# Importing PAM Resources

## Overview

Keeper supports bulk import of PAM resources through the Keeper Commander CLI. This lets you import a large number of resources, along with a PAM Configuration, Gateway and project folders.

On this page, we will demonstrate importing a large number of domain-joined Windows servers and local admin accounts.

***

### Overview of the Workflow

1. Create a **JSON file** that includes information about your project and resources.

   A **CSV file** can be used to create or merge content into this **JSON file**. This process is documented [here](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources/using-a-csv-template).
2. Import the **JSON file** with the `pam project import` command.

***

### Prerequisites

| Requirement                           | Notes                               |
| ------------------------------------- | ----------------------------------- |
| Keeper Commander v17.1.8 or newer     | Verify with `keeper version`        |
| KeeperPAM License                     | Enabled in the Keeper Admin Console |
| Admin role with Manage PAM permission | Enabled in the Keeper Admin Console |

***

### 1 - JSON Structure

You can find an example JSON file below:

{% code expandable="true" %}

```json
{
    "project": "XXX:Project1",
    "shared_folder_users": {
        "manage_users": true,
        "manage_records": true,
        "can_edit": true,
        "can_share": true
    },
    "shared_folder_resources": {
        "manage_users": true,
        "manage_records": true,
        "can_edit": true,
        "can_share": true
    },
    "pam_configuration": {
        "environment": "local",
        "connections": "on",
        "rotation": "on",
        "graphical_session_recording": "on"
    },
    "pam_data": {
        "resources": [
            {
                "_comment1": "Every key that starts with '_' is a comment and can be ignored or deleted",
                "_comment2": "Every value that starts with uppercase 'XXX:' must be replaced with actual value (removed if not required)",
                "_comment3": "Every value that starts with lowercase 'xxx:' is just a placeholder - can be replaced with anything but must be present",
                "type": "pamDirectory",
                "title": "XXX:Project1 AD",
                "directory_type": "XXX:active_directory|ldap",
                "host": "XXX:demo.local",
                "port": "XXX:636",
                "use_ssl": true,
                "domain_name": "XXX:demo.local",
                "pam_settings": {
                    "options": {
                        "rotation": "on",
                        "connections": "on",
                        "tunneling": "on",
                        "graphical_session_recording": "on"
                    },
                    "connection": {
                        "protocol": "rdp",
                        "port": "XXX:3389",
                        "security": "XXX:any",
                        "ignore_server_cert": true,
                        "_comment_administrative_credentials": "Must match the unique title of one of the users below",
                        "administrative_credentials": "XXX:DomainAdmin"
                    }
                },
                "users": [
                    {
                        "type": "pamUser",
                        "_comment_title": "Must match administrative_credentials above if this is the admin user",
                        "title": "XXX:DomainAdmin",
                        "_comment_login_password": "Must provide valid credentials but delete sensitive data/json after import",
                        "login": "XXX:administrator@demo.local",
                        "password": "XXX:P4ssw0rd_123",
                        "rotation_settings": {
                            "rotation": "general",
                            "enabled": "on",
                            "schedule": {
                                "type": "on-demand"
                            }
                        }
                    }
                ]
            },
            {
                "_comment4": "While the pamDirectory section above is static, the pamMachine section below is dynamically generated",
                "_comment5": "One pamMachine with one pamUser will be generated for each line of the CSV file",
                "_comment6": "Only one pamMachine is needed and it will be used as a template for all CSV rows",
                "_comment7": "Please do NOT edit lines with xxx: in them - these are placeholders",
                "_comment8": "Any other line that doesn't contain xxx: can be altered/added/deleted in the template",
                "_comment9": "CSV Format: server_name,username,password",
                "type": "pamMachine",
                "_comment_title_and_host": "server value from CSV",
                "title": "xxx:server1",
                "host": "xxx:server1",
                "port": "5986",
                "ssl_verification": true,
                "operating_system": "Windows",
                "pam_settings": {
                    "options": {
                        "rotation": "on",
                        "connections": "on",
                        "tunneling": "on",
                        "graphical_session_recording": "on"
                    },
                    "connection": {
                        "protocol": "rdp",
                        "port": "3389",
                        "security": "any",
                        "ignore_server_cert": true,
                        "_comment_administrative_credentials": "Format: pamDirectory#title.pamDirectory#administrative_credentials - exact match needed",
                        "administrative_credentials": "XXX:Project1 AD.DomainAdmin"
                    }
                },
                "users": [
                    {
                        "type": "pamUser",
                        "_comment_title": "username value from CSV or server-username if --prefix-names option is used",
                        "title": "xxx:admin",
                        "_comment_login": "username value from CSV",
                        "login": "xxx:Administrator",
                        "_comment_password": "password value from CSV",
                        "password": "xxx:P4ssw0rd_123",
                        "rotation_settings": {
                            "rotation": "general",
                            "enabled": "on",
                            "schedule": {
                                "type": "on-demand"
                            }
                        }
                    }
                ]
            }
        ]
    }
}
```

{% endcode %}

The JSON body is made up of these basic components:

{% code overflow="wrap" %}

```
project 
  └ Name of your project (will be used for naming the application, gateway and folders)
shared_folder_users
  └ Settings to set for the default "Users" folder
shared_folder_resources
  └ Settings to set for the default "Resources" folder
pam_configuration
  └ Settings to set for the PAM Configuration record
  
pam_data
  └ resources
    ├  <resource>
    │    ├ type: pamDirectory
    │    ├ pam_settings
    │    │    ├ options
    │    │    │  └ Enabling PAM settings
    │    │    └ connection
    │    │       ├ administrative_credentials (format:pamUser title)
    │    │       │  └ title of a user resource to map as Administrative Credentials
    │    │       └ launch_credentials (format:pamUser title)
    │    │          └ title of a user resource to map as Launch Credentials
    │    └ users
    │      └ <user>
    │        └ user login and rotation data. General rotation maps to the parent resource
    └  <resource>
         ├ type: pamMachine
         ├ pam_settings
         │    ├ options
         │    │  └ Enabling PAM settings
         │    └ connection
         │       ├ administrative_credentials (format:pamDirectory title.pamUser title)
         │       │  └ title of a user resource to map as Administrative Credentials
         │       └ launch_credentials (format:pamDirectory title.pamUser title)
         │          └ title of a user resource to map as Launch Credentials
         └ users
           └ <user>
             └ user login and rotation data. General rotation maps to the parent resource
```

{% endcode %}

Many attributes can be applied to resources and user objects, which are documented [here](https://github.com/Keeper-Security/Commander/blob/master/keepercommander/commands/pam_import/README.md).

Users can be placed either in the `users` array of the `pamDirectory` resource (to model Active Directory rotations) or in the `users` array of the `pamMachine` resource (to model Local rotations). The example from this documentation uses the latter model.

***

### 2 – Create the JSON Template

Create a JSON template as described above. For our simple example, we will use this template and name the file `pam_import.json`:

{% code expandable="true" %}

```json
{
  "project": "Example Project",
  "shared_folder_users": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "shared_folder_resources": {
    "manage_users": true,
    "manage_records": true,
    "can_edit": true,
    "can_share": true
  },
  "pam_configuration": {
    "environment": "local",
    "connections": "on",
    "rotation": "on",
    "graphical_session_recording": "on"
  },
  "pam_data": {
    "resources": [
      {
        "type": "pamDirectory",
        "title": "Example AD",
        "directory_type": "active_directory",
        "host": "demo.local",
        "port": "636",
        "use_ssl": true,
        "domain_name": "demo.local",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "DomainAdmin",
            "login": "administrator@demo.local",
            "password": "P4ssw0rd_123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "srv-01",
        "host": "srv-01",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "Example AD.DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "srv-01-Administrator",
            "login": "Administrator",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "srv-02",
        "host": "srv-02",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "Example AD.DomainAdmin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "srv-02-Administrator",
            "login": "Administrator",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      }
    ]
  }
}
```

{% endcode %}
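A pre-import check for `pam_import.json`, added here as an example (it is not part of Keeper Commander): it flags unreplaced `XXX:` placeholders, credential references that match no `pamUser` title, non-ASCII characters in `host` (for example a non-breaking hyphen that looks like `-`), and connections with `ignore_server_cert` enabled. The function name `lint_pam_import`, the sample document, and the rule that a reference resolves either to a user title in the same resource or to `<pamDirectory title>.<pamUser title>` are assumptions.

```python
import json

def lint_pam_import(doc):
    """Return (json_path, message) findings for a `pam project import` document."""
    findings = []
    resources = doc.get("pam_data", {}).get("resources", [])

    # Titles a credentials reference may resolve to (assumed resolution rules):
    # "<pamUser title>" in the same resource, or "<pamDirectory title>.<pamUser title>".
    users_of = {r.get("title"): {u.get("title") for u in r.get("users", [])} for r in resources}
    directory_refs = {f"{r.get('title')}.{u}" for r in resources
                      if r.get("type") == "pamDirectory" for u in users_of[r.get("title")]}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if not key.startswith("_"):          # keys starting with '_' are comments
                    walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            if node.startswith("XXX:"):              # uppercase placeholders must be replaced
                findings.append((path, "unreplaced XXX: placeholder"))
            if path.endswith(".host") and not node.isascii():
                findings.append((path, "non-ASCII character in host"))

    walk(doc, "$")
    for i, res in enumerate(resources):
        conn = res.get("pam_settings", {}).get("connection", {})
        base = f"$.pam_data.resources[{i}].pam_settings.connection"
        for key in ("administrative_credentials", "launch_credentials"):
            ref = conn.get(key)
            if ref and ref not in users_of[res.get("title")] and ref not in directory_refs:
                findings.append((f"{base}.{key}", f"no pamUser matches {ref!r}"))
        if conn.get("ignore_server_cert") is True:
            findings.append((f"{base}.ignore_server_cert", "server certificate is ignored"))
    return findings

# Constructed sample: a directory with one user and a machine carrying three mistakes.
SAMPLE = json.loads(r"""
{"project": "Example Project", "pam_data": {"resources": [
  {"type": "pamDirectory", "title": "Example AD", "host": "demo.local",
   "pam_settings": {"connection": {"administrative_credentials": "DomainAdmin"}},
   "users": [{"type": "pamUser", "title": "DomainAdmin", "login": "XXX:administrator@demo.local"}]},
  {"type": "pamMachine", "title": "srv-01", "host": "srv\u201101",
   "pam_settings": {"connection": {"ignore_server_cert": true,
                                   "administrative_credentials": "Example AD.Domain Admin"}},
   "users": [{"type": "pamUser", "title": "srv-01-Administrator", "login": "Administrator"}]}
]}}
""")

if __name__ == "__main__":
    for path, message in lint_pam_import(SAMPLE):
        print(f"{path}: {message}")
```

To check a real file, pass `json.load(open("pam_import.json"))` to `lint_pam_import` before running the import.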

***

### 3 – Import Resources into Keeper

The file `pam_import.json` will now be imported into Keeper from the Commander CLI. Start your Keeper Commander session. If you haven't set up Commander, [follow this setup guide](https://docs.keeper.io/en/keeperpam/commander-cli/commander-installation-setup).

```
keeper shell
```

Run the import with this command. This assumes that the `pam_import.json` file is in the Commander working directory; an absolute path can also be used.

```bash
pam project import -f pam_import.json
```

When the import is complete, the response output in Commander will contain an access token:

```
"access_token": "XXXXXXXX...."
```

Save the value inside the quotes (XXXXX.....) for initializing the Gateway in the next step below.

Note: After the import is complete, the vault will be updated with the resources. If your vault is currently open, it's probably a good idea to click Full Sync or refresh the page.

### 4 – Start the Gateway

This document doesn't cover the installation of a Keeper Gateway, so let's assume that you have already done this. If you haven't created a Gateway, [follow these setup instructions](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways) for your preferred method.

* In the Gateway's configuration, update the `GATEWAY_CONFIG` with the access token value provided in Step 4 above. For Docker installations, this will be in the `docker-compose.yaml` file. For Windows installations, it will be in the `C:\ProgramData\KeeperGateway\config\gateway-config.json` file
* Restart the Gateway

At this point, the Gateway is running and has been associated to all of your imported resources. By default, the import will add all PAM projects to a folder called "PAM Environments".

### Import Results

Based on this example, below are some screenshots of the resources created:

* Secrets Manager Application
* Keeper Gateway
* PAM Configuration
* PAM Directory (Active Directory Service)
* PAM User representing the Domain Admin
* PAM Machine Resources (Windows Servers)
* PAM Users for each PAM Machine (Local Admins)

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F354vfgipZHIaqO0r1T3r%2FScreenshot%202025-06-20%20at%204.21.52%E2%80%AFPM.png?alt=media&#x26;token=6426b392-7807-473f-86bf-446beeb774c1" alt=""><figcaption><p>KSM Application</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FaLv2XWcF0Dk8KwBQ3eD1%2FScreenshot%202025-06-20%20at%204.21.41%E2%80%AFPM.png?alt=media&#x26;token=d814262e-57a1-44f5-968b-c1f6e3004d69" alt=""><figcaption><p>PAM Configuration</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FmOOs8nHv55ULSZjkFsVg%2FScreenshot%202025-06-20%20at%204.21.52%E2%80%AFPM.png?alt=media&#x26;token=e5bff26c-a7f8-4055-97a2-ef7857041b34" alt=""><figcaption><p>PAM Gateway</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F9Z31inQYtgFlJShWSlQk%2FScreenshot%202025-06-20%20at%204.00.26%E2%80%AFPM.png?alt=media&#x26;token=69d415a1-43eb-4cff-8cee-6f179d181b5c" alt=""><figcaption><p>PAM Resources</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FlrcM59MKq20tm6e7BAB4%2FScreenshot%202025-06-20%20at%204.00.36%E2%80%AFPM.png?alt=media&#x26;token=4f13d12f-d3e8-40ff-956e-2da85c2307bf" alt=""><figcaption><p>PAM Users</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FpJjMMjnNqsZEuC8Jnfa8%2FScreenshot%202025-06-20%20at%204.17.05%E2%80%AFPM.png?alt=media&#x26;token=8b8480b2-6fbd-47bc-a399-6055c38b5ab7" alt=""><figcaption><p>Domain Controller</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FA2GAy1Q7jpum1enp0jGp%2FScreenshot%202025-06-20%20at%204.17.47%E2%80%AFPM.png?alt=media&#x26;token=0876bcb4-7146-4e98-9142-d6daeb6b3102" alt=""><figcaption><p>PAM Machine</p></figcaption></figure>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FFk9RWPNmyobqs6NJrVl5%2FScreenshot%202025-06-20%20at%204.18.02%E2%80%AFPM.png?alt=media&#x26;token=5b51770c-03b2-4830-a579-9e7e1cd55e1a" alt=""><figcaption><p>PAM User (Local Admin)</p></figcaption></figure>

### Advanced Import Formats

This document demonstrated the basic example of importing a series of Windows servers for the purpose of establishing connections, tunnels and automated password rotation. The configuration of the connections and resources was set up to be simple.

More advanced import options including full JSON template capabilities are documented on [this GitHub README Page](https://github.com/Keeper-Security/Commander/blob/master/keepercommander/commands/pam_import/README.md). This page provides all of the possible settings that can be modified as part of the import process. If you need to re-run this process, it's no big deal - just delete the Folders, PAM Configuration and Gateway from the vault and start over.

If you have any questions on the import process, contact your account team or email <commander@keepersecurity.com>.

***

### Generate the JSON file from CSV

To use a CSV file to generate the JSON file to import, see this section:

[Using a CSV Template](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources/using-a-csv-template)

***

### Importing with Existing Data

To add content to an existing PAM model instead of creating a new Application, see this section:

[Adding PAM Resources to an Existing Model](https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/importing-pam-resources/adding-pam-resources-to-an-existing-model)

***

### Related Topics

* See the [Keeper Commander](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands) options for additional PAM automation capabilities.
