Feature: Automation Commands

Credential provisioning without the manual work

One command handles the full provisioning workflow: account creation, password rotation and credential delivery. Define the configuration once and run it every time, whether triggered manually or from an existing HR or IGA platform.

Keeper terminal output showing successful PAM credential provisioning, AD group assignment, password rotation, and record sharing

How Automation Commands work

Configure

Define the provisioning job in a YAML file, including the user details, target account, vault folder, rotation schedule and how credentials should be delivered.

Create

Keeper creates the identity in Active Directory or Microsoft Entra ID, assigns the user to the appropriate groups and stores the credential as a PAM User record in the vault.

Rotate

A secure password is generated to meet your complexity requirements, applied to the account immediately and scheduled for automatic rotation going forward.

Deliver

The credential is delivered to the recipient via direct vault share, a one-time email link or both, with expiry and permissions you control.

Integrate

Trigger the whole workflow via REST API to plug provisioning into any HR or IGA platform, so new accounts are created automatically when a new hire is added — no manual steps required.

Everything provisioning requires, in a single command

The credential-provision command orchestrates what was once a multi-step manual process, eliminating human error and making onboarding consistent every time.

Keeper PAM user record for John Smith showing AD login, masked password, daily rotation schedule, and distinguished name

AD and Entra ID identity creation

Creates identities directly in Active Directory or Microsoft Entra ID via the Keeper Gateway, with group assignments handled automatically. The Gateway is an outbound-only connection component that brokers access to your directory without requiring inbound firewall changes.

Automated password rotation

Configures and immediately triggers rotation on the new credential. Schedule it with a CRON expression, weekly, daily or at any cadence you need.

Keeper password rotation schedule showing a strong masked password, daily rotation at 2:00 AM CDT, and last rotation 3 hours ago
Keeper vault folder showing AD user account records, including domain admin, MySQL admin, rotation user, and John Smith accounts

PAM User record creation

Creates and stores the PAM User record in your vault at a folder path you define, organized by department, team or any structure you prefer.

Secure credential delivery

Delivers credentials to the recipient as a One-Time Share link via email, directly into their Keeper Vault or both. For privileged or high-sensitivity accounts, direct vault share is the recommended option.

Keeper one-time share dialog with a 1-hour expiration, single-device access notice, edit permission option, and Create Link button
YAML provisioning configuration showing instance size, AWS region, replicas, autoscaling limits, and REST API delivery settings

YAML-based configuration

All provisioning parameters are defined in a single YAML file. Pass it via file path, base64 string or through the REST API for programmatic workflows.

REST API support

Use Keeper Commander's Service Mode REST API to trigger provisioning from any identity governance platform — Workday, SailPoint, ConductorOne, Aquera and others.

API integration diagram showing Keeper connected to an API service, ngrok, and a cloud service

Built for these workflows

New employee onboarding

Trigger provisioning from your HR system the moment a new hire is added. Credentials are delivered before day one.

Admin account creation

Spin up privileged AD service accounts with group assignments, rotation and delivery to the right vault — no manual steps.

Self-service password reset

Automate the entire reset flow: rotate the password, generate a One-Time Share link and email it to the user.

Cloud IAM provisioning

Works with AWS IAM, Microsoft Entra ID and GCP in addition to on-prem AD — same command, same config structure.

Frequently asked questions

Can I use Automation Commands without Active Directory?

Yes. Automation Commands support Active Directory, Microsoft Entra ID, AWS and GCP. If you're working with Entra ID as a standalone provider, you can skip the AD-specific federation settings.

What happens if the user already exists in the directory?

Automation Commands checks for duplicate accounts before taking any action. If a matching user is found, the process stops and flags the conflict rather than creating a duplicate.

Can I test a configuration before running it for real?

Yes. The --dry-run flag validates your YAML file and checks that everything is in order without creating any accounts or records or sending any emails.

What's the difference between email delivery and direct vault share?

Direct vault share places the record inside the recipient's existing Keeper Vault and restricts access to that authenticated user only. Email delivery sends a one-time link that can be used to decrypt the credentials without a Keeper account, making it useful for external recipients or users who haven't yet set up their vault. Links are time-limited and expire automatically. For privileged accounts, direct vault share is the more secure option. You can configure both delivery methods in the same YAML file and they'll run independently.

What happens if part of the provisioning workflow fails?

If a step fails, for example if the Gateway is unreachable or rotation does not complete, the structured output log flags which step failed and why. Partially completed workflows do not succeed silently; each step's status is reported individually so you can identify and resolve issues without guesswork.

Is there a way to see what the command did after it runs?

Yes, every run produces a structured output that logs each step — account creation, group assignment, rotation status and delivery confirmation. You can return this as plaintext or JSON, depending on how you consume the results.
