KeeperPAM Commands

Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling.

Overview

KeeperPAM functionality including discovery, password rotation, PAM Configuration, Keeper Gateway configuration can be controlled and operated through Commander using the pam command and sub-commands.

PAM Record types command reference and examples are on this page

pam Command

command: pam

Detail: Perform KeeperPAM controls.

My Vault> pam
pam command [--options]

Command     Description
----------  -----------------------------------------
gateway     Manage Gateways
config      Manage PAM Configurations
rotation    Manage Rotations
action      Execute action on the Gateway
tunnel      Manage Tunnels
split       Split credentials from legacy PAM Machine
legacy      Switch to legacy PAM commands
connection  Manage Connections
rbi         Manage Remote Browser Isolation
project     PAM Project Import/Export
launch      Launch a connection to a PAM resource
workflow    Manage PAM Workflows

Sub Commands

Sub-Command: gateway

Detail: View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway click here.

My Vault> pam gateway help
pam command [--options]

Command            Description
-----------------  ------------------
list               List Gateways
new                Create new Gateway
edit               Edit Gateway
remove             Remove Gateway
set-max-instances  Set maximum gateway instances

list

Lists all gateways accessible by the Commander user. This includes:

Gateways directly accessible by the user in their vault.
Gateways registered under any managed node from the user's role.

My Vault> pam gateway list -h
usage: pam [-h] [--force] [--verbose] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --force, -f           Force retrieval of gateways
  --verbose, -v         Verbose output
  --format {table,json}
                        Output format (table, json)

new

My Vault> pam gateway new -h
usage: dr-create-gateway [-h] --name GATEWAY_NAME --application KSM_APP [--token-expires-in-min TOKEN_EXPIRE_IN_MIN]
                         [--return_value] [--config-init {json,b64}]

options:
  -h, --help            show this help message and exit
  --name GATEWAY_NAME, -n GATEWAY_NAME
                        Name of the Gateway
  --application KSM_APP, -a KSM_APP
                        KSM Application name or UID. Use command `sm app list` to view available KSM Applications.
  --token-expires-in-min TOKEN_EXPIRE_IN_MIN, -e TOKEN_EXPIRE_IN_MIN
                        Time for the one time token to expire. Maximum 1440 minutes (24 hrs). Default: 60
  --return_value, -r    Return value from the command for automation purposes
  --config-init {json,b64}, -c {json,b64}
                        Initialize client config and return configuration string.

edit

Allows updating the gateway's name or registered node. Equivalent actions can be performed in the Admin Console, under Secrets Manager → Gateways.

My Vault> pam gateway edit -h
usage: pam [-h] [--gateway GATEWAY] [--name GATEWAY_NAME] [--node-id NODE_ID]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway UID or Name
  --name GATEWAY_NAME, -n GATEWAY_NAME
                        Name of the Gateway
  --node-id NODE_ID, -i NODE_ID
                        Node ID

remove

Removes a gateway. The user executing this command must have admin rights on the gateway's parent application to perform this action.

My Vault> pam gateway remove -h
usage: pam [-h] --gateway GATEWAY

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        UID of the Gateway

set-max-instances

Defines maximum gateway pool instances. Used for High Availability integrations.

My Vault> pam gateway set-max-instances -h
usage: pam [-h] --gateway GATEWAY --max-instances MAX_INSTANCES

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway UID or Name
  --max-instances MAX_INSTANCES, -m MAX_INSTANCES
                        Maximum number of gateway instances (must be >= 1)

Sub-Command: config

Detail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations click here.

My Vault> pam config help
pam command [--options]

Command    Description
---------  -------------------------------------------------------------
new        Create new PAM Configuration
edit       Edit PAM Configuration
list       List available PAM Configurations associated with the Gateway
remove     Remove a PAM Configuration

new

My Vault> pam config new -h
usage: pam config new [-h] [--environment {local,aws,azure}] [--title TITLE] [--gateway GATEWAY_UID]
                      [--shared-folder SHARED_FOLDER_UID] [--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING]
                      [--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR] [--aws-id AWS_ID]
                      [--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
                      [--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET]
                      [--subscription_id SUBSCRIPTION_ID] [--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUP]
                      [--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
                      [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
                      [--typescript-recording {on,off,default}]

options:
  -h, --help            show this help message and exit
  --environment {local,aws,azure}, -env {local,aws,azure}
                        PAM Configuration Type
  --title TITLE, -t TITLE
                        Title of the PAM Configuration
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID or Name
  --shared-folder SHARED_FOLDER_UID, -sf SHARED_FOLDER_UID
                        Share Folder where this PAM Configuration is stored. Should be one of the folders to which the
                        gateway has access to.
  --schedule DEFAULT_SCHEDULE, -sc DEFAULT_SCHEDULE
                        Default Schedule: Use CRON syntax
  --port-mapping PORT_MAPPING, -pm PORT_MAPPING
                        Port Mapping
  --connections {on,off,default}, -c {on,off,default}
                        Set connections permissions
  --tunneling {on,off,default}, -u {on,off,default}
                        Set tunneling permissions
  --rotation {on,off,default}, -r {on,off,default}
                        Set rotation permissions
  --remote-browser-isolation {on,off,default}, -rbi {on,off,default}
                        Set remote browser isolation permissions
  --connections-recording {on,off,default}, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording {on,off,default}, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource

network:
  Local network configuration

  --network-id NETWORK_ID
                        Network ID
  --network-cidr NETWORK_CIDR
                        Network CIDR

aws:
  AWS configuration

  --aws-id AWS_ID       AWS ID
  --access-key-id ACCESS_KEY_ID
                        Access Key Id
  --access-secret-key ACCESS_SECRET_KEY
                        Access Secret Key
  --region-name REGION_NAMES
                        Region Names

azure:
  Azure configuration

  --azure-id AZURE_ID   Azure Id
  --client-id CLIENT_ID
                        Client Id
  --client-secret CLIENT_SECRET
                        Client Secret
  --subscription_id SUBSCRIPTION_ID
                        Subscription Id
  --tenant-id TENANT_ID
                        Tenant Id
  --resource-group RESOURCE_GROUP
                        Resource Group

