Privileged Access

PAM & Credential Vault operations

Manage encrypted credential vaults with checkout/checkin workflows, automatic password rotation, granular vault-level access control, and full audit trails for every credential operation.

Technical Manual
Status: Available

Prerequisites and permission model

PAM uses a two-layer access model: RBAC permissions control who can manage vaults, while vault access grants control who can see and use individual credentials.

  • Role with pam_vaults.view for listing vaults and identities
  • Role with pam_vaults.manage for creating/updating/deleting vaults and credentials, and rotating passwords
  • Explicit vault access grant at "View Credentials" level to reveal credential values
  • Explicit vault access grant at "Checkout" level to checkout credentials
  • Account owners bypass all vault access checks
  • Organizations must have an organization secret configured for encryption

Two-layer security: Having pam_vaults.view lets you see vault names and identity metadata, but you cannot reveal or checkout credentials without an explicit vault access grant on the specific vault.

Creating vaults

Vaults (called "Identity Groups" in the API) are organization-scoped containers for credentials.

  1. Navigate to Identities page from the sidebar (under Policy section)
  2. Click Create Vault
  3. Enter a vault name and optional description
  4. Select the target organization
  5. Click Save

Vault deletion: A vault must be empty (no identities) before it can be deleted. Remove all credentials first.

Adding credentials

  1. On the Identities page, select the target vault from the vault list
  2. Click Add Identity
  3. Enter: name, username, credential (password or key), and credential type
  4. Set the rotation interval in days (how often the password should rotate)
  5. Toggle Rotate after use if the password should auto-rotate after every checkin
  6. Optionally select hosts this credential applies to
  7. Click Create

Credential fields

  • Name: Descriptive name for the credential (e.g., "prod-db-admin")
  • Username: The account username
  • Credential: Password or SSH key. Encrypted with AES-256-GCM before storage.
  • Credential Type: password, SSH key, API key, etc.
  • Rotation Interval (days): Days between automatic rotations. Leave empty to disable auto-rotation.
  • Rotate After Use: Enable to automatically rotate the password after every checkin.
  • Hosts: Hosts this credential applies to. Rotation dispatches password reset jobs to these hosts.
  • Allow Concurrent Checkout: Enable to allow multiple users to checkout simultaneously.
  • Max Concurrent Sessions: Maximum simultaneous checkouts (if concurrent checkout is enabled).

Encryption details: Credentials are encrypted with AES-256-GCM using v2 per-vault HKDF-derived keys. Legacy v1 credentials are automatically upgraded to v2 on next access (lazy migration).
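The following Go program is an added illustration of the encryption scheme described above (per-vault HKDF-derived key, AES-256-GCM, lazy handling of pre-migration values); it is not the product's own code. The HKDF salt/info values, the "v2:" version marker, binding the vault ID as GCM associated data, and the function names are all assumptions made for the example. It also shows the one caveat a practitioner should insist on: a value that carries the v2 marker but fails authentication is reported as an error, so only values with no version marker ever take the raw-value fallback mentioned under Troubleshooting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 is RFC 5869 extract-then-expand with SHA-256, written with the
// standard library only so the example runs without external dependencies.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, prev []byte
	for i := byte(1); len(okm) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// vaultKey derives the 256-bit per-vault key from the organization secret.
// Salting with the vault ID and the info string are assumptions; the page only
// says v2 keys are HKDF-derived per vault.
func vaultKey(orgSecret []byte, vaultID string) []byte {
	return hkdfSHA256(orgSecret, []byte(vaultID), []byte("pam-credential-v2"), 32)
}

// v2Prefix is a constructed version marker, not the product's storage format.
const v2Prefix = "v2:"

var ErrNotV2 = errors.New("stored value carries no v2 marker")

// sealV2 encrypts a credential with AES-256-GCM under the vault key. The vault
// ID is bound as associated data so a ciphertext moved to another vault fails
// to open even if the derived key were somehow reused.
func sealV2(orgSecret []byte, vaultID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(vaultKey(orgSecret, vaultID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(vaultID))
	return append([]byte(v2Prefix), append(nonce, ct...)...), nil
}

// openV2 returns ErrNotV2 for values without the marker and the GCM
// authentication error for tampered or cross-vault ciphertexts.
func openV2(orgSecret []byte, vaultID string, stored []byte) ([]byte, error) {
	if len(stored) < len(v2Prefix) || string(stored[:len(v2Prefix)]) != v2Prefix {
		return nil, ErrNotV2
	}
	body := stored[len(v2Prefix):]
	block, _ := aes.NewCipher(vaultKey(orgSecret, vaultID)) // key length is fixed at 32 bytes
	gcm, _ := cipher.NewGCM(block)
	if len(body) < gcm.NonceSize() {
		return nil, ErrNotV2
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], []byte(vaultID))
}

// readCredential mirrors the lazy-migration behaviour: a value with no v2
// marker is treated as pre-migration, returned as-is and flagged so the caller
// re-saves it encrypted. A marked value that fails to authenticate is an error.
func readCredential(orgSecret []byte, vaultID string, stored []byte) ([]byte, bool, error) {
	pt, err := openV2(orgSecret, vaultID, stored)
	if errors.Is(err, ErrNotV2) {
		return stored, true, nil
	}
	return pt, false, err
}

func main() {
	secret := []byte("constructed-org-secret-do-not-use") // constructed sample secret
	ct, err := sealV2(secret, "vault-42", []byte("hunter2"))
	if err != nil {
		panic(err)
	}
	v, upgrade, err := readCredential(secret, "vault-42", ct)
	fmt.Printf("decrypted=%q needsUpgrade=%v err=%v\n", v, upgrade, err)
	_, _, err = readCredential(secret, "vault-43", ct)
	fmt.Println("same ciphertext read under another vault:", err)
}
```

The `needsUpgrade` flag is what drives the lazy migration: the caller re-saves the value with `sealV2` on the next write, which is the same fix the Troubleshooting section gives for garbled reveals.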

Granting vault access

  1. Navigate to the Vault Access tab on the Identities page
  2. Search for a user or group
  3. Select the access level
  4. Optionally set an expiration date
  5. Click Grant Access

Access levels

  • view_vault: Can see that the vault exists and view identity names/metadata. Cannot see credential values.
  • view_credentials: Can reveal (view) decrypted credential values. Includes view_vault access.
  • checkout: Can checkout credentials for active use. Includes view_credentials access.

Access grants can be made to individual IDP users or IDP groups. Group grants provide inherited access to all group members.
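As an added example (not the product's own code), the Go program below implements the two-layer model from "Prerequisites and permission model" together with the access-level hierarchy and grant rules above: RBAC permission first, then the highest active vault grant held directly or through an IDP group, with expired grants ignored. The struct layout, the action names and the decision that account owners bypass only the vault-grant layer (the page does not say whether they also bypass RBAC) are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// AccessLevel is ordered: checkout includes view_credentials, which includes
// view_vault, exactly as the Access levels list states.
type AccessLevel int

const (
	NoAccess AccessLevel = iota
	ViewVault
	ViewCredentials
	Checkout
)

func (l AccessLevel) String() string {
	return []string{"none", "view_vault", "view_credentials", "checkout"}[l]
}

// Grant is one row of the Vault Access tab. Principal is an IDP user email
// or an IDP group name; a zero ExpiresAt means the grant does not expire.
type Grant struct {
	Principal string
	Level     AccessLevel
	ExpiresAt time.Time
}

// Vault is the "Identity Group" with its grants (hypothetical struct).
type Vault struct {
	Name   string
	Grants []Grant
}

// User carries the RBAC layer: permission names such as "pam_vaults.view".
type User struct {
	Email        string
	Groups       []string
	Permissions  map[string]bool
	AccountOwner bool
}

// effectiveLevel returns the highest unexpired grant the user holds on the
// vault, directly or inherited from a group.
func effectiveLevel(u User, v Vault, now time.Time) AccessLevel {
	best := NoAccess
	for _, g := range v.Grants {
		if !g.ExpiresAt.IsZero() && !now.Before(g.ExpiresAt) {
			continue // expired grant is ignored
		}
		matches := g.Principal == u.Email
		for _, grp := range u.Groups {
			if g.Principal == grp {
				matches = true
			}
		}
		if matches && g.Level > best {
			best = g.Level
		}
	}
	return best
}

// authorize applies layer 1 (RBAC) then layer 2 (vault grant). The required
// permission and level per action follow the Permissions reference on the
// page; actions that need no grant use NoAccess.
func authorize(u User, v Vault, action string, now time.Time) (bool, string) {
	need := map[string]struct {
		perm  string
		level AccessLevel
	}{
		"list":     {"pam_vaults.view", NoAccess},
		"reveal":   {"pam_vaults.view", ViewCredentials},
		"checkout": {"pam_vaults.view", Checkout},
		"rotate":   {"pam_vaults.manage", NoAccess},
	}
	req, ok := need[action]
	if !ok {
		return false, "unknown action"
	}
	if !u.Permissions[req.perm] {
		return false, "missing RBAC permission " + req.perm
	}
	if req.level == NoAccess || u.AccountOwner { // owners bypass the grant layer (assumption: not RBAC)
		return true, ""
	}
	if have := effectiveLevel(u, v, now); have < req.level {
		return false, fmt.Sprintf("vault grant %s is below required %s", have, req.level)
	}
	return true, ""
}

func main() {
	now := time.Now()
	v := Vault{Name: "prod-db", Grants: []Grant{{Principal: "dba-team", Level: ViewCredentials}}}
	alice := User{Email: "alice@example.com", Groups: []string{"dba-team"}, // constructed sample user
		Permissions: map[string]bool{"pam_vaults.view": true}}
	for _, a := range []string{"list", "reveal", "checkout", "rotate"} {
		ok, why := authorize(alice, v, a, now)
		fmt.Printf("%-8s allowed=%v %s\n", a, ok, why)
	}
}
```

The reason string returned on denial is what you would surface in the audit log entry, so that a failed reveal is distinguishable as an RBAC gap versus a missing or expired vault grant.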

Checking out credentials

  1. On the Identities page, find the credential
  2. Click Checkout
  3. Enter a reason (required, 1-500 characters)
  4. Set the duration (5-1440 minutes / 24 hours max)
  5. Optionally select a target host
  6. Click Confirm
  7. The decrypted credential is displayed. Copy it for use.
  8. When done, click Checkin or let the session expire automatically

Concurrent checkout rules

  • If concurrent checkout is disabled: only one user can have the credential checked out at a time.
  • If concurrent checkout is enabled: multiple users can checkout, up to the configured maximum concurrent sessions.

Audit trail: Every checkout creates an immutable audit log entry with the user, reason, host, and duration. All PAM operations are fully auditable.

Revealing credentials (view only)

Revealing a credential lets you view the decrypted value without formally checking it out. This is for situations where you need to see the password but are not actively using it on a system.

  1. Click the Reveal button next to a credential
  2. The decrypted value displays for 30 seconds, then auto-clears
  3. This action is audit logged

Requires pam_vaults.view plus a vault access grant at "View Credentials" level or higher.

Password rotation

Manual rotation

  1. Select a credential (it must not be currently checked out)
  2. Click Rotate Password
  3. The system generates a new random password
  4. The old password is hashed (SHA-256) and stored in password history (max 10 entries)
  5. The new password is encrypted with AES-256-GCM
  6. Password reset jobs are dispatched to all associated hosts
  7. Monitor rotation status: pending → confirmed (or failed)

Cannot rotate while checked out: Attempting to rotate a currently checked-out credential returns HTTP 409. Wait for checkin or force-checkin first.
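The Go program below is an added example, not the product's code, that ties together the checkout rules ("Checking out credentials" and "Concurrent checkout rules") with the manual-rotation steps above: reason length 1-500, duration 5-1440 minutes, exclusive versus concurrent sessions with a maximum, automatic checkin when a session expires, rotation refused with a 409-style error while any session is live, the SHA-256 password history capped at 10 entries, and the pending reset-job status. The `Identity` struct, the session bookkeeping and the choice to rotate after use only when the last concurrent session is checked in are assumptions; credentials are held in plaintext here to keep the focus on the workflow.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadReason   = errors.New("reason must be 1-500 characters")
	ErrBadDuration = errors.New("duration must be 5-1440 minutes")
	ErrCheckedOut  = errors.New("409: identity is already checked out")
	ErrMaxSessions = errors.New("409: maximum concurrent sessions reached")
)

// Session is one checkout; the page's audit fields (user, reason, host,
// duration) are what it records.
type Session struct {
	User, Reason, Host string
	ExpiresAt          time.Time
}

// Identity is one credential record with the checkout/rotation-relevant
// fields from the Credential fields list (hypothetical struct).
type Identity struct {
	Name            string
	AllowConcurrent bool
	MaxSessions     int
	RotateAfterUse  bool
	Hosts           []string
	password        string
	Sessions        []Session
	History         []string // SHA-256 hex of previous passwords, newest first, max 10
	RotationStatus  string   // "", "pending", "confirmed" or "failed"
}

// activeSessions drops expired sessions (automatic checkin) and returns the rest.
func (id *Identity) activeSessions(now time.Time) []Session {
	live := id.Sessions[:0]
	for _, s := range id.Sessions {
		if now.Before(s.ExpiresAt) {
			live = append(live, s)
		}
	}
	id.Sessions = live
	return live
}

// Checkout validates the request, enforces the concurrency rules and returns
// the credential value for the caller to use.
func (id *Identity) Checkout(user, reason, host string, minutes int, now time.Time) (string, error) {
	if len(reason) < 1 || len(reason) > 500 {
		return "", ErrBadReason
	}
	if minutes < 5 || minutes > 1440 {
		return "", ErrBadDuration
	}
	live := id.activeSessions(now)
	if !id.AllowConcurrent && len(live) > 0 {
		return "", ErrCheckedOut
	}
	if id.AllowConcurrent && len(live) >= id.MaxSessions {
		return "", ErrMaxSessions
	}
	id.Sessions = append(id.Sessions, Session{User: user, Reason: reason, Host: host,
		ExpiresAt: now.Add(time.Duration(minutes) * time.Minute)})
	return id.password, nil // an audit log entry would be written here
}

// Checkin ends the user's sessions; with Rotate After Use it rotates once no
// session remains (assumption for the concurrent case).
func (id *Identity) Checkin(user string, now time.Time) error {
	kept := id.Sessions[:0]
	for _, s := range id.Sessions {
		if s.User != user {
			kept = append(kept, s)
		}
	}
	id.Sessions = kept
	if id.RotateAfterUse && len(id.activeSessions(now)) == 0 {
		return id.Rotate(now)
	}
	return nil
}

// Rotate refuses while checked out, pushes the old password's SHA-256 into
// the capped history, installs a fresh random password and marks the reset
// jobs for the associated hosts as pending.
func (id *Identity) Rotate(now time.Time) error {
	if len(id.activeSessions(now)) > 0 {
		return ErrCheckedOut
	}
	sum := sha256.Sum256([]byte(id.password))
	id.History = append([]string{hex.EncodeToString(sum[:])}, id.History...)
	if len(id.History) > 10 {
		id.History = id.History[:10]
	}
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	id.password = base64.RawURLEncoding.EncodeToString(raw)
	id.RotationStatus = "pending" // hosts report back to move it to confirmed/failed
	return nil
}

func main() {
	now := time.Now()
	id := &Identity{Name: "prod-db-admin", password: "constructed-initial-password", // constructed sample
		Hosts: []string{"db01"}, RotateAfterUse: true}
	pw, err := id.Checkout("alice@example.com", "emergency patching", "db01", 30, now)
	fmt.Println("checkout ok:", pw != "", "err:", err)
	fmt.Println("rotate while checked out:", id.Rotate(now))
	fmt.Println("checkin:", id.Checkin("alice@example.com", now), "status:", id.RotationStatus, "history:", len(id.History))
}
```

Keeping the history as hashes rather than the old passwords themselves means a reuse check can still be made later without the history becoming a second store of live secrets.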

Automatic rotation

Credentials with a rotation interval configured have a next rotation date calculated automatically. A background scheduler checks every 30 minutes and rotates any credentials whose rotation date has passed. After auto-rotation, the next rotation date advances by the configured interval.

Rotate after use

If "Rotate After Use" is enabled on a credential, the system automatically triggers rotation when the credential is checked in. This ensures the password changes after every use, providing maximum security for highly sensitive accounts.

One-click PAM enrollment

Quickly enroll existing host accounts into PAM directly from the host detail page.

  1. On a host detail page, click PAM Enroll
  2. Enter the username and select the target vault
  3. The system generates a random password
  4. A password reset job is dispatched to the host
  5. An identity record is created and linked to the host

Requires hosts.manage_users permission and the host must be online.

Support access workflow

Support access provides a controlled mechanism for granting temporary elevated access, typically for vendor or support staff.

  1. Navigate to Support Access
  2. Click the toggle to enable support access
  3. Enter a reason (required)
  4. Set an optional expiration (1-365 days)
  5. Click Enable

Emergency disable

Use Emergency Disable to immediately revoke all support access across the account. This is a one-click action that takes effect instantly.

Audit trail

All support access toggles, updates, and emergency disables are logged in the support access audit trail, accessible via Support Access > Audit Log.

Credential lifecycle flow

Create Vault → Add Credential → Grant Access → Checkout → Use Credential → Checkin → Auto-Rotate (if configured)

Every step is audit logged. Credentials are protected with AES-256-GCM encryption at rest.

Break-glass emergency access

When normal approval workflows are too slow for a critical incident, break-glass provides emergency credential checkout that bypasses the standard approval process. Every break-glass checkout creates a comprehensive audit trail for SOX 404 compliance.

  1. Navigate to the credential you need and click Break-Glass Checkout.
  2. Enter a justification reason explaining why emergency access is needed.
  3. The credential is immediately checked out without approval. A critical-severity notification is sent to all account administrators.
  4. The session has a configurable maximum duration (set per organization). When the session expires, the credential is automatically checked in.
  5. After checkin (manual or automatic), the credential password is auto-rotated to ensure the emergency credential is no longer valid.

Rate limited: Break-glass checkouts are rate-limited to 3 per minute to prevent abuse. The pam_vaults.break_glass permission is required and should be granted sparingly.

Audit trail

Break-glass sessions are recorded with additional metadata:

  • Break-glass flag on the privileged session
  • Justification reason text
  • Automatic expiry timestamp
  • Full audit log entry with user, IP address, and timestamp
  • Critical notification to all account admins for immediate visibility

Permissions reference

Action: RBAC permission (additional requirement)

  • List vaults and identities: pam_vaults.view
  • Create/update/delete vaults: pam_vaults.manage
  • Create/update identities: pam_vaults.manage
  • Reveal credential value: pam_vaults.view (vault access grant ≥ "View Credentials")
  • Checkout credential: pam_vaults.view (vault access grant ≥ "Checkout")
  • Rotate password: pam_vaults.manage
  • Break-glass emergency checkout: pam_vaults.break_glass (rate limited: 3/minute)
  • PAM enrollment: hosts.manage_users (host must be online)
  • View sessions: pam_vaults.view

Troubleshooting

Each entry lists the symptom, its cause, and the fix.

  • "No IDP user mapping" on reveal/checkout
    Cause: Legacy user without matching IDP user email
    Fix: Create an IDP user with the same email, or use an account owner role
  • "Identity is already checked out"
    Cause: Another user has it checked out and concurrent checkout is disabled
    Fix: Wait for checkin or ask the other user to checkin
  • Rotation stuck in "pending"
    Cause: Agent offline or job failed
    Fix: Check job status in the Jobs page. Host must be online to receive the password reset job.
  • "Organization secret not found"
    Cause: Organization has no secret configured
    Fix: Admin must set the org secret in organization settings
  • Credential reveals garbled text
    Cause: Pre-migration data stored in plaintext that fails v2 decrypt; the fallback returns the raw value
    Fix: Re-save the credential to encrypt it properly
  • Support access expired silently
    Cause: Expiration date passed without renewal
    Fix: Re-enable via the toggle with a new duration
  • "Cannot delete group with N identities"
    Cause: Vault is not empty
    Fix: Remove all identities from the vault before deleting it
  • "Maximum concurrent sessions reached"
    Cause: Concurrent checkout limit hit
    Fix: Wait for an existing session to checkin or increase the maximum concurrent sessions setting