--enable` or `--disable` to quickly activate or pause existing schedules without touching other parameters.

**5 – On‑demand rotation (no schedule)**

```
pam rotation edit --record "<Machine_UID>" --on-demand --enable
```

**6 – Set password complexity**

```
pam rotation edit --record "<PAM_User_UID>" \
                  --complexity 20,1,4,2,2,.=+- \
                  --enable
```
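The `--complexity` spec used above is compact, so it is easy to get a field wrong and end up with a policy weaker than intended. The following is an added example (not Commander code and not from this page) that parses a `length,upper,lower,digits,symbols[,symbol_set]` string, rejects impossible specs, generates a password meeting it with a CSPRNG, and checks whether a given password satisfies it. It assumes each count is a minimum, that the sixth field restricts the symbol characters, and that `string.punctuation` is the fallback symbol set; all three are assumptions.

```python
import secrets
import string

# Assumption (not from the page): when no symbol set is given, any ASCII punctuation is allowed.
DEFAULT_SYMBOLS = string.punctuation


def parse_complexity(spec: str) -> dict:
    """Parse 'length,upper,lower,digits,symbols[,symbol_set]' into a dict of minimums."""
    parts = spec.split(",", 5)  # maxsplit keeps a symbol set that itself contains commas intact
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 comma-separated fields, got {len(parts)}")
    length, upper, lower, digits, symbols = (int(p) for p in parts[:5])
    symbol_set = parts[5] if len(parts) == 6 else DEFAULT_SYMBOLS
    if min(length, upper, lower, digits, symbols) < 0:
        raise ValueError("counts must be non-negative")
    if upper + lower + digits + symbols > length:
        raise ValueError("minimum class counts exceed the total length")
    if symbols > 0 and not symbol_set:
        raise ValueError("symbols are required but the symbol set is empty")
    return {"length": length, "upper": upper, "lower": lower,
            "digits": digits, "symbols": symbols, "symbol_set": symbol_set}


def _classes(spec: dict) -> dict:
    return {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
            "digits": string.digits, "symbols": spec["symbol_set"]}


def satisfies(password: str, spec: dict) -> bool:
    """True if the password has the exact length, only allowed characters, and each class minimum."""
    classes = _classes(spec)
    if len(password) != spec["length"]:
        return False
    allowed = "".join(classes.values())
    if any(c not in allowed for c in password):
        return False
    return all(sum(c in chars for c in password) >= spec[name] for name, chars in classes.items())


def generate(spec: dict) -> str:
    """Build a password that meets the spec, drawing every character from the OS CSPRNG."""
    classes = _classes(spec)
    # Satisfy each minimum first, then fill the remainder from the union of all allowed classes.
    chars = [secrets.choice(pool) for name, pool in classes.items() for _ in range(spec[name])]
    filler = "".join(classes.values())
    chars += [secrets.choice(filler) for _ in range(spec["length"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the required classes are not at predictable positions
    return "".join(chars)
```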

***

### Triggering an On‑Demand Rotation

Run a rotation **right now** (ignoring any schedule):

```
pam action rotate --record "<Machine_UID>"
```

Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.

***

### Where to Go Next

* `pam action gateway-info --gateway <Gateway_UID>` – check gateway health and version.
* `pam rotation list` – verify which resources have rotation enabled.
* `pam action job-info --gateway <Gateway_UID>` – view historical rotation job logs.
* `pam rotation script` – manage post‑rotation scripts.

### Batch Mode

To run a large number of commands in a batch mode, see Keeper's [Batch Mode](/en/keeperpam/commander-cli/command-reference/misc-commands.md#run-batch-command) command.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/managing-rotation-via-cli.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