edit

My Vault> pam config edit -h                                                                                                                            
usage: pam config edit [-h] [--environment {local,aws,azure,domain,oci}] [--title TITLE] [--gateway GATEWAY_UID] [--shared-folder SHARED_FOLDER_UID]
                       [--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING] [--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR]
                       [--aws-id AWS_ID] [--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
                       [--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET] [--subscription_id SUBSCRIPTION_ID]
                       [--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUPS] [--domain-id DOMAIN_ID] [--domain-hostname DOMAIN_HOSTNAME]
                       [--domain-port DOMAIN_PORT] [--domain-use-ssl {true,false}] [--domain-scan-dc-cidr {true,false}]
                       [--domain-network-cidr DOMAIN_NETWORK_CIDR] [--domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL] [--oci-id OCI_ID]
                       [--oci-admin-id OCI_ADMIN_ID] [--oci-admin-public-key OCI_ADMIN_PUBLIC_KEY] [--oci-admin-private-key OCI_ADMIN_PRIVATE_KEY]
                       [--oci-tenancy OCI_TENANCY] [--oci-region OCI_REGION] [--remove-resource-record REMOVE_RECORDS]
                       [--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
                       [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
                       [--typescript-recording {on,off,default}]
                       uid

positional arguments:
  uid                   The Config UID to edit

options:
  -h, --help            show this help message and exit
  --environment, -env {local,aws,azure,domain,oci}
                        PAM Configuration Type
  --title, -t TITLE     Title of the PAM Configuration
  --gateway, -g GATEWAY_UID
                        Gateway UID or Name
  --shared-folder, -sf SHARED_FOLDER_UID
                        Share Folder where this PAM Configuration is stored. Should be one of the folders to which the gateway has access to.
  --schedule, -sc DEFAULT_SCHEDULE
                        Default Schedule: Use CRON syntax
  --port-mapping, -pm PORT_MAPPING
                        Port Mapping
  --remove-resource-record, -rrr REMOVE_RECORDS
                        Resource Record UID to remove
  --connections, -c {on,off,default}
                        Set connections permissions
  --tunneling, -u {on,off,default}
                        Set tunneling permissions
  --rotation, -r {on,off,default}
                        Set rotation permissions
  --remote-browser-isolation, -rbi {on,off,default}
                        Set remote browser isolation permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource

network:
  Local network configuration

  --network-id NETWORK_ID
                        Network ID
  --network-cidr NETWORK_CIDR
                        Network CIDR

aws:
  AWS configuration

  --aws-id AWS_ID       AWS ID
  --access-key-id ACCESS_KEY_ID
                        Access Key Id
  --access-secret-key ACCESS_SECRET_KEY
                        Access Secret Key
  --region-name REGION_NAMES
                        Region Names

azure:
  Azure configuration

  --azure-id AZURE_ID   Azure Id
  --client-id CLIENT_ID
                        Client Id
  --client-secret CLIENT_SECRET
                        Client Secret
  --subscription_id SUBSCRIPTION_ID
                        Subscription Id
  --tenant-id TENANT_ID
                        Tenant Id
  --resource-group RESOURCE_GROUPS
                        Resource Group

domain:
  Domain configuration

  --domain-id DOMAIN_ID
                        Domain ID
  --domain-hostname DOMAIN_HOSTNAME
                        Domain hostname
  --domain-port DOMAIN_PORT
                        Domain port
  --domain-use-ssl {true,false}
                        Domain use SSL flag
  --domain-scan-dc-cidr {true,false}
                        Domain scan DC CIDR flag
  --domain-network-cidr DOMAIN_NETWORK_CIDR
                        Domain Network CIDR
  --domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL
                        Domain administrative credential

oci:
  OCI configuration

  --oci-id OCI_ID       OCI ID
  --oci-admin-id OCI_ADMIN_ID
                        OCI Admin ID
  --oci-admin-public-key OCI_ADMIN_PUBLIC_KEY
                        OCI admin public key
  --oci-admin-private-key OCI_ADMIN_PRIVATE_KEY
                        OCI admin private key
  --oci-tenancy OCI_TENANCY
                        OCI tenancy
  --oci-region OCI_REGION
                        OCI region

list

My Vault> pam config list -h                                                                                                                            
usage: pam config list [-h] [--config PAM_CONFIGURATION] [--verbose] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --config, -c PAM_CONFIGURATION
                        Specific PAM Configuration UID
  --verbose, -v         Verbose
  --format {table,json}
                        Output format (table, json)

remove

My Vault> pam config remove -h                                                                                                                          
usage: pam config remove [-h] uid

positional arguments:
  uid         PAM Configuration UID. To view all rotation settings with their UIDs, use command `pam config list`

options:
  -h, --help  show this help message and exit

Sub-Command: connection

This command will edit the connection parameters and user accounts that are attached to PAM Machine and PAM Database records. The process can also be done in bulk with the run-batch command. To launch the connection, use the Keeper vault or Desktop app.

Prerequisites: Ensure that the PAM user credential, PAM Machine or PAM Database records are staged in a shared folder. Also ensure that there is a gateway configured, and everything is tied together in a PAM Configuration.

edit

usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN] [--launch-user LAUNCH_USER] [--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}] [--connections {on,off,default}]
                           [--connections-recording {on,off,default}] [--typescript-recording {on,off,default}] [--connections-override-port CONNECTIONS_OVERRIDE_PORT] [--key-events {on,off,default}] [--silent]
                           record

positional arguments:
  record                The record UID or path of the PAM resource record with network information to use for connections

options:
  -h, --help            show this help message and exit
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available PAM Configurations.
  --admin-user, -a ADMIN
                        The record path or UID of the PAM User record to configure the admin credential on the PAM Resource
  --launch-user, -lu LAUNCH_USER
                        The record path or UID of the PAM User record to configure as the launch credential on the PAM Resource
  --protocol, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
                        Set connection protocol
  --connections, -cn {on,off,default}
                        Set connections permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --typescript-recording, -tr {on,off,default}
                        Set TypeScript recording permissions for the resource
  --connections-override-port, -cop CONNECTIONS_OVERRIDE_PORT
                        Port to use for connections. If not provided, the port from the record will be used.
  --key-events, -k {on,off,default}
                        Toggle Key Events settings
  --silent, -s          Silent mode - don't print PAM User, PAM Config etc.

examples:

1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389

2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s

3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw 
-a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433

example 1: Creates an RDP connection and assigns an administrative credential and PAM configuration. Activates the connection and screen recording.

example 2: Creates an SSH connection and assigns and administrative credential and PAM configuration. Activates the connection and screen recording while running in silent mode without screen outputs.

example 3: Creates an MSSQL connection and assigns and administrative credential and PAM configuration. Activates the connection and typescript recording.

