Sharing the Keeper Gateway with other admins
Keeper Gateways are essential when configuring PAM features such as rotation and connections on PAM resources. Keeper provides KSM Application Sharing from the vault UI and Keeper Commander CLI.
Gateways are tied to Keeper Secrets Manager (KSM) applications. Only users who have access to a KSM application can view and select its associated Gateway when configuring PAM Record Types. Without sharing, only the owner of the KSM application can use the Gateway for PAM configuration.
Sharing the KSM application (and thus the Gateway) allows other administrators or team members to independently configure and manage PAM resources. This is critical when multiple users in your organization are responsible for managing privileged access.
Note: Gateways are automatically shared when the associated KSM application is shared.
When you share the KSM application, you also share access to the associated Gateway.
To share the KSM application:
1. From the vault, open the KSM Application you want to share.
2. Edit the Application.
3. Navigate to the "Users" tab.
4. In the search bar, enter the user’s email address.
5. Add the user to the application.
For more information, visit this page.
When sharing a KSM application with other users, the following permissions can be assigned:
- Member: Can view the application and use the gateways associated with the application
Shared folders assigned to a KSM application are accessible by the devices and gateways associated with the application. When sharing a KSM application with another user, if the user does not already have access to the shared folders associated with the application, those folders will be automatically shared with the user.
The level of access the user receives to these shared folders depends on their assigned role in the application:
If the user is added as a "Member":
- The user receives the "No User Permissions" shared folder permissions
If the user already had access to any of the shared folders before being added to the KSM application, their existing folder permissions remain unchanged and are not overwritten.
Records can be directly assigned to a KSM application via the Keeper Commander "secrets-manager app share" command.
When sharing a KSM application with another user, if the user does not already have access to the records associated with the application, those records will be automatically shared with the user. The level of access the user receives to these records is "View Only".
Note: Adding individual records to a KSM application requires using Keeper Commander.
Removing a user from the KSM application does not revoke their permissions from the shared folders. Folder access must be manually removed if desired.
Once the gateway is shared through the KSM application, users who now have access can configure PAM resources using that gateway.