
Enforcement Policies

Role-based enforcement policy settings for KeeperPAM

Overview

Role-based Access Controls (RBAC) provide your organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. Prior to proceeding with this guide, familiarize yourself with roles and enforcement policies.

Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

  • Log in to the Keeper Admin Console for your region.

  • Under Admin > Roles, create a new role for PAM or modify an existing role.

  • Go to Enforcement Policies and open the "Privileged Access Manager" section.

  • Enable all the PAM enforcement policies to use the new features.

Privileged Access Manager Policies

Secrets Manager

| Policy | Definition | Commander CLI |
|---|---|---|
| Can create applications and manage secrets | Allow users to create and manage KSM applications | ALLOW_SECRETS_MANAGER |

Keeper Gateway

| Policy | Definition | Commander CLI |
|---|---|---|
| Can create, deploy, and manage Keeper Gateways | Allow users to create, set up, and manage Keeper Gateways | ALLOW_PAM_GATEWAY |

Keeper Rotation

| Policy | Definition | Commander CLI |
|---|---|---|
| Can configure rotation settings | Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types | ALLOW_CONFIGURE_ROTATION_SETTINGS |
| Can rotate credentials | Allow users to rotate credentials on PAM User Record Types | ALLOW_ROTATE_CREDENTIALS |

Keeper Connection Manager (KCM)

| Policy | Definition | Commander CLI |
|---|---|---|
| Can configure connection settings | Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types | ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS |
| Can launch connections | Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types | ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION |
| Can view session recordings | Allow users to view Session Recordings | ALLOW_VIEW_KCM_RECORDINGS |

Keeper Tunnels

| Policy | Definition | Commander CLI |
|---|---|---|
| Can configure tunnel settings | Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types | ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS |
| Can start tunnels | Allow users to start tunnels on PAM Machine, PAM Directory, PAM Database Record Types | ALLOW_LAUNCH_PAM_TUNNELS |

Remote Browser Isolation (RBI)

| Policy | Definition | Commander CLI |
|---|---|---|
| Can configure remote browsing | Allow users to configure Remote Browser and Session Recordings settings on PAM Remote Browsing and Configuration Record Types | ALLOW_CONFIGURE_RBI |
| Can launch remote browsing | Allow users to launch remote browsing on PAM Remote Browsing Record Types | ALLOW_LAUNCH_RBI |
| Can view RBI session recordings | Allow users to view RBI Session Recordings | ALLOW_VIEW_RBI_RECORDINGS |

Discovery

Discovery is currently only available on Keeper Commander. The UI is coming soon.

| Policy | Definition | Commander CLI |
|---|---|---|
| Can run discovery | Allow users to run discovery | ALLOW_PAM_DISCOVERY |

Legacy Policies

These policies are not required moving forward, but they exist to support legacy features.

| Policy | Definition | Commander CLI |
|---|---|---|
| Legacy allow rotation | Allow users to perform password rotation | ALLOW_PAM_ROTATION |

Commander CLI

The CLI enterprise-role command can be used to set these policies through automation. The policies related to PAM functionality are listed below.

enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"
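
The automation described above, as an added example (not Keeper's own code): a Python helper that emits enterprise-role commands only for the policies a given role needs and lists the ones withheld, so each role can be reviewed against least privilege. The enforcement keys and command syntax are the ones on this page; the feature/action grouping, the plan_role function, the sample roles and the configure-versus-use warning are assumptions of this example.

```python
# Added example (not Keeper's code). Keys are copied from this page; the grouping is assumed.
PAM_KEYS = {
    ("secrets_manager", "manage"): "ALLOW_SECRETS_MANAGER",
    ("gateway", "manage"): "ALLOW_PAM_GATEWAY",
    ("rotation", "configure"): "ALLOW_CONFIGURE_ROTATION_SETTINGS",
    ("rotation", "use"): "ALLOW_ROTATE_CREDENTIALS",
    ("connection", "configure"): "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS",
    ("connection", "use"): "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION",
    ("connection", "view_recordings"): "ALLOW_VIEW_KCM_RECORDINGS",
    ("tunnel", "configure"): "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS",
    ("tunnel", "use"): "ALLOW_LAUNCH_PAM_TUNNELS",
    ("rbi", "configure"): "ALLOW_CONFIGURE_RBI",
    ("rbi", "use"): "ALLOW_LAUNCH_RBI",
    ("rbi", "view_recordings"): "ALLOW_VIEW_RBI_RECORDINGS",
    ("discovery", "use"): "ALLOW_PAM_DISCOVERY",
    ("legacy_rotation", "use"): "ALLOW_PAM_ROTATION",
}


def plan_role(role_id, grants):
    """Return (commands, withheld_keys, warnings) for a set of (feature, action) grants."""
    # Reject anything not in the table so a typo never becomes a silently skipped policy.
    unknown = sorted(g for g in grants if g not in PAM_KEYS)
    if unknown:
        raise ValueError(f"unknown PAM grants: {unknown}")
    commands = [
        f'enterprise-role {role_id} --enforcement "{PAM_KEYS[g]}:True"'
        for g in sorted(grants)
    ]
    withheld = sorted(k for g, k in PAM_KEYS.items() if g not in grants)
    # Separation of duties (an assumption of this example, not a Keeper rule):
    # flag a role that can both configure a feature and use or review it.
    warnings = sorted(
        f"{feat}: configure combined with {act}"
        for feat, act in grants
        if act != "configure" and (feat, "configure") in grants
    )
    return commands, withheld, warnings


# Constructed sample roles; ROLE_ID is the page's placeholder for a real role ID.
OPERATOR = {("connection", "use"), ("tunnel", "use"), ("rotation", "use")}
AUDITOR = {("connection", "view_recordings"), ("rbi", "view_recordings")}

if __name__ == "__main__":
    for name, grants in (("operator", OPERATOR), ("auditor", AUDITOR)):
        cmds, withheld, warns = plan_role("ROLE_ID", grants)
        print(f"# {name}: {len(cmds)} granted, {len(withheld)} withheld, warnings={warns}")
        print("\n".join(cmds))
```

The emitted lines can be pasted into Keeper Commander; the withheld list is for review only, since this page shows no syntax for disabling a policy.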