# Managing Rotation via CLI

> **Important:** The legacy `rotate` (plugin‑based) and `pam rotation set` commands are deprecated. Use `pam rotation edit` to **configure rotation schedules** and `pam action rotate` to **trigger an on‑demand rotation** through a Keeper Gateway.

***

### Prerequisites

1. **Target records are in place** – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.
2. **A Keeper Gateway is installed and online** – see *Step 1* below.
3. **At least one PAM Configuration exists** and points to the gateway – see *Step 2*.
4. **You are signed in to Keeper Commander** with an administrator or rotation‑manager role.

***

### Step 1 – Create (or locate) a Gateway

Commander’s `pam gateway` sub‑commands manage the Gateway service.

| Task                                                   | Command                                                                         |
| ------------------------------------------------------ | ------------------------------------------------------------------------------- |
| List existing gateways                                 | `pam gateway list`                                                              |
| Create a new gateway and generate a one‑time token     | `pam gateway new --name "<Gateway_Name>" --application "<KSM_Application_UID>"` |
| Generate the `GATEWAY_CONFIG` blob for Docker installs | `pam gateway new -n "<Gateway_Name>" -a "<App_UID>" --config-init b64`          |

> **Tip:** Retrieve the UID for an existing gateway at any time with `pam gateway list --verbose`.

***

### Step 2 – Build a PAM Configuration that uses the Gateway

`pam config new` (or `pam config edit`) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.

```
pam config new --title "Prod Rotation" \
               --gateway "<Gateway_UID>" \
               --shared-folder "<Shared_Folder_UID>" \
               --rotation on \
               --schedule "0 2 * * *"
```

* `--gateway` binds the configuration to the Keeper Gateway you created in Step 1.
* `--rotation on` enables the rotation feature for any records attached to this configuration.
* `--schedule` sets a default CRON schedule that records can inherit (you can still override per record with `pam rotation edit`).

Use `pam config list` to obtain the configuration’s UID for later commands.

***

### Understanding Rotation Commands (Quick Recap)

| Command             | What it actually does                                                                                                      |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `rotate`            | **Deprecated**: legacy plugin‑based rotation run directly from Commander.                                                  |
| `pam action rotate` | Runs an *immediate* rotation job through the Keeper Gateway.                                                               |
| `pam rotation edit` | Configures rotation settings (schedule, resource, complexity) on one or many records. *(Does **not** rotate immediately.)* |

***

### Command: `pam rotation edit`

`pam rotation edit` adjusts the KeeperPAM rotation metadata stored on a record.

#### Key Options

| Option                      | Purpose                                                                                                                        |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| `--record` / `-r`           | Target an individual record by UID, name, or pattern.                                                                          |
| `--folder` / `-fd`          | Target every record in a folder (bulk update).                                                                                 |
| `--force` / `-f`            | Skip confirmation prompts.                                                                                                     |
| `--config` / `-c`           | UID or path of the PAM Configuration to link.                                                                                  |
| `--iam-aad-config` / `-iac` | Alternative to `--resource` for IAM / Azure AD users.                                                                          |
| `--resource` / `-rs`        | UID or path of the resource record used to perform the change.                                                                 |
| `--schedulejson` / `-sj`    | Supply a JSON scheduler object.                                                                                                |
| `--schedulecron` / `-sc`    | Supply a CRON‑formatted schedule string.                                                                                       |
| `--on-demand` / `-od`       | Mark rotation as on‑demand (no schedule).                                                                                      |
| `--schedule-config` / `-sf` | Inherit schedule from the linked PAM Configuration.                                                                            |
| `--complexity` / `-x`       | Password complexity spec (`length,upper,lower,digits,symbols[,symbol_set]`).                                                   |
| `--admin-user` / `-a`       | UID/path of a PAM User to act as admin for rotation.                                                                           |
| `--enable` / `-e`           | Enable rotation on the targeted record(s).                                                                                     |
| `--disable` / `-d`          | Disable rotation on the targeted record(s).                                                                                    |
| `--schedule-only` / `-so`   | **Update *only* the schedule** on the targeted record(s). Leaves config, resource, complexity untouched.                     |

Full help: `pam rotation edit --help`

***

#### Worked Examples

> Replace angle‑bracket placeholders with real UIDs or paths.

**1 – Daily rotation on a single machine (CRON)**

```
pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  --schedulecron "0 2 * * *" \
                  --enable
```

**2 – Weekly rotation using JSON**

```
pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  -sj '{"type":"WEEKLY","weekday":"SATURDAY","time":"22:00","tz":"America/New_York"}' \
                  --enable
```

**3 – Bulk‑enable rotation for every record in a folder (monthly)**

```
pam rotation edit --folder "/Shared/Prod" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Gateway_Proxy_User_UID>" \
                  --schedulecron "0 3 1 * *" \
                  --enable --force
```

**4 – Change schedule only**

```
pam rotation edit --folder "/Shared/Prod" \
                  --schedulecron "0 1 * * *" \
                  --schedule-only --force
```

> **Tip:** Combine `-so` with `--enable` or `--disable` to quickly activate or pause existing schedules without touching other parameters.

**5 – On‑demand rotation (no schedule)**

```
pam rotation edit --record "<Machine_UID>" --on-demand --enable
```

**6 – Set password complexity**

```
pam rotation edit --record "<PAM_User_UID>" \
                  --complexity 20,1,4,2,2,.=+- \
                  --enable
```
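As an added sanity check (example code written for this page, not part of Keeper Commander), the Python below parses a `--complexity` spec before it is applied and tests whether a given password satisfies it. It assumes the five numeric fields are minimum counts per character class, that an optional sixth field overrides a default symbol set, and that `DEFAULT_SYMBOLS` is a placeholder rather than Keeper's real default.

```python
import string

# Placeholder symbol set used when the optional sixth field is omitted
# (an assumption for this example, not Keeper's documented default).
DEFAULT_SYMBOLS = "!@#$%^&*()_+-=[]{}|;:,.<>?"

def parse_complexity(spec: str) -> dict:
    """Parse 'length,upper,lower,digits,symbols[,symbol_set]' into a policy dict.

    Raises ValueError for malformed specs and for specs that can never be met
    (per-class minimums adding up to more than the total length).
    """
    # maxsplit=5 keeps any commas that appear inside the symbol set itself
    fields = spec.split(",", 5)
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 comma-separated fields, got {len(fields)}")
    names = ("length", "upper", "lower", "digits", "symbols")
    policy = {}
    for name, raw in zip(names, fields[:5]):
        if not raw.isdigit():
            raise ValueError(f"{name} must be a non-negative integer, got {raw!r}")
        policy[name] = int(raw)
    policy["symbol_set"] = fields[5] if len(fields) == 6 else DEFAULT_SYMBOLS
    if policy["length"] < 1:
        raise ValueError("length must be at least 1")
    if policy["symbols"] and not policy["symbol_set"]:
        raise ValueError("symbols > 0 but the symbol set is empty")
    required = sum(policy[n] for n in names[1:])
    if required > policy["length"]:
        raise ValueError(f"class minimums ({required}) exceed length ({policy['length']})")
    return policy

def password_meets(policy: dict, password: str) -> bool:
    """Check a password against a parsed policy, treating every field as a minimum."""
    if len(password) < policy["length"]:
        return False
    counts = {
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        "symbols": sum(c in policy["symbol_set"] for c in password),
    }
    return all(counts[n] >= policy[n] for n in counts)

if __name__ == "__main__":
    # Spec from worked example 6 above: 20 chars, >=1 upper, >=4 lower, >=2 digits, >=2 of ".=+-"
    policy = parse_complexity("20,1,4,2,2,.=+-")
    print(policy, password_meets(policy, "Abcdefghij12.=+-xyzw"))
```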

***

### Triggering an On‑Demand Rotation

Run a rotation **right now** (ignoring any schedule):

```
pam action rotate --record "<Machine_UID>"
```

Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.

***

### Where to Go Next

* `pam action gateway-info --gateway <Gateway_UID>` – check gateway health and version.
* `pam rotation list` – verify which resources have rotation enabled.
* `pam action job-info --gateway <Gateway_UID>` – view historical rotation job logs.
* `pam rotation script` – manage post‑rotation scripts.

### Batch Mode

To run a large number of commands in a batch mode, see Keeper's [Batch Mode](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/misc-commands#run-batch-command) command.