Sub-Command: rbi

This command provides the ability to edit remote browser isolation settings for a record.

edit

usage: pam rbi edit [-h] --record RECORD [--configuration CONFIG] [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}] [--key-events {on,off,default}] [--allow-url-navigation {on,off,default}]
                    [--ignore-server-cert {on,off,default}] [--allowed-urls ALLOWED_URLS] [--allowed-resource-urls ALLOWED_RESOURCE_URLS] [--autofill-credentials AUTOFILL] [--autofill-targets AUTOFILL_TARGETS]
                    [--allow-copy {on,off,default}] [--allow-paste {on,off,default}] [--disable-audio {on,off,default}] [--audio-channels AUDIO_CHANNELS] [--audio-bit-depth {8,16}] [--audio-sample-rate AUDIO_SAMPLE_RATE] [--silent]

options:
  -h, --help            show this help message and exit
  --record, -r RECORD   The record UID or path of the RBI record.
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available PAM Configurations.
  --remote-browser-isolation, -rbi {on,off,default}
                        Set RBI permissions
  --connections-recording, -cr {on,off,default}
                        Set recording connections permissions for the resource
  --key-events, -k {on,off,default}
                        Toggle Key Events settings
  --allow-url-navigation, -nav {on,off,default}
                        Allow navigation via direct URL manipulation (on/off/default)
  --ignore-server-cert, -isc {on,off,default}
                        Ignore server certificate errors (on/off/default)
  --allowed-urls, -au ALLOWED_URLS
                        Allowed URL patterns (can specify multiple times)
  --allowed-resource-urls, -aru ALLOWED_RESOURCE_URLS
                        Allowed resource URL patterns (can specify multiple times)
  --autofill-credentials, -a AUTOFILL
                        The record UID or path of the RBI Autofill Credentials record.
  --autofill-targets, -at AUTOFILL_TARGETS
                        Autofill target selectors (can specify multiple times)
  --allow-copy, -cpy {on,off,default}
                        Allow copying to clipboard (on/off/default)
  --allow-paste, -p {on,off,default}
                        Allow pasting from clipboard (on/off/default)
  --disable-audio, -da {on,off,default}
                        Disable audio for RBI sessions (on/off/default)
  --audio-channels, -ac AUDIO_CHANNELS
                        Number of audio channels (e.g., 1 for mono, 2 for stereo)
  --audio-bit-depth, -bd {8,16}
                        Audio bit depth (8 or 16)
  --audio-sample-rate, -sr AUDIO_SAMPLE_RATE
                        Audio sample rate in Hz (e.g., 44100, 48000)
  --silent, -s          Silent mode - don't print PAM User, PAM Config etc.

Sub-Command: rotation

Detail: View and create Keeper Rotation configuration for records.

My Vault> pam rotation help
pam command [--options]

Command    Description
---------  -----------------------------------
edit       Edits Record Rotation configuration
list       List Record Rotation configuration
info       Get Rotation Info
script     Add, delete, or edit script field

edit

My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG]
                         [--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE] [--schedulejson SCHEDULE_JSON_DATA |
                         --schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
                         [--admin-user ADMIN] [--enable | --disable]

options:
  -h, --help            show this help message and exit
  --record, -r RECORD_NAME
                        Record UID, name, or pattern to be rotated manually or via schedule
  --folder, -fd FOLDER_NAME
                        Used for bulk rotation setup. The folder UID or name that holds records to be configured
  --force, -f           Do not ask for confirmation
  --config, -c CONFIG   UID or path of the configuration record.
  --iam-aad-config, -iac IAM_AAD_CONFIG_UID
                        UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
  --resource, -rs RESOURCE
                        UID or path of the resource record.
  --schedulejson, -sj SCHEDULE_JSON_DATA
                        JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY",
                        "intervalCount": 1}'
  --schedulecron, -sc SCHEDULE_CRON_DATA
                        Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17
                        * * *"
  --on-demand, -od      Schedule On Demand
  --schedule-config, -sf
                        Schedule from Configuration
  --schedule-only, -so  Only update the rotation schedule without changing other settings                      
  --complexity, -x PWD_COMPLEXITY
                        Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
  --admin-user, -a ADMIN
                        UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when
                        rotating
  --enable, -e          Enable rotation
  --disable, -d         Disable rotation

Example - Set the rotation schedule using JSON

The --schedulejson or -sj params are used to set the schedule via JSON.

Rotate the PAM User record every month, on the 1st, at 4:00AM Chicago time.

pam rotation edit -r XXXX -sj '{"type": "MONTHLY_BY_DAY", "monthDay": 1, "time": "04:00", "tz": "America/Chicago"}'

Rotate the PAM User record every week on a Saturday, at 10:00PM New York time.

pam rotation edit -r XXXX -sj '{"type": "WEEKLY", "weekday": "SATURDAY", "time": "22:00", "tz": "America/New_York"}'

The following are the valid schedule types.

ON DEMAND

The job is triggered manually on demand.

pam rotation edit -r XXXX --on-demand

DAILY

The job is triggered every day.

type - DAILY
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; The number of days between triggers. Allows ability to skip days.

