# Adding PAM Resources to an Existing Model

After creating your PAM content - either manually or with the `pam project import` command - you can add additional content with the `pam project extend` command.

{% hint style="info" %}
The `pam project extend` command is available from Keeper Commander 17.2.8.
{% endhint %}

## JSON Template

The process requires a similar `pam_import.json` template as the one generated in [Importing PAM Resources](/keeperpam/privileged-access-manager/references/importing-pam-resources.md), with a few notable changes:

* Only the `pam_data` object is included in the template. Since this is an `extend` action, we do not need any project information (although including it would not fail the process).
* The PAM Directory record will not be re-created, but still needs to be included so we can reference the AD Domain Admin from administrative credentials.
* The new pamMachine and pamUser titles need to be unique in the file and the existing PAM model to avoid any conflicts.

```json
{
  "pam_data": {
    "resources": [
      {
        "type": "pamDirectory",
        "title": "My Domain Controller",
        "directory_type": "active_directory",
        "host": "lureydemo.local",
        "port": "636",
        "use_ssl": true,
        "domain_name": "lureydemo.local",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "My Domain Admin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "My Domain Admin",
            "login": "administrator@lureydemo.local",
            "password": "YourExistingDomainPassword",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      },
      {
        "type": "pamMachine",
        "title": "extended_machine_1",
        "host": "desktop-machine1",
        "port": "5986",
        "ssl_verification": true,
        "operating_system": "Windows",
        "pam_settings": {
          "options": {
            "rotation": "on",
            "connections": "on",
            "tunneling": "on",
            "graphical_session_recording": "on"
          },
          "connection": {
            "protocol": "rdp",
            "port": "3389",
            "security": "any",
            "ignore_server_cert": true,
            "administrative_credentials": "My Domain Controller.My Domain Admin"
          }
        },
        "users": [
          {
            "type": "pamUser",
            "title": "user_extended_machine_1",
            "login": "extended_user",
            "password": "LocalAdminPassword123",
            "rotation_settings": {
              "rotation": "general",
              "enabled": "on",
              "schedule": {
                "type": "on-demand"
              }
            }
          }
        ]
      }
    ]
  }
}
```

This template will import one new pamMachine and pamUser record to the existing model. This guide assumes that you are familiar with the template structure outlined in [Importing PAM Resources](/keeperpam/privileged-access-manager/references/importing-pam-resources.md). In the interest of clarity, comments have been removed and the same values have been populated as in our example run.

## Folder Management

By adding a `folder_path` attribute to your JSON objects (resources and users), you can define shared folder and personal folder location for your new imported records:

```json
...
{
    "type": "pamDirectory",
    "title": "My Domain Controller",
    "folder_path": "Extend Shared Folder/AD",
...
{
    "type": "pamUser",
    "title": "My Domain Admin",
    "folder_path": "Extend Shared Folder/AD",
...
{
    "type": "pamMachine",
    "title": "extended_machine_1",
    "folder_path": "Extend Shared Folder/Resources",
...
{
    "type": "pamUser",
    "title": "user_extended_machine_1",
    "folder_path": "Extend Shared Folder/Users",
```

<figure><img src="/files/rLDVEnkSVbiDLbjbusxf" alt="Folder Management with pam project extend" width="298"><figcaption></figcaption></figure>

Additional notes:

* If your PAM model has more than the default two shared folders - specifying `folder_path` for your records is required.
* The shared folder must exist.
* If a nested personal folders doesn't exist, it will be created automatically.

## Running the Import

With the JSON template file above ready, the last requirement is to retrieve the PAM Configuration UID from the vault / Commander, which will be the link to the existing PAM model to extend from.

* Get the PAM Configuration UID from the vault:

<figure><img src="/files/Ck3oZYLvhvcOgPhCqam7" alt="Vault PAM Configuration UID"><figcaption></figcaption></figure>

* Get the PAM Configuration UID from Commander:

```bash
# List all configurations
pam config list
```

In Commander, you can then run the new import with `pam project extend`:

```bash
pam project extend --config PWJhchL7sRKeMZFWCVvPrg --filename "path/to/pam_import.json"
```

### Dry Run

Before running the import, you can add the `--dry-run` flag to see what records and folders would be created:

```bash
pam project extend -c PWJhchL7sRKeMZFWCVvPrg -f "path/to/pam_import.json" --dry-run
[DRY RUN] No changes will be made. This is a simulation only.
[DRY RUN] Will use PAM Configuration: PWJhchL7sRKeMZFWCVvPrg  "Import Demo Project" Configuration
[DRY RUN] Will use PAM Gateway:       dbYL-PiETJ2vpyhIo7dexQ  "Import Demo Project" Gateway
[DRY RUN] Will use KSM Application:   vt8rk_CVNOPpCHb4llPuzQ  "Import Demo Project" Application
[DRY RUN] Total shared folders found for the KSM App: 2
[DRY RUN] Found shared folder: aJqCPub1pEqgsG5-STORsQ "Import Demo Project - Users" (Editable)
[DRY RUN] Found shared folder: lTQFgRx8u5nu3OOa9-6FlA "Import Demo Project - Resources" (Editable)
[DRY RUN] Processed 0 folder paths:
[DRY RUN]   - Good paths: 0
[DRY RUN]   - Bad paths: 0
[DRY RUN] 0 existing folders, 0 new folders to be created
  [DRY RUN] [existing]  folder=autodetect	record=pamDirectory: "My Domain Controller"	uid=1uml7drZ4QrpCBDvvJ7idQ
  [DRY RUN] [new]  folder=autodetect	record=pamMachine: extended_machine_2
  [DRY RUN] [existing]  folder=autodetect	record=pamUser: "My Domain Admin" (nested on "My Domain Controller")	uid=rTk2mdsnhbAaDZEp948_AQ
  [DRY RUN] [new]  folder=autodetect	record=pamUser: user_extended_machine_2 (nested on extended_machine_2)
[DRY RUN] 2 existing records (skipped), 2 new records to be created
[DRY RUN COMPLETE] No changes were made. All actions were validated but not executed.
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/references/importing-pam-resources/adding-pam-resources-to-an-existing-model.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.