POST PAM Providers Types

The POST /PamProviders/Types method creates a new PAM PAM (Privileged Access Management): Controls privileged access by vaulting credentials, enforcing least-privilege/just-in-time access, rotating secrets, and auditing sessions. Across Keyfactor products, PAM protects diverse sensitive operations and secrets—for example certificate stores and CA credentials—via built-in or third-party providers; external integrations are delivered as custom PAM extensions (several published on Keyfactor’s public GitHub). provider type. This method returns HTTP 200 OK on a success with details about the PAM provider type.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/pam/modify/

/pam/modify/#/ (where # is a reference to a specific PAM provider ID)

Permissions for PAM providers can be set at the system-wide level or with fine-grained control at the PAM provider level. See PAM Permissions for more information about the differences between system-wide and more targeted permissions.

This method has two available versions. Keyfactor recommends using the newer method when possible. For more information about versioning, see Versioning. The input parameters and response data returned are the same for both versions.

Table 626: POST PamProviders Types v1 & v2 Input Parameters

Name

Description

Name Body Required. A string containing the name of the PAM provider type.

Parameters

Body

Required. An array of objects containing parameters set for the PAM provider type. Show parameter details.

Value	Description
Name	Required. A string indicating the internal name for the PAM parameter.
Display Name	A string indicating the display name for the PAM parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the dialog when a user creates a new record using the PAM provider (e.g., a new certificate store using PAM for authentication). If a DisplayName is not provided, the Name will be used as the DisplayName.
DataType	An integer indicating the data type for the parameter. Possible values are: 1 = String 2 = Secret The default is 1.
Instance Level	A Boolean that sets whether the parameter is used to define the underlying PAM provider (false) or a field that needs to be set to a value when configuring a record (e.g., a certificate store) to use the PAM provider (true). The default is false. Example: For Delinea when defining a PAM provider, you configure these Delinea-specific fields: Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g., https://websrvr38.keyexample.com/SecretServer). Secret Server Username: The name of the user that will be used to connect to SecretServer. Secret Server Password: The password of the user that will be used to connect to SecretServer. Because these fields are configured on the PAM provider definition, they appear as InstanceLevel=False like so: Copy `{ "Name": "Host", "DisplayName":"Secret Server URL", "InstanceLevel":false, "DataType": "1 }, { "Name":"Username", "DisplayName":"Secret Server Username", "InstanceLevel":false, "DataType": 2 }, { "Name":"Password", "DisplayName":"Secret Server Password", "InstanceLevel":false, "DataType": 2 }` When you configure a certificate store to use Delinea as a credential provider, you enter the name of the secret field in Delinea referencing the protected object and you enter the ID of the projected object containing the username or password used to access the certificate store. Because these fields are configured on the certificate store level, they appear as InstanceLevel=True like so: Copy `{ "Name":"SecretId", "DisplayName":"Secret Server Secret ID", "InstanceLevel":true, "DataType": 1 }, { "Name":"SecretFieldName", "DisplayName":"Secret Field Name", "InstanceLevel":true, "DataType": 1 }` In both cases, the values for the fields (e.g., the actual name of the object in Delinea where the password is stored) are stored in the ProviderTypeParamValues array.

Table 627: POST PamProviders Types v1 & v2 Response Data

Name

Description

Id A string containing the Keyfactor Command reference GUID for the PAM provider type.

Name A string containing the name of the PAM provider type.

Parameters

An array of objects containing parameters set for the PAM provider type. Show parameter details.

Value

Description

An integer indicating the ID of the parameter. Parameters will vary depending on your PAM extension. Show built-in parameter values.

Value	Description
1	Private Ark Safe
2	PrivateArk Folder Name
3	PrivateArk Protected Password Name
4	Application ID
5	Secret Server Url
6	Rule Name
7	Thycotic Secret ID
8	Rule Key

Name

A string indicating the internal name for the PAM parameter.

Display Name

A string indicating the display name for the PAM parameter. For parameters with an InstanceLevel of False, this name appears on the PAM provider dialog when a user creates a new PAM provider. For parameters with an InstanceLevel of True, this name appears on the dialog when a user creates a new record using the PAM provider (e.g., a new certificate store using PAM for authentication).

DataType

An integer indicating the data type for the parameter. Possible values are:

1 = String
2 = Secret

Instance Level

A Boolean that sets whether the parameter is used to define the underlying PAM provider (false) or a field that needs to be set to a value when configuring a record (e.g., a certificate store) to use the PAM provider (true).

Example: For Delinea when defining a PAM provider, you configure these Delinea-specific fields:

Secret Server URL: The URL to the Secret Server vault instance, including port number if applicable (e.g., https://websrvr38.keyexample.com/SecretServer).
Secret Server Username: The name of the user that will be used to connect to SecretServer.
Secret Server Password: The password of the user that will be used to connect to SecretServer.

Because these fields are configured on the PAM provider definition, they appear as InstanceLevel=False like so:

Copy

{
   "Name": "Host",
   "DisplayName":"Secret Server URL", 
   "InstanceLevel":false,
   "DataType": "1
},
{
   "Name":"Username",
   "DisplayName":"Secret Server Username", 
   "InstanceLevel":false,
   "DataType": 2
},
{
   "Name":"Password",
   "DisplayName":"Secret Server Password", 
   "InstanceLevel":false,
   "DataType": 2
}

When you configure a certificate store to use Delinea as a credential provider, you enter the name of the secret field in Delinea referencing the protected object and you enter the ID of the projected object containing the username or password used to access the certificate store. Because these fields are configured on the certificate store level, they appear as InstanceLevel=True like so:

Copy

{
   "Name":"SecretId",
   "DisplayName":"Secret Server Secret ID", 
   "InstanceLevel":true,
   "DataType": 1
},
{
   "Name":"SecretFieldName",
   "DisplayName":"Secret Field Name", 
   "InstanceLevel":true,
   "DataType": 1
}

In both cases, the values for the fields (e.g., the actual name of the object in Delinea where the password is stored) are stored in the ProviderTypeParamValues array.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.3.1

On this page: