Post-Rotation Scripts

Perform privileged automation tasks with Post-Rotation scripts and password rotation

Overview

Post-rotation scripts (PAM Scripts) are user-defined software programs that perform privileged automation tasks. Scripts can be attached to any PAM resource record in the vault. Depending on the type of PAM record the script is attached to, the script will execute either on the Keeper Gateway or on the remote host where the password rotation occurred.

The following table shows all the available PAM Records and where the attached script will execute:

Record Type        | Attached Post Execution Script will execute on
PAM Configuration  | Gateway
PAM Machine        | The Machine specified in the record
PAM Database       | Gateway
PAM Directory      | Gateway
PAM User           | Gateway

Order of Execution

Scripts will be executed in the following order:

  1. Scripts attached to a PAM User Record type

  2. Scripts attached to a PAM Machine, PAM Database, or PAM Directory Record type

  3. Scripts attached to a PAM Configuration Record type

If multiple scripts are attached to a record, scripts will be executed in the order they appear on the PAM Record.
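
The ordering and location rules above can be combined into a single execution plan, which is useful when reviewing which host ends up running which privileged script. The following is an added example, not Keeper code: the names RULES, Record, execution_plan and scripts_off_gateway are hypothetical, and the record titles and script names are constructed.

```python
# Added illustration of the rules stated on this page; not Keeper code.
from dataclasses import dataclass, field

# Record type -> (execution phase, where attached scripts run), taken from
# the table and the "Order of Execution" list on this page.
RULES = {
    "PAM User": (1, "Gateway"),
    "PAM Machine": (2, "The Machine specified in the record"),
    "PAM Database": (2, "Gateway"),
    "PAM Directory": (2, "Gateway"),
    "PAM Configuration": (3, "Gateway"),
}

@dataclass
class Record:
    record_type: str
    title: str
    scripts: list = field(default_factory=list)  # in the order shown on the record

def execution_plan(records):
    """Return (phase, script, record title, runs_on) tuples in execution order."""
    plan = []
    for rec in records:
        if rec.record_type not in RULES:
            raise ValueError(f"no execution rule for record type {rec.record_type!r}")
        phase, runs_on = RULES[rec.record_type]
        for script in rec.scripts:
            plan.append((phase, script, rec.title, runs_on))
    # sorted() is stable: scripts on one record keep their attached order.
    # Order between different records of the same phase is not stated on the
    # page; this sketch keeps input order (assumption).
    return sorted(plan, key=lambda step: step[0])

def scripts_off_gateway(plan):
    """Steps that run on a remote host instead of the Gateway."""
    return [step for step in plan if step[3] != "Gateway"]

# Constructed sample: one rotation involving three records.
SAMPLE = [
    Record("PAM Configuration", "lab-config", ["notify-team.sh"]),
    Record("PAM Machine", "app-server-01", ["restart-service.sh", "update-task.sh"]),
    Record("PAM User", "svc-app", ["revoke-sessions.sh"]),
]

if __name__ == "__main__":
    for phase, script, title, runs_on in execution_plan(SAMPLE):
        print(f"{phase}. {script:<20} from {title:<15} runs on: {runs_on}")
```

Scripts returned by scripts_off_gateway depend on the interpreter and permissions available on the target machine, so they deserve separate review from those that run on the Gateway.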

Common Use Cases

Here are some of the use cases made possible with Keeper Post-Rotation Scripts:

  • Updating dependent services or applications

  • Updating credentials for scheduled tasks

  • Revoking access to a resource

  • Sending notifications to team members

  • Propagating the password change to other systems

  • Any other custom privilege automation task