WEEKLY

The job is triggered every week.

type - WEEKLY
weekday - Week day name. Must be the full name, all in uppercase.
- SUNDAY
- MONDAY
- TUESDAY
- WEDNESDAY
- THURSDAY
- FRIDAY
- SATURDAY
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set to a value greater than 1, weekday will be ignored. The job will be triggers the multiple times per week starting on Sunday. The day will be based on the value of intervalCount .

MONTHLY_BY_DAY

The job is triggered every month on a specific month day.

type - MONTHLY_BY_DAY
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remeber that 29 can be a leap year day.
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set to a value greater than 1, the job will trigger on the monthDay and will re-trigger every intervalCount days.

MONTHLY_BY_WEEKDAY

The job is triggered every month on a specific week day and time.

type - MONTHLY_BY_WEEKDAY
weekday - Week day name. Must be the full name, in all uppercase.
- SUNDAY
- MONDAY
- TUESDAY
- WEDNESDAY
- THURSDAY
- FRIDAY
- SATURDAY
occurrence - Which week to trigger. If fifth week, use LAST.
- FIRST
- SECOND
- THIRD
- FOURTH
- LAST
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set, and set to value other than 1, the trigger will start on the weekday and then trigger every intervalCount weeks.

YEARLY

The job is triggered yearly on a specific month, day and time.

type - YEARLY
month - Month name. Must be the full month name, in all uppercase.
- JANUARY
- FEBURARY
- MARCH
- APRIL
- MAY
- JUNE
- JULY
- AUGUST
- SEPTEMBER
- OCTOBER
- NOVEMBER
- DECEMBER
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remeber that 29 can be a leap year day.
time - A 24 hours formatted time when the jobs should be triggered.
tz - You local IANA time zone. (i.e., America/Chicago)
intervalCount - Optional; If set, and set to value other than 1, every intervalCount year will be triggered.

Example - Set the password complexity for the PAM User

The --complexity or -x params are used to set the password complexity.

Set the password complexity to create a 20 character password with a minimum of 1 uppercase letter, 4 lowercase letters, 2 digits, and 2 symbols from the symbol set .=+- .

pam rotation edit -r XXXX -x 20,1,4,2,2,.=+-

The value is a comma separated value (CSV) style value with the following parts:

Overall password length
Minimum number of uppercase letters.
Minimum number of lowercase letters.
Minimum number of digits.
Minimum number of symbols.
Special set. After last comma, just type the special characters you would like. You are limited to symbols in the following set. If left blank, this symbol set will be used.
```
!@#$%^?();',.=+[]<>{}-_/\\*&:"`~|
```

list

Display a list of all resources configured for rotation

My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v  Verbose output

info

Display information about the rotation settings for a particular resource.

My Vault> pam rotation info --help 
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate

script

Manage post-rotation PAM scripts

My Vault> pam rotation script --help
pam command [--options]

Command    Description
---------  ---------------------------------
list       List script fields
add        List Record Rotation Schedulers
edit       Add, delete, or edit script field
delete     Delete script field

Sub-Command: action

Detail: Discovery, rotation and service account management of PAM Resources

My Vault> pam action help
pam command [--options]

Command       Description
------------  ---------------------
gateway-info  Info command
discover      Discover command
rotate        Rotate command
job-info      View Job details
job-cancel    View Job details
service       Manage services and scheduled tasks
debug         PAM debug information

gateway-info

Display information about the specific Keeper Gateway.

My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID
  --verbose, -v         Verbose Output

discover

Manage Discovery jobs

My Vault> pam action discover --help
pam command [--options]

Command    Description
---------  ----------------------------------
start      Start a discovery process
status     Status of discovery jobs
remove     Cancel or remove of discovery jobs
process    Process discovered items
rule       Manage discovery rules

discover start

Start a discovery job

My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
                                 [--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
                                 [--cred-file CREDENTIAL_FILE]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --resource RESOURCE_UID, -r RESOURCE_UID
                        UID of the resource record. Set to discover specific resource.
  --lang LANGUAGE       Language
  --include-machine-dir-users
                        Include directory users found on the machine.
  --inc-azure-aadds     Include Azure Active Directory Domain Service.
  --skip-rules          Skip running the rule engine.
  --skip-machines       Skip discovering machines.
  --skip-databases      Skip discovering databases.
  --skip-directories    Skip discovering directories.
  --skip-cloud-users    Skip discovering cloud users.
  --cred CREDENTIALS    List resource credentials.
  --cred-file CREDENTIAL_FILE
                        A JSON file containing list of credentials.

discover status

Display the status of a discovery job

My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Show only discovery jobs from a specific gateway.
  --job-id JOB_ID, -j JOB_ID
                        Detailed information for a specific discovery job.
  --history             Show history

discover remove

Stop a running discovery job

My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job id.

discover process

Process the findings of a discovery job

My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job to process.
  --add-all             Respond with ADD for all prompts.
  --debug-gs-level DEBUG_LEVEL
                        GraphSync debug level. Default is 0

discover rule

Manage discovery rules

My Vault> pam action discover rule --help
pam command [--options]

Command    Description
---------  --------------
add        Add a rule
list       List all rules
remove     Remove a rule
update     Update a rule

discover rule add

Add a discovery rule

My Vault> pam action discover rule add --help
usage: pam-action-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case]
                                    [--shared-folder-uid SHARED_FOLDER_UID] --statement STATEMENT

options:
  -h, --help            show this help message and exit
  --gateway, -g GATEWAY
                        Gateway name of UID.
  --action, -a {add,ignore,prompt}
                        Action to take if rule matches
  --priority, -p PRIORITY
                        Rule execute priority
  --ignore-case         Ignore value case. Rule value must be in lowercase.
  --shared-folder-uid SHARED_FOLDER_UID
                        Folder to place record.
  --statement, -s STATEMENT
                        Rule statement

rotate

Issue a credential rotation on the specific resource, folder of resources, or pattern in the resource title. Optionally send an email with a one-time share link through a configured email provider.

