
Vendor Privileged Access Management

How KeeperPAM provides Vendor Privileged Access (VPAM)

Vendor Privileged Access Management (VPAM)

Secure third-party access to internal resources with KeeperPAM’s zero-trust architecture. This guide outlines how KeeperPAM enables secure, auditable, and time-limited access for external users like contractors, technicians, and vendors—without the need for VPNs or exposing credentials.


Overview

KeeperPAM provides native support for remote privileged access scenarios involving external users such as vendors, partners, and third-party technicians. The system enables secure access through a browser-based interface with full control, auditability, and session recording—no local agents or VPNs required.


Key Capabilities

Just-in-Time (JIT) Access

Vendors are granted time-limited access to specific systems only when needed. Access can be subject to approval workflows, expiration, and session recording.

Credential Injection (Zero Exposure)

Vendors never see or handle passwords. Keeper injects credentials directly into RDP, SSH, database, or web sessions via the Keeper Gateway.

Agentless, VPN-Free Access

All access occurs through a web browser or desktop app—no client software or VPN setup is required. This ensures fast onboarding and secure connectivity.

Session Recording and Monitoring

Every vendor session is fully recorded, including screen activity, keystrokes, and command logs. Sessions are viewable in the Vault UI and can be streamed to your SIEM.

Real-Time Threat Detection (KeeperAI)

KeeperAI monitors vendor sessions for suspicious activity and can terminate connections automatically based on risk thresholds and pattern detection.

Role-Based Access Controls (RBAC)

Admins can define access rules based on vendor role, project, or department. Sessions can be isolated, time-bound, and protocol-specific.

Compliance Support

All third-party access is auditable to meet GDPR, HIPAA, PCI-DSS, SOX, NIST, and other compliance standards. Detailed logs are retained and can be pushed to external SIEM tools.


How It Works

  1. Configure Vendor Access

    • In the Keeper Vault UI, create a record for the resource the vendor needs (e.g., SSH, RDP).

    • Place it in a shared folder with time-based permissions.

    • Apply RBAC policies as needed.

  2. Vendor Authentication

    • Invite the vendor to join your Keeper tenant using SSO or email/password/MFA.

    • Assign the vendor to a role.

    • Enforce MFA and other access policies.

    • The vendor logs in via the Keeper web vault or desktop app.

    • MFA is enforced even if the target resource lacks native MFA.

  3. Session Launch

    • The vendor selects the resource and initiates the connection.

    • Keeper Gateway injects credentials and brokers the session.

    • No credentials are revealed or copied to the vendor’s device.

  4. Session Monitoring

    • Keeper records screen activity, keystrokes, and command logs.

    • KeeperAI scans the session for anomalies and can terminate high-risk activity automatically.

  5. Access Expiration

    • Sessions are automatically terminated at the scheduled end time.

    • Shared folder permissions expire based on policy.
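The flow in the five steps above (and the JIT and credential-injection capabilities listed earlier) comes down to a gateway that holds the secret, checks for an approved time window and MFA before brokering a session, records what happens, and terminates the session when the window closes. The following is an added, constructed model of that pattern written for this page; it is not Keeper's code, does not use any Keeper API, and the class names, the `prod-mysql` resource, the vendor address and the password value are all made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Vendor:
    user_id: str
    role: str
    mfa_verified: bool = False  # set by the identity layer once MFA succeeds


@dataclass
class Grant:
    """A just-in-time grant: approved access to one resource for one window."""
    vendor_id: str
    resource: str
    not_before: datetime
    not_after: datetime
    approved: bool = False

    def active(self, now):
        return self.approved and self.not_before <= now < self.not_after


@dataclass
class Session:
    """What the vendor holds: a handle and a transcript, never the credential."""
    session_id: str
    vendor_id: str
    resource: str
    expires_at: datetime
    transcript: list = field(default_factory=list)
    terminated: bool = False


class Gateway:
    """Holds secrets, enforces grants and MFA, records activity, expires sessions."""

    def __init__(self, vault):
        self._vault = dict(vault)  # resource name -> credential; gateway-only
        self._grants, self._sessions, self.audit = [], {}, []  # audit = SIEM feed
        self._next_id = 1

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request_access(self, vendor, resource, starts, duration,
                       max_duration=timedelta(hours=8)):
        if resource not in self._vault:
            raise KeyError(f"unknown resource {resource}")
        if duration > max_duration:  # policy cap on the requested window
            raise ValueError("requested window exceeds policy maximum")
        grant = Grant(vendor.user_id, resource, starts, starts + duration)
        self._grants.append(grant)
        self._log("access_requested", vendor=vendor.user_id, resource=resource)
        return grant

    def approve(self, grant, approver):
        grant.approved = True
        self._log("access_approved", vendor=grant.vendor_id, approver=approver)

    def launch(self, vendor, resource, now):
        if not vendor.mfa_verified:  # MFA is checked here, not on the target
            self._log("launch_denied", vendor=vendor.user_id, reason="mfa_required")
            raise PermissionError("MFA required")
        grant = next((g for g in self._grants if g.vendor_id == vendor.user_id
                      and g.resource == resource and g.active(now)), None)
        if grant is None:
            self._log("launch_denied", vendor=vendor.user_id, reason="no_active_grant")
            raise PermissionError("no active grant")
        self._connect(resource, self._vault[resource])  # injection; secret stays here
        sid, self._next_id = f"sess-{self._next_id}", self._next_id + 1
        session = Session(sid, vendor.user_id, resource, grant.not_after)
        self._sessions[sid] = session
        self._log("session_started", session=sid, resource=resource)
        return session

    def _connect(self, resource, secret):
        # Stand-in for the real SSH/RDP/database handshake; only place the secret is used.
        assert secret, "empty credential"

    def run(self, session, command, now):
        if session.terminated:
            raise PermissionError("session terminated")
        if now >= session.expires_at:  # hard stop at the scheduled end time
            self._terminate(session, "expired")
            raise PermissionError("session expired")
        session.transcript.append((now.isoformat(), command))  # session recording
        self._log("command", session=session.session_id, command=command)
        return f"executed on {session.resource}: {command}"

    def _terminate(self, session, reason):
        session.terminated = True
        self._log("session_terminated", session=session.session_id, reason=reason)

    def expire_sessions(self, now):
        """Scheduled sweep: terminate every live session past its end time."""
        ended = [s for s in self._sessions.values()
                 if not s.terminated and now >= s.expires_at]
        for s in ended:
            self._terminate(s, "expired")
        return len(ended)


def demo():
    """Constructed walk-through: request, approval, MFA, session, expiry."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    gw = Gateway({"prod-mysql": "CONSTRUCTED-DB-PASSWORD"})
    vendor = Vendor("dba-contractor@example.com", role="vendor")
    grant = gw.request_access(vendor, "prod-mysql", t0, timedelta(hours=2))
    gw.approve(grant, approver="admin@example.com")
    try:
        gw.launch(vendor, "prod-mysql", t0)  # denied: MFA not yet satisfied
    except PermissionError:
        pass
    vendor.mfa_verified = True
    session = gw.launch(vendor, "prod-mysql", t0 + timedelta(minutes=5))
    output = gw.run(session, "SELECT 1", t0 + timedelta(minutes=10))
    swept = gw.expire_sessions(t0 + timedelta(hours=2))
    return gw, session, output, swept


if __name__ == "__main__":
    gw, session, output, swept = demo()
    for event in gw.audit:
        print(event)
```

Running `demo()` prints the audit trail in order: request, approval, a denied launch (no MFA), a started session, one recorded command, and the termination at the end of the window. The point to notice is that `Session` has no credential field at all: the only place the password is read is inside `Gateway.launch`, which is the model's equivalent of the gateway injecting it into the RDP, SSH or database handshake.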


Example Use Cases

  • An MSP or hardware vendor remotely troubleshooting a server

  • A compliance auditor reviewing system logs

  • A database consultant with short-term access to production


Get Started

Vendor PAM is included in the standard KeeperPAM licensing model.

  • Activate KeeperPAM

  • Provision the vendor through your identity provider

  • Assign role policies to the vendor

  • Deploy a Keeper Gateway

  • Create PAM resource records in the Keeper Vault

  • Activate PAM settings on the resource, such as connections, tunnels and session recording

  • Share the resource with time-limited access, without sharing the credentials

Screenshots

The screenshots below walk through the basic process of provisioning resources to a third-party vendor or contractor.

Invite the vendor through your identity provider, AD, SSO or SCIM connection. Alternatively, you can create a Node in your Keeper tenant that is associated with a different directory.

Creating a Vendor Node

Vendors can be provisioned through AD/LDAP, SSO, SCIM or manually.

Provisioning Method

RBAC is applied to vendors through Role Enforcement policies:

Add Vendor Role

Role policies can be configured to enforce MFA on every login, with a hardware-based FIDO2 security key, TOTP or other methods.

MFA Enforcement

Typically, the vendor will have limited ability to create records or folders; in this case, they can only receive shared items.

Sharing Enforcement

Privileged Access Manager enforcement policies can then be limited to allow only launching connections and tunnels.

PAM Enforcements

From the vault, the admin can assign the contractor to a Shared Folder with no permissions, or to individual resources as needed.

Shared Folder

Within each resource, session recording, JIT and other capabilities are configured.

PAM Settings

The vendor then logs in to their vault with MFA and can launch into the session. Credentials are not exposed. In this example, they have been provided access to a MySQL database.

MFA into the Keeper Vault

The vendor launches the connection to the resource (in this case, a database) with one click. All session activity is recorded and logged.

Launching a connection

Admin Console event logs are generated for session launch activity.

Event Logs

Additional Info

Vendor Privileged Access Management (VPAM) is included by default in all KeeperPAM environments—no separate license is required. External vendor accounts are treated the same as internal users in terms of licensing.

Depending on your organization’s policies, external vendors can also benefit from additional Keeper capabilities, including:

  • Accessing target systems from their own device using Keeper Tunnels

  • Federated identity support, allowing SSO integration with the vendor’s identity provider

  • Delegated Administration, to designate limited admin rights over specific nodes

  • Deploying Keeper Connection Manager (self-hosted) for remote access with a custom interface, session joining and advanced integration methods