> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/keeperdb/integration-with-keeperpam.md).

# Integration with KeeperPAM

<figure><img src="/files/2ANnAfnxQMbahqIutfrD" alt=""><figcaption></figcaption></figure>

## Overview

KeeperDB integrates with KeeperPAM to provide managed, audited database access. Users launch database sessions without handling credentials, and admins keep full policy control, session visibility, and reviewability.

### Key capabilities

* Fully audited database sessions
* Passwordless access with workflow, approvals, and check-in/check-out
* Zero standing privilege with just-in-time access
* Embedded visual sessions or CLI access

## Prerequisites

An active KeeperPAM license is required. KeeperPAM is available for both business and enterprise customers.

* [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/)
* [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales)
* [Contact Support](https://www.keepersecurity.com/support.html)

Before you configure KeeperDB access, make sure you have:

* Reviewed [Getting Started](/keeperpam/privileged-access-manager/getting-started.md)
* Deployed a [Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md)

### Visual walkthrough

{% hint style="info" %}
These steps show the manual setup flow. You can also import resources with Keeper Commander CLI.
{% endhint %}

### Create a PAM Database record

In the Keeper Vault, open a shared folder that is provisioned to a Gateway. Then create a **PAM Database** record.

<figure><img src="/files/GcReeBXMgm4PTrJSFJUb" alt=""><figcaption></figcaption></figure>

This example uses a Microsoft SQL Server database.

<figure><img src="/files/YG7a6jdy2Cx43pzOm1xE" alt=""><figcaption></figcaption></figure>

Enter the basic connection details such as hostname and port. Then select **Set Up** to configure PAM settings. Make sure the correct **Database Type** is selected.

<figure><img src="/files/Nfk6NnhYIFJ1RADo4Hye" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9QcNFODOCiK7Y6lNJmXI" alt=""><figcaption></figcaption></figure>

### Configure rotation settings

If credential rotation is required, Keeper uses the linked Administrative Credentials record to connect and rotate the target credential over the configured port.

<figure><img src="/files/rSvBbdq65Kcu7J2ZYakA" alt=""><figcaption></figcaption></figure>

### Configure connection settings

Enable the connection with the required database protocol. In this example, the protocol is SQL Server.

Enable session recording and key event capture. To activate KeeperAI threat detection for the session, enable all three session recording options.

<figure><img src="/files/rt9lzy4XKfuSkOoLuVC4" alt=""><figcaption></figcaption></figure>

### Configure KeeperDB and CLI settings

The **KeeperDB** tab lets you allow CLI sessions, visual KeeperDB sessions, or both. If both are enabled, the user chooses the launch mode at runtime.

Session persistence is disabled by default. Each session starts fresh.

* If **By User** is selected, UI preferences and query state are retained for that user.
* If **By Resource** is selected, shared users reuse the same UI preferences and latest query state.
* **By Resource** also prevents simultaneous multi-user connections to that resource.

<figure><img src="/files/x1ieBp9pMCRFWQpbVVVV" alt=""><figcaption></figcaption></figure>

### Configure just-in-time access

The **JIT** tab controls whether the session requires an ephemeral account or temporary privilege elevation.

<figure><img src="/files/Yik7zKeVZKb5lJbLW7Au" alt=""><figcaption></figcaption></figure>

### Configure tunnel settings with KeeperDB Proxy

A local Keeper [Tunnel](/keeperpam/privileged-access-manager/tunnels.md) can be created from the Keeper Desktop application when tunneling is enabled on the resource. If **KeeperDB Proxy** is also enabled, the Keeper Gateway injects the launch credentials into the connection stream without exposing them to the user.

This lets users connect with their preferred database tool, including the native KeeperDB application, without handling credentials directly.

<figure><img src="/files/tZrcfrjtbc7ZEHaeAo4n" alt=""><figcaption></figcaption></figure>

### Enable KeeperAI

If KeeperAI is enabled, all interaction with the database is recorded and monitored by the configured AI agent running on the Keeper Gateway.

* [Learn more](/keeperpam/privileged-access-manager/keeperai.md) about setting up KeeperAI on the Gateway

<figure><img src="/files/XP8i9YLMSqKV6tQVAaEb" alt=""><figcaption></figcaption></figure>

### Enable workflow controls

Enable workflow controls to enforce policies such as check-in/check-out, approvals, and MFA. Users shared to the record with launch access must follow the workflow policy configured on that record.

* [Learn more](/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow.md) about Keeper Workflow

<figure><img src="/files/zlyuqs51Zp07nldODFHz" alt=""><figcaption></figcaption></figure>

### Launch KeeperDB

When a user checks out the resource and launches KeeperDB, the session opens directly in the Vault. The connection is established through the Keeper Gateway without exposing the underlying credentials.

<figure><img src="/files/uWohi1KKLYxuelmmQUn5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/c6L1tMzFLjM5VGHl5YEg" alt=""><figcaption></figcaption></figure>

The query editor opens in the Vault and can be expanded to full screen.

<figure><img src="/files/ds5ddLCZu3jQ9bSkWmzh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/op87AZS35cOxAxIUyFjp" alt=""><figcaption></figcaption></figure>

The embedded session supports the same core features as the standalone app, including multi-sheet editing, query history, monitoring, and graph views.

<figure><img src="/files/af0CeyjACEYUZD71706l" alt=""><figcaption></figcaption></figure>

### Review session activity

If you have permission to review recordings, open the record details and go to **Session Activity**. This view shows all recorded database session activity for the resource.

<figure><img src="/files/mYhlLaU26uuaDvzdKY0V" alt=""><figcaption></figcaption></figure>

### Review the KeeperAI summary

KeeperAI generates a high-level summary and step-by-step analysis for the session. If you need more context, you can open the playback and review the full recording.

<figure><img src="/files/FZXFTLAlsbJOgdSywUx3" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/keeperdb/integration-with-keeperpam.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.