My Vault> pam action rotate --help
usage: pam action rotate [-h] [--record-uid RECORD_UID] [--folder FOLDER] [--dry-run]

options:
  -h, --help            show this help message and exit
  --record-uid, -r RECORD_UID
                        Record UID to rotate
  --folder, -f FOLDER   Shared folder UID or title pattern to rotate
  --dry-run, -n         Enable dry-run mode
  --email-config NAME   Email configuration to use for sending (required with --send-email)
  --send-email EMAIL    Email address to send one-time share link after successful rotation
  --email-message MESSAGE  Custom message to include in notification email

job-info

Display information about the running job

My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running

job-cancel

Cancel a running job

My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running

service list

Display the services and scheduled tasks associated to a specific Keeper Gateway

My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID

service add

Add an association for a service to a specific Keeper Gateway and PAM Machine. Once associated, Keeper will update the credentials for that service, on the specific PAM Machine, and restart the service (if running).

My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                              USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to add [service, task]

service remove

Remove an association for a service on a specific PAM Machine.

My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
                                 USER_UID --type {service,task}

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name or UID
  --machine-uid MACHINE_UID, -m MACHINE_UID
                        The UID of the Windows Machine record
  --user-uid USER_UID, -u USER_UID
                        The UID of the User record
  --type {service,task}, -t {service,task}
                        Relationship to remove [service, task]

Sub-Command: tunnel

Detail: View and create Keeper Tunnels from the local machine to target infrastructure.

My Vault> pam tunnel help
pam command [--options]

Command    Description
---------  -------------------------
start      Start Tunnel
list       List all Tunnels
stop       Stop Tunnel to the server
tail       View Tunnel Log
edit       Edit Tunnel settings

start

Start a tunnel from the local device to the target resource

My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid

positional arguments:
  uid                   The Record UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --host HOST, -o HOST  The address on which the server will be accepting connections. It could be an IP address or a
                        hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
  --port PORT, -p PORT  The port number on which the server will be listening for incoming connections. If not set, random
                        open port on the machine will be used.

list

Display a list of all available tunnels running

My Vault> pam tunnel list -h
usage: pam tunnel list [-h]

options:
  -h, --help  show this help message and exit

stop

Stop a tunnel that is currently running

My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid

positional arguments:
  uid         The Tunnel UID or Record UID

options:
  -h, --help  show this help message and exit

tail

Display information in the Keeper tunnel

My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid

positional arguments:
  uid         The Tunnel UID

options:
  -h, --help  show this help message and exit

edit

Edit the configuration of an existing Tunnel

usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT] [--disable-tunneling] [--remove-tunneling-override-port] [--keeper-db-proxy {on,off,default}] record

positional arguments:
  record                The record path or UID of the PAM resource record with network information to use for tunneling

options:
  -h, --help            show this help message and exit
  --configuration, -c CONFIG
                        The PAM Configuration UID or path to use for tunneling. Use command `pam config list` to view available PAM Configurations.
  --enable-tunneling, -et
                        Enable tunneling on the record
  --tunneling-override-port, -top TUNNELING_OVERRIDE_PORT
                        Port to use for tunneling. If not provided, the port from the record will be used.
  --disable-tunneling, -dt
                        Disable tunneling on the record
  --remove-tunneling-override-port, -rtop
                        Remove tunneling override port
  --keeper-db-proxy, -kdbp {on,off,default}
                        Enable/disable Keeper Database Proxy for pamDatabase records (on/off/default)

Sub-command: split

Detail: Split a legacy PAM record into the new KeeperPAM format.

My Vault> pam split -h
usage: pam split [-h] [--configuration PAM_CONFIG] [--folder PAM_USER_FOLDER] pam_machine_record

positional arguments:
  pam_machine_record    The record UID or title of the legacy PAM Machine record with built-in PAM User credentials.

options:
  -h, --help            show this help message and exit
  --configuration PAM_CONFIG, -c PAM_CONFIG
                        The PAM Configuration Name or UID - If the legacy record was configured for rotation this command
                        will try to autodetect PAM Configuration settings otherwise you'll be prompted to provide the PAM
                        Config.
  --folder PAM_USER_FOLDER, -f PAM_USER_FOLDER
                        The folder where to store the new PAM User record - folder names/paths are case sensitive!(if skipped
                        - PAM User will be created into the same folder as PAM Machine)

Sub-command: project

Detail: Create a KeeperPAM project (similar to the Quick Start Sandbox from the vault user interface).

The PAM Import command helps customers (such as MSPs) with thousands of managed companies to automate the creation of folders, gateways, machines, users, connections, tunnels and (optionally) rotations.

My Vault> pam project import -h
usage: pam project import [-h] [--name PROJECT_NAME] [--filename FILE_NAME] [--dry-run] [--sample-data] [--show-template]
                          [--output {token,base64,json}]

options:
  -h, --help            show this help message and exit
  --name PROJECT_NAME, -n PROJECT_NAME
                        Project name.
  --filename FILE_NAME, -f FILE_NAME
                        File to load import data from.
  --dry-run, -d         Test import without modifying vault.
  --sample-data, -s     Generate sample data.
  --show-template, -t   Print JSON template required for manual import.
  --output {token,base64,json}, -o {token,base64,json}
                        Output format (token: one-time token, config: base64/json)

pam project import --name=project1 --filename=/path/to/import.json --dry-run

--name, -n → Project name (overrides "project":"" from JSON)
--filename, -f → JSON file to load import data from.
--dry-run, -d → Test import without modifying vault.

Command Variation: "extend"

The pam project extend command helps customers to create additional records after the initial import that will use same existing PAM Gateway and PAM Configuration.

My Vault> pam project extend -h
usage: pam project extend [-h] [--config PAM_CONFIG] [--filename FILE_NAME] [--dry-run]

options:
  -h, --help            show this help message and exit
  --config PAM_CONFIG, -c PAM_CONFIG
                        PAM Configuration record UID or title.
  --filename FILE_NAME, -f FILE_NAME
                        File to load import data from.
  --dry-run, -d         Test import without modifying vault.

