How KeeperPAM provides Vendor Privileged Access (VPAM)
Secure third-party access to internal resources with KeeperPAM’s zero-trust architecture. This guide outlines how KeeperPAM enables secure, auditable, and time-limited access for external users like contractors, technicians, and vendors—without the need for VPNs or exposing credentials.
KeeperPAM provides native support for remote privileged access scenarios involving external users such as vendors, partners, and third-party technicians. The system enables secure access through a browser-based interface with full control, auditability, and session recording—no local agents or VPNs required.
Vendors are granted time-limited access to specific systems only when needed. Access can be subject to approval workflows, expiration, and session recording.
Vendors never see or handle passwords. Keeper injects credentials directly into RDP, SSH, database, or web sessions via the Keeper Gateway.
All access occurs through a web browser or desktop app—no client software or VPN setup is required. This ensures fast onboarding and secure connectivity.
Every vendor session is fully recorded, including screen activity, keystrokes, and command logs. Sessions are viewable in the Vault UI and can be streamed to your SIEM.
KeeperAI monitors vendor sessions for suspicious activity and can terminate connections automatically based on risk thresholds and pattern detection.
Admins can define access rules based on vendor role, project, or department. Sessions can be isolated, time-bound, and protocol-specific.
All third-party access is auditable to meet GDPR, HIPAA, PCI-DSS, SOX, NIST, and other compliance standards. Detailed logs are retained and can be pushed to external SIEM tools.
Configure Vendor Access
In the Keeper Vault UI, create a record for the resource the vendor needs (e.g., SSH, RDP).
Place it in a shared folder with time-based permissions.
Apply RBAC policies as needed.
Vendor Authentication
Invite the vendor to join your Keeper tenant using SSO or email/password/MFA.
Assign the vendor to a role.
Enforce MFA and other access policies.
The vendor logs in via the Keeper web vault or desktop app.
MFA is enforced even if the target resource lacks native MFA.
Session Launch
The vendor selects the resource and initiates the connection.
Keeper Gateway injects credentials and brokers the session.
No credentials are revealed or copied to the vendor’s device.
Session Monitoring
Keeper records screen activity, keystrokes, and command logs.
KeeperAI scans the session for anomalies and can terminate high-risk activity automatically.
Access Expiration
Sessions are automatically terminated at the scheduled end time.
Shared folder permissions expire based on policy.
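The Session Monitoring and Access Expiration steps above, together with the earlier note that session logs can be streamed to your SIEM, lend themselves to a simple after-the-fact audit: correlate each vendor session launch with the time-limited grant that should cover it, and flag sessions that started with no approved grant, outside the grant window, or that were still open after the grant ended. The Python below is an added example, not Keeper's code, and its event schema (fields `ts`, `event`, `user`, `resource`, `session_id`), the `Grant` structure, and the sample grants and events are all constructed assumptions.

```python
"""Audit vendor PAM sessions against time-limited access grants.

Hypothetical example: the event format is an assumed SIEM export, not
Keeper's real schema. All grants and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    vendor: str
    resource: str
    start: datetime
    end: datetime
    approved: bool  # False while an approval workflow is still pending


@dataclass(frozen=True)
class Finding:
    session_id: str
    vendor: str
    resource: str
    reason: str
    at: datetime


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed grants: one approved window, one still awaiting approval.
GRANTS = [
    Grant("vendor-msp", "prod-db-01",
          parse_ts("2024-05-01T09:00:00Z"), parse_ts("2024-05-01T12:00:00Z"), True),
    Grant("vendor-hw", "srv-42",
          parse_ts("2024-05-01T10:00:00Z"), parse_ts("2024-05-01T11:00:00Z"), False),
]

# Constructed session events in an assumed SIEM export format.
EVENTS = [
    {"ts": "2024-05-01T09:15:00Z", "event": "session_launch", "user": "vendor-msp",
     "resource": "prod-db-01", "session_id": "s1"},
    {"ts": "2024-05-01T09:40:00Z", "event": "session_end", "user": "vendor-msp",
     "resource": "prod-db-01", "session_id": "s1"},
    {"ts": "2024-05-01T13:30:00Z", "event": "session_launch", "user": "vendor-msp",
     "resource": "prod-db-01", "session_id": "s2"},   # after the 12:00 expiry
    {"ts": "2024-05-01T10:20:00Z", "event": "session_launch", "user": "vendor-hw",
     "resource": "srv-42", "session_id": "s3"},       # grant not yet approved
    {"ts": "2024-05-01T10:30:00Z", "event": "session_launch", "user": "vendor-msp",
     "resource": "srv-42", "session_id": "s4"},       # no grant at all
    {"ts": "2024-05-01T11:50:00Z", "event": "session_launch", "user": "vendor-msp",
     "resource": "prod-db-01", "session_id": "s5"},   # valid, but never ends
]

# Time at which the audit is run (constructed).
NOW = parse_ts("2024-05-01T12:30:00Z")


def check_launch(grants: List[Grant], vendor: str, resource: str,
                 at: datetime) -> Optional[str]:
    """Return None if an approved grant covers the launch, else the reason it does not."""
    candidates = [g for g in grants if g.vendor == vendor and g.resource == resource]
    if not candidates:
        return "no grant for this vendor/resource"
    in_window = [g for g in candidates if g.start <= at <= g.end]
    if any(g.approved for g in in_window):
        return None
    if in_window:
        return "grant exists but is not approved"
    return "launch outside grant window"


def audit(grants: List[Grant], events: List[dict], now: datetime,
          grace: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Replay events in time order; flag bad launches and sessions open past expiry."""
    findings: List[Finding] = []
    open_sessions = {}  # session_id -> (launch event, covering grant)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        at = parse_ts(ev["ts"])
        if ev["event"] == "session_launch":
            reason = check_launch(grants, ev["user"], ev["resource"], at)
            if reason is not None:
                findings.append(Finding(ev["session_id"], ev["user"],
                                        ev["resource"], reason, at))
            else:
                grant = next(g for g in grants if g.vendor == ev["user"]
                             and g.resource == ev["resource"] and g.approved
                             and g.start <= at <= g.end)
                open_sessions[ev["session_id"]] = (ev, grant)
        elif ev["event"] == "session_end":
            open_sessions.pop(ev["session_id"], None)
    # Anything still open after its grant end (plus grace) should have been terminated.
    for sid, (ev, grant) in open_sessions.items():
        if now > grant.end + grace:
            findings.append(Finding(sid, ev["user"], ev["resource"],
                                    f"session {sid} still open past grant end", grant.end))
    return findings


if __name__ == "__main__":
    for f in audit(GRANTS, EVENTS, NOW):
        print(f"{f.at.isoformat()} {f.vendor} -> {f.resource}: {f.reason}")
```

Run as a script it prints four findings: the unapproved launch (s3), the launch with no grant (s4), the launch after expiry (s2), and the session (s5) still open after its grant ended. The grace period absorbs ordinary teardown delay so that only genuinely overrunning sessions are reported; tune it to how quickly your platform is expected to terminate sessions at the scheduled end time.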
An MSP or hardware vendor remotely troubleshooting a server
A compliance auditor reviewing system logs
A database consultant with short-term access to production
Vendor PAM is included in the standard KeeperPAM licensing model.
Provision the vendor through your identity provider
Assign role policies to the vendor
Deploy a Keeper Gateway
Create PAM resource records in the Keeper Vault
Activate PAM settings on the resource such as connections, tunnels and session recording
Share access to the resource through time-limited access without sharing the credentials
The screenshots below walk through the basic process of provisioning resources to a third-party vendor or contractor.
Invite the vendor through your identity provider, AD, SSO or SCIM connection. Alternatively, you can create a Node in your Keeper tenant that is associated with a different directory.
Vendors can be provisioned through AD/LDAP, SSO, SCIM or manually.
RBAC is applied to vendors through Role Enforcement policies:
Role policies can be configured to enforce MFA on every login, with a hardware-based FIDO2 security key, TOTP or other methods.
Typically, the vendor will have limited ability to create records or folders; in this case, they can only receive shared items.
Privileged Access Manager enforcement policies can then be limited to allow only launching connections and tunnels.
From the vault, the admin can assign the contractor to a Shared Folder with no permissions, or to individual resources as needed.
Within each resource, session recording, JIT and other capabilities are configured.
The vendor then logs in to their vault with MFA and can launch into the session. Credentials are not exposed. In this example, they have been provided access to a MySQL database.
The vendor launches the connection to the resource (in this case, a database) with one click. All session activity is recorded and logged.
Admin Console event logs are generated for session launch activity.
Vendor Privileged Access Management (VPAM) is included by default in all KeeperPAM environments—no separate license is required. External vendor accounts are treated the same as internal users in terms of licensing.
Depending on your organization’s policies, external vendors can also benefit from additional Keeper capabilities, including:
Accessing target systems from their own device using Keeper Tunnels
Federated identity support, allowing SSO integration with the vendor’s identity provider
Delegated Administration, to grant limited admin rights over specific nodes
Deploying Keeper Connection Manager (self-hosted) for remote access with a custom interface, session joining and advanced integration methods.