# Enforcement Policies

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FHAQZMfu5ZSg6QAGqOJiF%2FEnforcement%20Policies.jpg?alt=media&#x26;token=926aec64-b51a-4117-9f66-6e47da3f221b" alt=""><figcaption></figcaption></figure>

## Overview

Role-based Access Controls (RBAC) give your organization the ability to define enforcements based on a user's job responsibility and to delegate administrative functions. Before proceeding with this guide, familiarize yourself with roles and enforcement policies.

### Enable PAM Policies

From the Admin Console, enable the corresponding PAM Enforcement Policies.

* Log in to the Keeper Admin Console for your region.
* Under **Admin** > **Roles**, create a new role for PAM or modify an existing role.
* Go to **Enforcement Policies** and open the "**Privileged Access Manager**" section.
* Enable all the [PAM enforcement policies](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/enforcement-policies) to use the new features.

## Privileged Access Manager Policies

### Secrets Manager

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can create applications and manage secrets</td><td>Allow users to create and manage KSM applications</td><td><pre data-overflow="wrap"><code>ALLOW_SECRETS_MANAGER
</code></pre></td></tr></tbody></table>

### Keeper Gateway

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can create, deploy, and manage Keeper Gateways</td><td>Allow users to create, setup, and manage Keeper Gateways</td><td><pre><code>ALLOW_PAM_GATEWAY
</code></pre></td></tr></tbody></table>

### Keeper Rotation

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure rotation settings</td><td>Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_ROTATION_SETTINGS
</code></pre></td></tr><tr><td>Can rotate credentials</td><td>Allow users to rotate credentials on PAM User Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_ROTATE_CREDENTIALS
</code></pre></td></tr></tbody></table>

### Keeper Connection Manager (KCM)

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure connection settings</td><td>Allow users to configure Connection and Session Recordings settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS
</code></pre></td></tr><tr><td>Can launch connections</td><td>Allow users to launch connections on PAM Machine, PAM Directory, PAM Database Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION
</code></pre></td></tr><tr><td>Can view session recordings</td><td>Allow users to view Session Recordings</td><td><pre data-overflow="wrap"><code>ALLOW_VIEW_KCM_RECORDINGS
</code></pre></td></tr></tbody></table>

### Keeper Tunnels

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure tunnel settings</td><td>Allow users to configure Tunnel settings on PAM Machine, PAM Directory, PAM Database and PAM Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS
</code></pre></td></tr><tr><td>Can start tunnels</td><td>Allow users to start tunnels on PAM Machine, PAM Directory, PAM Database Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_PAM_TUNNELS
</code></pre></td></tr></tbody></table>

### Remote Browser Isolation (RBI)

<table><thead><tr><th>Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can configure remote browsing</td><td>Allow users to configure Remote Browser and Session Recordings settings on PAM Remote Browsing and Configuration Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_RBI
</code></pre></td></tr><tr><td>Can launch remote browsing</td><td>Allow users to launch remote browsing on PAM Remote Browsing Record Types</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_RBI
</code></pre></td></tr><tr><td>Can view RBI session recordings</td><td>Allow users to view RBI Session Recordings</td><td><pre data-overflow="wrap"><code>ALLOW_VIEW_RBI_RECORDINGS
</code></pre></td></tr></tbody></table>

### Discovery

{% hint style="info" %}
Discovery is currently only available on Keeper Commander. The UI is coming soon.
{% endhint %}

<table><thead><tr><th width="213">Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Can run discovery</td><td>Allow users to run discovery</td><td><pre data-overflow="wrap"><code>ALLOW_PAM_DISCOVERY
</code></pre></td></tr></tbody></table>

### Legacy Policies

These policies are no longer required for new functionality, but they remain in place to support legacy features.

<table><thead><tr><th width="213">Policy</th><th>Definition</th><th>Commander CLI</th></tr></thead><tbody><tr><td>Legacy allow rotation</td><td>Allow users to perform password rotation</td><td><pre data-overflow="wrap"><code>ALLOW_PAM_ROTATION
</code></pre></td></tr></tbody></table>

### Commander CLI

The [Keeper Commander](https://docs.keeper.io/keeperpam/commander-cli) CLI `enterprise-role` command can be used to set these policies through automation. The policies related to PAM functionality are listed below.

```
enterprise-role ROLE_ID --enforcement "ALLOW_SECRETS_MANAGER:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_ROTATION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_DISCOVERY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_PAM_GATEWAY:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_ROTATE_CREDENTIALS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_PAM_TUNNELS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_LAUNCH_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_CONFIGURE_RBI:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_KCM_RECORDINGS:True"
enterprise-role ROLE_ID --enforcement "ALLOW_VIEW_RBI_RECORDINGS:True"
```
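The commands above grant every PAM policy to one role. In practice a least-privilege setup wants several narrower roles (operators who can launch connections but not change connection or recording settings, auditors who can only view recordings, a small admin role). The script below is an added example, not code from Keeper's documentation or from the Commander project. It takes the policy names and the `enterprise-role ROLE_ID --enforcement "POLICY:True"` command form from this page; the role profiles, the separation-of-duties rule (a role that can view session recordings should not also be able to reconfigure recording settings), the drift check and the placeholder role id are this example's own assumptions, not Keeper guidance.

```python
"""Build and sanity-check least-privilege Keeper Commander `enterprise-role` commands.

Added example, not code from Keeper's documentation or the Commander project.
From the page: the PAM policy names and the command form
`enterprise-role ROLE_ID --enforcement "POLICY:True"`.
Assumed (this example's own, not Keeper guidance): the role profiles, the
separation-of-duties rule and the placeholder ROLE_ID values.
"""
from __future__ import annotations

# PAM enforcement policies exactly as listed on the page, grouped by feature.
PAM_POLICIES: dict[str, frozenset[str]] = {
    "secrets_manager": frozenset({"ALLOW_SECRETS_MANAGER"}),
    "gateway": frozenset({"ALLOW_PAM_GATEWAY"}),
    "rotation": frozenset({"ALLOW_CONFIGURE_ROTATION_SETTINGS",
                           "ALLOW_ROTATE_CREDENTIALS"}),
    "kcm": frozenset({"ALLOW_CONFIGURE_PAM_CLOUD_CONNECTION_SETTINGS",
                      "ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION",
                      "ALLOW_VIEW_KCM_RECORDINGS"}),
    "tunnels": frozenset({"ALLOW_CONFIGURE_PAM_TUNNELING_SETTINGS",
                          "ALLOW_LAUNCH_PAM_TUNNELS"}),
    "rbi": frozenset({"ALLOW_CONFIGURE_RBI", "ALLOW_LAUNCH_RBI",
                      "ALLOW_VIEW_RBI_RECORDINGS"}),
    "discovery": frozenset({"ALLOW_PAM_DISCOVERY"}),
}
LEGACY_POLICIES = frozenset({"ALLOW_PAM_ROTATION"})  # from the "Legacy Policies" table
KNOWN_POLICIES = frozenset().union(*PAM_POLICIES.values()) | LEGACY_POLICIES

# Policies that change how targets are reached or recorded, vs. ones that only use them.
CONFIGURE_POLICIES = frozenset(p for p in KNOWN_POLICIES if p.startswith("ALLOW_CONFIGURE_"))
VIEW_POLICIES = frozenset(p for p in KNOWN_POLICIES if p.startswith("ALLOW_VIEW_"))

# Assumed role profiles for this example (not Keeper defaults).
PROFILES: dict[str, frozenset[str]] = {
    "pam-operator": frozenset({"ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION",
                               "ALLOW_LAUNCH_PAM_TUNNELS", "ALLOW_LAUNCH_RBI"}),
    "pam-auditor": VIEW_POLICIES,
    "pam-admin": KNOWN_POLICIES - LEGACY_POLICIES,
}


def check_policies(policies: set[str] | frozenset[str]) -> list[str]:
    """Return findings for a proposed policy set; an empty list means no concerns.

    Checks: names not on the page (a typo would silently grant nothing), the
    legacy rotation policy, and the assumed separation-of-duties rule that a
    role viewing session recordings should not also configure recording settings.
    The admin profile is expected to trip the last rule; that is a conscious choice.
    """
    wanted = set(policies)
    findings = [f"unknown policy name: {p}" for p in sorted(wanted - KNOWN_POLICIES)]
    findings += [f"legacy policy enabled, not required for new features: {p}"
                 for p in sorted(wanted & LEGACY_POLICIES)]
    if wanted & VIEW_POLICIES and wanted & CONFIGURE_POLICIES:
        findings.append("separation of duties: role both views recordings and "
                        "configures connection/recording settings")
    return findings


def build_commands(role_id: str, policies: set[str] | frozenset[str]) -> list[str]:
    """Emit one `enterprise-role` command per policy, in the form shown on the page."""
    return [f'enterprise-role {role_id} --enforcement "{p}:True"' for p in sorted(policies)]


def excess_policies(profile: str, granted: set[str] | frozenset[str]) -> set[str]:
    """Policies a role currently holds that its profile does not call for (drift)."""
    return set(granted) - PROFILES[profile]


if __name__ == "__main__":
    # Constructed current state of an operator role that has drifted (placeholder id).
    current = {"ALLOW_LAUNCH_PAM_ON_CLOUD_CONNECTION", "ALLOW_CONFIGURE_RBI",
               "ALLOW_PAM_ROTATION"}
    for finding in check_policies(current):
        print("finding:", finding)
    print("drift:", sorted(excess_policies("pam-operator", current)))
    for cmd in build_commands("ROLE_ID", PROFILES["pam-operator"] - current):
        print(cmd)
```

The generated commands only enable the policies a profile is missing; anything reported as drift is left for the administrator to remove deliberately, since the page only documents the `:True` form of `--enforcement`.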