Import/Extend JSON Documentation

A step-by-step guide to importing Windows Servers as PAM Resources from a basic list of server hostnames can be found at this page: Importing PAM Resources
A more detailed specification for "pam project import" templates can be found at this GitHub README Page
If you require assistance, contact the Commander team ([email protected]).

Sub-Command: Launch

Detail: Launch a CLI-based KeeperPAM privileged session. This allows developers to use their preferred native terminal for connecting to a target. When "pam launch" is used, the session activity is recorded and monitored as configured by the resource.

To initiate a connection from the Commander CLI:

My Vault> pam launch <UID>

Launching connection to SSH to Linux Gateway Host (i-028348b3257e8c550)...
⠧ [ Establishing secure session… ]

   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed May  6 02:10:58 2026 from 192.168.1.11
[ec2-user@ip-10-0-0-137 ~]$

From the terminal, sessions can be launched outside of the Commander CLI:

$ keeper pam launch <UID>

Syntax:

My Vault> pam launch -h                                                                                                                                   
usage: pam [-h] [--no-trickle-ice] [--credential LAUNCH_CREDENTIAL] [--host CUSTOM_HOST] [--host-record HOST_RECORD] [--stdin] [--normalize-crlf]
           [--scale SCALE]
           record

Launch a connection to a PAM resource

positional arguments:
  record                Record path or UID of the PAM resource to launch

options:
  -h, --help            show this help message and exit
  --no-trickle-ice, -nti
                        Disable trickle ICE for WebRTC connections. By default, trickle ICE is enabled for real-time candidate exchange.
  --credential LAUNCH_CREDENTIAL, -cr LAUNCH_CREDENTIAL
                        Record (UID, path, or title) for launch credentials
  --host CUSTOM_HOST, -H CUSTOM_HOST
                        Host and port in format host:port (e.g. -H=192.168.1.1:22 or -H=[::1]:22 for IPv6). Requires allowSupplyHost. Mutually exclusive
                        with --host-record.
  --host-record HOST_RECORD, -hr HOST_RECORD
                        Record (UID, path, or title) with a host or pamHostname field containing hostName and port. Requires allowSupplyHost. Mutually
                        exclusive with --host.
  --stdin               Send typed input via stdin pipe bytes (pipe/blob/end, kcm-cli style) instead of the default Guacamole key-event mode. Paste and
                        Ctrl+C double-tap behave the same in both modes.
  --normalize-crlf, -n  Normalize decoded Guacamole STDOUT: CRLF to LF and downstream LF cleanup. Use when you see double new lines from the remote. By
                        default we keep raw CR/LF on STDOUT (lower overhead). Alternatively, tune sending double newlines to the remote with environment
                        variable PAM_LAUNCH_CRLF_MERGE_DELAY_MS: [50..500] ms which controls local Enter coalescing (split CRLF across reads).
  --scale SCALE, -s SCALE
                        Scale pixel width/height by this percentage (e.g. 50 = half canvas, 200 = double). Range: [40-400]. Helps when fullscreen TUI
                        programs show garbled layout.

Sub-Command: workflow

Detail: Manage Just-In-Time (JIT) privileged access workflows for PAM resources. Workflows enforce approval-based access control with optional check-in/check-out, MFA verification and time-based access windows.

Workflow configuration commands (create, update, delete, add-approver, remove-approver) require the "Can manage workflow settings" enforcement policy enabled for your role. Users without this enforcement will only see requester and approver commands.

Record owners and approvers (users on a workflow's approver list, either directly or via a team) are exempt from workflow requirements on that record and can access the resource directly.

My Vault> pam workflow help
pam command [--options]

Command          Description
---------------  ---------------------------------
create           Create workflow configuration
read             Read workflow configuration
update           Update workflow configuration
delete           Delete workflow configuration
add-approver     Add approvers
remove-approver  Remove approvers
pending          Get pending approvals
approve          Approve access request
deny             Deny access request
request          Request, escalate, or cancel access
start            Start workflow (check-out)
end              End workflow (check-in)
state            Get workflow state
my-access        Get my access state

Sub Commands

Configuration
Approver Actions
Requester Actions
State Inspection
- state
- my-access

create

Create a workflow configuration for a PAM record. At least one approver must be added if approvals are required.

My Vault> pam workflow create -h
usage: pam workflow create [-h] [-u APPROVER] [-n APPROVALS_NEEDED] [-co] [-sa] [-rr] [-rt]
                           [-rm] [-d DURATION] [--allowed-days ALLOWED_DAYS]
                           [--time-range TIME_RANGE]
                           [--format {table,json}]
                           record

positional arguments:
  record                Record UID or name to configure workflow for

options:
  -h, --help            show this help message and exit
  -u APPROVER, --approver APPROVER
                        User email to add as approver (repeat for multiple).
                        Required when --approvals-needed > 0.
  -n APPROVALS_NEEDED, --approvals-needed APPROVALS_NEEDED
                        Number of approvals required (default: 1)
  -co, --checkout       Enable single-user check-in/check-out mode
  -sa, --start-on-approval
                        Start access timer when approved (vs when checked out)
  -rr, --require-reason
                        Require user to provide reason for access
  -rt, --require-ticket
                        Require user to provide ticket number
  -rm, --require-mfa    Require MFA verification for access
  -d DURATION, --duration DURATION
                        Access duration (e.g., "2h", "30m", "1d"). Default: 1d
  --allowed-days ALLOWED_DAYS
                        Comma-separated allowed days (e.g., "mon,tue,wed,thu,fri")
  --time-range TIME_RANGE
                        Allowed time range in HH:MM-HH:MM format (e.g., "09:00-17:00")
  --format {table,json}
                        Output format

Examples

Create a basic workflow requiring 1 approval with a 1 day access window:

My Vault> pam workflow create "Linux Server Prod" -u [email protected]

Create a workflow with check-in/check-out, MFA, and reason required:

My Vault> pam workflow create aB1cD2eF3gH4 -u [email protected] -n 2 -co -rm -rr -d 2h

Create a workflow with temporal access restrictions (weekdays only, business hours):

My Vault> pam workflow create aB1cD2eF3gH4 -u [email protected] --allowed-days mon,tue,wed,thu,fri --time-range 09:00-17:00

Allowed days and time ranges are stored in the admin's local IANA timezone (auto-detected when running the command). All access enforcement is performed in this timezone, regardless of where the requester is located. Override at run-time via the TZ environment variable (e.g. TZ=America/New_York pam workflow create ...).

read

Display the current workflow configuration for a record, including parameters, approvers and temporal access filters.

