# Ephemeral Accounts and Privilege Elevation

## Overview

PAM Machine, PAM Database, and PAM Directory record types can be configured to authenticate sessions using **ephemeral** accounts. Additionally, ephemeral accounts or existing accounts can be **elevated** to a specified group or role for the duration of the session. All ephemeral accounts and elevated permissions are automatically removed when the session expires, leaving no persistent account or group membership on the target system to be compromised later. Credentials captured during a session therefore stop working once it ends, which limits their use for lateral movement, reduces administrative overhead, and creates a clean audit trail per session.

**Ephemeral Accounts**

Keeper can create ephemeral accounts on any assigned target resource, such as:

* Active Directory / LDAP Domain User
* Windows User
* Linux User
* MySQL User
* PostgreSQL User
* Microsoft SQL Server User

An ephemeral account is a system-generated, time-limited account created specifically for a session. The Keeper Gateway creates the account on the target system when access is approved and automatically deletes it when the session ends. No persistent account remains on the target system.

**Privilege Elevation**

Privilege elevation temporarily assigns an ephemeral or existing account to a specified group or role on the target system for the duration of the session. Elevated permissions are automatically revoked when the session ends.

**Supported Connection Protocols**

* RDP
* Database connections (MySQL, PostgreSQL, SQL Server, Oracle, etc.)
* SSH
* VNC

In this guide, you will learn how to set up Ephemeral Accounts and Privilege Elevation on PAM record types in your Keeper Vault.

## PAM Settings - Configuring Ephemeral Accounts & Privilege Elevation

### Navigate to JIT Settings

On a PAM Machine, PAM Database or PAM Directory record type navigate to the JIT tab on the PAM Settings screen by:

1. Editing the PAM Record Type
2. Clicking on "Edit" in the PAM Settings section
3. Navigating to the "JIT" section in the prompted window

<figure><img src="/files/XYMRQdiTPvis4h80dy6x" alt=""><figcaption></figcaption></figure>

On the JIT tab, the following fields can be configured:

<table><thead><tr><th width="261.5625">Field</th><th>Definition</th></tr></thead><tbody><tr><td>Administrative Port</td><td>The port used for administrative operations such as creating ephemeral accounts. This value is inherited from the Rotation tab and cannot be modified from the JIT tab.</td></tr><tr><td>Create Ephemeral Account for connection</td><td>When enabled, a system-generated, time-limited account is created for the session. Ephemeral accounts are created using the naming convention <code>keeper_&#x3C;UID></code><br><br>The ephemeral account type depends on the record type: <strong>PAM Machine:</strong> Domain User or Local User (Windows, Linux, or Mac).<br><strong>PAM Database and PAM Directory</strong>: the account type is detected automatically.</td></tr><tr><td>Elevate account during connection</td><td>When enabled, the account used to authenticate the connection — including ephemeral accounts — is temporarily elevated to a specified group or role. Select <strong>Group</strong> for machines and directory users, or <strong>Role</strong> for databases.<br><br>E.g. for Local Windows User this might be “Administrators” and for AWS this would be the full ARN (e.g. <code>arn:aws:iam::12345:role/Admin</code>).</td></tr></tbody></table>

**Note**: The following fields on each record type must be set before JIT can be fully configured:

<table><thead><tr><th width="208.35546875">Record Type</th><th>JIT Required Field</th></tr></thead><tbody><tr><td>PAM Machine</td><td>Operating System<br><br>Accepted Values: Windows, Linux, Mac</td></tr><tr><td>PAM Database</td><td>Database Type</td></tr><tr><td>PAM Directory</td><td>Directory Type</td></tr></tbody></table>

### Configuring Elevation for Domain Users

#### **Elevating Ephemeral Domain User to AD Group**

When elevating an ephemeral Domain User to an Active Directory group, you must link the PAM Directory record and specify the group name in Distinguished Name (DN) format.

**Example:** If the group name is **`RemoteUsers`** and the group lives in the default `Users` container of the `example.com` domain, the DN would be:

```
CN=RemoteUsers,CN=Users,DC=example,DC=com
```

If your group name contains spaces, you must enclose the DN in quotes. The DN must reflect where the group actually sits in the directory; a group in an OU rather than the `Users` container uses `OU=...` components instead.

**Example:** If the group name is **`Remote Users`**, the DN would be:

```
"CN=Remote Users,CN=Users,DC=example,DC=com"
```

#### **Elevating Ephemeral Domain User to Local Group**

To elevate to a local group on the machine instead, specify the local group name directly (e.g., `RemoteUsers`). No DN format is required for local groups.

#### **Elevating Existing Domain User to AD Group**

Existing domain users are defined as PAM User records and can be used as the launch credential for targets defined on PAM Machine record types.

To elevate an existing domain user to an Active Directory group:

1. On the PAM User record, configure the rotation settings and link it to a PAM Directory record.
2. On the PAM Machine record that uses this PAM User as the launch credential, navigate to the **JIT** tab and enable **Elevate Account During Connection**.
3. Specify the target group in Distinguished Name (DN) format.

The existing user will be temporarily elevated to the specified group in the directory service linked on the PAM User record. Elevation is removed when the session expires.

#### **Ephemeral Account Propagation Delay**

When using Domain ephemeral accounts, the Keeper Gateway creates a temporary Active Directory account and waits for it to propagate across Domain Controllers before initiating a session. The default propagation delay is 3 seconds.

In environments with multiple Domain Controllers or high replication latency, the default delay may not be sufficient, resulting in invalid credential errors during connection.

To adjust the propagation delay, set the following environment variable on the Gateway:

`KEEPER_GATEWAY_JIT_ACCOUNT_CREATION_LOGIN_DELAY_SECS`

This value is specified in seconds. For example, setting it to `10` will cause the Gateway to wait 10 seconds after account creation before attempting to authenticate.

**When to use this:** If you see invalid credential errors for ephemeral accounts and the Gateway logs show a message like `waiting 3 seconds for ephemeral account [account-name] to propagate before login`, increasing this value should resolve the issue.

### Configuring Elevation for Database Users

Ephemeral and existing database users can be elevated to a specified role on the database server. On the PAM Database record, navigate to the **JIT** tab, enable **Elevate Account During Connection**, select **Role**, and enter the target role name.

For example, to grant read-only access during a session, specify the `readonly` role. The user will be assigned the `readonly` role for the duration of the session, and the role is automatically removed when the session expires.

**Troubleshooting: MySQL Ephemeral Users Have No Privileges**

A newly created MySQL user holds nothing beyond `USAGE` until privileges are granted to it. Because KeeperPAM creates ephemeral users dynamically, there is no opportunity to grant permissions to each one by hand, so they appear to have no privileges at all.

To resolve this, use **mandatory roles** in MySQL 8+. A mandatory role is treated as granted to every account on the server, including ones created later, so ephemeral users receive the required permissions without manual intervention. Note that this applies to every existing account as well, not only to the `keeper_<UID>` users, so keep the mandatory baseline minimal and use JIT elevation for anything beyond it.

**Setup Steps**

Run the following commands as a MySQL admin (e.g. `root`):

```sql
-- Step 1: Create a role with the desired permissions
CREATE ROLE 'readonly';

-- Step 2: Grant read-only access to all schemas
GRANT SELECT ON *.* TO 'readonly';

-- Step 3: Make the role mandatory for all users (including future ephemeral users)
SET GLOBAL mandatory_roles = 'readonly';

-- Step 4: Ensure roles activate automatically at login
SET GLOBAL activate_all_roles_on_login = ON;
```

**Step 4 is critical.** Without it, mandatory roles are assigned but not activated — meaning ephemeral users will still appear to have no permissions when they connect.

**Persist Across Restarts**

To ensure these settings survive a MySQL restart, add the following to your MySQL configuration file (`my.cnf` or `my.ini`):

```ini
[mysqld]
mandatory_roles = 'readonly'
activate_all_roles_on_login = ON
```

**Adjusting Permissions**

To grant read/write access instead of read-only, adjust the privileges on the role:

```sql
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'readonly';
```

Or create a separate role and make that one mandatory instead. Every role listed in `mandatory_roles` is granted to every account, so listing `readonly,readwrite` together would give all users write access:

```sql
CREATE ROLE 'readwrite';
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'readwrite';
SET GLOBAL mandatory_roles = 'readwrite';
```

**Verifying the Configuration**

You can confirm everything is set correctly by running:

```sql
SELECT @@mandatory_roles;
SELECT @@activate_all_roles_on_login;
```
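To confirm that an ephemeral user really ends up with the role described in the database elevation section and the mandatory-role setup above, the following added example (not Keeper's or MySQL's own code) walks through the check with a constructed stand-in account named `keeper_verify`; the account name and password are assumptions, and the statements run as a MySQL admin after the setup steps.

```sql
-- Added verification example, not part of the original page.
-- 'keeper_verify' is a constructed stand-in for the keeper_<UID> account
-- the Gateway creates at session start; its password is made up.
CREATE USER 'keeper_verify'@'%' IDENTIFIED BY 'Constructed-Password-1!';

-- Server-wide settings that every new account inherits.
SELECT @@GLOBAL.mandatory_roles, @@GLOBAL.activate_all_roles_on_login;

-- Privileges held directly: a fresh user shows only USAGE ON *.*. That is
-- what "no privileges" looks like and is expected here; SELECT is meant to
-- arrive through the mandatory role, not through a direct grant.
SHOW GRANTS FOR 'keeper_verify'@'%';

-- Run the next statements from a session opened as the stand-in
-- (for example: mysql -u keeper_verify -p). CURRENT_ROLE() is the real test:
--   `readonly`@`%`  -> role granted and active; SELECT statements succeed
--   NONE            -> role granted but inactive, i.e. Step 4 is missing;
--                      SET ROLE ALL; activates it for this session only
-- SELECT CURRENT_ROLE();
-- SELECT COUNT(*) FROM mysql.user;        -- succeeds once the role is active
-- INSERT INTO some_db.some_table VALUES (1); -- denied: the role has no INSERT

-- Remove the stand-in. The Gateway does this for real ephemeral accounts at
-- session end, and the account's effective privileges disappear with it.
DROP USER 'keeper_verify'@'%';
```

Two caveats worth knowing before relying on this: a role named in `mandatory_roles` cannot be revoked from an account or dropped with `DROP ROLE` until it is removed from the variable, and because the role reaches every account on the server, `SELECT CURRENT_ROLE()` from an existing application login is a quick way to see what the change did to accounts other than the ephemeral ones.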

## Ephemeral Accounts and Privilege Elevation with Workflow and Keeper Connections

Ephemeral accounts and privilege elevation are best used in combination with Workflow and [Connections](/keeperpam/privileged-access-manager/connections.md). Workflow adds approval controls, time limits, and accountability to ensure that ephemeral accounts and elevated permissions are only granted with proper authorization. Connections enable users to launch sessions directly to target resources from the vault.

To learn more, visit the following pages:

* [Workflow](/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow.md)
* [Authentication Methods](/keeperpam/privileged-access-manager/connections/authentication-methods.md#ephemeral-account)