# PAM Extended Commands

The `pam extended` command group provides advanced management of PAM rotation schedules and discovery rules directly from Commander. These operations complement the web vault UI for automation, scripting, and CI/CD pipelines.

To get help on a particular subcommand, run:

```
pam extended schedule help
pam extended rule help
```

***

### Command Reference

#### Schedule commands

| Command                        | Description                                                       |
| ------------------------------ | ----------------------------------------------------------------- |
| `pam extended schedule list`   | List all PAM rotation schedules visible to the authenticated user |
| `pam extended schedule set`    | Create or update a rotation schedule for a PAM record             |
| `pam extended schedule delete` | Remove a rotation schedule from a PAM record                      |

#### Rule commands

| Command                    | Description                                              |
| -------------------------- | -------------------------------------------------------- |
| `pam extended rule list`   | List discovery rules associated with a PAM configuration |
| `pam extended rule add`    | Add a new discovery rule to a PAM configuration          |
| `pam extended rule delete` | Delete a discovery rule from a PAM configuration         |

***

### pam extended schedule list

Lists all PAM rotation schedules the authenticated user can see. Optionally filter by PAM configuration UID.

**Syntax**

```
pam extended schedule list [--config-uid <uid>] [--format table|json]
```

**Options**

| Option                 | Description                                        |
| ---------------------- | -------------------------------------------------- |
| `--config-uid <uid>`   | Filter results to a specific PAM configuration UID |
| `--format table\|json` | Output format. Default: `table`                    |

**Example — list all schedules**

```
My Vault> pam extended schedule list
  a1b2c3d4e5f6...  cron=0 3 * * *
  f6e5d4c3b2a1...  cron=0 */6 * * *
```

**Example — JSON output**

```
My Vault> pam extended schedule list --format json
[
  {
    "record_uid": "a1b2c3d4e5f6...",
    "no_schedule": false,
    "schedule": { "type": "cron", "cron": "0 3 * * *" }
  }
]
```

***

### pam extended schedule set

Creates or updates a rotation schedule for a PAM record. The schedule is stored as a JSON cron expression inside `PAMRotationSchedule.scheduleData` and takes effect at the next rotation window.

**Syntax**

```
pam extended schedule set <uid_ref> --cron <expression> [--config-uid <uid>] [--notify <email> ...]
```

**Parameters**

| Parameter             | Required | Description                                                  |
| --------------------- | -------- | ------------------------------------------------------------ |
| `<uid_ref>`           | Yes      | UID of the PAM record to schedule                            |
| `--cron <expression>` | Yes      | 5-field cron expression (minute hour day month weekday)      |
| `--config-uid <uid>`  | No       | Associate schedule with a specific PAM configuration         |
| `--notify <email>`    | No       | Email address to notify when the schedule fires. Repeatable. |

**Cron expression format**

Keeper uses standard 5-field cron syntax:

```
┌───────────── minute (0–59)
│ ┌───────────── hour (0–23)
│ │ ┌───────────── day of month (1–31)
│ │ │ ┌───────────── month (1–12)
│ │ │ │ ┌───────────── day of week (0–7, 0 and 7 = Sunday)
│ │ │ │ │
* * * * *
```

**Examples**

Rotate every day at 03:00 UTC:

```
My Vault> pam extended schedule set a1b2c3d4 --cron "0 3 * * *"
Rotation schedule set for a1b2c3d4 (cron: 0 3 * * *)
```

Rotate every 6 hours and notify two recipients:

```
My Vault> pam extended schedule set a1b2c3d4 --cron "0 */6 * * *" \
    --notify ops@example.com --notify security@example.com
```

Rotate at 02:30 on Mondays, scoped to a specific config:

```
My Vault> pam extended schedule set a1b2c3d4 \
    --cron "30 2 * * 1" \
    --config-uid f6e5d4c3
```

***

### pam extended schedule delete

Removes the rotation schedule from a PAM record by setting `noSchedule=True`. The record will no longer be rotated on a schedule; it can still be rotated manually.

**Syntax**

```
pam extended schedule delete <uid_ref>
```

**Parameters**

| Parameter   | Required | Description                                            |
| ----------- | -------- | ------------------------------------------------------ |
| `<uid_ref>` | Yes      | UID of the PAM record whose schedule should be removed |

**Example**

```
My Vault> pam extended schedule delete a1b2c3d4
Rotation schedule removed for a1b2c3d4
```

***

### pam extended rule list

Lists the discovery rules associated with a PAM configuration. Rules are stored in the PAM DAG under the `DISCOVERY_RULES` graph node.

**Syntax**

```
pam extended rule list --config-uid <uid> [--format table|json]
```

**Parameters**

| Parameter              | Required | Description                           |
| ---------------------- | -------- | ------------------------------------- |
| `--config-uid <uid>`   | Yes      | UID of the PAM configuration to query |
| `--format table\|json` | No       | Output format. Default: `table`       |

**Example**

```
My Vault> pam extended rule list --config-uid f6e5d4c3
  3a4b5c6d...  name=web-tier  type=machine  cidr=10.0.1.0/24
  7e8f9a0b...  name=db-tier   type=database cidr=10.0.2.0/24
```

***

### pam extended rule add

Adds a new discovery rule to a PAM configuration. The rule is written to the PAM DAG via a `PAMModifyRequest` ADD operation on `PAMElementData`.

**Syntax**

```
pam extended rule add <name> --cidr <range> --config-uid <uid> \
    [--type machine|user|database] [--protocol ssh|rdp|database] \
    [--credential-uid <uid>]
```

**Parameters**

| Parameter                | Required | Description                                                |
| ------------------------ | -------- | ---------------------------------------------------------- |
| `<name>`                 | Yes      | Human-readable name for the rule                           |
| `--cidr <range>`         | Yes      | Target IP range in CIDR notation (e.g. `10.0.1.0/24`)      |
| `--config-uid <uid>`     | Yes      | UID of the PAM configuration to attach the rule to         |
| `--type`                 | No       | Target type: `machine` (default), `user`, or `database`    |
| `--protocol`             | No       | Connection protocol: `ssh` (default), `rdp`, or `database` |
| `--credential-uid <uid>` | No       | UID of a credential record to associate with the rule      |

**Examples**

Add a machine discovery rule for the web tier:

```
My Vault> pam extended rule add web-tier \
    --cidr 10.0.1.0/24 \
    --config-uid f6e5d4c3 \
    --type machine \
    --protocol ssh
Discovery rule 'web-tier' added to config f6e5d4c3
```

Add a database discovery rule with a linked credential:

```
My Vault> pam extended rule add db-prod \
    --cidr 10.0.2.0/24 \
    --config-uid f6e5d4c3 \
    --type database \
    --protocol database \
    --credential-uid 9a8b7c6d
```
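A pre-flight check for `pam extended rule add`, as an added example that is not part of Keeper Commander or the original page. It validates the documented `--type` and `--protocol` values and the CIDR range, then builds the command line from the flags listed above. The function name `preflight_rule`, the IPv4-only handling, the `/16` breadth limit, the private-address requirement and the overlap check are assumptions standing in for local policy.

```python
import ipaddress
import shlex

# Values accepted by --type and --protocol per the parameter table on this page.
TYPES = ("machine", "user", "database")
PROTOCOLS = ("ssh", "rdp", "database")
MIN_PREFIX = 16  # assumption: local policy, no rule broader than a /16

def preflight_rule(name, cidr, config_uid, rule_type="machine",
                   protocol="ssh", existing_cidrs=()):
    """Return (command, problems); command is None if any problem was found."""
    problems = []
    if rule_type not in TYPES:
        problems.append(f"--type must be one of {TYPES}")
    if protocol not in PROTOCOLS:
        problems.append(f"--protocol must be one of {PROTOCOLS}")
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.1.5/24
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return None, problems + [f"bad --cidr: {exc}"]
    if net.prefixlen < MIN_PREFIX:
        problems.append(f"{net} is broader than /{MIN_PREFIX}")
    if not net.is_private:
        problems.append(f"{net} is not private address space")
    for other in existing_cidrs:
        if net.overlaps(ipaddress.IPv4Network(other)):
            problems.append(f"{net} overlaps existing rule range {other}")
    if problems:
        return None, problems
    argv = ["pam", "extended", "rule", "add", name, "--cidr", str(net),
            "--config-uid", config_uid, "--type", rule_type,
            "--protocol", protocol]
    return shlex.join(argv), problems

# Constructed inputs reusing the example ranges shown on this page.
if __name__ == "__main__":
    print(preflight_rule("web-tier", "10.0.1.0/24", "f6e5d4c3"))
    print(preflight_rule("db-wide", "10.0.0.0/8", "f6e5d4c3",
                         rule_type="database", protocol="database",
                         existing_cidrs=["10.0.2.0/24"]))
```

Feed `existing_cidrs` from the `cidr=` values reported by `pam extended rule list` for the same configuration.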

***

### pam extended rule delete

Deletes a discovery rule from a PAM configuration by its element UID (returned by `pam extended rule list`). The deletion is applied via a `PAMModifyRequest` DELETE operation.

**Syntax**

```
pam extended rule delete <uid> --config-uid <uid>
```

**Parameters**

| Parameter            | Required | Description                                      |
| -------------------- | -------- | ------------------------------------------------ |
| `<uid>`              | Yes      | Hex UID of the discovery rule element to delete  |
| `--config-uid <uid>` | Yes      | UID of the PAM configuration the rule belongs to |

**Example**

```
My Vault> pam extended rule delete 3a4b5c6d7e8f9a0b --config-uid f6e5d4c3
Discovery rule 3a4b5c6d7e8f9a0b deleted from config f6e5d4c3
```

***

### Notes

* All `pam extended` commands require an active enterprise admin session.
* Record and configuration UIDs can be found using `pam config list` or `pam project list`.
* Schedule changes take effect at the next rotation window evaluated by the PAM gateway; there is no forced immediate rotation.
* Discovery rules added via `pam extended rule add` are evaluated by the PAM gateway during the next discovery cycle. Existing discovered records are not affected retroactively.
* Use `--format json` with any `list` command to pipe output into scripts or other tools.
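An audit of `pam extended schedule list --format json` output, as an added example that is not part of Keeper Commander or the original page. It flags records with no rotation schedule and cron expressions that do not fit the 5-field format documented above. The function names, the numeric-only field handling and the `null` schedule on a `no_schedule` entry are assumptions; the sample records are constructed.

```python
import json
import re

# Numeric ranges from the 5-field cron format documented on this page.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 7)]
_PART = re.compile(r"(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?", re.ASCII)

def cron_errors(expr):
    """Return a list of problems with a 5-field cron expression (empty = valid)."""
    fields = expr.split()
    if len(fields) != 5:
        return [f"expected 5 fields, got {len(fields)}"]
    errors = []
    for text, (name, lo, hi) in zip(fields, FIELDS):
        for part in text.split(","):
            m = _PART.fullmatch(part)
            nums = [int(n) for n in m.group(2, 3) if n is not None] if m else []
            ok = m and all(lo <= n <= hi for n in nums) \
                and nums == sorted(nums) and int(m.group(4) or 1) > 0
            if not ok:
                errors.append(f"{name}: {part!r} is not valid for range {lo}-{hi}")
    return errors

def audit_schedules(raw_json):
    """Map record_uid -> findings for `pam extended schedule list --format json`."""
    findings = {}
    for entry in json.loads(raw_json):
        uid = entry.get("record_uid", "<missing record_uid>")
        sched = entry.get("schedule") or {}
        if entry.get("no_schedule"):
            issues = ["no rotation schedule (manual rotation only)"]
        elif sched.get("type") != "cron":
            issues = [f"schedule type {sched.get('type')!r} not checked here"]
        else:
            issues = cron_errors(sched.get("cron", ""))
        if issues:
            findings[uid] = issues
    return findings

# Constructed sample, shaped like the JSON output example on this page.
SAMPLE = json.dumps([
    {"record_uid": "rec-ok", "no_schedule": False,
     "schedule": {"type": "cron", "cron": "0 3 * * *"}},
    {"record_uid": "rec-manual", "no_schedule": True, "schedule": None},
    {"record_uid": "rec-bad", "no_schedule": False,
     "schedule": {"type": "cron", "cron": "0 25 * * *"}},
])
print(audit_schedules(SAMPLE))
```

`cron_errors` can also be run on a candidate expression before passing it to `pam extended schedule set --cron`.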