My Vault> pam workflow read -h
usage: pam workflow read [-h] [--format {table,json}] record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow read "Linux Server Prod"

Workflow Configuration
Record: Linux Server Prod 
Record UID: (aB1cD2eF3gH4)

Access Parameters:
  Approvals needed: 2
  Check-in/out required: No
  Access duration: 1 day
  Timer starts: On check-out

Requirements:
  Reason required: No
  Ticket required: No
  MFA required: No

Approvers (2):
  1. User: [email protected]
  2. Team: security-team  (RpL1PYhMEh)

update

Update an existing workflow configuration. Only specified fields are changed; unspecified fields retain their current values.

My Vault> pam workflow update -h
usage: pam workflow update [-h] [-n APPROVALS_NEEDED] [-co CHECKOUT]
                           [-sa START_ON_APPROVAL] [-rr REQUIRE_REASON]
                           [-rt REQUIRE_TICKET] [-rm REQUIRE_MFA]
                           [-d DURATION] [--allowed-days ALLOWED_DAYS]
                           [--time-range TIME_RANGE]
                           [--format {table,json}]
                           record

positional arguments:
  record                Record UID or name with workflow to update

options:
  -h, --help            show this help message and exit
  -n APPROVALS_NEEDED, --approvals-needed APPROVALS_NEEDED
                        Number of approvals required
  -co CHECKOUT, --checkout CHECKOUT
                        Enable/disable check-in/check-out (true/false)
  -sa START_ON_APPROVAL, --start-on-approval START_ON_APPROVAL
                        Start timer on approval vs check-out (true/false)
  -rr REQUIRE_REASON, --require-reason REQUIRE_REASON
                        Require reason (true/false)
  -rt REQUIRE_TICKET, --require-ticket REQUIRE_TICKET
                        Require ticket (true/false)
  -rm REQUIRE_MFA, --require-mfa REQUIRE_MFA
                        Require MFA (true/false)
  -d DURATION, --duration DURATION
                        Access duration (e.g., "2h", "30m", "1d")
  --allowed-days ALLOWED_DAYS
                        Comma-separated allowed days (e.g., "mon,tue,wed,thu,fri")
  --time-range TIME_RANGE
                        Allowed time range in HH:MM-HH:MM format (e.g., "09:00-17:00")
  --format {table,json}
                        Output format

Example

Enable MFA and change the access duration to 4 hours:

My Vault> pam workflow update aB1cD2eF3gH4 -rm true -d 4h

delete

Delete the workflow configuration from a record. This removes all workflow requirements for the resource.

My Vault> pam workflow delete -h
usage: pam workflow delete [-h] [--format {table,json}] record

positional arguments:
  record                Record UID or name to remove workflow from

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

add-approver

Add users or teams as approvers to a workflow. Supports escalation approvers with an optional delay timer. Any user with at least view-only access to the record can be added as an approver. Enterprise administrators can add any team in the enterprise as an approver, even if they are not personally a member of that team.

My Vault> pam workflow add-approver -h
usage: pam workflow add-approver [-h] [-u USER] [-t TEAM] [-e]
                                 [-ea ESCALATION_AFTER] [--format {table,json}]
                                 record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  User email to add as approver (can specify multiple times)
  -t TEAM, --team TEAM  Team name or UID to add as approver (can specify multiple times)
  -e, --escalation      Mark as escalation approver
  -ea ESCALATION_AFTER, --escalation-after ESCALATION_AFTER
                        Time before escalating to this approver (e.g., "30m", "1h", "2h").
                        Only meaningful with --escalation
  --format {table,json}
                        Output format

Examples

Add a user and a team as approvers:

My Vault> pam workflow add-approver aB1cD2eF3gH4 -u [email protected] -t "Security Team"

Add an escalation approver that is notified after 1 hour:

My Vault> pam workflow add-approver aB1cD2eF3gH4 -u [email protected] -e -ea 1h

remove-approver

Remove users or teams from a workflow's approver list.

My Vault> pam workflow remove-approver -h
usage: pam workflow remove-approver [-h] [-u USER] [-t TEAM]
                                    [--format {table,json}]
                                    record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  User email to remove as approver
  -t TEAM, --team TEAM  Team name or UID to remove as approver
  --format {table,json}
                        Output format

Example

My Vault> pam workflow remove-approver aB1cD2eF3gH4 -u [email protected]

pending

List all pending workflow approval requests assigned to the current user. Duplicate entries (when the user is an approver via multiple paths) are automatically filtered.

My Vault> pam workflow pending -h
usage: pam workflow pending [-h] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow pending

Pending Approval Requests

  Flow UID        Requester          Resource              Reason     Ticket   Escalated
  --------------  -----------------  --------------------  ---------  -------  ---------
  xY9zA8bC7dE6   [email protected]   Linux Server Prod     Deploying  INC-123  No

approve

Approve a pending workflow access request using the flow UID from the pending command.

My Vault> pam workflow approve -h
usage: pam workflow approve [-h] [--format {table,json}] flow_uid

positional arguments:
  flow_uid              Flow UID of the workflow to approve

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow approve xY9zA8bC7dE6

deny

Deny a pending workflow access request. An optional reason can be provided which is encrypted with the requester's public key.

My Vault> pam workflow deny -h
usage: pam workflow deny [-h] [-r REASON] [--format {table,json}] flow_uid

positional arguments:
  flow_uid              Flow UID of the workflow to deny

options:
  -h, --help            show this help message and exit
  -r REASON, --reason REASON
                        Reason for denial
  --format {table,json}
                        Output format

Example

My Vault> pam workflow deny xY9zA8bC7dE6 -r "Access not justified for this environment"

request

Request access to a workflow-protected PAM resource. Supports escalation of pending requests and cancellation of active requests.

