# SaaS Rotation via Commander ## Overview This guide covers how to configure, manage, and execute SaaS rotation through Keeper Commander. ## Configuring SaaS Rotation ### Step 1: Create a SaaS Configuration Record SaaS rotation configurations are stored as records with custom fields that define the configuration parameters. **Using Keeper Commander CLI** The fastest way to create a SaaS configuration is using the Commander CLI `pam action saas config` command: {% code overflow="wrap" %} ```bash # Login to your vault keeper shell # List available SaaS types for your gateway pam action saas config --gateway "My Gateway" --list # Create a new SaaS configuration (example for Okta) pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create ``` {% endcode %} The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins. You can also just create a Login record with custom fields as defined below. ### Step 2: Associate SaaS Rotation with PAM Users Once your SaaS configuration record is created, associate that record with one or more **PAM User** records in the vault. * Create the PAM User record either in the vault, or using the Commander CLI * Add rotation settings to the PAM User (Rotation Profile: `Run PAM scripts only`, use Profile: `General` only if plugin needs a Resource) * Using Commander, run the below commands to create the association: {% code overflow="wrap" %} ```bash # Add SaaS rotation to a user pam action saas set --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID # Optionally attach to a specific resource pam action saas set --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID ``` {% endcode %} ### Step 3: Verify Configuration Check that your SaaS rotation is properly configured on the PAM User record: ```bash # View all SaaS rotations for the PAM User pam action saas user -u USER_RECORD_UID ``` This will display all configured SaaS rotations for the specified PAM User, including their current settings. ## Running SaaS Rotations To perform the rotation from the Commander CLI, use the pam action rotate command: ``` pam action rotate -r USER_RECORD_UID ``` ### Managing SaaS Rotations #### Remove SaaS Rotation To remove a SaaS rotation from a PAM User record: ```bash pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID ``` #### Activate/Deactivate Rotations You can control whether a SaaS rotation is active by setting the `Active` custom field: * Set to any value (e.g., "true", "yes", "1") to activate * Remove the field or set to empty/false to deactivate --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins/saas-rotation-via-commander.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.