# Troubleshooting

## Access Denied

When attempting a Secrets Manager command in Commander, the tool responds with `access_denied`.

**Solution**

In order to utilize Keeper Secrets Manager, two permission criteria must be met:

1. The Secrets Manager add-on must be enabled for your Keeper account, and you must have an active (non-expired) subscription.
2. You must be in a role with the Secrets Manager enforcement policy enabled.

### Enabling the Secrets Manager Add On

Secrets Manager can be added from the "Secure Add Ons" section of the [Keeper Admin Console](/enterprise-guide/getting-started-with-keeper-admin-console.md).

### Enabling the Secrets Manager Enforcement Policy

In the [Keeper Admin Console](/enterprise-guide/getting-started-with-keeper-admin-console.md) add Secrets Manager to a role with role enforcements. Select or create a new role, open the "Enforcement Policies" settings and navigate to the "Privileged Access Manager" tab to allow or disallow Secrets Manager for the role.

Any users that are in a role with Secrets Manager allowed will be able to see the Secrets Manager tab in their Keeper Vault, and create and manage Secrets Manager Applications and Devices.

<details>

<summary>Enabling Secrets Manager with Keeper Commander</summary>

You must have Keeper account administrative permissions to create and edit roles.

To enable the Secrets Manager enforcement policy, use the following command in [Keeper Commander](https://docs.keeper.io/keeperpam/commander-cli):

```
er --enforcement="allow_secrets_manager:true" "<ROLE NAME>"
```

Replace `<ROLE NAME>` with the role you would like to apply the enforcement policy to.

For example, to set the enforcement on the Keeper Administrator role:

```
er --enforcement="allow_secrets_manager:true" "Keeper Administrator"
```

For more information on creating and editing roles, and adding users to roles, see the [Enterprise Management Commands documentation](/keeperpam/commander-cli/command-reference/enterprise-management-commands.md).

</details>

## Record UID Starts With "-"

When performing commands with the KSM CLI that use a record or folder UID as an input, the command line interface cannot distinguish between a UID that starts with "-" and a command option. If the UID you are using begins with a "-" (dash / hyphen) simply **add "--" before the UID** to use it.

Example:

`ksm secret get -- -id8QpE2ZAkdd4KlCfoWQ`

*\*The UID in this example is not a real record UID*

## Record not Found

When fetching secrets using Secrets Manager, the system responds that the record could not be found.

**Solution**

There are two reasons that this message may appear:

1. The record that is being searched for is not shared with the Secrets Manager Application.
2. The record is a legacy (V2) non-typed record.

### Share Records with Secrets Manager

Individual records can be shared with a Secrets Manager Application, or a shared folder can be shared with a Secrets Manager Application, which will give access to all records in that folder.

To share records or shared folders with a Secrets Manager Application, in Commander use the following command:

```
sm share add -a <APPLICATION NAME> -s <RECORD OR FOLDER UID>
```

### Identify Typed Records

Keeper Secrets Manager supports typed records (V3) only. If a legacy, non-typed record is queried, Secrets Manager will respond that the record cannot be found.

To identify whether a record is typed, use the `get` command in Commander:

```
get <UID>
```

If the record has a type (and is compatible with Secrets Manager), the type is displayed in the record information:

```
my vault> get pICzm4iw9sW454m2ZR4mmQ

                 UID: pICzm4iw9sW454m2ZR4mmQ
                Type: login
               Title: My Login
             (login): john.doe
          (password): N*3s.kk/Ji20}cJ7
              Shared: False
       Last Modified: 2021-10-18 16:08:04
            Revision: 887800170
```

If the record is not typed (and not compatible with Secrets Manager) it will not have a Type field.

Additionally, you can view all records in the current folder using the `ls -l` command. The resulting table has a Type column. Any records that are blank in the Type column are non-typed records.

```
My Vault> ls -l
  #  Folder UID              Name               Flags
---  ----------------------  -----------------  -------
  1  RpdmergF5lpsaID3TcHu8A  Devops Secrets     S
  2  461XtX26R1SggIyQDFGfZg  Secrets            S
  3  ZDw67iL28d6-YqUVwBHAug  Social

  #  Record UID              Type                 Title                    Login                  URL
---  ----------------------  -------------------  -----------------------  ---------------------  -------------------
  1  FyP2it0DzwIDPSbch2WyHw  address              Bank Address 1
  2  pICzm4iw9sWS_4m2ZR4mmQ  login                breached                 john.doe@example.com    keepersecurity.com
  3  qUX4gSlmDRfM1Kq9lrQi-w  databaseCredentials  MySQL Database           SQL_Admin
  4  rlr04tiSxFmLmRNjEC7h7Q                       NonTyped Record          legacy                  test.com
```

In the above example, the bottom record (#4) is not typed and is not compatible with Secrets Manager.

### Create Typed Records

Typed records can be created by clicking "Create New" in the vault, or by using the [add command](/keeperpam/commander-cli/command-reference/record-commands.md#add-command-record-types) in Commander.

{% hint style="warning" %}
When choosing a record type, all types are compatible with Secrets Manager except for the "General" type.

General type records are identical to legacy, non typed records.
{% endhint %}

**Replace an existing record**

If you have existing non typed records that you would like to use with Secrets Manager, we recommend creating a "Login" type record and copying the information to it.

Login type records have identical fields to legacy non typed Keeper records.

![Login type records have the same fields as legacy Keeper records](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FTG9RqjA7M6aC9SgkAQdp%2Fimage.png?alt=media\&token=6567844a-f602-4c8a-9548-5deeeb24e6d8)

![Copy fields and files into the new typed record](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FZI8uVnbFAttuJSrHO6bu%2Fimage.png?alt=media\&token=a7f8f60a-9acb-46c1-acbc-7d1373a5202c)

Place the new typed record in a shared folder that your Secrets Manager application can access, or use the UID to share it to an application directly.

### Convert Untyped Records

Untyped records can be converted to typed records that Secrets Manager can utilize by using the `convert` command in Keeper Commander.

Format:

`convert <UID> --type <TYPE>`

Example:

```
convert Dtvb84zwkBmZgxrUByUfpg --type login
```

The convert command can use patterns to find all relevant records, can recursively apply the conversion to all sub-folders, and supports all record types.

For more information on using the `convert` command, see the [Commander documentation.](/keeperpam/commander-cli/command-reference/record-commands/record-type-commands.md#convert-command)

## Throttling

The Keeper Secrets Manager API throttles requests based on the Device ID. If your connection is throttled, you will receive an error, such as a 503 response code (the actual message depends on the integration/SDK being used).

### Details of the rate limits:

The Secrets Manager APIs are set to limit any system that makes more than 200 calls without a 10-second break.

This count resets when the 10-second timer expires; however, the timer renews with each subsequent request sent in less than 10 seconds. So without a 10-second pause, the system will continue to be throttled.

#### Examples of when you may be throttled:

* Making 201 calls in less than 10 seconds
* Making 1 call every 9 seconds: you will be throttled on your 201st call

To resolve a throttling limit:

* Generate additional Device IDs for each machine sending requests
* Pause requests for 10 seconds after every 200 calls

{% hint style="info" %}
If you require changes to your throttling limit, please contact the Keeper team at <commander@keepersecurity.com>
{% endhint %}
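The limit described above can be modelled and respected on the client side. The following is an added example, not Keeper's code: `first_throttled_call` models the documented rule and `CallPacer` pauses for 10 seconds after every 200 calls made with one Device ID. All names are hypothetical, and the server behaviour is assumed to match the description on this page.

```python
import time

LIMIT, QUIET = 200, 10.0  # values stated on this page

def first_throttled_call(timestamps, limit=LIMIT, quiet=QUIET):
    """Model of the documented rule (an assumption about server behaviour):
    return the 1-based index of the first call that would be throttled, or
    None. The count resets only after a gap of `quiet` seconds between calls."""
    count, last = 0, None
    for i, t in enumerate(timestamps, start=1):
        if last is not None and t - last >= quiet:
            count = 0
        count += 1
        last = t
        if count > limit:
            return i
    return None

class CallPacer:
    """Call wait() before every Secrets Manager request sent with one Device ID."""
    def __init__(self, limit=LIMIT, quiet=QUIET,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.quiet = limit, quiet
        self._clock, self._sleep = clock, sleep
        self._count, self._last = 0, None

    def wait(self):
        now = self._clock()
        if self._last is not None and now - self._last >= self.quiet:
            self._count = 0            # a natural 10-second gap already reset the count
        if self._count >= self.limit:
            self._sleep(self.quiet)    # pause 10 seconds after every 200 calls
            now = self._clock()
            self._count = 0
        self._count += 1
        self._last = now
        return now

def paced_timestamps(n_calls, interval):
    """Constructed demo: drive CallPacer with a fake clock, attempting one call
    every `interval` seconds, and return the times the calls are actually sent."""
    t = [0.0]
    def fake_sleep(seconds):
        t[0] += seconds
    pacer = CallPacer(clock=lambda: t[0], sleep=fake_sleep)
    sent = []
    for _ in range(n_calls):
        sent.append(pacer.wait())
        t[0] += interval
    return sent
```

Use one `CallPacer` per Device ID, since the throttle is applied per Device ID.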