My Vault> pam workflow request -h
usage: pam workflow request [-h] [-r REASON] [-t TICKET] [-e] [-c]
                            [--format {table,json}]
                            record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  -r REASON, --reason REASON
                        Reason for access request
  -t TICKET, --ticket TICKET
                        External ticket/reference number
  -e, --escalate        Escalate a pending request to escalation approvers
  -c, --cancel          Cancel a pending or active workflow request
  --format {table,json}
                        Output format

The --cancel flag cannot be used with --escalate, --reason, or --ticket.

Examples

Request access with a reason and ticket number:

My Vault> pam workflow request "Linux Server Prod" -r "Emergency deployment" -t "INC-456"

Escalate a pending request to escalation approvers:

My Vault> pam workflow request "Linux Server Prod" -e

Cancel a pending or active request:

My Vault> pam workflow request "Linux Server Prod" -c

start

Start a workflow session (check-out). This is required before connecting to the resource when check-in/check-out is enabled. Accepts either a record UID/name or a flow UID.

My Vault> pam workflow start -h
usage: pam workflow start [-h] [--format {table,json}] uid

positional arguments:
  uid                   Record UID, record name, or Flow UID

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow start "Linux Server Prod"

end

End a workflow session (check-in). Credentials may be rotated after check-in. The --force flag allows approvers to terminate another user's active session when single-user checkout is enabled.

My Vault> pam workflow end -h
usage: pam workflow end [-h] [-f] [--format {table,json}] uid

positional arguments:
  uid                   Record UID, record name, or Flow UID

options:
  -h, --help            show this help message and exit
  -f, --force           Force check-in: approvers can terminate another user's
                        active session when single-user checkout is enabled.
  --format {table,json}
                        Output format

Examples

End your own workflow session:

My Vault> pam workflow end "Linux Server Prod"

Force check-in another user's session (approver only):

My Vault> pam workflow end aB1cD2eF3gH4 --force

state

View the current workflow state for a record. Output includes the current Stage, outstanding Conditions, who has the resource checked out, and the list of approvers who have already approved.

My Vault> pam workflow state -h
usage: pam workflow state [-h] [--format {table,json}] record

positional arguments:
  record                Record UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow state "Linux Server Prod"

Workflow State
Record: Linux Server Prod (aB1cD2eF3gH4)

  Stage: Started
  Conditions: Approval, Check-in
  Checked out by: [email protected]
  Started: 2026-02-05 10:30:00
  Expires: 2026-02-05 12:30:00
  Approved by:
    - [email protected] at 2026-02-05 10:28:00

Check workflow state by flow UID:

My Vault> pam workflow state -f xY9zA8bC7dE6

my-access

List all active workflow sessions for the current user across all resources.

My Vault> pam workflow my-access -h
usage: pam workflow my-access [-h] [--format {table,json}]

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        Output format

Example

My Vault> pam workflow my-access

My Active Workflows

  Flow UID        Resource              Stage     Started              Expires
  --------------  --------------------  --------  -------------------  -------------------
  xY9zA8bC7dE6   Linux Server Prod     Started   2026-02-05 10:30:00  2026-02-05 12:30:00
  aB2cD3eF4gH5   Database Staging      Approved  2026-02-05 09:00:00  2026-02-05 17:00:00

Single-User Check-In / Check-Out Mode

When a workflow is created with the --checkout (-co) flag, the resource operates in single-user check-in/check-out mode. This enforces exclusive access - only one user can have the resource checked out at a time.

How it works:

After a request is approved, the user must explicitly check out the resource with pam workflow start before they can connect via pam tunnel or pam launch.
While the resource is checked out, no other user can check it out until the current session ends.
When the user is done, they check in with pam workflow end, which releases the resource and may trigger credential rotation.
If a user's session needs to be terminated, an approver can use pam workflow end <uid> --force to forcibly check in the resource.

Without single-user check-out mode: After approval, the user must still run pam workflow start to begin the access session, unless --start-on-approval was set (which starts the access timer automatically upon approval). Multiple users can have concurrent approved access to the same resource.

Visibility: When a resource is checked out, the pam workflow state <record> command shows the Checked out by field with the current user's email.

Force check-in (--force) is only available when single-user checkout is active. It allows approvers to revoke a user's session - for example, if the user is unresponsive or the session has been left open.

Typical Workflow Lifecycle

The following describes a typical end-to-end JIT access workflow:

Administrator creates a workflow on a PAM record: pam workflow create "Prod Server" -n 1 -co -rm -d 2h
Administrator adds approvers: pam workflow add-approver "Prod Server" -u [email protected]
User requests access: pam workflow request "Prod Server" -r "Deploy hotfix" -t "INC-789"
Approver reviews pending requests: pam workflow pending
Approver approves the request: pam workflow approve xY9zA8bC7dE6
User checks out the resource: pam workflow start "Prod Server"
User is prompted for MFA (if --require-mfa was set), then connects via tunnel or launch: pam tunnel start "Prod Server" or pam launch "Prod Server"
User checks in after completing work: pam workflow end "Prod Server"

Glossary

Term

Definition

Flow UID

Unique identifier for a workflow request instance. Generated when a user requests access; used to approve, deny, start, or end that specific request. Visible in the output of pam workflow pending and pam workflow my-access.

Stage

Current state of a workflow request: Needs Action (no request raised), Waiting (request raised, awaiting approvals or time-window), Ready to Start (approved, awaiting check-out), Started (active session).

Conditions

Outstanding requirements blocking the workflow from advancing. Possible values: Approval Required, Check-in Required, MFA Required, Time Restriction, Reason Required, Ticket Required.

Check-out

Acquiring exclusive access to a resource via pam workflow start. Required when single-user check-in/check-out mode is enabled.

Check-in

Releasing access to a resource via pam workflow end. May trigger credential rotation.

PreviousSharing Commands NextPAM Extended Commands

Last updated 10 days ago